Home » Configs » MRTG VPN tunnels Cisco ASA

MRTG VPN tunnels Cisco ASA

mrtg

MRTG VPN tunnels Cisco ASA

MRTG VPN tunnels Cisco ASA

This post was written for ASA 7.X and has likely changed.

Problem: Every time a tunnel disconnects and reconnects, it is a assigned a new OID number, presumably based on something similar to the ifIndex.  This means that I constantly have to remove and re-add tunnels as they drop and reconnect.  It also means that the historical data gathered on the connection is lost each time.

Solution: Use some shell scripting and snmp to determine the proper OID for each peer.

This script runs every 5 minutes from crontab (runs on the mrtg machine)

/opt/Scripts/remote-vpn.sh

#!/bin/sh
# VPN to our remote site
#
#
# Remember to replace Public with your snmp community name and 192.192.192.192 with your Peer IP Address
XYZ=`snmpwalk -v1 -c Public 10.50.100.2 1.3.6.1.4.1.9.9.171.1.2.3.1 |grep 192.192.192.192 | awk -F’.’ ‘{print $10}’ | awk ‘{print $1}’`

# Replace Public with your snmp community name and 10.10.10.1 with your ASA IP Address
snmpget -v1 -c Public 10.10.10.1 1.3.6.1.4.1.9.9.171.1.2.3.1.19.$XYZ | awk ‘{print $4}’ > /tmp/xyz.txt
snmpget -v1 -c Public 10.10.10.1 1.3.6.1.4.1.9.9.171.1.2.3.1.27.$XYZ | awk ‘{print $4}’ >> /tmp/xyz.txt

This is the config you’d need in your mrtg config to check the contents of /tmp/xyz.txt (We have a 45Mb circuit so 47185920 MaxBytes will vary according to your bandwidth)

mrtg.cfg

Crontab

0-59/5 * * * * /opt/Scripts/remote-vpn.sh
0-59/5 * * * * env LANG=C /usr/bin/mrtg /opt/mrtg/mrtg.cfg

This is just my method to work around the dynamic OID assigned in the Cisco ASA (Pix). If you have a better/cleaner method please email me and I’ll post it.

Use at your own risk. As always, please test before telling your boss that you have it working!

Update: It sounds like Cisco has changed some of the way the ASA does VPN, this may or may not work for you, depending on version, but might still be a good starting point.


As an Amazon Associate I earn from qualifying purchases. Read our Privacy Policy for more info.

4 comments

  1. I cant look at your MRTG config. It looks like Dropbox has deleted the content. Anyway can you post it to your site? If its too long I wouldnt mind a copy.

    Thanks!
    NHawkins

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.