Virtual Private Networks (VPNs) offer a way to securely connect different locations that are both connected to the Internet. Internet VPNs are way cheaper than private lines leased from a telco company, but unfortunately they are often much less reliable. Many times, when an Internet VPN "drops", distant offices are no longer able to communicate -- as network administrators, we want to know so we can fix it before our users notice anything!
This post shows one way to monitor site-to-site VPNs configured on a Cisco ASA firewall using SNMP and Nagios.
First, if you're only managing a handful of VPN tunnels on a couple ASAs, it's probably easiest to just enable email notifications in the ASA's ASDM management GUI. Make sure you'll be able to receive the email even when the VPN is down, and be sure to test.
For larger networks, or any network where availability is critical, it makes sense to monitor your systems with some kind of network management tool. I'm a firm believer that most monitoring tools can do a reasonable job, if they are configured correctly. I also believe there is no such thing as a self-configuring monitoring system (autodiscovery is a panacea that hasn't been realized). If you're going to be paging your IT staff about something, it should probably have been configured by a human.
I think open source software is a natural fit for system and infrastructure monitoring, and one well-established option is Nagios. Let me repeat that I really don't have a loyalty to a specific tool; even the most expensive commercial tools take a lot of manual configuration work.
The ASA exposes the list of established site-to-site VPNs via SNMP. You can list the peer IPs of the established tunnels with the command:

snmpwalk -v1 -c YourSNMPCommunity 192.168.1.254 \
1.3.6.1.4.1.9.9.171.1.2.3.1.7

Where YourSNMPCommunity is the community string you configured on the ASA, and 192.168.1.254 is the ASA's IP address. The long dotted-decimal string at the end is the SNMP OID - just a fancy way of representing a specific metric in SNMP. You should see something like this:
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.33942200 = STRING: "10.20.3.1"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.92152968 = STRING: "192.168.44.254"

In this case, there are two site-to-site VPNs up: one to the peer with IP 10.20.3.1 and one to the peer with IP 192.168.44.254. If the peer IP for a configured tunnel isn't listed here, it's down!
I wrote a simple "check" script for Nagios to make it easy to monitor (and receive Nagios alerts on) site-to-site VPN status. You need to install the script in your Nagios libexec directory, add a few lines to your checkcommands.cfg, and then you can monitor site-to-site VPN tunnels on an ASA with just a few arguments: SNMP community string, VPN peer IP address, and an optional friendly name added to Nagios reports.
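As an added illustration of the check logic described above (this is not the post's check_asa_l2lvpn.pl, and the function names are hypothetical), here is the core of a shell Nagios plugin: it pulls the peer IPs out of the snmpwalk output for OID 1.3.6.1.4.1.9.9.171.1.2.3.1.7 and exits OK or CRITICAL depending on whether the configured peer is present. The sample walk output is constructed from the example in the post, and the parser accepts STRING values with or without surrounding quotes, since snmpwalk builds differ on that.

```shell
#!/bin/sh
# Added example, not the post's check_asa_l2lvpn.pl. Evaluates a Cisco ASA
# site-to-site tunnel from the snmpwalk output of OID
# 1.3.6.1.4.1.9.9.171.1.2.3.1.7 (the remote peer IP of each established
# IKE tunnel, as shown in the post). Function names are hypothetical.

# Constructed sample of what snmpwalk prints. A real plugin would run:
#   snmpwalk -v1 -c "$community" "$asa_ip" 1.3.6.1.4.1.9.9.171.1.2.3.1.7
SAMPLE_WALK='SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.33942200 = STRING: "10.20.3.1"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.92152968 = STRING: "192.168.44.254"'

# Print one peer IP per line. The quote is optional so the parser works
# whether or not this build of snmpwalk wraps STRING values in quotes.
peer_ips() {
    printf '%s\n' "$1" | sed -n 's/.*STRING: *"\{0,1\}\([0-9.]*\)"\{0,1\}.*/\1/p'
}

# Nagios plugin semantics: return 0 (OK) when the peer is in the list of
# established tunnels, 2 (CRITICAL) otherwise. grep -x matches the whole
# line, so 10.20.3.1 is not mistaken for a prefix of 10.20.3.10.
# Arguments: walk output, peer IP, optional friendly name for the report.
check_peer() {
    walk_output=$1
    peer=$2
    name=${3:-$peer}
    if peer_ips "$walk_output" | grep -qx "$peer"; then
        echo "OK: VPN $name (peer $peer) is established"
        return 0
    fi
    echo "CRITICAL: VPN $name (peer $peer) is not in the ASA's established tunnels"
    return 2
}

# Stand-alone demonstration against the constructed sample.
check_peer "$SAMPLE_WALK" 10.20.3.1 Branch-A
check_peer "$SAMPLE_WALK" 172.16.9.9 Branch-B || true
```

In a real plugin, replace SAMPLE_WALK with the output of the snmpwalk call shown in the comment and exit with the return code of check_peer so Nagios sees the right state.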
Interested in using it in your environment? Download check_asa_l2lvpn.pl from Monitoring Exchange and give it a try! Don't be shy to ask questions in the comments below!
(Thanks to Diego_3336 for sharing the nice tunnel photo under a Creative Commons license!)

Comments
Works great, Thanks for the script.
This may seem simple, but I am new at this:
I followed all the directions and still can't get this to work.
I am getting the following error
(Return code of 126 is out of bounds - plugin may be missing)
I am not sure on how or where to put in as the arguments for this plugin
I have this configured on the plugin page: -C $SNMP_COMMUNITY$ -IP $ADDRESSES$
and this is on the host monitor tab: -C $SNMP_COMMUNITY$ -IP 204.9.189.252
Can you help?
Hi,
At first I want to say thanks for the check_asa plugin.
But unfortunately I got the problem that, if I run the check manually, it's OK. But if I run it out of Nagios I get the following return:
Current Status:
CRITICAL
(for 0d 0h 6m 24s)
Status Information: (Service check did not exit properly)
Can you help me ?
Best Regards and thanks in advance
Rainer
I think you should leave out the quotation marks around the variable peerip in line 40. Otherwise the comparison will never be positive and all VPNs are marked down.
Rainer,
It sounds as if the path to snmpwalk is not right.
It could be that the user running Nagios does not find snmpwalk, while the user you use to run it manually finds it.
Rainer,
I agree - you may need to do a "which snmpwalk" and edit the script to point to the snmpwalk binary. You might have to install net-snmp if snmpwalk doesn't exist on your computer.
John,
Looks like you're using a GUI to manage your Nagios installation - I'm sorry, but I'm not familiar with how to use that GUI. Perhaps you can try looking at the config files the GUI makes and seeing if they look like the examples in the beginning of the script.
Thomas,
On my servers, snmpwalk returns strings in quotes, so the quotes are essential on line 40. I guess maybe a different version of snmpwalk might return strings without quotes, but this sure works on my servers.
Best, Ned.
I have the same problem as Rainer. I have changed the path in the script to point to the snmpwalk binary. If I run the command from the command line the script runs flawlessly ( ./check_asa_l2lvpn ). We were testing this on an ubuntu server and it worked great. We since moved it to a CentOS 5.3 system and the paths are different to the plugins (/usr/lib/nagios/plugins) and the config files (/etc/nagios). Can you think of anything else I am missing?
-Thanks
I was able to get the script to work. The issue was the difference between the embedded perl binary and actual location. I changed the command definition command_line to define the location of the perl binary.
# 'check_asa_l2lvpn' command definition
define command{
command_name check_asa_l2lvpn
command_line /usr/bin/perl $USER1$/check_asa_l2lvpn $HOSTADDRESS$ $ARG1$ $ARG2$ $ARG3$
}
Thanks to Chris M for the Tip
Hi,
First off, I'm an SNMP newbie. I have had this plugin working wonderfully monitoring a tunnel between a customer's site and ours. Last night, the tunnel bounced. However, I no longer see the remote IP via an snmpwalk of OID ...1.2.3.1.7. Hence, the plugin reports the tunnel as down. The ASA shows the tunnel as up (via ASDM) and it is passing traffic as usual. No changes have been made to the ASA on our side. I don't have insight into possible changes on the customer's side.
Any ideas what could be going on?
Thanks in advance.
OK, I don't know if I misunderstood something, but I am getting (Service check did not exit properly) when I run it from Nagios. It works great via the command line. Any ideas? I think it has to do with the exit code, but I could be wrong. Thanks in advance for your help.
I also have this working with a VPN concentrator. Great script...it was just what I was looking for. Saved me a lot of scripting time.
VPNTTG (VPN Tunnel Traffic Grapher) is software for monitoring Cisco ASA IPSec tunnel traffic.
The advantage of VPNTTG over other SNMP-based monitoring software is the following: other (commonly used) software works with static OID numbers, i.e. whenever a tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data gathered on the connection is lost each time. However, VPNTTG works with the VPN peer's IP address and stores the historical monitoring data for each VPN tunnel in a database.
For more information about VPNTTG please visit www.vpnttg.com
Thank you so much for the script. Saved my day!!
I'm not a big UNIX guy (or scripting for that matter), so I'm not sure what is meant by 'Nagios service definitions'. Trying to get this tool up and running, but not sure how to set this piece of the pie.
Thanks, Jeff
Thanks for the script, but it doesn't work for me.
I can execute it manually like this:
perl check_asa_l2lvpn.pl 192.168.1.210 public 194.1.2.3
But in Nagios, I have this result:
Current status: CRITICAL
Status Information: (null)
The script is in /usr/local/nagios/libexec/
I have entered these parameters in the commands.cfg file:
# 'check_asa_l2lvpn' command definition
define command{
command_name check_asa_l2lvpn
command_line /usr/bin/perl $USER1$/check_asa_l2lvpn $HOSTADDRESS$ $ARG1$ $ARG2$ $ARG3$
}
And this parameter on the ASA.cfg
define host{
use generic-switch ; Inherit default values from a template
host_name ASA ; The name we're giving to this switch
alias ASA ; A longer name associated with the switch
address 192.168.1.254 ; IP address of the switch
hostgroups ASA ; Host groups this switch is associated with
}
define hostgroup{
hostgroup_name ASA ; The name of the hostgroup
alias Cisco ASA ; Long name of the group
}
# Monitor VPN
define service{
use generic-service ; Inherit values from a template
hostgroup_name ASA
service_description VPN site to site PA-TOULOUSE
check_command check_asa_l2lvpn!public!194.1.2.3!PA-TOULOUSE
}
Please help me about this.
Thanks, Thomas
Hi,
I got it to work (on RHEL5, nothing special) by adding this command line to my commands.cfg:
/usr/bin/perl $USER1$/check_asa_l2lvpn.pl $ARG1$ $ARG2$ $ARG3$ $ARG4$
Note that instead of the $HOSTADDRESS$ macro, I just use the $USER1$ macro and then use the IP of the ASA in the service definition.
nice script. it is working perfect. Thanks!
It is a good check but I had to do some editing. I first hard coded SNMP 2c because that is what we use here, and also changed the path to snmpwalk. Finally I changed the regular expression to work with our firewall 8.2.1.15. The check is located at http://matthewkohn.com/check_asa_l2lvpn.
Future updates should do a which and look up the location of snmpwalk, and ask for a version.