ASA Site-to-Site Tunnel Checks

scheema31
Posts: 90
Joined: Wed Jun 06, 2012 1:11 pm

ASA Site-to-Site Tunnel Checks

Post by scheema31 »

Hi,

I would like to monitor my Site-to-Site VPN tunnels; I'm just interested in what the state of the tunnel is (up/down).
We have a Cisco ASA firewall, and it is already being monitored (the state of the ASA itself), so SNMP is already configured.
Please help.
Thanks,
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: ASA Site-to-Site Tunnel Checks

Post by jolson »

I would like to point you to a plugin developed by the community for this purpose:
https://exchange.nagios.org/directory/P ... pn/details

Let me know if it works for you!
Twits Blog
Show me a man who lives alone and has a perpetually clean kitchen, and 8 times out of 9 I'll show you a man with detestable spiritual qualities.
scheema31
Posts: 90
Joined: Wed Jun 06, 2012 1:11 pm

Re: ASA Site-to-Site Tunnel Checks

Post by scheema31 »

Perfect, that looks like exactly what I need!
However, there are no instructions on how to use it, and I'm fairly new to using commands not already in Nagios.

How can I add the plugin to Nagios?
How can I configure the plugin once it is imported into Nagios?

Thanks,
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: ASA Site-to-Site Tunnel Checks

Post by jolson »

Download the plugin and put it in the same directory as your other plugins - typically this is /usr/local/nagios/libexec.

Once the plugin is installed there, we can alter its permissions and run the help command against it:

Create the plugin:

vi /usr/local/nagios/libexec/check_asa_vpn.pl
Permissions:

chmod +x /usr/local/nagios/libexec/check_asa_vpn.pl
Help:

/usr/local/nagios/libexec/check_asa_vpn.pl -help
The help menu returns the following:
Usage:
check_asa_vpn.pl [options] (-help || -?)

Options:
Mandatory:

-H IP address of monitored Cisco ASA device

-C SNMP community

-P IP address of primary VPN peer

Optional:

-N Name of VPN peer

-S IP address of secondary VPN peer
Let me know when you're at this point.
scheema31
Posts: 90
Joined: Wed Jun 06, 2012 1:11 pm

Re: ASA Site-to-Site Tunnel Checks

Post by scheema31 »

Okay, I have installed the plugin.
I ran /usr/local/nagios/libexec/check_asa_vpn.pl -help and, using that, is this what my command should look like?
[root@svhomermon02 ~]# /usr/local/nagios/libexec/check_asa_vpn.pl -H asa interface ip -C community string -P peer IP address

Thanks,
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: ASA Site-to-Site Tunnel Checks

Post by jolson »

Yup! That looks correct to me. You will have to make a command definition, and then you can make a new service definition for your ASA. Let me know if you need help with that.

What I like to do is run the command on the CLI first to verify that it will work:

/usr/local/nagios/libexec/check_asa_vpn.pl -H asa interface ip -C community string -P peer IP address
scheema31
Posts: 90
Joined: Wed Jun 06, 2012 1:11 pm

Re: ASA Site-to-Site Tunnel Checks

Post by scheema31 »

I ran the command on the server and all looks good :)
[root@svhomermon02 ~]# /usr/local/nagios/libexec/check_asa_vpn.pl -H asa interface ip -C community string -P peer IP address
OK! VPN peer peer IP address available.

However, I can't seem to get it to work using a service definition. Here are the steps I took:
1) Created a vpn.cfg file in /usr/local/nagios/etc/objects:
define service{
use Urgent-services
host_name Office-ASA
service_description Active VPN Tunnels
check_command check_asa_vpn.pl!-H asa interface ip -C community string -P peer IP address
}
The host is already created in another .cfg file.
2) Defined the command in command.cfg:
define command{
command_name check_asa_vpn.pl
command_line /usr/local/nagios/libexec/check_asa_vpn.pl
}

3) Defined the vpn.cfg file in nagios.cfg:
cfg_file=/usr/local/nagios/etc/objects/vpn.cfg

4) Restarted Nagios.

Now the check shows in Nagios, but as WARNING.

Can you see if I'm missing something?

Thanks,
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: ASA Site-to-Site Tunnel Checks

Post by ssax »

Change your service to:

define service{
use Urgent-services
host_name Office-ASA
service_description Active VPN Tunnels
check_command check_asa_vpn!COMMUNITY!PEERIP
}
Change your command to:

define command{
command_name check_asa_vpn
command_line $USER1$/check_asa_vpn.pl -H $HOSTADDRESS$ -C $ARG1$ -P $ARG2$
}
scheema31
Posts: 90
Joined: Wed Jun 06, 2012 1:11 pm

Re: ASA Site-to-Site Tunnel Checks

Post by scheema31 »

Thanks ssax, that worked perfectly.
Now I have another tunnel to monitor; however, for this device the community string (unfortunately) ends with a "!" and I think this is messing up my checks. Do you know of a way around this?

Thanks,
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: ASA Site-to-Site Tunnel Checks

Post by ssax »

You would use the resource.cfg file to get around that limitation.

You should be able to edit /usr/local/nagios/etc/resource.cfg and add:

*** Note - If one of the characters you are passing is a special character in the Linux shell (say, for example, a $), you want to escape it with a backslash in your resource.cfg file OR single-quote it in the command.

$USER3$=YOURCOMMUN!TY
Then set your service to be:

define service{
use Urgent-services
host_name Office-ASA2
service_description Active VPN Tunnels 2
check_command check_asa_vpn!$USER3$!PEERIP
}
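As an added example (not from the thread, and not code from the check_asa_vpn.pl plugin), this POSIX sh script emulates how Nagios turns a check_command string into a command line: every "!" is an argument separator, and $ARGn$, $HOSTADDRESS$ and $USERn$ are substituted afterwards. It shows why a community string with a "!" passed inline gets split, and why the $USER3$ macro from resource.cfg survives intact. The libexec path and ASA address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the check_asa_vpn.pl plugin: emulate
# how Nagios builds a command line from check_command, so the effect of a "!"
# inside the SNMP community string is visible without a Nagios install.

# Constructed stand-ins for the configuration discussed in the thread.
USER1_MACRO='/usr/local/nagios/libexec'   # $USER1$ as defined in resource.cfg
USER3_MACRO='YOURCOMMUN!TY'               # the $USER3$=YOURCOMMUN!TY line from resource.cfg
HOSTADDRESS='192.0.2.10'                  # placeholder ASA address (documentation range)
COMMAND_LINE='$USER1$/check_asa_vpn.pl -H $HOSTADDRESS$ -C $ARG1$ -P $ARG2$'

# subst STRING FROM TO: replace every literal occurrence of FROM with TO (POSIX sh).
subst() {
    s="$1"; from="$2"; to="$3"; out=""
    while [ "${s#*"$from"}" != "$s" ]; do     # loop while FROM still occurs
        out="$out${s%%"$from"*}$to"
        s=${s#*"$from"}
    done
    printf '%s' "$out$s"
}

# expand_check_command 'name!arg1!arg2': Nagios treats every "!" as an argument
# separator, then substitutes $ARGn$, $HOSTADDRESS$ and $USERn$ in command_line.
expand_check_command() {
    spec="$1"; arg1=""; arg2=""
    if [ "${spec#*!}" != "$spec" ]; then
        rest=${spec#*!}                    # drop the command name
        arg1=${rest%%!*}                   # first argument ends at the next "!"
        rest=${rest#"$arg1"}; rest=${rest#!}
        arg2=${rest%%!*}                   # anything past a further "!" is lost
    fi
    line=$(subst "$COMMAND_LINE" '$ARG1$' "$arg1")
    line=$(subst "$line" '$ARG2$' "$arg2")
    line=$(subst "$line" '$HOSTADDRESS$' "$HOSTADDRESS")
    line=$(subst "$line" '$USER1$' "$USER1_MACRO")
    line=$(subst "$line" '$USER3$' "$USER3_MACRO")   # macro resolved after splitting
    printf '%s\n' "$line"
}

# Plain community string: works as intended.
expand_check_command 'check_asa_vpn!COMMUNITY!PEERIP'
# Community with "!" passed inline: becomes -C YOURCOMMUN -P TY, the peer IP is dropped.
expand_check_command 'check_asa_vpn!YOURCOMMUN!TY!PEERIP'
# Community referenced via $USER3$: the "!" never reaches the argument splitter.
expand_check_command 'check_asa_vpn!$USER3$!PEERIP'
```

Keeping the community string in resource.cfg also keeps it out of the object configuration files; Nagios documents resource.cfg as the place for such sensitive values so that its file permissions can be restricted to the nagios user.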