Monitoring Cisco PIX/ASA IPsec VPN tunnels

  • ericgearhart
    Senior Member
    • Jan 2009
    • 115

    #1

    Monitoring Cisco PIX/ASA IPsec VPN tunnels

    This "recipe" outlines what I went through with Zabbix to enable it to monitor the bandwidth of individual IPsec VPN tunnels.

    This is not as easy as it seems at first glance... on Cisco devices the bandwidth of IPsec tunnels can be monitored via SNMP, but each tunnel has a unique "session" that has to be matched up to the peer IP address of the tunnel you want to monitor (even more fun: you must convert the peer IP address to its hex equivalent and then do the equivalent of an snmpget with that hex value to get the IPsec session).

    On top of that, if an IPsec tunnel goes down and then an hour later comes back up, it will have a different session ID, so its SNMP OID will have changed... even if you looked up the original SNMP OID for a given tunnel, as soon as it goes down your graphs stop updating.

    (backstory: I "discovered" Zabbix over the past two weeks... we are currently using Cacti to monitor many metrics of our network, but I'm pitching for Zabbix to completely replace Cacti at my work because it combines graphing, trending and alerts. This is one pretty crucial function that I would need Zabbix to be able to take over from Cacti).
    Last edited by ericgearhart; 02-01-2010, 01:37. Reason: Doh PIX should be VPN Concentrator... I think the script can query all three device types, not sure
  • ericgearhart
    Senior Member
    • Jan 2009
    • 115

    #2
    I must first point out that this solution borrows heavily from this thread on the Cacti forums... I also use the Perl script that enables this functionality in Cacti (query_asa_lan2lan_cisco.pl) and just "ported it over" to the equivalent in Zabbix.

    The only significant change I had to make was the order of the arguments to the script... Zabbix expects to call external scripts with the first argument being the hostname/IP matching the item, so I had to flip the order of the arguments in query_asa_lan2lan_cisco.pl.

    The basic technical overview of setting this up:
    -pick a folder you want to store custom scripts in on your Zabbix server. I personally use /etc/zabbix/externalscripts.

    -enable the "external_scripts" folder in your zabbix_server.conf, and point it at that folder.

    -copy the query_asa_lan2lan_cisco.txt script attached to this post to that external_scripts folder previously mentioned... rename it to a .pl file instead of .txt. I had to do that because of forum attachment rules.

    -the script depends on the Net::SNMP Perl module. On CentOS and RHEL all I had to do to get this module was "yum install perl-Net-SNMP"... your mileage may vary depending on your OS. It probably should be as easy as an 'emerge' or an 'apt-get', depending on your distribution.

    -Make sure you 'chown zabbix:zabbix' that script so your Zabbix server user owns the script.

    In the Zabbix web console:
    -create a Host for your PIX/ASA (unless you already have)
    -create an inbound Item similar to the screenshot attached. Note the data type is decimal and the custom multiplier is 8 (this converts raw bps to Kbps or Mbps in the graphs... much prettier)

    For a Cisco ASA, the format for the Key part of the item you create will be:

    Code:
    query_asa_lan2lan.pl[<snmp community string> ASA get RX <IPsec peer IP>]
    -create an outbound Item... instead of using RX in the key just mentioned, use TX (transmit).


    If you're querying a VPN Concentrator, just switch ASA with CONCENTRATOR in the item's key... I haven't tested anything other than ASAs, though, because we've moved completely to them at work.

    Note: in my example replace <snmp community string> with your community string and <IPsec peer IP> with the IP address of the peer that corresponds to the tunnel you'd like to monitor - for example:

    Code:
    query_asa_lan2lan.pl[public ASA get RX 4.2.2.2]
    would query your ASA for the bandwidth of the tunnel that corresponds with IPsec peer 4.2.2.2

    After you set up these Items, you can go nuts with Zabbix and create pretty graphs, triggers based on bandwidth if you like, etc etc.
    Attached Files
    Last edited by ericgearhart; 02-01-2010, 01:49. Reason: copyedit, added yum install perl-Net-SNMP blurb
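    The lookup the first two posts describe, as an added illustration (this is not the thread's query_asa_lan2lan_cisco.pl, and the column OIDs, the walk snapshots and the session indices are constructed placeholders): convert the peer IP to hex, find the session index whose peer-address entry matches it on every poll, then read the RX/TX counter under that index, returning no value when the tunnel has no session.

```python
import ipaddress
from typing import Dict, Optional

# Assumed placeholder column OIDs of a per-session table (not the real MIB
# objects the thread's script queries): the peer-address column and the RX/TX
# octet counters. The session index is the last OID component.
PEER_COL = "1.3.6.1.4.1.99999.1.1.1.5"
RX_COL = "1.3.6.1.4.1.99999.1.1.1.26"
TX_COL = "1.3.6.1.4.1.99999.1.1.1.39"


def peer_to_hex(peer_ip: str) -> str:
    """Dotted-quad peer IP -> 8 hex chars ('4.2.2.2' -> '04020202'), the form
    the thread says the peer address has to be matched in."""
    return ipaddress.IPv4Address(peer_ip).packed.hex()


def find_session_index(walk: Dict[str, str], peer_ip: str) -> Optional[int]:
    """Scan the peer-address column of a walk (OID -> value) and return the
    session index whose value equals the peer's hex form, else None."""
    want = peer_to_hex(peer_ip)
    for oid, value in walk.items():
        if oid.startswith(PEER_COL + ".") and value.lower() == want:
            return int(oid.rsplit(".", 1)[1])
    return None


def get_counter(walk: Dict[str, str], peer_ip: str, direction: str) -> Optional[int]:
    """Resolve the index on every poll (it changes when the tunnel bounces),
    then read the matching counter. Returns None when the tunnel is down so
    the caller can report 'no data' instead of an empty value."""
    if direction not in ("RX", "TX"):
        raise ValueError("direction must be RX or TX")
    idx = find_session_index(walk, peer_ip)
    if idx is None:
        return None
    value = walk.get(f"{RX_COL if direction == 'RX' else TX_COL}.{idx}")
    return int(value) if value is not None else None


# Constructed walk snapshots (not captured from a device): peer 4.2.2.2 is
# session 7 before its tunnel bounces and session 12 after it re-establishes;
# peer 10.0.0.5 has no session at all in the second snapshot.
WALK_BEFORE = {
    f"{PEER_COL}.7": "04020202", f"{RX_COL}.7": "123456", f"{TX_COL}.7": "654321",
    f"{PEER_COL}.9": "0a000005", f"{RX_COL}.9": "10", f"{TX_COL}.9": "20",
}
WALK_AFTER = {
    f"{PEER_COL}.12": "04020202", f"{RX_COL}.12": "777", f"{TX_COL}.12": "888",
}

if __name__ == "__main__":
    for snap in (WALK_BEFORE, WALK_AFTER):
        print(find_session_index(snap, "4.2.2.2"), get_counter(snap, "4.2.2.2", "RX"))
    print(get_counter(WALK_AFTER, "10.0.0.5", "RX"))  # tunnel gone: None
```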


    • ericgearhart
      Senior Member
      • Jan 2009
      • 115

      #3
      If you're having problems getting this set up, you should first make sure the script is working OK.

      Run the script by hand and make sure it returns your tunnels first:

      Code:
      perl query_asa_lan2lan.pl <YourASA> <YourSNMP string> ASA index
      should return a list of IPsec tunnels you have established on your ASA/VPN concentrator

      Here's an example:

      Code:
      perl query_asa_lan2lan.pl 192.168.1.1 my_snmp_string ASA index


      • kefear
        Junior Member
        • Apr 2010
        • 3

        #4
        I've been trying to use this script to monitor if the tunnel is up. I've set up everything without problems until triggers. I did:
        {ASA:query_asa_lan2lan.pl[public ASA get RX peerIP].nodata(30)}=1

        The trigger fires up for a while and then goes down, and this repeats every 2-3 minutes. Shouldn't it stay up the whole time, because the tunnel is constantly down?

        I got the following message in logs:

        Use of uninitialized value $value in string eq at /etc/zabbix/externalscripts/query_asa_lan2lan.pl line 250.

        Everything seems to be OK except that the trigger doesn't stay up.
        Thanks in advance for any help.


        • Setarcos
          Junior Member
          • May 2010
          • 1

          #5
          Hi Folks,

          You probably want to have a look at the changes I introduced to the Cacti script in March of this year. Some newer versions of net-snmp didn't like the way the original script was referencing the OIDs.


          • aderr
            Junior Member
            • Dec 2011
            • 14

            #6
            I have been able to get this script to work well with our ASA, but we still have some PIX firewalls as well. Does anyone know of a similar script that would work for a PIX?
            When I run the index against our PIX I get this returned:

            Code:
            request error: Requested table is empty or does not exist at query_asa_lan2lan.pl line 225
            Thank you.


            • expouser
              Junior Member
              • Aug 2013
              • 7

              #7
              ASA 5510 VPN monitoring

              /query_asa_lan2lan.pl 10.2.5.1 enterprice [ASA,get] query {RX,TX}
              Odd number of elements in hash assignment at /usr/lib/perl5/vendor_perl/5.16.2/Net/SNMP.pm line 2278.
              request error: The argument "1.3.6.1.4.1.3076.2.1.2.17.2.1.4." is unknown at ./query_asa_lan2lan.pl line 208.


              I'm getting this error when I run the script.
              Please help.


              • ericgearhart
                Senior Member
                • Jan 2009
                • 115

                #8
                Originally posted by expouser
                /query_asa_lan2lan.pl 10.2.5.1 enterprice [ASA,get] query {RX,TX}
                Odd number of elements in hash assignment at /usr/lib/perl5/vendor_perl/5.16.2/Net/SNMP.pm line 2278.
                request error: The argument "1.3.6.1.4.1.3076.2.1.2.17.2.1.4." is unknown at ./query_asa_lan2lan.pl line 208.


                I'm getting this error when I run the script.
                Please help.
                expouser, I'm not with the company I was originally with, who had a handful of ASAs deployed. We're thinking about deploying ASAs where I now work, and if we do I can try to get this script working again. As it stands right now I don't have an ASA that I can even test the script against.


                • expouser
                  Junior Member
                  • Aug 2013
                  • 7

                  #9
                  Originally posted by ericgearhart
                  expouser I'm not with the company I was originally with who had a handful of ASAs deployed. We're thinking about deploying ASAs where I now work, and if we do I can try to get this script working again. As it stands right now I don't have an ASA that I can even test script against.
                  Don't worry ericgearhart, I have figured out how this script works.
                  Unfortunately the script version you provided did not fully work under my system OS.
                  It has some bugs in its output.
                  I found a newer version of the script on a Cacti forum that worked for me.
                  Attaching it here.
                  Attached Files
                  Last edited by expouser; 16-09-2013, 09:51.


                  • darwinaloot
                    Junior Member
                    • Jan 2014
                    • 4

                    #10
                    Hi, I'm new to Zabbix and I'm trying to add VPN tunnels to our Zabbix. I followed all the procedure that was posted here, but when I checked the logs I saw that Zabbix executes this - /home/zabbix/zabbix-2.2.1/scripts/query_asa_lan2lan_cisco.pl "<community string> <ASA> ASA get TX <IP peer gateway>"

                    Zabbix is automatically adding quotation marks.

                    Instead of Zabbix executing this one:

                    /home/zabbix/zabbix-2.2.1/scripts/query_asa_lan2lan_cisco.pl <community string> <ASA> ASA get TX <IP peer gateway>

                    it executes this one:

                    /home/zabbix/zabbix-2.2.1/scripts/query_asa_lan2lan_cisco.pl " <community string> <ASA> ASA get TX <IP peer gateway>"

                    I'm getting:

                    usage:

                    ./query_lan2lan_cisco.pl community host {ASA,CONCENTRATOR} index
                    ./query_lan2lan_cisco.pl community host {ASA,CONCENTRATOR} query {RX,TX}
                    ./query_lan2lan_cisco.pl community host {ASA,CONCENTRATOR} get {RX,TX} DEVICE

                    I'm using Zabbix 2.2.1 and the latest script that was posted here. Please help me out.

                    Here is the log:

                    17548:20140108:105002.393 In substitute_key_macros() data:'query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get RX <IP peer gateway>]'
                    17548:20140108:105002.393 End of substitute_key_macros():SUCCEED data:'query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get RX <IP peer gateway>]'
                    17548:20140108:105002.393 In get_value() key:'query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get RX <IP peer gateway>]'
                    17548:20140108:105002.393 In get_value_external() key:'query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get RX <IP peer gateway>]'
                    17548:20140108:105002.393 In zbx_popen() command:'/home/zabbix/zabbix-2.2.1/scripts/query_asa_lan2lan_cisco.pl "<community string> <ASA> ASA get RX <IP peer gateway>"'
                    17548:20140108:105002.532 Item [MANILA-PIX:query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get RX <IP peer gateway>]] error: Received value [usage:./query_lan2lan_cisco.pl community host {ASA,CONCENTRATOR} index./query_lan2lan_cisco.pl community host {ASA,CONCENTRATOR} query {RX,TX}./query_lan2lan_cisco.pl community host {ASA,CONCENTRATOR} get {RX,TX} DEVICE] is not suitable for value type [Numeric (unsigned)] and data type [Decimal]
                    17549:20140108:105003.394 In substitute_key_macros() data:'query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get TX <IP peer gateway>]'
                    17549:20140108:105003.394 End of substitute_key_macros():SUCCEED data:'query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get TX <IP peer gateway>]'
                    17549:20140108:105003.394 In get_value() key:'query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get TX <IP peer gateway>]'
                    17549:20140108:105003.394 In get_value_external() key:'query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get TX <IP peer gateway>]'
                    17549:20140108:105003.394 In zbx_popen() command:'/home/zabbix/zabbix-2.2.1/scripts/query_asa_lan2lan_cisco.pl "<community string> <ASA> ASA get TX <IP peer gateway>"'


                    • mrafi
                      Junior Member
                      • Feb 2014
                      • 10

                      #11
                      Item is becoming not supported in 2.0.9, any help?

                      Hi ericgearhart,

                      I have followed exactly what you have mentioned above; everything looks good on the Zabbix server console, but when I set it up in the GUI the item doesn't get any value and becomes unsupported. As per the Zabbix server logs I am getting the following...

                      4443:20140304:161527.994 item [ASA:query_asa_lan2lan.pl[public ASA get RX x.x.x.x]] became not supported: Received value [usage:./query_lan2lan_cisco.pl community host {ASA,CONCENTRATOR} index./query_lan2lan_cisco.pl community host {A

                      Where x.x.x.x is a public IP of my peer ASA.

                      Please let me know if you or anyone else can help me out...

                      Thanks


                      • mrafi
                        Junior Member
                        • Feb 2014
                        • 10

                        #12
                        Originally posted by ericgearhart
                        If you're having problems getting this setup you should first make sure the script is working OK.

                        Run the script by hand and make sure it returns your tunnels first:

                        Code:
                        perl query_asa_lan2lan.pl <YourASA> <YourSNMP string> ASA index
                        should return a list of IPsec tunnels you have established on your ASA/VPN concentrator

                        Here's an example:

                        Code:
                        perl query_asa_lan2lan.pl 192.168.1.1 my_snmp_string ASA index


                        Hi ericgearhart,

                        I have followed exactly what you have mentioned above; everything looks good on the Zabbix server console, but when I set it up in the GUI the item doesn't get any value and becomes unsupported. As per the Zabbix server logs I am getting the following...

                        4443:20140304:161527.994 item [ASA:query_asa_lan2lan.pl[public ASA get RX x.x.x.x]] became not supported: Received value [usage:./query_lan2lan_cisco.pl community host {ASA,CONCENTRATOR} index./query_lan2lan_cisco.pl community host {A

                        Where x.x.x.x is a public IP of my peer ASA.

                        Please let me know if you or anyone else can help me out...

                        Thanks


                        • darwinaloot
                          Junior Member
                          • Jan 2014
                          • 4

                          #13
                          Try this

                          Hi,

                          Try this format for the Key:

                          query_asa_lan2lan_cisco.pl["{$SNMP_COMMUNITY}","<CISCOPIX IP HERE>","ASA","get","RX","<YOUR GATEWAY IP HERE>"]


                          • mrafi
                            Junior Member
                            • Feb 2014
                            • 10

                            #14
                            Originally posted by darwinaloot
                            Hi,

                            Try this format for the Key:

                            query_asa_lan2lan_cisco.pl["{$SNMP_COMMUNITY}","<CISCOPIX IP HERE>","ASA","get","RX","<YOUR GATEWAY IP HERE>"]
                            Many thanks for your reply. I tried the above command but no luck, same error log... any other thoughts? I have tried many combinations for the key but nothing made any difference...


                            • mrafi
                              Junior Member
                              • Feb 2014
                              • 10

                              #15
                              update

                              Originally posted by mrafi
                              Many thanks for your reply. I tried the above command but no luck, same error log... any other thoughts? I have tried many combinations for the key but nothing made any difference...


                              Sorry dude, I copied your Key exactly, but I realized now your script has a different name. I corrected the name and now I am getting the error below.

                              became not supported: Received value [] is not suitable for value type [Numeric (unsigned)] and data type [Decimal]
