Meraki Access point

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
kalyanpabolu
Posts: 246
Joined: Fri Jul 03, 2020 4:18 am

Meraki Access point

Post by kalyanpabolu »

Hello Team,

We want to monitor Meraki Access point reachability from Meraki cloud. The IP addresses of the access points are dynamic, so we are unable to use a ping check here.

Could you please suggest a way to monitor it?
Like, we may use MAC address if possible.

We have already tried the plugin below, but it is not working for us.
https://exchange.nagios.org/directory/P ... us/details

Thanks in advance!!
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: Meraki Access point

Post by dchurch »

You can use something like an ARP check or something like it to do this. Trouble is, the ARP cache is kind of unreliable as its only use is to translate local IPs <=> MAC addresses. There's no guarantee that when a computer joins the network, your computer's ARP cache will get updated.

I got this working. What you could do is use this check_arp_ping plugin I just whipped up today. How it works is it'll scan your network to refresh the ARP cache, then send a ping to every IP address matching the MAC address you give it.

Another thing you could do -- if your Meraki Access Point supports it -- is to set up an SNMP check. More on SNMP and its role in monitoring in Nagios.
If you didn't get an 8% raise over the course of the pandemic, you took a pay cut.

Discussion of wages is protected speech under the National Labor Relations Act, and no employer can tell you you can't disclose your pay with your fellow employees.
kalyanpabolu
Posts: 246
Joined: Fri Jul 03, 2020 4:18 am

Re: Meraki Access point

Post by kalyanpabolu »

Hello,

We tried to test it for one Access point, but we got the error below:

[root@HO1-NAGIOSXI libexec]# ./check_arp_ping -n 10.4.4.0/24 -w 3000.0,80% -c 5000.0,100% -p 5 0c:8d:db:7b:a6:06
Unable to resolve 0c:8d:db:7b:a6:06 to IP address

Could you please help us to understand how Nagios will create ARP entry for a particular MAC address?
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Meraki Access point

Post by ssax »

It's not Nagios that's doing it, it's the plugin, and your ARP table (on the XI system where this runs) may not have the ARP entry.

After testing the plugin, there is a minor issue: you would need to change this line (line 124) from this:

    nmap -sn -T4 "$NETWORK" >& /dev/null

To this, to make it actually update the ARP table on the XI server properly:

    nmap -sn -T4 --send-ip "$NETWORK" >& /dev/null

That --send-ip option makes it update the ARP table on the local system. Taken from here:

https://forums.centos.org/viewtopic.php?t=1940
kalyanpabolu
Posts: 246
Joined: Fri Jul 03, 2020 4:18 am

Re: Meraki Access point

Post by kalyanpabolu »

Hello,

I have made the changes to the plugin, but I am still getting the same error:

[root@HO1-NAGIOSXI libexec]# ./check_arp_ping -n 10.4.4.0/24 -w 3000.0,80% -c 5000.0,100% -p 5 0c:8d:db:7b:a6:06
Unable to resolve 0c:8d:db:7b:a6:06 to IP address

[root@HO1-NAGIOSXI libexec]#
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: Meraki Access point

Post by dchurch »

What is the output from the following commands?

    ip addr
    /sbin/arp
kalyanpabolu
Posts: 246
Joined: Fri Jul 03, 2020 4:18 am

Re: Meraki Access point

Post by kalyanpabolu »

Hello,

Below is the output:

[root@HO1-NAGIOSXI ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:99:c1:52 brd ff:ff:ff:ff:ff:ff
inet 10.1.0.220/24 brd 10.1.0.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::193:722c:262a:e4cd/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@HO1-NAGIOSXI ~]#
[root@HO1-NAGIOSXI ~]#
[root@HO1-NAGIOSXI ~]#
[root@HO1-NAGIOSXI ~]#
[root@HO1-NAGIOSXI ~]#
[root@HO1-NAGIOSXI ~]#
[root@HO1-NAGIOSXI ~]# /sbin/arp
Address HWtype HWaddress Flags Mask Iface
Moderator's Note: The ARP output with MAC addresses has been shared with the support team but has been removed from the public forum.
[root@HO1-NAGIOSXI ~]#
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: Meraki Access point

Post by dchurch »

kalyanpabolu wrote: ens160: 10.1.0.220/24
kalyanpabolu wrote: [root@HO1-NAGIOSXI libexec]# ./check_arp_ping -n 10.4.4.0/24 -w 3000.0,80% -c 5000.0,100% -p 5 0c:8d:db:7b:a6:06

The Meraki access point doesn't appear to be in the same subnet as the box you're scanning from. As such, there's no possible way to scan by MAC address, as MAC addresses (and ARP) can't transmit across subnets.

I had suggested this plugin based on the assumption that the AP was in the same subnet as the box you're doing the scanning from.

There are a couple of other routes we can try, however.

If there's something unique about the host (e.g. a unique open port, a unique SSH host key), and you know generally what IP range the AP is in (I'll assume you do, and it's 10.4.4.0/24), we can call Nmap to scan for it and run a normal ping check.

If you can run this command and post the entire output, I can whip something up to reliably find the AP on the network and send a ping:

    nmap -Pn -T4 -sC <IP address of Meraki Access Point>

If you know something else about what is unique from a network standpoint about the AP besides its MAC address, let me know.
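
The subnet mismatch described in the post above can be caught before any scan is attempted. The following is an added example, not part of the check_arp_ping plugin or of any post in this thread: a pre-flight check that compares the target network with the monitoring host's interface addresses and returns Nagios UNKNOWN (3) when the target is not directly attached. The function names and the sample `ip` output are constructed for illustration, using the addresses quoted in the thread.

```shell
#!/bin/sh
# Pre-flight check: can ARP resolve MACs in the target network from this host?

# Constructed sample in `ip -o -4 addr show` format, using addresses from the thread.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: ens160    inet 10.1.0.220/24 brd 10.1.0.255 scope global noprefixroute ens160\       valid_lft forever preferred_lft forever'

# ip_to_int A.B.C.D: print the address as a 32-bit integer (runs in a subshell).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_within TARGET LOCAL: succeed when every address in TARGET lies inside LOCAL.
cidr_within() {
    t_ip=${1%/*}; t_len=${1#*/}
    l_ip=${2%/*}; l_len=${2#*/}
    [ "$t_len" -ge "$l_len" ] || return 1
    mask=$(( (4294967295 << (32 - l_len)) & 4294967295 ))
    [ $(( $(ip_to_int "$t_ip") & mask )) -eq $(( $(ip_to_int "$l_ip") & mask )) ]
}

# local_cidrs: read `ip -o -4 addr show` output on stdin, print non-loopback CIDRs.
local_cidrs() {
    awk '$2 != "lo" && $3 == "inet" { print $4 }'
}

# arp_scope_check TARGET_CIDR: interface list on stdin; prints a Nagios-style
# status line and returns 0 (OK) or 3 (UNKNOWN).
arp_scope_check() {
    target=$1
    for cidr in $(local_cidrs); do
        if cidr_within "$target" "$cidr"; then
            echo "OK - $target is on-link via $cidr; ARP lookup by MAC is possible"
            return 0
        fi
    done
    echo "UNKNOWN - $target is not on a directly attached subnet; ARP cannot resolve MACs there"
    return 3
}

# Demo on the constructed sample; on a live host use:
#   ip -o -4 addr show | arp_scope_check 10.4.4.0/24
printf '%s\n' "$SAMPLE_IP_OUTPUT" | arp_scope_check 10.4.4.0/24 || true
```

With the thread's values (host on 10.1.0.220/24, target 10.4.4.0/24) the check reports UNKNOWN, which is a clearer signal than "Unable to resolve ... to IP address" that the lookup fails because of network placement and not because the AP is down.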
kalyanpabolu
Posts: 246
Joined: Fri Jul 03, 2020 4:18 am

Re: Meraki Access point

Post by kalyanpabolu »

Hello,

Below is the output:

[root@HO1-NAGIOSXI ~]# nmap -Pn -T4 -sC 10.4.4.179
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-30 09:34 +04
Nmap scan report for 10.4.4.179
Host is up.
All 1000 scanned ports on 10.4.4.179 are filtered

Nmap done: 1 IP address (1 host up) scanned in 103.36 seconds
[root@HO1-NAGIOSXI ~]#


When we talk about ping check, I think that would not work here because the IPs for Meraki Access points are dynamic.

We need a solution where we can monitor dynamic IPs.
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: Meraki Access point

Post by dchurch »

No TCP ports open makes this thing tricky to fingerprint to locate on the network.

Assuming the AP is actually at 10.4.4.179, and it's reachable from the Nagios XI machine at least for ICMP packets, the only way I can foresee getting this thing monitored is to give the AP a static IP address on the 10.4.4.xxx network -- for example 10.4.4.200 -- and pointing Nagios XI at that specific IP address.

If the Meraki has a setup screen that allows setting a static IP, that's the best route. Otherwise, a DHCP reservation on the 10.4.4.xxx network's DHCP server (usually the router) will do the trick.