Comments on: Monitoring site-to-site VPNs on a Cisco ASA http://www.barkingseal.com/2009/08/monitoring-site-to-site-vpns-on-a-cisco-asa/ Applied Trust off-leash: IT infrastructure, security, and performance Thu, 29 Jul 2010 20:30:05 +0000 hourly 1 http://wordpress.org/?v=3.0 By: GKhamait http://www.barkingseal.com/2009/08/monitoring-site-to-site-vpns-on-a-cisco-asa/comment-page-1/#comment-129 GKhamait Mon, 31 May 2010 14:57:59 +0000 http://www.barkingseal.com/?p=920#comment-129 Thank you so much for the script. Saved my day!! Thank you so much for the script. Saved my day!!

]]> By: VPNTTG http://www.barkingseal.com/2009/08/monitoring-site-to-site-vpns-on-a-cisco-asa/comment-page-1/#comment-107 VPNTTG Wed, 03 Feb 2010 13:00:56 +0000 http://www.barkingseal.com/?p=920#comment-107 VPNTTG (VPN Tunnel Traffic Grapher) is a software for monitoring Cisco ASA IPSec Tunnel traffic. Advantage of VPNTTG over other SNMP based monitoring software's is following: Other (commonly used) software's are working with static OID numbers, i.e. whenever tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data, gathered on the connection, is lost each time. However, VPNTTG works with VPN peer's IP address and it stores for each VPN tunnel historical monitoring data into the Database. For more information about VPNTTG please visit www.vpnttg.com VPNTTG (VPN Tunnel Traffic Grapher) is a software for monitoring Cisco ASA IPSec Tunnel traffic.

Advantage of VPNTTG over other SNMP based monitoring software’s is following: Other (commonly used) software’s are working with static OID numbers, i.e. whenever tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data, gathered on the connection, is lost each time. However, VPNTTG works with VPN peer’s IP address and it stores for each VPN tunnel historical monitoring data into the Database.

For more information about VPNTTG please visit http://www.vpnttg.com

]]> By: BigMcLargehuge http://www.barkingseal.com/2009/08/monitoring-site-to-site-vpns-on-a-cisco-asa/comment-page-1/#comment-101 BigMcLargehuge Thu, 10 Dec 2009 12:01:07 +0000 http://www.barkingseal.com/?p=920#comment-101 I also have this working with a VPN concentrator. Great script...it was just what I was looking for. Saved me a lot of scripting time. I also have this working with a VPN concentrator. Great script…it was just what I was looking for. Saved me a lot of scripting time.

]]> By: Matthew http://www.barkingseal.com/2009/08/monitoring-site-to-site-vpns-on-a-cisco-asa/comment-page-1/#comment-96 Matthew Wed, 11 Nov 2009 22:21:47 +0000 http://www.barkingseal.com/?p=920#comment-96 Ok I don't know if I miss understood something about but i am getting (Service check did not exit properly) when i run it from nagios. works great via command line. Any ideas? I think it has to do with the exit code but i could be wrong. Thanks in advance for your help. Ok I don’t know if I miss understood something about but i am getting (Service check did not exit properly) when i run it from nagios. works great via command line. Any ideas? I think it has to do with the exit code but i could be wrong. Thanks in advance for your help.

]]> By: Chuck http://www.barkingseal.com/2009/08/monitoring-site-to-site-vpns-on-a-cisco-asa/comment-page-1/#comment-91 Chuck Sun, 01 Nov 2009 22:03:14 +0000 http://www.barkingseal.com/?p=920#comment-91 Hi, First off, I'm an SNMP newbie. I have had this plugin working wonderfully monitoring a tunnel between a customer's site and ours. Last night, the tunnel bounced. However, I no longer see the remote IP via an snmpwalk of OID ...1.2.3.1.7. Hence, the plugin reports the tunnel as down. The ASA shows the tunnel as up (via ASDM) and it is passing traffic as usual. No changes have been made to the ASA on our side. I don't have insight into possible changes on the customer's side. An ideas what could be going on? Thanks in advance. Hi,
First off, I’m an SNMP newbie. I have had this plugin working wonderfully monitoring a tunnel between a customer’s site and ours. Last night, the tunnel bounced. However, I no longer see the remote IP via an snmpwalk of OID …1.2.3.1.7. Hence, the plugin reports the tunnel as down. The ASA shows the tunnel as up (via ASDM) and it is passing traffic as usual. No changes have been made to the ASA on our side. I don’t have insight into possible changes on the customer’s side.

An ideas what could be going on?

Thanks in advance.

