...A place for sharing IT monitoring knowledge


Sunday, 24 September 2017

Plugin Of The Month: Check Cisco VPN active sessions

NOTE: This post covers a Nagios/Icinga/Centreon Core compatible plugin intended to monitor the VPN sessions open on a Cisco device. If you are interested in the background information that supports the plugin, see the post Monitoring Cisco VPN sessions

Description

check_cisco_cras_sessions is a Nagios/Icinga/Centreon Core compatible plugin for checking the active sessions on a Cisco Remote Access Server (CRAS) device.

It can check all sessions or only given session types, supporting email, IPSec, LAN to LAN (l2l), load balancing (lb), SSL VPN Client (svc) and Web VPN sessions. It can report sessions either as an absolute count or relative to the maximum number of sessions the device supports (a percentage). Finally, it can totalize (sum) the selected session types before comparing them against the thresholds.

Based on these capabilities the plugin can be used in different ways:
  • To check whether a device is reaching its capacity, by checking all sessions in relative mode, i.e. comparing the overall sessions against the maximum supportable sessions and returning the result as a percentage.
  • To check whether a device is reaching its license limits, by checking a given set of session types in totalized mode (Cisco ASA licensing restricts the number of SSL VPN Client + Web VPN sessions).
  • To keep fine-grained control over sessions by type, by restricting the check to a single session type.
check_cisco_cras_sessions fetches the session data over SNMP v1/2c, so the device being checked must support that protocol and serve the objects of the ciscoRemoteAccessMonitorMIB MIB. Note that SNMP v1/2c community strings travel in cleartext, so use a read-only community and restrict the hosts allowed to query the device to the monitoring server.

You can get detailed help and usage examples by running the script with the  --help option.

Usage examples

check_cisco_cras_sessions -H 192.168.0.12
Checks the number of sessions on the host with address 192.168.0.12 using SNMP protocol version 1 and 'public' as the community. The plugin always returns OK because no thresholds are set.

check_cisco_cras_sessions -H 192.168.0.12 -w 30 -c 50
Similar to the previous example, but returning WARNING if the number of sessions of any kind is higher than 30 and CRITICAL if it's higher than 50.

check_cisco_cras_sessions -H 192.168.0.12 -s email -s ipsec -w 30 -c 50
Similar to the previous example but just checking the Email and IPSec sessions.

check_cisco_cras_sessions -H 192.168.0.12 -s email -s ipsec -T -w 30 -c 50
Similar to the previous example, but totalizing the sessions, i.e. returning WARNING if the sum of email and IPSec sessions is higher than 30 and CRITICAL if it's higher than 50.

check_cisco_cras_sessions -H 192.168.0.12 -p -w 30 -c 50
Sessions of any kind are checked and their total is expressed as a percentage of the device's maximum supportable sessions. Thresholds and results are treated as percentages.

Download

You can download the latest version of the plugin here.

The development of this plugin, which is now freely released, took hours of reading technical documentation, programming and testing. I will be more than glad if you support this effort by clicking on some of the interesting advertisements that you can find on this website.

Last but not least, if you find a bug don't hesitate to contact me so I can fix it quickly. Feedback and comments are welcome too!

Saturday, 27 July 2013

Monitoring Cisco VPN sessions


Cisco Remote Access Servers (or CRAS) are devices whose mission is to allow users and devices to access remote networks, mainly -but not limited to- by building Virtual Private Networks (VPN). Cisco ASA firewalls fall into this category.

Keeping track of the number of active VPN sessions on a CRAS device is important for several reasons:
  • Checking that the number of sessions doesn't reach the maximum supported by the device
  • Keeping fine-grained control over what kind of sessions (email, IPSec, LAN to LAN, load balancing, SSL VPN Client and Web VPN) are being established
  • Last but not least, and specifically on Cisco ASA devices with Premium licenses, checking that the number of active sessions doesn't reach the maximum defined by the license (which ranges from 10 to 10,000 active sessions)

How to get it

Cisco Remote Access Server devices (and thus Cisco ASA firewalls) publish the session information via SNMP using the ciscoRemoteAccessMonitorMIB MIB, specifically via the crasActivity group OIDs:
  • crasEmailNumSessions (1.3.6.1.4.1.9.9.392.1.3.23) stores the active email sessions.
  • crasIPSecNumSessions (1.3.6.1.4.1.9.9.392.1.3.26) stores the active IPSec sessions.
  • crasL2LNumSessions (1.3.6.1.4.1.9.9.392.1.3.29) stores the active LAN to LAN sessions.
  • crasLBNumSessions (1.3.6.1.4.1.9.9.392.1.3.32) stores the active Load Balancing sessions.
  • crasSVCNumSessions (1.3.6.1.4.1.9.9.392.1.3.35) stores the active SSL VPN Client sessions.
  • crasWEBVPNNumSessions (1.3.6.1.4.1.9.9.392.1.3.38) stores the active Web VPN sessions.
Additionally, the crasMaxSessionsSupportable OID (1.3.6.1.4.1.9.9.392.1.1.1) from the crasCapacity group stores the maximum number of active sessions the device supports. All of these objects are scalars, so when polling them with snmpget the instance suffix .0 must be appended (e.g. 1.3.6.1.4.1.9.9.392.1.3.35.0).

By polling these OIDs it is possible to get the active sessions both as an absolute count and relative to the maximum the device supports. To control the session restriction set by Cisco ASA Premium licensing, it is necessary to sum the SSL VPN Client (OID crasSVCNumSessions) and Web VPN (OID crasWEBVPNNumSessions) active sessions and then compare the result with the number of active VPN users the ASA license allows.
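The following script is an added example, not the check_cisco_cras_sessions plugin's own code, showing how the OIDs listed above can be polled with net-snmp's snmpget and how the absolute, totalized and percent modes described in the Plugin of the Month usage examples above translate into a Nagios state. The session-type names, the function names and the sample snmpget output are assumptions made for the example; the output is constructed, not captured from a device, and the "Gauge32:" type label is how net-snmp prints Unsigned32 values when the MIB file is not loaded.

```python
#!/usr/bin/env python3
# Added example (not the check_cisco_cras_sessions plugin's code): poll the
# crasActivity/crasCapacity scalars with net-snmp's snmpget and apply the
# absolute / totalized / percent threshold logic the usage examples describe.
import subprocess

# Scalar OIDs from the ciscoRemoteAccessMonitorMIB (instance .0 is appended when polling).
SESSION_OIDS = {
    "email":  "1.3.6.1.4.1.9.9.392.1.3.23",
    "ipsec":  "1.3.6.1.4.1.9.9.392.1.3.26",
    "l2l":    "1.3.6.1.4.1.9.9.392.1.3.29",
    "lb":     "1.3.6.1.4.1.9.9.392.1.3.32",
    "svc":    "1.3.6.1.4.1.9.9.392.1.3.35",
    "webvpn": "1.3.6.1.4.1.9.9.392.1.3.38",
}
MAX_SESSIONS_OID = "1.3.6.1.4.1.9.9.392.1.1.1"

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def snmpget_command(host, community="public", version="2c"):
    """One snmpget for all seven scalars; -On prints numeric OIDs so parsing
    does not depend on the MIB file being installed on the poller."""
    oids = [oid + ".0" for oid in (*SESSION_OIDS.values(), MAX_SESSIONS_OID)]
    return ["snmpget", "-v", version, "-c", community, "-On", host, *oids]


def parse_snmpget(output):
    """Map numeric OID (instance .0 stripped) -> int from -On output lines such as
    '.1.3.6.1.4.1.9.9.392.1.3.35.0 = Gauge32: 230'. Lines without a 'TYPE: value'
    right-hand side (noSuchObject / noSuchInstance) are ignored."""
    values = {}
    for line in output.splitlines():
        if " = " not in line:
            continue
        oid, rhs = line.split(" = ", 1)
        oid = oid.strip().lstrip(".")
        if oid.endswith(".0"):
            oid = oid[:-2]
        _, sep, num = rhs.partition(":")
        if sep and num.strip().isdigit():
            values[oid] = int(num.strip())
    return values


def session_counts(values):
    """Translate OID -> value into session type -> count, plus crasMaxSessionsSupportable."""
    counts = {name: values[oid] for name, oid in SESSION_OIDS.items() if oid in values}
    return counts, values.get(MAX_SESSIONS_OID)


def evaluate(counts, max_sessions, types=None, totalize=False, percent=False,
             warn=None, crit=None):
    """Return (state, status line, checked values) following the plugin's documented
    behaviour: 'types' selects session types (None = all), 'totalize' sums them first,
    'percent' expresses them relative to crasMaxSessionsSupportable; any checked value
    above 'crit' is CRITICAL, above 'warn' is WARNING, otherwise OK."""
    selected = {k: v for k, v in counts.items() if types is None or k in types}
    if not selected:
        return UNKNOWN, "UNKNOWN - no session data for the requested types", {}
    if percent:
        if not max_sessions:
            return UNKNOWN, "UNKNOWN - crasMaxSessionsSupportable not available", {}
        selected = {k: 100.0 * v / max_sessions for k, v in selected.items()}
    if totalize:
        selected = {"total": sum(selected.values())}
    state = OK
    for v in selected.values():
        if crit is not None and v > crit:
            state = CRITICAL
        elif warn is not None and v > warn:
            state = max(state, WARNING)
    body = " ".join(f"{k}={v:.1f}%" if percent else f"{k}={v}" for k, v in selected.items())
    return state, f"{STATE_NAMES[state]} - {body}", selected


def check(host, community="public", version="2c", **opts):
    """End-to-end check against a live device (needs net-snmp's snmpget on the poller)."""
    proc = subprocess.run(snmpget_command(host, community, version),
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return UNKNOWN, "UNKNOWN - snmpget failed: " + proc.stderr.strip(), {}
    counts, max_sessions = session_counts(parse_snmpget(proc.stdout))
    return evaluate(counts, max_sessions, **opts)


# Constructed sample of snmpget -On output (not captured from a real device).
SAMPLE_OUTPUT = """\
.1.3.6.1.4.1.9.9.392.1.3.23.0 = Gauge32: 20
.1.3.6.1.4.1.9.9.392.1.3.26.0 = Gauge32: 25
.1.3.6.1.4.1.9.9.392.1.3.29.0 = Gauge32: 4
.1.3.6.1.4.1.9.9.392.1.3.32.0 = Gauge32: 0
.1.3.6.1.4.1.9.9.392.1.3.35.0 = Gauge32: 230
.1.3.6.1.4.1.9.9.392.1.3.38.0 = Gauge32: 35
.1.3.6.1.4.1.9.9.392.1.1.1.0 = Gauge32: 750
"""

if __name__ == "__main__":
    import sys
    counts, max_sessions = session_counts(parse_snmpget(SAMPLE_OUTPUT))
    # License-style check: SSL VPN Client + Web VPN, totalized, against an assumed 250-seat limit.
    state, line, _ = evaluate(counts, max_sessions, types=("svc", "webvpn"),
                              totalize=True, warn=200, crit=250)
    print(line)          # CRITICAL - total=265
    sys.exit(state)
```

With the sample data the same counts give different states depending on the mode: email and ipsec checked separately against -w 30 -c 50 are both OK, while totalized (20 + 25 = 45) they are WARNING, and the SSL VPN Client + Web VPN sum (265) trips the assumed 250-seat license limit. Passing the community with -c puts it in the poller's process list, so keep it read-only and limit which hosts the device answers to.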

Nagios/Icinga/Centreon compatible plugin

You can download a Nagios/Icinga/Centreon Core compatible plugin intended to monitor Cisco VPN sessions via the post Plugin of the month: Check Cisco VPN active sessions.

The plugin can check a list of session types (-t argument) or all of them if no session type is given. It can also run in absolute mode, returning the number of active sessions, or in relative mode (argument -p), returning the active sessions as a percentage of the maximum supportable active sessions. Finally, the plugin can totalize (argument -T) the checked session types to return a single active sessions value.

Putting these features together, the plugin can be used:
  • To get the overall active sessions (not stating any session type checks all sessions) in absolute or relative (-p) mode. In both cases the -T argument makes the plugin return the total of sessions instead of one value per session type.
  • To get active sessions per session type by specifying the session types to check (argument -t).
  • To check the ASA firewall Premium license limits by setting the plugin to check SSL VPN Client and Web VPN active sessions (-t svc -t webvpn) and totalizing (-T) the result.
Here are some usage examples:

check_cisco_cras_sessions -H 192.168.0.12
Checks the number of sessions on the host with address 192.168.0.12 using SNMP protocol version 1 and 'public' as the community. The plugin always returns OK because no thresholds are set.

check_cisco_cras_sessions -H 192.168.0.12 -w 30 -c 50
Similar to the previous example, but returning WARNING if the number of sessions of any kind is higher than 30 and CRITICAL if it's higher than 50.

check_cisco_cras_sessions -H 192.168.0.12 -s email -s ipsec -w 30 -c 50
Similar to the previous example but just checking the Email and IPSec sessions.

check_cisco_cras_sessions -H 192.168.0.12 -s email -s ipsec -T -w 30 -c 50
Similar to the previous example, but totalizing the sessions, i.e. returning WARNING if the sum of email and IPSec sessions is higher than 30 and CRITICAL if it's higher than 50.

check_cisco_cras_sessions -H 192.168.0.12 -p -w 30 -c 50
Sessions of any kind are checked and their total is expressed as a percentage of the device's maximum supportable sessions. Thresholds and results are treated as percentages.



 