Network related stuff for Monitoring

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
RIDS_I2MP
Posts: 751
Joined: Thu Mar 13, 2014 9:25 am

Network related stuff for Monitoring

Post by RIDS_I2MP »

Hello team,

Can you please confirm whether we are able to monitor a site-to-site tunnel on the Nagios monitoring system? These site-to-site tunnels are configured on a Cisco ASA firewall (FW3).

We need to find out two things.

1. Monitoring of site-to-site tunnels (they are configured on Cisco ASA firewalls). We can monitor the firewall but need to know if tunnels can be monitored, which is configured as a service.
2. If we are able to monitor tunnel status, can we also monitor the data flow, i.e. whether data is flowing through the tunnel or not?


Kindly let us know the possibilities of the above points for Nagios XI.
Thanks & Regards,
I2MP Team.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Network related stuff for Monitoring

Post by ssax »

We don't have any official plugins that do this but I found this that may work for you:

https://exchange.nagios.org/directory/P ... pn/details

I'm not sure if this will report on the bandwidth for the tunnels, you can try it:

https://exchange.nagios.org/directory/P ... pl/details

Here are the other ASA ones I found:

https://exchange.nagios.org/index.php?o ... isco%20ASA
RIDS_I2MP
Posts: 751
Joined: Thu Mar 13, 2014 9:25 am

Re: Network related stuff for Monitoring

Post by RIDS_I2MP »

Hi Team,

While searching for the exact plugin we encountered one plugin named "Cisco ASA VPN Monitoring" which is only compatible with Nagios Log Server. As we are using Nagios XI we cannot use the plugin. Kindly let us know if we can still use the plugin and, if yes, how exactly we can use it in Nagios XI. Please guide us through the entire steps.

If no, can you please suggest some plugins which work exactly like the plugin we mentioned above or similar to it.
Our requirement is that we want to check which VPNs are connected to the Cisco firewall, how much data is flowing through them, etc., which is done by the plugin above.
Thanks & Regards,
I2MP Team.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Network related stuff for Monitoring

Post by ssax »

That is not a plugin, it is a dashboard for Nagios Log Server for parsing logs from an ASA with Elasticsearch. You cannot use it with XI because they are incompatible (XI doesn't use Elasticsearch).

This plugin looks like it should support most of the metrics you're looking for, you'll need to lab it up and try it out:

Code:

https://exchange.nagios.org/directory/Plugins/Network-Connections,-Stats-and-Bandwidth/check_nwc_health/details

You can set it up by running these commands as root:

Code:

# Perl module required by the plugin
yum install perl-Module-Load -y
# Download, unpack and build check_nwc_health 8.0
cd /tmp
wget https://labs.consol.de/assets/downloads/nagios/check_nwc_health-8.0.tar.gz
tar zxf check_nwc_health-8.0.tar.gz
cd check_nwc_health-8.0
./configure
make all
# Install the plugin
make install

I haven't been able to find a plugin that supports checking the tunnel bandwidth but you can check the ASA's interfaces/Tunnels/Sessions:

Code:

/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode list-interfaces
/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode vpn-status
/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode vpn-sessions
/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode interface-usage
/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode interface-errors
/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode interface-status
/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode interface-health

You can use the --name to limit what it monitors for each of the checks:

Code:

/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode vpn-status --name X.X.X.X

You can see what the plugin supports with this command and test from the command line:

Code:

/usr/local/nagios/libexec/check_nwc_health -h
RIDS_I2MP
Posts: 751
Joined: Thu Mar 13, 2014 9:25 am

Re: Network related stuff for Monitoring

Post by RIDS_I2MP »

Hi Team,

Thank you for the plugin. When we give it the firewall IP it gives some count for VPN sessions, but we want to get the number of VPN sessions for (SSL/TLS) like AnyConnect plus IPsec tunnel-to-tunnel and others (like wireless or web) in a segregated manner and not only as a whole.

But that functionality was found to be missing with this plugin.

Kindly let us know any other plugin which shows VPN Sessions and Connected Users in a segregated manner.

Please find attached the way we want to get it.
Thanks & Regards,
I2MP Team.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Network related stuff for Monitoring

Post by ssax »

You're limited to the plugins that are available. I do not see anything that does what you are trying to do; you would likely need to write your own to get that data in the format you want.

You can likely get access to the data through polling with SNMP. If you run this command on the ASA it will show you what available OIDs it has:

Code:

show snmp-server oidlist

Then you could monitor the ones you want (we do not know what they are, you'll need to reach out to Cisco to get the matching OIDs for the output that command shows).

Code:

/usr/local/nagios/libexec/check_snmp -H 192.168.223.2 -C 'nagiosprivate' \
  -o 1.3.6.1.4.1.9.9.392.1.3.38.0 -l crasWebvpnNumSessions \
  -o 1.3.6.1.4.1.9.9.392.1.3.39.0 -l crasWebvpnCumulateSessions \
  -o 1.3.6.1.4.1.9.9.392.1.3.40.0 -l crasWebvpnPeakConcurrentSessions
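
A sketch of the "write your own" route from the last reply, added here as an example and not code from the thread or from Nagios: it turns SNMP readings into one labelled counter each, with Nagios exit codes and perfdata. It assumes input in the form printed by net-snmp's `snmpget -On -Oq` (one "OID value" pair per line); the function names, the thresholds and the sample readings are constructed for illustration, and only the three OIDs from the check_snmp command above are mapped.

```python
"""Nagios-style check: one labelled counter per ASA VPN session OID."""
import sys

# OIDs/labels copied from the check_snmp command in the thread (WebVPN only);
# add further session types once their OIDs are confirmed for your ASA.
OIDS = {
    "1.3.6.1.4.1.9.9.392.1.3.38.0": "crasWebvpnNumSessions",
    "1.3.6.1.4.1.9.9.392.1.3.39.0": "crasWebvpnCumulateSessions",
    "1.3.6.1.4.1.9.9.392.1.3.40.0": "crasWebvpnPeakConcurrentSessions",
}
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

def parse_snmp(text):
    """Parse "<oid> <value>" lines into {label: int}, ignoring anything else."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:  # e.g. "No Such Object ..." error text is skipped
            continue
        label = OIDS.get(parts[0].lstrip("."))
        if label and parts[1].isdigit():
            values[label] = int(parts[1])
    return values

def evaluate(values, warn, crit, gauge="crasWebvpnNumSessions"):
    """Return (exit_code, status_line); thresholds apply to the gauge only."""
    missing = [name for name in OIDS.values() if name not in values]
    if missing:
        return UNKNOWN, "UNKNOWN - no value for " + ", ".join(missing)
    current = values[gauge]
    code = CRITICAL if current >= crit else WARNING if current >= warn else OK
    state = ("OK", "WARNING", "CRITICAL")[code]
    text = ", ".join(f"{name}={values[name]}" for name in OIDS.values())
    perf = " ".join(
        f"{n}={values[n]};{warn};{crit}" if n == gauge else f"{n}={values[n]}"
        for n in OIDS.values())
    return code, f"{state} - {text} | {perf}"

# Constructed sample readings, not captured from a real ASA.
SAMPLE = """.1.3.6.1.4.1.9.9.392.1.3.38.0 12
.1.3.6.1.4.1.9.9.392.1.3.39.0 340
.1.3.6.1.4.1.9.9.392.1.3.40.0 27
"""

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    code, line = evaluate(parse_snmp(data), warn=20, crit=40)
    print(line)
    sys.exit(code)
```

A reading that is missing or non-numeric yields UNKNOWN rather than a silent zero, so an OID the ASA does not expose shows up in Nagios instead of looking like an idle VPN.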