]]> By: Matt http://www.barkingseal.com/2009/08/monitoring-site-to-site-vpns-on-a-cisco-asa/comment-page-1/#comment-90 Matt Tue, 27 Oct 2009 21:35:03 +0000 http://www.barkingseal.com/?p=920#comment-90 I was able to get the script to work. The issue was the difference between the embedded perl binary and actual location. I changed the command definition command_line to define the location of the perl binary. # 'check_asa_l2lvpn' command definition define command{ command_name check_asa_l2lvpn command_line /usr/bin/perl $USER1$/check_asa_l2lvpn $HOSTADDRESS$ $ARG1$ $ARG2$ $ARG3$ } Thanks to Chris M for the Tip I was able to get the script to work. The issue was the difference between the embedded perl binary and actual location. I changed the command definition command_line to define the location of the perl binary.

# ‘check_asa_l2lvpn’ command definition
define command{
command_name check_asa_l2lvpn
command_line /usr/bin/perl $USER1$/check_asa_l2lvpn $HOSTADDRESS$ $ARG1$ $ARG2$ $ARG3$
}

Thanks to Chris M for the Tip

]]> By: Matt http://www.barkingseal.com/2009/08/monitoring-site-to-site-vpns-on-a-cisco-asa/comment-page-1/#comment-89 Matt Wed, 21 Oct 2009 22:21:11 +0000 http://www.barkingseal.com/?p=920#comment-89 I have the same problem as Rainer. I have changed the path in the script to point to the snmpwalk binary. If I run the command from the command line the script runs flawlessly ( ./check_asa_l2lvpn ). We were testing this on an ubuntu server and it worked great. We since moved it to a CentOS 5.3 system and the paths are different to the plugins (/usr/lib/nagios/plugins) and the config files (/etc/nagios). Can you think of anything else I am missing? -Thanks I have the same problem as Rainer. I have changed the path in the script to point to the snmpwalk binary. If I run the command from the command line the script runs flawlessly ( ./check_asa_l2lvpn ). We were testing this on an ubuntu server and it worked great. We since moved it to a CentOS 5.3 system and the paths are different to the plugins (/usr/lib/nagios/plugins) and the config files (/etc/nagios). Can you think of anything else I am missing?

-Thanks

]]> By: Ned http://www.barkingseal.com/2009/08/monitoring-site-to-site-vpns-on-a-cisco-asa/comment-page-1/#comment-85 Ned Thu, 08 Oct 2009 20:02:54 +0000 http://www.barkingseal.com/?p=920#comment-85 Rainer, I agree - you may need to do a "which snmpwalk" and edit the script to point to the snmpwalk binary. You might have to install net-snmp if snmpwalk doesn't exist on your computer. John, Looks like you're using a GUI to manage your Nagios installation - I'm sorry, but I'm not familiar with how to use that GUI. Perhaps you can try looking at the config files the GUI makes and seeing if they look like the examples in the beginning of the script. Thomas, On my servers, snmpwalk returns strings in quotes, so the quotes are essential on line 40. I guess maybe a different version of snmpwalk might return strings without quotes, but this sure works on my servers. Best, Ned. Rainer,

I agree – you may need to do a “which snmpwalk” and edit the script to point to the snmpwalk binary. You might have to install net-snmp if snmpwalk doesn’t exist on your computer.

John,

Looks like you’re using a GUI to manage your Nagios installation – I’m sorry, but I’m not familiar with how to use that GUI. Perhaps you can try looking at the config files the GUI makes and seeing if they look like the examples in the beginning of the script.

Thomas,

On my servers, snmpwalk returns strings in quotes, so the quotes are essential on line 40. I guess maybe a different version of snmpwalk might return strings without quotes, but this sure works on my servers.

Best, Ned.

]]> By: Farid http://www.barkingseal.com/2009/08/monitoring-site-to-site-vpns-on-a-cisco-asa/comment-page-1/#comment-83 Farid Tue, 06 Oct 2009 21:34:10 +0000 http://www.barkingseal.com/?p=920#comment-83 Rainer, It sounds as if the path to snmpwalk is not right. It could be that the user running Nagios does not find snmpwalk, while the user you use to run it manually finds it. Rainer,
It sounds as if the path to snmpwalk is not right.
It could be that the user running Nagios does not find snmpwalk, while the user you use to run it manually finds it.

]]> By: Thomas http://www.barkingseal.com/2009/08/monitoring-site-to-site-vpns-on-a-cisco-asa/comment-page-1/#comment-79 Thomas Fri, 02 Oct 2009 13:29:50 +0000 http://www.barkingseal.com/?p=920#comment-79 I think you should leave out the quotationmarks around the variable peerip in line 40. Otherwise the comparison will never be positive and all vpns marked down. I think you should leave out the quotationmarks around the variable peerip in line 40. Otherwise the comparison will never be positive and all vpns marked down.

]]>