...A place for sharing IT monitoring knowledge

Saturday 27 July 2013

Monitoring Cisco VPN sessions


Cisco Remote Access Servers (or CRAS) are devices whose mission is to allow users and devices to access remote networks, mainly, but not only, by building Virtual Private Networks (VPN). Cisco ASA firewalls fall into this category.

Keeping control over the number of active VPN sessions on a CRAS device is important for several reasons:
  • Checking that the number of sessions doesn't reach the maximum supported by the device
  • Keeping fine-grained control over which kinds of sessions (email, IPSec, LAN to LAN, load balancing, SSL VPN Client and Web VPN) are being established
  • Last but not least, and specifically on Cisco ASA devices with Premium licenses, checking that the number of active sessions doesn't reach the maximum defined by the license (which ranges from 10 to 10,000 active sessions)

How to get it

Cisco Remote Access Server devices (and thus Cisco ASA firewalls) publish session information over SNMP using the ciscoRemoteAccessMonitorMIB MIB, specifically via the crasActivity group OIDs:
  • crasEmailNumSessions (1.3.6.1.4.1.9.9.392.1.3.23) stores active email sessions.
  • crasIPSecNumSessions (1.3.6.1.4.1.9.9.392.1.3.26) stores active IPSec sessions.
  • crasL2LNumSessions (1.3.6.1.4.1.9.9.392.1.3.29) stores active LAN to LAN sessions.
  • crasLBNumSessions (1.3.6.1.4.1.9.9.392.1.3.32) stores active Load Balancing sessions.
  • crasSVCNumSessions (1.3.6.1.4.1.9.9.392.1.3.35) stores active SSL VPN Client sessions.
  • crasWEBVPNNumSessions (1.3.6.1.4.1.9.9.392.1.3.38) stores active Web VPN sessions.
Additionally, the crasMaxSessionsSupportable OID (1.3.6.1.4.1.9.9.392.1.1.1) from the crasCapacity group stores the maximum number of active sessions the device supports.

By polling these OIDs it is possible to obtain the active session counts either as absolute values or relative to the maximum supportable by the device. To keep track of the session limit set by Cisco ASA Premium licensing, it is necessary to sum the SSL VPN client (OID crasSVCNumSessions) and Web VPN (OID crasWEBVPNNumSessions) active sessions and then compare the result with the number of active VPN users that the ASA license allows.

Nagios/Icinga/Centreon compatible plugin

You can download a Nagios/Icinga/Centreon Core compatible plugin intended to monitor Cisco VPN sessions via the post Plugin of the month: Check Cisco VPN active sessions.

The plugin can check a list of session types (-t argument), or all of them if no session type is given. It can also run in absolute mode, returning the number of active sessions, or in relative mode (argument -p), returning the percentage of active sessions compared with the maximum supportable active sessions. Finally, the plugin can totalize (argument -T) the checked session types to return a single active-sessions value.

Putting these features together, the plugin can be used:
  • To get the overall active sessions (not specifying any session type checks all of them) in absolute or relative (-p argument) mode. In both cases the -T argument makes the plugin return the total of sessions instead of one value per session type.
  • To get active sessions per session type by specifying the session types to check (argument -t)
  • To check the ASA firewall Premium license limits by setting the plugin to check SSL VPN Client and Web VPN active sessions (-t svc -t webvpn) and totalizing (-T) the result.
Here are some usage examples:

check_cisco_cras_sessions -H 192.168.0.12
Checks the number of sessions on the host with address 192.168.0.12 using SNMP protocol version 1 and 'public' as the community. Without thresholds the plugin always returns OK.

check_cisco_cras_sessions -H 192.168.0.12 -w 30 -c 50
Similar to the previous example, but returning WARNING if the number of sessions of any kind is higher than 30 and CRITICAL if it is higher than 50.

check_cisco_cras_sessions -H 192.168.0.12 -s email -s ipsec -w 30 -c 50
Similar to the previous example, but checking only the email and IPSec sessions.

check_cisco_cras_sessions -H 192.168.0.12 -s email -s ipsec -T -w 30 -c 50
Similar to the previous example, but totalizing the sessions, i.e. returning WARNING if the sum of email and IPSec sessions is higher than 30 and CRITICAL if it is higher than 50.

check_cisco_cras_sessions -H 192.168.0.12 -p -w 30 -c 50
Sessions of any kind are checked and their total is treated as a percentage of the device's maximum supportable sessions. Thresholds and results are interpreted as percentages.
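The session arithmetic from the SNMP section (summing crasSVCNumSessions and crasWEBVPNNumSessions and comparing against crasMaxSessionsSupportable) together with the plugin's absolute/relative, totalizing and threshold modes, as an added Python example; this is not the plugin from the post. The snmpget helper assumes net-snmp's snmpget is installed, and the SAMPLE values are constructed for offline use.

```python
import subprocess

CRAS = "1.3.6.1.4.1.9.9.392"
SESSION_OIDS = {  # crasActivity group scalars, as listed in the post
    "email": CRAS + ".1.3.23",   # crasEmailNumSessions
    "ipsec": CRAS + ".1.3.26",   # crasIPSecNumSessions
    "l2l": CRAS + ".1.3.29",     # crasL2LNumSessions
    "lb": CRAS + ".1.3.32",      # crasLBNumSessions
    "svc": CRAS + ".1.3.35",     # crasSVCNumSessions
    "webvpn": CRAS + ".1.3.38",  # crasWEBVPNNumSessions
}
MAX_OID = CRAS + ".1.1.1"        # crasMaxSessionsSupportable (crasCapacity group)
STATES = {0: "OK", 1: "WARNING", 2: "CRITICAL", 3: "UNKNOWN"}

def snmpget(host, community, oid):
    """Fetch one scalar with net-snmp's snmpget (SNMPv1; -Oqv prints only the value).
    Scalars are instance .0, so it is appended to the OIDs listed above."""
    out = subprocess.check_output(
        ["snmpget", "-v1", "-c", community, "-Oqv", host, oid + ".0"], text=True)
    return int(out.strip())

def check_sessions(get, types=None, totalize=False, percent=False, warn=None, crit=None):
    """get(oid) -> int. Mirrors the plugin's -t/-T/-p/-w/-c semantics and returns
    (nagios_exit_code, status_line_with_perfdata)."""
    types = types or list(SESSION_OIDS)            # no -t given: check every type
    counts = {t: get(SESSION_OIDS[t]) for t in types}
    if totalize:                                   # -T: one summed value
        counts = {"+".join(types): sum(counts.values())}
    if percent:                                    # -p: relative to device maximum
        maximum = get(MAX_OID)
        if maximum <= 0:
            return 3, "UNKNOWN - crasMaxSessionsSupportable is not positive"
        counts = {k: round(100.0 * v / maximum, 1) for k, v in counts.items()}
    worst = 0
    for v in counts.values():                      # any value over a threshold raises state
        if crit is not None and v > crit:
            worst = 2
        elif warn is not None and v > warn:
            worst = max(worst, 1)
    unit = "%" if percent else ""
    w, c = ("" if warn is None else warn), ("" if crit is None else crit)
    summary = ", ".join(f"{k}={v}{unit}" for k, v in counts.items())
    perf = " ".join(f"'{k}'={v}{unit};{w};{c}" for k, v in counts.items())
    return worst, f"{STATES[worst]} - {summary} | {perf}"

# Constructed sample values standing in for a real snmpget against an ASA.
SAMPLE = {SESSION_OIDS["email"]: 0, SESSION_OIDS["ipsec"]: 12, SESSION_OIDS["l2l"]: 3,
          SESSION_OIDS["lb"]: 0, SESSION_OIDS["svc"]: 40, SESSION_OIDS["webvpn"]: 15,
          MAX_OID: 250}

if __name__ == "__main__":  # license-style check: svc + webvpn, totalized, as percent
    code, line = check_sessions(SAMPLE.get, ["svc", "webvpn"], True, True, 20, 30)
    print(line); raise SystemExit(code)
```

Replace `SAMPLE.get` with `lambda oid: snmpget("192.168.0.12", "public", oid)` to poll a real device.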



8 comments:

  1. I can't find a working link to this plugin. Can anyone provide it for me?
    Replies
    1. Need it ASAP
       Thanks in advance
    2. The plugin is now freely shared in the first of a new series of monthly posts on this site: https://monitoringtt.blogspot.com.es/2017/09/plugin-of-month-check-cisco-vpn-active.html
  2. I also would like a working link to this plug-in.
    Replies
    1. Do you still need it? I can email you a copy.
  3. Can you provide the correct download link?
