• 02Aug
    Author: ned Categories: Infrastructure, Security Comments: 12

    Virtual Private Networks (VPNs) offer a way to securely connect different locations that are both connected to the Internet. Internet VPNs are much cheaper than private lines leased from a telco, but unfortunately they are often much less reliable. Many times, when an Internet VPN “drops”, distant offices are no longer able to communicate, and as network administrators we want to know about it so we can fix it before our users notice anything!

    This post shows one way to monitor site-to-site VPNs configured on a Cisco ASA firewall using SNMP and Nagios.

    First, if you’re only managing a handful of VPN tunnels on a couple ASAs, it’s probably easiest to just enable email notifications in the ASA’s ASDM management GUI. Make sure you’ll be able to receive the email even when the VPN is down, and be sure to test.

    For larger networks, or any network where availability is critical, it makes sense to monitor your systems with some kind of network management tool. I’m a firm believer that most monitoring tools can do a reasonable job, if they are configured correctly. I also believe there is no such thing as a self-configuring monitoring system (autodiscovery is a panacea that hasn’t been realized). If you’re going to be paging your IT staff about something, it should probably have been configured by a human.

    I think open source software is a natural fit for system and infrastructure monitoring, and one well-established option is Nagios. Let me repeat that I really don’t have a loyalty to a specific tool; even the most expensive commercial tools take a lot of manual configuration work.

    The ASA exposes the list of established site-to-site VPNs via SNMP. You can list the peer IPs of the established VPNs with the command:

    snmpwalk -v1 -c YourSNMPCommunity 192.168.1.254 \
        1.3.6.1.4.1.9.9.171.1.2.3.1.7

    Here YourSNMPCommunity is the community string you configured on the ASA, and 192.168.1.254 is the ASA’s IP address. The long dotted-decimal string at the end is the SNMP OID, just a fancy way of naming a specific metric in SNMP. You should see something like this (one line per established tunnel):

    SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.33942200 = STRING: "10.20.3.1"
    SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.92152968 = STRING: "192.168.44.254"

    In this case, there are two site-to-site VPNs up: one to the peer with IP 10.20.3.1 and one to the peer with IP 192.168.44.254. The number after the OID is the ASA’s tunnel index, which changes every time a tunnel is re-established, so it is the peer IP value, not the index, that identifies a tunnel. If the peer IP for a configured tunnel isn’t listed here, it’s down!

    I wrote a simple “check” script for Nagios to make it easy to monitor (and receive Nagios alerts on) site-to-site VPN status. You need to install the script in your Nagios libexec directory, add a few lines to your checkcommands.cfg, and then you can monitor site-to-site VPN tunnels on an ASA with just a few arguments: SNMP community string, VPN peer IP address, and an optional friendly name added to Nagios reports.

    Interested in using it in your environment? Download check_asa_l2lvpn.pl from Monitoring Exchange and give it a try! Don’t be shy to ask questions in the comments below!
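    The following is an added example for this post, written in Python rather than Perl; it is not the check_asa_l2lvpn.pl script the author published, and its command-line flags (-H, -C, -p, -n, --snmpwalk) are my own choice. It walks the same OID the post uses (to my knowledge the remote peer address column of the IKE tunnel table in CISCO-IPSEC-FLOW-MONITOR-MIB; the MIB name is not given in the post), parses snmpwalk’s text output whether or not the STRING value is quoted, and always exits with one of the four Nagios plugin codes so that Nagios never reports “Service check did not exit properly”. The embedded sample walk output is constructed from the two lines shown above.

```python
#!/usr/bin/env python3
"""Nagios-style check for Cisco ASA site-to-site VPN tunnels over SNMP.

Added example for this post, not the author's check_asa_l2lvpn.pl. It walks
the OID the post uses (remote peer address column of the IKE tunnel table),
parses snmpwalk's text output and reports in the Nagios plugin convention.
"""
import argparse
import re
import shutil
import subprocess
import sys

PEER_OID = "1.3.6.1.4.1.9.9.171.1.2.3.1.7"

# Nagios only accepts these exit codes; anything else is reported as
# "Service check did not exit properly".
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed sample of snmpwalk output, one row per established tunnel,
# copied from the format shown in the post.
SAMPLE_WALK = (
    'SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.33942200 = STRING: "10.20.3.1"\n'
    'SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.92152968 = STRING: "192.168.44.254"\n'
)

# The value is quoted on most net-snmp builds; accept it unquoted as well.
ROW_RE = re.compile(r'^\S+\s*=\s*STRING:\s*"?([0-9A-Fa-f.:]+)"?\s*$')


def parse_peers(walk_output):
    """Return the set of remote peer addresses present in snmpwalk output."""
    peers = set()
    for line in walk_output.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            peers.add(match.group(1))
    return peers


def evaluate(peers, wanted_peer, name=None):
    """Map the parsed peer set to an (exit_code, status_line) pair."""
    label = name or wanted_peer
    if wanted_peer in peers:
        return OK, "OK - VPN to %s (%s) is up; %d tunnel(s) established" % (
            label, wanted_peer, len(peers))
    seen = ", ".join(sorted(peers)) or "none"
    return CRITICAL, "CRITICAL - VPN to %s (%s) is down; established peers: %s" % (
        label, wanted_peer, seen)


def run_snmpwalk(host, community, snmpwalk=None, timeout=15):
    """Run snmpwalk against the ASA and return its stdout.

    The binary is resolved with shutil.which() unless an absolute path is
    given, so the check behaves the same under the Nagios user's PATH as it
    does when run by hand.
    """
    exe = snmpwalk or shutil.which("snmpwalk")
    if exe is None:
        raise FileNotFoundError("snmpwalk not found; install net-snmp or pass --snmpwalk /full/path")
    result = subprocess.run(
        [exe, "-v1", "-c", community, host, PEER_OID],
        capture_output=True, text=True, timeout=timeout)
    if result.returncode != 0:
        raise RuntimeError(result.stderr.strip() or "snmpwalk exited %d" % result.returncode)
    return result.stdout


def main(argv=None):
    parser = argparse.ArgumentParser(description="Check an ASA site-to-site VPN peer via SNMP")
    parser.add_argument("-H", "--host", required=True, help="ASA management address")
    parser.add_argument("-C", "--community", required=True, help="SNMP community string")
    parser.add_argument("-p", "--peer", required=True, help="remote peer IP of the tunnel to check")
    parser.add_argument("-n", "--name", help="friendly name shown in Nagios output")
    parser.add_argument("--snmpwalk", help="absolute path to the snmpwalk binary")
    args = parser.parse_args(argv)
    try:
        output = run_snmpwalk(args.host, args.community, args.snmpwalk)
    except Exception as exc:  # any query failure must still exit with 0-3
        print("UNKNOWN - %s" % exc)
        return UNKNOWN
    code, message = evaluate(parse_peers(output), args.peer, args.name)
    print(message)
    return code


if __name__ == "__main__":
    if len(sys.argv) == 1:
        # No arguments: run offline against the constructed sample.
        demo_code, demo_msg = evaluate(parse_peers(SAMPLE_WALK), "10.20.3.1", "branch-office")
        print(demo_msg)
        sys.exit(demo_code)
    sys.exit(main())
```

    Run with no arguments it evaluates the constructed sample; in a real deployment the Nagios command definition would call it with the interpreter’s absolute path (as one of the commenters below ended up doing for Perl) and pass the ASA address, community and peer IP as arguments. Note that an SNMPv1 community string travels in cleartext and is visible in the process list while the check runs, so a read-only community limited by the ASA’s SNMP host configuration, or SNMPv3 where the ASA supports it, is the appropriate choice.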

    (Thanks to Diego_3336 for sharing the nice tunnel photo under a Creative Commons license!)


12 Responses

  • Joe Says:

    Works great, Thanks for the script.

  • Rainer Says:

    Hi,

    First I want to say thanks for the check_asa plugin.
    But unfortunately I have the problem that if I run the check manually it’s OK, but if it runs out of Nagios I get the following return:

    Current Status:
    CRITICAL
    (for 0d 0h 6m 24s)
    Status Information: (Service check did not exit properly)

    Can you help me ?

    Best Regards and thanks in advance

    Rainer

  • John Says:

    This may seem simple, but I am new at this:

    I followed all the directions and still can’t get this to work.

    I am getting the following error:
    (Return code of 126 is out of bounds – plugin may be missing)

    I am not sure how or where to put in the arguments for this plugin.

    I have this configured on the plugin page: -C $SNMP_COMMUNITY$ -IP $ADDRESSES$

    and this is on the host monitor tab: -C $SNMP_COMMUNITY$ -IP 204.9.189.252

    Can you help?

  • Thomas Says:

    I think you should leave out the quotation marks around the variable peerip in line 40. Otherwise the comparison will never be positive and all VPNs will be marked down.

  • Farid Says:

    Rainer,
    It sounds as if the path to snmpwalk is not right.
    It could be that the user running Nagios does not find snmpwalk, while the user you use to run it manually finds it.

  • Ned Says:

    Rainer,

    I agree – you may need to do a “which snmpwalk” and edit the script to point to the snmpwalk binary. You might have to install net-snmp if snmpwalk doesn’t exist on your computer.

    John,

    Looks like you’re using a GUI to manage your Nagios installation – I’m sorry, but I’m not familiar with how to use that GUI. Perhaps you can try looking at the config files the GUI makes and seeing if they look like the examples in the beginning of the script.

    Thomas,

    On my servers, snmpwalk returns strings in quotes, so the quotes are essential on line 40. I guess maybe a different version of snmpwalk might return strings without quotes, but this sure works on my servers.

    Best, Ned.

  • Matt Says:

    I have the same problem as Rainer. I have changed the path in the script to point to the snmpwalk binary. If I run the command from the command line the script runs flawlessly ( ./check_asa_l2lvpn ). We were testing this on an Ubuntu server and it worked great. We since moved it to a CentOS 5.3 system and the paths are different for the plugins (/usr/lib/nagios/plugins) and the config files (/etc/nagios). Can you think of anything else I am missing?

    -Thanks

  • Matt Says:

    I was able to get the script to work. The issue was the difference between the embedded Perl binary and the actual location. I changed the command_line in the command definition to specify the location of the Perl binary.

    # 'check_asa_l2lvpn' command definition
    define command{
        command_name    check_asa_l2lvpn
        command_line    /usr/bin/perl $USER1$/check_asa_l2lvpn $HOSTADDRESS$ $ARG1$ $ARG2$ $ARG3$
    }

    Thanks to Chris M for the tip.

  • Chuck Says:

    Hi,
    First off, I’m an SNMP newbie. I have had this plugin working wonderfully monitoring a tunnel between a customer’s site and ours. Last night, the tunnel bounced. However, I no longer see the remote IP via an snmpwalk of OID …1.2.3.1.7. Hence, the plugin reports the tunnel as down. The ASA shows the tunnel as up (via ASDM) and it is passing traffic as usual. No changes have been made to the ASA on our side. I don’t have insight into possible changes on the customer’s side.

    Any ideas what could be going on?

    Thanks in advance.

  • Matthew Says:

    OK, I don’t know if I misunderstood something, but I am getting (Service check did not exit properly) when I run it from Nagios. It works great via the command line. Any ideas? I think it has to do with the exit code, but I could be wrong. Thanks in advance for your help.

  • BigMcLargehuge Says:

    I also have this working with a VPN concentrator. Great script…it was just what I was looking for. Saved me a lot of scripting time.

  • VPNTTG Says:

    VPNTTG (VPN Tunnel Traffic Grapher) is software for monitoring Cisco ASA IPSec tunnel traffic.

    The advantage of VPNTTG over other SNMP-based monitoring software is the following: other (commonly used) software works with static OID numbers, i.e. whenever a tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data gathered on the connection is lost each time. VPNTTG, however, works with the VPN peer’s IP address and stores historical monitoring data for each VPN tunnel in a database.

    For more information about VPNTTG please visit http://www.vpnttg.com
