MRTG VPN tunnels Cisco ASA


This post was written for ASA 7.X, and the behaviour described here has likely changed since.

Problem: Every time a tunnel disconnects and reconnects, it is assigned a new OID number, presumably based on something similar to the ifIndex. This means that I constantly have to remove and re-add tunnels as they drop and reconnect. It also means that the historical data gathered on the connection is lost each time.

Solution: Use some shell scripting and SNMP to determine the proper OID for each peer.

This script runs every 5 minutes from crontab (it runs on the MRTG machine):

/opt/Scripts/remote-vpn.sh

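#!/bin/sh
# VPN to our remote site
#
# Remember to replace Public with your snmp community name and 192.192.192.192 with your Peer IP Address.
# 10.50.100.2 must be an address of the same ASA that the snmpget calls below query;
# the index found here only exists on that device.
# grep -F treats the dots in the peer address literally instead of as regex wildcards.
XYZ=$(snmpwalk -v1 -c Public 10.50.100.2 1.3.6.1.4.1.9.9.171.1.2.3.1 | grep -F '192.192.192.192' | awk -F'.' '{print $10}' | awk '{print $1}')

# Replace Public with your snmp community name and 10.10.10.1 with your ASA IP Address.
# Column 19 becomes the first value MRTG reads from the file, column 27 the second.
snmpget -v1 -c Public 10.10.10.1 1.3.6.1.4.1.9.9.171.1.2.3.1.19.$XYZ | awk '{print $4}' > /tmp/xyz.txt
snmpget -v1 -c Public 10.10.10.1 1.3.6.1.4.1.9.9.171.1.2.3.1.27.$XYZ | awk '{print $4}' >> /tmp/xyz.txt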

This is the config you’d need in your mrtg config to check the contents of /tmp/xyz.txt (we have a 45Mb circuit, hence the MaxBytes of 47185920; yours will vary according to your bandwidth):

mrtg.cfg

Crontab

0-59/5 * * * * /opt/Scripts/remote-vpn.sh
0-59/5 * * * * env LANG=C /usr/bin/mrtg /opt/mrtg/mrtg.cfg

This is just my method to work around the dynamic OID assigned in the Cisco ASA (Pix). If you have a better/cleaner method please email me and I’ll post it.

Use at your own risk. As always, please test before telling your boss that you have it working!

Update: It sounds like Cisco has changed some of the way the ASA does VPN. This may or may not work for you, depending on version, but it might still be a good starting point.
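
A more defensive take on the lookup in remote-vpn.sh, added here as an example and not the author's code: `peer_index` matches the peer address as a whole value and fails when the tunnel is down, and `publish` replaces the output file in a single rename so the MRTG run scheduled in the same minute cannot read a partial file. The function names and the sample walk output are constructed, and the sample assumes the peer address appears as a quoted string value.

```shell
#!/bin/sh
# Added example, not the author's script.
# Constructed sample of snmpwalk output for 1.3.6.1.4.1.9.9.171.1.2.3.1.
# Assumptions: the peer address appears as a quoted STRING value (here in two
# columns for the same tunnel) and the last OID component is the tunnel index.
SAMPLE_WALK='SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.4096 = STRING: "192.192.192.19"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.8193 = STRING: "192.192.192.192"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.9.8193 = STRING: "192.192.192.192"'

# peer_index PEER_IP  (snmpwalk output on stdin)
# Prints the tunnel index for exactly that peer; fails if the tunnel is down
# or if more than one index matches.
peer_index() {
    awk -v peer="$1" '
        {
            split($0, kv, " = ")            # kv[1] = OID, kv[2] = "TYPE: value"
            val = kv[2]
            sub(/^[A-Za-z-]+: /, "", val)   # strip the type tag
            gsub(/"/, "", val)
            if (val != peer) next           # whole-value match, not substring
            n = split(kv[1], oid, ".")
            if (oid[n] ~ /^[0-9]+$/) seen[oid[n]] = 1
        }
        END {
            for (i in seen) { count++; idx = i }
            if (count != 1) exit 1
            print idx
        }'
}

# publish FILE IN_OCTETS OUT_OCTETS
# Accepts only numeric counters and replaces FILE in one rename, so MRTG never
# reads a half-written file and a failed poll leaves the last good values.
publish() {
    for v in "$2" "$3"; do
        case "$v" in ''|*[!0-9]*) return 1 ;; esac
    done
    tmp=$(mktemp "$(dirname "$1")/.vpn.XXXXXX") || return 1
    printf '%s\n%s\n' "$2" "$3" > "$tmp" && mv -f "$tmp" "$1"
}
```

Point `publish` at a directory that only the MRTG user can write rather than /tmp, where a fixed name such as /tmp/xyz.txt can be pre-created by any local user.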


4 comments

  1. I can't look at your MRTG config. It looks like Dropbox has deleted the content. Anyway can you post it to your site? If it's too long I wouldn't mind a copy.

    Thanks!
    NHawkins
