Page 1 of 1
Network related stuff for Monitoring
Posted: Thu Nov 12, 2020 6:52 am
by RIDS_I2MP
Hello team,
Can you please confirm if we can able to monitor Site to Site tunnel on Nagios monitoring system. These site to site tunnels are configured on Cisco ASA Firewall (FW3).
We need to find out two things.
1. Monitoring of Site to Site tunnel (they are configure on Cisco ASA firewalls). We can monitor firewall but need to know if tunnels can able to monitor which is configured as a service.
2. If we able to monitor tunnel status then can we able to monitor for data flow if data is flowing through tunnel or not.
Kindly let us know the possibilities of the above points for Nagios XI.
Re: Network related stuff for Monitoring
Posted: Thu Nov 12, 2020 6:04 pm
by ssax
We don't have any official plugins that do this but I found this that may work for you:
https://exchange.nagios.org/directory/P ... pn/details
I'm not sure if this will report on the bandwidth for the tunnels, you can try it:
https://exchange.nagios.org/directory/P ... pl/details
Here are the other ASA ones I found:
https://exchange.nagios.org/index.php?o ... isco%20ASA
Re: Network related stuff for Monitoring
Posted: Wed Dec 30, 2020 8:12 am
by RIDS_I2MP
Hi Team,
While searching for the exact plugin we encountered one plugin named "Cisco ASA VPN Monitoring" which is only compatible with Nagios Log Server. As we are using Nagios XI we cannot use the plugin- Kindly let us know if we can still use the plugin and if yes how exactly we can use it in Nagios XI. Please guide us through entire steps.
If No - can you please suggest us some plugins which works exactly similar to the plugin we mentioned above or similar to that.
Our requirement is that we want to check which VPN are connected to Cisco Firewall , how much data is flowing through it etc which is done by the plugin above.
Re: Network related stuff for Monitoring
Posted: Wed Dec 30, 2020 5:16 pm
by ssax
That is not a plugin, it is a dashboard for Nagios Log Server for parsing logs from an ASA with elasticsearch. You cannot use it with XI because they are incompatible (XI doesn't use elasticsearch).
This plugin looks like it should support most of the metrics you're looking for, you'll need to lab it up and try it out:
Code: Select all
https://exchange.nagios.org/directory/Plugins/Network-Connections,-Stats-and-Bandwidth/check_nwc_health/details
You can set it up by running these commands as root:
Code: Select all
yum install perl-Module-Load -y
cd /tmp
wget https://labs.consol.de/assets/downloads/nagios/check_nwc_health-8.0.tar.gz
tar zxf check_nwc_health-8.0.tar.gz
cd check_nwc_health-8.0
./configure
make all
make install
I haven't been able to find a plugin that supports checking the tunnel bandwidth but you can check the ASAs interfaces/Tunnels/Sessions:
Code: Select all
/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode list-interfaces
/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode vpn-status
/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode vpn-sessions
/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode interface-usage
/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode interface-errors
/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode interface-status
/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode interface-health
/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode vpn-status
/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode vpn-sessions
You can use the
--name to limit what it monitors for each of the checks:
Code: Select all
/usr/local/nagios/libexec/check_nwc_health --hostname X.X.X.X --community 'yourcommunity' --mode vpn-status --name X.X.X.X
You can see what the plugins supports with this command and test from the command line:
Code: Select all
/usr/local/nagios/libexec/check_nwc_health -h
Re: Network related stuff for Monitoring
Posted: Wed Jan 06, 2021 10:34 am
by RIDS_I2MP
Hi Team,
Thankyou for the plugin , when we are giving firewall IP it is giving some count for vpn sessions but we want to get the number of VPN sessions for ( SSL/TLS) like AnyConnect plus IPSEC Tunnel to Tunnel and others(like wireless or web ) in a segregated manner and not as a whole only.
But that functionality was found missing with the help of this plugin.
Kindly let us know any other plugin which shows VPN Sessions and Connected Users in a segregated manner.
PFA for the way we want to get it.
Re: Network related stuff for Monitoring
Posted: Wed Jan 06, 2021 3:58 pm
by ssax
You're limited to the plugins that are available, I do not see anything that do what you are trying to do, you would likely need to write your own to get that data in the format you want.
You can likely get access to the data through polling with SNMP, if you run this command on the ASA it will show you what available OIDs it has:
Then you could monitor the ones you want (we do not know what they are, you'll need to reach out to cisco to get the matching oids for the output that command shows).
Code: Select all
/usr/local/nagios/libexec/check_snmp -H 192.168.223.2 -C 'nagiosprivate' -o 1.3.6.1.4.1.9.9.392.1.3.38.0 -l crasWebvpnNumSessions -o 1.3.6.1.4.1.9.9.392.1.3.39.0 -l crasWebvpnCumulateSessions -o 1.3.6.1.4.1.9.9.392.1.3.40.0 -l crasWebvpnPeakConcurrentSessions