...A place where sharing IT monitoring knowledges

Sunday, 24 September 2017

Plugin Of The Month: Check Cisco VPN active sessions

NOTE: This post covers a Nagios/Icinga/Centreon Core compatible plugin addressed to monitor the VPN sessions open in a Cisco device. If you are interested in the background information that supports the plugin, see the post Monitoring Cisco VPN sessions

Description

check_cisco_cras_sessions is a Nagios/Icinga/Centreon Core compatible plugin for checking the active sessions on a Cisco Remote Access Server (cras) device.

It can check overall or typed sessions supporting email, ipsec, LAN to LAN (l2l), load balancing (lb), SSL VPN Client (svc) and Web VPN sessions. It can also check sessions based on absolute (count) or relative, taking as base the  max sessions supportable by the device. Finally it can totalize (sum) sessions prior to compare against thresholds.

Based on the previous defined capabilities the plugin can be used in different ways:
  • For controlling if a device is reaching its limits by checking all sessions in relative mode, ie, comparing the overall sessions with the max sessions supportable and returning the result as a percent.
  • For controlling if a device is reaching its license limits by checking a given set of session types in a totalized mode (Cisco ASA licensing  restricts the number of SSL VPN Client + Web VPN sessions)
  • Finally for fine controlling sessions by type restricting the type of sessions checked to just one.
check_cisco_cras_sessions is based on fetching session data using SNMP v1/2c, so it's necessary that the device being checkek supported this protocol and served info managed by the ciscoRemoteAccessMonitorMIB MIB.

You can get detailed help and usage examples by running the script with the  --help option.

Usage examples

check_cisco_cras_sessions -H 192.168.0.12
Checks the number of sessions on a host with address 192.168.0.12 using SNMP protocol version 1 and 'public' as community. Plugin returns always OK.

check_cisco_cras_sessions -H 192.168.0.12 -w 30 -c 50
Similar to the previous example but returning WARNING if the number of sessions of any kind is higher than 30 and CRITICAL if it's higher than 50.

check_cisco_cras_sessions -H 192.168.0.12 -s email -s ipsec -w 30 -c 50
Similar to the previous example but just checking the Email and IPSec sessions.

check_cisco_cras_sessions -H 192.168.0.12 -s email -s ipsec -T -w 30 -c 50
Similar to the previous example but totalizing the sessions, ie, returning WARNING if the sum of email and ipsec sessions is higher than 30 and CRITICAL if it's higher than 50.

check_cisco_cras_sessions -H 192.168.0.12 -p -w 30 -c 50
Sessions of any kind are checked and their total is managed as percent over the device max supportable sessions. Thresholds and results are considered as percent.

Download

You can download the latest version of the plugin here.

The development of this plugin, that now is freely released, implies hours of reading technical documentation, programming and testing. I will be more than glad if you support this effort by clicking in some of the interesting advertisements that you can find on this website.

Last but not least, if you find some bug don't hesitate in contacting me for fixing it quickly. Feedback comments are welcome too!

Publicado por
Etiquetas: , ,

6 comments:

  1. jamey.wright10 October 2017 at 21:10

    When I try yo run the script from the LIBEXEC directory, I get several errors. See below:

    [root@localhost libexec]# ./check_cisco_cras_sessions.pl --help
    Bareword "UNKNOWN" not allowed while "strict subs" in use at ./check_cisco_cras_sessions.pl line 251.
    Bareword "OK" not allowed while "strict subs" in use at ./check_cisco_cras_sessions.pl line 360.
    Bareword "OK" not allowed while "strict subs" in use at ./check_cisco_cras_sessions.pl line 356.
    Bareword "UNKNOWN" not allowed while "strict subs" in use at ./check_cisco_cras_sessions.pl line 134.
    Bareword "UNKNOWN" not allowed while "strict subs" in use at ./check_cisco_cras_sessions.pl line 140.
    Execution of ./check_cisco_cras_sessions.pl aborted due to compilation errors.

    ReplyDelete
    Replies
    1. Vicente Gavara18 October 2017 at 09:19

      Thanks for your feedback Jamey. The problem was a reference to the previous name of the Perl library Monitoring::Plugin (that in early versions was called Nagios::Plugins and then changed by copyright matters).

      Now the problem is solved. Again, thanks for the feedback.

      Delete
  2. Robert11 November 2017 at 08:10


    You completed a few fine points there. I did a search on the subject and found nearly all persons will go along with with your blog.
    how to use

    ReplyDelete
  3. upalupa4 June 2018 at 09:56

    I get "Request for data failed" when using MJH Proxy. Have cleared data etc and logged in again. Only works when proxy is disabled and dns4me is enabled

    ReplyDelete
  4. vpnttg6 October 2021 at 21:35



    Check out VPNTTG (VPN Tunnel Traffic Grapher) is a software for monitoring Cisco ASA IPSec Tunnel traffic.

    Advantage of VPNTTG over other SNMP based monitoring software's is following: Other (commonly used) software's are working with static OID numbers, i.e. whenever tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data, gathered on the connection, is lost each time. However, VPNTTG works with VPN peer's IP address and it stores for each VPN tunnel historical monitoring data into the Database.

    For more information about VPNTTG please visit www.vpnttg.com

    ReplyDelete
  5. Wall10126 May 2023 at 19:56

    The best vpn website 在中囯 是中国VPN推荐 and 中国VPN

    ReplyDelete

Subscribe to: Post Comments (Atom)
 
Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes