MRTG Graphing VPN tunnels on Cisco ASA 5540
Problem: Every time a tunnel disconnects and reconnects, it is assigned a new OID (a new table index, presumably based on something similar to the ifIndex). This means that I constantly have to remove and re-add tunnels in the MRTG config as they drop and reconnect. It also means that the historical data gathered on the connection is lost each time.
Solution: Use some shell scripting and SNMP to look up the current OID for each peer at poll time, so the MRTG target never has to change.
This script runs every 5 minutes from crontab on the MRTG machine:
/opt/Scripts/remote-vpn.sh

#!/bin/sh
# VPN to our remote site
#
# Remember to replace Public with your SNMP community name and
# 192.192.192.192 with your peer IP address.
# Walk the IPsec tunnel table, keep the row(s) mentioning the peer, and
# take the table index (the tenth dot-separated field of the line, with
# snmpwalk's default output format). Both commands below must query the
# same ASA.
XYZ=$(snmpwalk -v1 -c Public 10.50.100.2 1.3.6.1.4.1.9.9.171.1.2.3.1 \
      | grep 192.192.192.192 | awk -F'.' '{print $10}' | awk '{print $1}')
# Replace Public with your SNMP community name and 10.10.10.1 with your
# ASA IP address. Fetch the two counters (columns 19 and 27) for that
# index and write them where the mrtg Target reads them: first value in,
# second value out.
snmpget -v1 -c Public 10.10.10.1 1.3.6.1.4.1.9.9.171.1.2.3.1.19.$XYZ \
      | awk '{print $4}' > /tmp/xyz.txt
snmpget -v1 -c Public 10.10.10.1 1.3.6.1.4.1.9.9.171.1.2.3.1.27.$XYZ \
      | awk '{print $4}' >> /tmp/xyz.txt
This is the config you'd need in your mrtg.cfg to read the contents of /tmp/xyz.txt. We have a 45Mb circuit, so MaxBytes is 47185920; it will vary according to your bandwidth.
mrtg.cfg

#### VPN Tunnels
# XYZ Columbus, Ohio 192.192.192.192
Target[columbus]: `cat /tmp/xyz.txt`
MaxBytes[columbus]: 47185920
Title[columbus]: XYZ - Columbus, Ohio (Peer: 192.192.192.192)
PageTop[columbus]: <H1>XYZ - Columbus, Ohio (Peer: 192.192.192.192)</H1>
 <TABLE>
 <TR><TD>System:</TD><TD>XYZ - Columbus, Ohio</TD></TR>
 <TR><TD>Description:</TD><TD>VPN to XYZ - Columbus, Ohio (Peer: 192.192.192.192)</TD></TR>
 <TR><TD>ifType:</TD><TD>IPSec VPN Tunnel</TD></TR>
 <TR><TD>Max Speed:</TD><TD>45.0 Mbits/s</TD></TR>
 <TR><TD>Ip:</TD><TD>66.0.41.154</TD></TR>
 </TABLE>
Crontab

0-59/5 * * * * /opt/Scripts/remote-vpn.sh
0-59/5 * * * * env LANG=C /usr/bin/mrtg /opt/mrtg/mrtg.cfg
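As an added example (not the page's own script), here is the same lookup written as shell functions over constructed snmpwalk output, so it runs offline. The index values in the sample, and which table column shows the peer address, are assumptions; the table OID and counter columns 19 and 27 are the ones the page uses. It also covers the case the script above does not: the peer having no tunnel row at poll time.

```shell
#!/bin/sh
# Added example, not the page's script. Resolve the tunnel-table index
# for a peer from snmpwalk output, then read the two counters the page
# polls (columns 19 and 27 of 1.3.6.1.4.1.9.9.171.1.2.3.1).
CIKE_TABLE="1.3.6.1.4.1.9.9.171.1.2.3.1"

# Constructed snmpwalk output: the indexes, and which column shows the peer
# address, are made up for illustration (assumption, not a real ASA).
SAMPLE_WALK='SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.40971 = STRING: "192.192.192.192"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.40972 = STRING: "203.0.113.7"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.9.40971 = STRING: "192.192.192.192"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.19.40971 = Counter32: 12345
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.19.40972 = Counter32: 7
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.27.40971 = Counter32: 67890'

# tunnel_index PEER WALK: print the index of every row mentioning PEER,
# deduplicated. PEER is matched literally (a "." is not a regex wildcard)
# and the index is the last OID component, whatever column it sits in.
tunnel_index() {
    printf '%s\n' "$2" | awk -v peer="$1" '
        index($0, peer) { oid = $1; sub(/.*\./, "", oid); print oid }' |
        sort -u
}

# counter_oids INDEX: the in/out counter OIDs for one tunnel index.
counter_oids() {
    printf '%s.19.%s\n%s.27.%s\n' "$CIKE_TABLE" "$1" "$CIKE_TABLE" "$1"
}

# mrtg_target PEER WALK: print the two counter values as the page's
# script writes them to /tmp/xyz.txt. If PEER has no tunnel (it is down)
# or matches more than one index, print "0 0" and return 1 so MRTG gets
# numbers rather than an empty file and the failure stays visible.
mrtg_target() {
    idx=$(tunnel_index "$1" "$2")
    case "$idx" in
        ""|*[!0-9]*) printf '0\n0\n'; return 1 ;;
    esac
    for oid in $(counter_oids "$idx"); do
        # Look the value up in the walk output instead of running snmpget,
        # so the example works offline; the real script would snmpget it.
        printf '%s\n' "$2" | awk -v oid="$oid" '
            { o = $1; sub(/^[^.]*::enterprises\./, "1.3.6.1.4.1.", o) }
            o == oid { print $NF }'
    done
}
```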
This is just my method to work around the dynamic OID assigned in
the Cisco ASA (Pix). If you have a better/cleaner method please
email me and I'll post it.
Use at your own risk. As always, please test before telling your boss that you have it working!
johnb at unixsamurai dot com