...A place where sharing IT monitoring knowledges

Saturday, 27 July 2013

Monitoring Cisco VPN sessions


Cisco Remote Access Servers (or CRAS) are those devices whose mission is allowing users and devices to access to remote networks, mainly -but not limited to- by building Virtual Private Networks (VPN). Cisco ASA firewalls can be classified into this category.

Taking control over the amount of active VPN sessions on a CRAS device is important for various reasons:
  • Checking that the number of sessions doesn't reach the maximum defined by the device
  • Taking fine control on what kind of sessions (eMail, IPSec, LAN to LAN, load balancing, SSL VPN Client and Web VPN) are being stablished
  • Last but not least, and specifically in Cisco ASA devices with Premium licenses, checking that the number of active sessions doesn't reach the maximum defined by the license (that ranges from 10 to 10,000 active sessions)

How to get it

Cisco Remote Access Server devices (and thus Cisco ASA firewalls) publish the session information via SNMP protocol using the ciscoRemoteAccessMonitorMIB MIB, specifically via the crasActivity group OIDs:
  • crasEmailNumSessions (1.3.6.1.4.1.9.9.392.1.3.23) stores active email sessions.
  • crasIPSecNumSessions (1.3.6.1.4.1.9.9.392.1.3.26) stores active IPSec sessions.
  • crasL2LNumSessions (1.3.6.1.4.1.9.9.392.1.3.29) stores active LAN to LAN sessions.
  • crasLBNumSessions (1.3.6.1.4.1.9.9.392.1.3.32) stores active Load Balancing sessions.
  • crasSVCNumSessions (1.3.6.1.4.1.9.9.392.1.3.35) stores active SSL VPN Client sessions.
  • crasWEBVPNNumSessions (1.3.6.1.4.1.9.9.392.1.3.38) stores active Web VPN sessions.
Additionally,  crasMaxSessionsSupportable OID (1.3.6.1.4.1.9.9.392.1.1.1) from the crasCapacity group stores the maximum supportable active sessions.

Polling these OIDs is possible getting info about the active session in both absolute or relative to the maximum supportable by the device. In order to control the number of sessions restriction that the Cisco ASA Premium  licensing sets, it is necessary to sum the VPN client (OID crasSVCNumSessions) and Web VPN (OID crasWEBVPNNumSessions) active sessions and then comparing the result with the number of active VPN users that the ASA license imposes.

Nagios/Icinga/Centreon compatible plugin

You can download a Nagios/Icinga/Centreon Core compatible plugin addressed to monitor the Cisco VPN session via the post Plugin of the month: Check Cisco VPN active sessions.

The plugin can check a list of session types (-t argument) or all if no session types are defined. Also, it can run in absolute mode returning the number of active sessions, or relative mode (argument -p) returning the percent of active sessions when compared with the maximun supportable active sessions. Finally, the plugin can totalize (argument -T) the checked session types for returning a unique active sessions value.

Getting together these features, the plugin can be used:
  • For getting the overall active sessions (not stating any session type will check all sessions) in absolute or relative (using the -p argument) mode. In both cases the -T argument will make the plugin to return the total of sessions instead of returning a value per session type.
  • For getting active sessions per session type by specifying the session types to check (argument -t)
  • For checking the ASA firewall Premium license limits by setting the plugin to check SSL VPN Client and Web VPN active sessions (-t svc -t webvpn) and totalizing (-T) the result.
Here are some usage examples:

check_cisco_cras_sessions -H 192.168.0.12
Checks the number of sessions on a host with address 192.168.0.12 using SNMP protocol version 1 and 'public' as community. Plugin returns always OK.

check_cisco_cras_sessions -H 192.168.0.12 -w 30 -c 50
Similar to the previous example but returning WARNING if the number of sessions of any kind is higher than 30 and CRITICAL if it's higher than 50.

check_cisco_cras_sessions -H 192.168.0.12 -s email -s ipsec -w 30 -c 50
Similar to the previous example but just checking the Email and IPSec sessions.

check_cisco_cras_sessions -H 192.168.0.12 -s email -s ipsec -T -w 30 -c 50
Similar to the previous example but totalizing the sessions, ie, returning WARNING if the sum of email and ipsec sessions is higher than 30 and CRITICAL if it's higher than 50.

check_cisco_cras_sessions -H 192.168.0.12 -p -w 30 -c 50
Sessions of any kind are checked and their total is managed as percent over the device max supportable sessions. Thresholds and results are considered as percent.



8 comments:

  1. I can't find a working link to this plugin. Can anyone provide it for me?

    ReplyDelete
    Replies
    1. Need it ASAP

      Thanx in advance

      Delete
    2. The plugin is now freely shared in the first of a new series of monthly posts in this site: https://monitoringtt.blogspot.com.es/2017/09/plugin-of-month-check-cisco-vpn-active.html

      Delete
  2. I also would like a working link to this plug-in.

    ReplyDelete
    Replies
    1. Do you still need it? I can email you a copy.

      Delete
  3. can you the provide the correct download link

    ReplyDelete

 
Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes