ASA Site-to-Site Tunnel Checks
Posted: Thu Jun 18, 2015 3:14 pm
by scheema31
Hi,
I would like to monitor my Site-to-Site VPN tunnels; I'm just interested in what the state of the tunnel is (up/down).
We have a Cisco ASA firewall; it is already being monitored (the state of the ASA itself), so SNMP is already configured.
Please help.
Thanks,
Re: ASA Site-to-Site Tunnel Checks
Posted: Thu Jun 18, 2015 3:17 pm
by jolson
I would like to point you to a plugin developed by the community for this purpose:
https://exchange.nagios.org/directory/P ... pn/details
Let me know if it works for you!
Re: ASA Site-to-Site Tunnel Checks
Posted: Thu Jun 18, 2015 3:22 pm
by scheema31
Perfect, that looks like exactly what I need!
However, there are no instructions on how to use it; I'm fairly new to using commands not already in Nagios.
How can I add the plugin to Nagios?
How can I configure the plugin once it is imported into Nagios?
Thanks,
Re: ASA Site-to-Site Tunnel Checks
Posted: Thu Jun 18, 2015 3:30 pm
by jolson
Download the plugin and put it in the same directory as your other plugins - typically this is /usr/local/nagios/libexec.
Once the plugin is installed there, we can alter its permissions and run the help command against it:
Create the plugin:
    vi /usr/local/nagios/libexec/check_asa_vpn.pl
Permissions:
    chmod +x /usr/local/nagios/libexec/check_asa_vpn.pl
Help:
    /usr/local/nagios/libexec/check_asa_vpn.pl -help
The help menu returns the following:
Usage:
check_asa_vpn.pl [options] (-help || -?)
Options:
Mandatory:
-H IP address of monitored Cisco ASA device
-C SNMP community
-P IP address of primary VPN peer
Optional:
-N Name of VPN peer
-S IP address of secondary VPN peer
Let me know when you're at this point.
Re: ASA Site-to-Site Tunnel Checks
Posted: Thu Jun 18, 2015 3:42 pm
by scheema31
Okay, I have installed the plugin.
I ran /usr/local/nagios/libexec/check_asa_vpn.pl -help and, using that, is this what my command should look like?
[root@svhomermon02 ~]# /usr/local/nagios/libexec/check_asa_vpn.pl -H asa interface ip -C community string -P peer IP address
Thanks,
Re: ASA Site-to-Site Tunnel Checks
Posted: Thu Jun 18, 2015 3:44 pm
by jolson
Yup! That looks correct to me. You will have to make a command definition, and then you can make a new service definition for your ASA. Let me know if you need help with that.
What I like to do is run the command on the CLI first to verify that it will work:
    /usr/local/nagios/libexec/check_asa_vpn.pl -H asa interface ip -C community string -P peer IP address
Re: ASA Site-to-Site Tunnel Checks
Posted: Thu Jun 18, 2015 5:04 pm
by scheema31
I ran the command on the server and all looks good:
[root@svhomermon02 ~]# /usr/local/nagios/libexec/check_asa_vpn.pl -H asa interface ip -C community string -P peer IP address
OK! VPN peer peer IP address available.
However, I can't seem to get it to work using a service definition; here are the steps I took:
1) created a vpn.cfg file in /usr/local/nagios/etc/objects
    define service{
        use                 Urgent-services
        host_name           Office-ASA
        service_description Active VPN Tunnels
        check_command       check_asa_vpn.pl!-H asa interface ip -C community string -P peer IP address
    }
The host is already created in another .cfg file.
2) defined the command in command.cfg
    define command{
        command_name check_asa_vpn.pl
        command_line /usr/local/nagios/libexec/check_asa_vpn.pl
    }
3) defined the vpn.cfg file in nagios.cfg
cfg_file=/usr/local/nagios/etc/objects/vpn.cfg
4) restarted Nagios
Now the check shows in Nagios, but as WARNING.
Can you see if I'm missing something?
Thanks,
Re: ASA Site-to-Site Tunnel Checks
Posted: Fri Jun 19, 2015 9:56 am
by ssax
Change your service to:
    define service{
        use                 Urgent-services
        host_name           Office-ASA
        service_description Active VPN Tunnels
        check_command       check_asa_vpn!COMMUNITY!PEERIP
    }
Change your command to:
    define command{
        command_name check_asa_vpn
        command_line $USER1$/check_asa_vpn.pl -H $HOSTADDRESS$ -C $ARG1$ -P $ARG2$
    }
Re: ASA Site-to-Site Tunnel Checks
Posted: Fri Jun 19, 2015 12:52 pm
by scheema31
Thanks ssax, that worked perfectly.
Now I have another tunnel to monitor; however, for this device the community string (unfortunately) ends with a "!" and I think this is messing up my checks. Do you know of a way around this?
Thanks,
Re: ASA Site-to-Site Tunnel Checks
Posted: Fri Jun 19, 2015 1:19 pm
by ssax
You would use the resource.cfg file to get around that limitation.
You should be able to edit /usr/local/nagios/etc/resource.cfg and add:
*** Note - If one of the characters you are passing is a special character in the Linux shell (say, for example, a $), you want to escape it with a backslash in your resource.cfg file OR single-quote it in the command.
Then set your service to be:
    define service{
        use                 Urgent-services
        host_name           Office-ASA2
        service_description Active VPN Tunnels 2
        check_command       check_asa_vpn!$USER3$!PEERIP
    }
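To make the mechanism behind ssax's two fixes concrete, here is an added Python simulation of how Nagios builds a plugin command line. It is written for this thread and is neither Nagios code nor the plugin's code; the macro handling is a simplified model of what Nagios does: split check_command on '!' into the command name and $ARG1$, $ARG2$, ..., then substitute $HOSTADDRESS$, the $ARGn$ values and the $USERn$ values from resource.cfg into command_line. The resource.cfg contents, the host address 192.0.2.1, the peer 10.0.0.1 and the community string "public!" are constructed sample values. It walks through three cases: scheema31's original command definition with no $ARGn$ macros (the arguments never reach the plugin), a community string ending in '!' passed inline (the split swallows the '!', so -P receives nothing), and the same string held in $USER3$ (which arrives intact, because user macros are substituted after the split).

```python
"""Simulation of Nagios check_command expansion (added example, not Nagios code).

Nagios splits a service's check_command on '!' into the command name and the
$ARGn$ values, and only then substitutes macros into the command definition's
command_line.  $USERn$ macros come from resource.cfg and are substituted after
the split, which is why a community string ending in '!' survives when it is
held in $USER3$ but is cut short when written inline in check_command.
"""
import re
import shlex

# Constructed sample of a resource.cfg (one $USERn$=value per line).
RESOURCE_CFG = """\
# constructed sample, not a real file
$USER1$=/usr/local/nagios/libexec
$USER3$=public!
"""

# Command definition from ssax's reply.
COMMAND_LINE_FIXED = "$USER1$/check_asa_vpn.pl -H $HOSTADDRESS$ -C $ARG1$ -P $ARG2$"
# scheema31's original command definition: no $ARGn$ macros at all.
COMMAND_LINE_ORIGINAL = "/usr/local/nagios/libexec/check_asa_vpn.pl"

MACRO_RE = re.compile(r"\$[A-Z0-9]+\$")


def parse_resource_cfg(text):
    """Read $USERn$=value lines; blank lines and '#' comments are skipped."""
    macros = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        macros[name.strip()] = value
    return macros


def expand_check_command(check_command, command_line, host_address, user_macros):
    """Return the argv the plugin would receive.

    Macros that were never defined (for example an $ARG2$ that was not
    supplied) expand to an empty string, as they do in Nagios.
    """
    _name, *args = check_command.split("!")          # step 1: split on '!'
    macros = dict(user_macros)
    macros["$HOSTADDRESS$"] = host_address

    def expand(text):
        return MACRO_RE.sub(lambda m: macros.get(m.group(0), ""), text)

    # The arguments themselves may contain macros such as $USER3$.
    for i, arg in enumerate(args, start=1):
        macros[f"$ARG{i}$"] = expand(arg)
    return shlex.split(expand(command_line))          # step 2: substitute


def plugin_options(argv):
    """Pair each -X flag with the value that follows it, as the plugin's
    option parser would; a flag with nothing after it gets ''."""
    opts = {}
    it = iter(argv[1:])
    for flag in it:
        opts[flag] = next(it, "")
    return opts


if __name__ == "__main__":
    users = parse_resource_cfg(RESOURCE_CFG)
    cases = {
        "original command_line (no $ARGn$)": (
            "check_asa_vpn.pl!-H 192.0.2.1 -C public -P 10.0.0.1",
            COMMAND_LINE_ORIGINAL),
        "inline community ending in '!'": (
            "check_asa_vpn!public!!10.0.0.1", COMMAND_LINE_FIXED),
        "community held in $USER3$": (
            "check_asa_vpn!$USER3$!10.0.0.1", COMMAND_LINE_FIXED),
    }
    for label, (check_cmd, cmd_line) in cases.items():
        argv = expand_check_command(check_cmd, cmd_line, "192.0.2.1", users)
        print(f"{label}: {plugin_options(argv)}")
```

Running it prints the parsed -H/-C/-P options for each case: an empty dict for the original definition, a truncated community and an empty -P for the inline string, and the full values only when the string comes from $USER3$. The shell-escaping note above still applies on a real system because Nagios hands the finished command_line to a shell; shlex.split in this simulation only tokenises and does not perform that expansion.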