Welcome to my website


Archive
Four year birthday for my blog
11 August 2009 10:30
It is now four years since I started blogging on this page.

Hope to find more time to post some more.

Tooms @ 11 August 2009 10:30

SSL Anyconnect vpn connection count in MRTG

8 August 2009 22:38
As we are changing from the classic IPsec VPN client to the new SSL AnyConnect client for the users' VPN connections to the firm's Cisco ASA 5510 VPN box, I was trying to get the SNMP value for the number of SSL VPN connections, but it seems that I cannot find it, and from many posts on the Internet it seems to be a bug in some versions where some SNMP OIDs are missing or are displaying the wrong values.
So what to do? I then found one OID for the total count of VPN connections and one OID for IPsec connections, so now I can calculate the SSL connection count by taking Total_VPN_count - IPsec_VPN_count = SSL_VPN_count.
So I have made a small script that does this, and it can be used in MRTG.

Here is the script that pulls the total count and the IPsec count, subtracts them, and returns the value to MRTG.
Change the IP address to that of your ASA.

sslcountfromasa.sh

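#!/bin/sh
#
# Prints the SSL VPN connection count twice (MRTG reads two value lines).
# Change the IP address and community string to match your ASA.
# If your net-snmp defaults to SNMPv3, pass the version and community
# explicitly with -v and -c.

# Total number of VPN connections (empty result is treated as 0)
TOTALVPN=`snmpget -O vq 10.0.0.101 public .1.3.6.1.4.1.9.9.392.1.3.1.0`
TOTALVPN_INT=${TOTALVPN:-0}

# Number of IPsec VPN connections (empty result is treated as 0)
IPSECVPN=`snmpget -O vq 10.0.0.101 public .1.3.6.1.4.1.9.9.171.1.2.1.1.0`
IPSECVPN_INT=${IPSECVPN:-0}

# Use -gt for the numeric comparison: inside [ ] a bare ">" is a shell
# redirection that creates a file named "0" instead of comparing.
if [ "$TOTALVPN_INT" -gt 0 ];
then
        if [ "$IPSECVPN_INT" -gt 0 ];
        then
                # SSL count = total count - IPsec count
                SSLVPN_INT=`expr "$TOTALVPN_INT" - "$IPSECVPN_INT"`
                echo "$SSLVPN_INT"
                echo "$SSLVPN_INT"
        else
                # No IPsec connections: every VPN connection is SSL
                echo "$TOTALVPN_INT"
                echo "$TOTALVPN_INT"
        fi
else
        echo 0
        echo 0
fi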

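Remember to run chmod 777 sslcountfromasa.sh on the script to make it executable. Mode 755 is enough for that; 777 also leaves the script writable by every local user, and MRTG executes it on each poll.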
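
A hardened form of the subtraction step, as an added example that is not part of the original post: it checks that each SNMP reading is a plain integer before doing arithmetic on it, and clamps the result at zero because the two counters come from separate polls. The function names and the sample readings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): validate SNMP readings
# before subtracting them. Function names are hypothetical.

# is_count VALUE: succeed only for a plain non-negative decimal integer.
# Rejects empty strings, agent error text, signs, and leading zeros
# (which $(( )) would otherwise read as octal).
is_count() {
    case "$1" in
        ''|*[!0-9]*|0?*) return 1 ;;
        *) return 0 ;;
    esac
}

# ssl_count TOTAL IPSEC: print TOTAL - IPSEC, never below 0.
# Returns 1 and prints nothing if either reading is not a clean integer.
ssl_count() {
    is_count "$1" && is_count "$2" || return 1
    if [ "$1" -gt "$2" ]; then
        echo $(( $1 - $2 ))
    else
        # The two values are fetched by separate polls, so a session that
        # connects between them can make IPsec exceed the total briefly.
        echo 0
    fi
}

# mrtg_lines TOTAL IPSEC: the two value lines MRTG reads from the script.
# On a bad reading, warn on stderr and fall back to 0 as the post's script does.
mrtg_lines() {
    n=$(ssl_count "$1" "$2") || {
        echo "bad SNMP reading: total='$1' ipsec='$2'" >&2
        n=0
    }
    echo "$n"
    echo "$n"
}

# In sslcountfromasa.sh the arguments would be the two snmpget results:
#   mrtg_lines "$TOTALVPN" "$IPSECVPN"
# Demo on constructed readings (not real ASA output):
mrtg_lines 42 17
```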


Here is my mrtg.cfg file that uses the script; I have included some other nice OIDs.

MRTG.cfg (note that this is only a part of the file and you have to put in the missing parts)


# Display the SSL AnyConnect count
Target[10.0.0.101.SSLvpn.count]: `/usr/local/mrtg-2/bin/sslcountfromasa.sh`
MaxBytes[10.0.0.101.SSLvpn.count]: 250
Options[10.0.0.101.SSLvpn.count]: gauge
Title[10.0.0.101.SSLvpn.count]: 10.0.0.101.SSLvpn.count
PageTop[10.0.0.101.SSLvpn.count]: Number of SSL Anyconnect VPN connections

# Number of connections currently in use by the entire ASA
Target[10.0.0.101.connection.count]: 1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.7&1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6:public@10.0.0.101
MaxBytes[10.0.0.101.connection.count]:  99999999999999999999
Options[10.0.0.101.connection.count]: gauge
Title[10.0.0.101.connection.count]: 10.0.0.101.connection.count
PageTop[10.0.0.101.connection.count]: Total number of connections to the Cisco ASA

# Display the IPsec VPN count
Target[10.0.0.101.IPsec.count]: 1.3.6.1.4.1.9.9.171.1.2.1.1.0&1.3.6.1.4.1.9.9.171.1.2.1.1.0:public@10.0.0.101
MaxBytes[10.0.0.101.IPsec.count]: 250
Options[10.0.0.101.IPsec.count]: gauge
Title[10.0.0.101.IPsec.count]: 10.0.0.101.IPsec.count
PageTop[10.0.0.101.IPsec.count]: Number of IPsec VPN connections

# Display the total vpn count
Target[10.0.0.101.TOTALvpn.count]: 1.3.6.1.4.1.9.9.392.1.3.1.0&1.3.6.1.4.1.9.9.392.1.3.1.0:public@10.0.0.101
MaxBytes[10.0.0.101.TOTALvpn.count]: 250
Options[10.0.0.101.TOTALvpn.count]: gauge
Title[10.0.0.101.TOTALvpn.count]: 10.0.0.101.TOTALvpn.count
PageTop[10.0.0.101.TOTALvpn.count]: Total number of  VPN connections

# Display the CPU load on the ASA
Target[10.0.0.101.CPU.Load]: 1.3.6.1.4.1.9.9.109.1.1.1.1.5.1&1.3.6.1.4.1.9.9.109.1.1.1.1.5.1:public@10.0.0.101
MaxBytes[10.0.0.101.CPU.Load]: 100
Options[10.0.0.101.CPU.Load]: gauge
Title[10.0.0.101.CPU.Load]: 10.0.0.101.CPU.Load
PageTop[10.0.0.101.CPU.Load]: Cisco ASA CPU load

# Display the memory use of the ASA
Target[10.0.0.101.Memory]: 1.3.6.1.4.1.9.9.48.1.1.1.6.1&1.3.6.1.4.1.9.9.48.1.1.1.5.1:public@10.0.0.101
MaxBytes[10.0.0.101.Memory]:  256999999
Options[10.0.0.101.Memory]: gauge
Title[10.0.0.101.Memory]: 10.0.0.101.Memory
PageTop[10.0.0.101.Memory]: Cisco ASA memory use

I have removed some of the HTML from the mrtg.cfg as it messes up the blog post, but if you're using MRTG then you know what is missing.

Hope Cisco gets this right some day, but for now I have to live with the fix.



Tooms @ 8 August 2009 22:38

