topic Re: Monitoring ASA IPSec using SNMP in Network Security

Monitoring ASA IPSec using SNMP

Qays — Sun, 27 Jun 2021 00:51:36 GMT

I have ASA 5515 configured with multiple VPNs I want to monitor these VPNs using ZABBIX

I used the SNMPwalk command as shown,

snmpwalk -v3 -l authPriv -u USER -a SHA -A "XXXXXXXXX" -x AES -X "XXXXXXXX" 192.168.15.12 CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunLocalValue

the ASA returns with

CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunLocalValue = No Such Instance currently exists at this OID

while when I tried the same command to another ASA 5515 it works properly

I checked all the SNMP configuration it looks ok

is there any idea about this, please?

Re: Monitoring ASA IPSec using SNMP

balaji.bandi — Sun, 27 Jun 2021 01:57:16 GMT

what is the version of ASA code for both working and not working. Not that i am ware using SNMP you can monitor Multiple tunnels

Instead, why not set up SNMP traps to Syslog and generate events or alerts

or use out of the box any script login to ASA get VPN details and report or generate alert ?

Re: Monitoring ASA IPSec using SNMP

Marvin Rhoads — Mon, 28 Jun 2021 01:47:35 GMT

SNMP MIB support varies across ASA versions and is not well-documented. Give this command a try to check your ASA:

show snmp-server oidlist | i 1.3.6.1.4.1.9.9.392.1.3

Also see my article relating similar experiences with SSL VPN sessions:

https://community.cisco.com/t5/security-documents/prtg-vs-asa/ta-p/4083428

Re: Monitoring ASA IPSec using SNMP

Qays — Tue, 29 Jun 2021 11:52:55 GMT

Hi balaji.bandi

I will try SNMP Traps thanks

Re: Monitoring ASA IPSec using SNMP

Qays — Tue, 29 Jun 2021 11:54:53 GMT

Hi Marvin Rhoads

this the output

ASA15# show snmp-server oidlist | i 1.3.6.1.4.1.9.9.392.1.3
[681] 1.3.6.1.4.1.9.9.392.1.3.1. crasNumSessions
[682] 1.3.6.1.4.1.9.9.392.1.3.2. crasNumPrevSessions
[683] 1.3.6.1.4.1.9.9.392.1.3.3. crasNumUsers
[684] 1.3.6.1.4.1.9.9.392.1.3.4. crasNumGroups
[685] 1.3.6.1.4.1.9.9.392.1.3.5. crasGlobalInPkts
[686] 1.3.6.1.4.1.9.9.392.1.3.6. crasGlobalOutPkts
[687] 1.3.6.1.4.1.9.9.392.1.3.7. crasGlobalInOctets
[688] 1.3.6.1.4.1.9.9.392.1.3.8. crasGlobalInDecompOctets
[689] 1.3.6.1.4.1.9.9.392.1.3.9. crasGlobalOutOctets
[690] 1.3.6.1.4.1.9.9.392.1.3.10. crasGlobalOutUncompOctets
[691] 1.3.6.1.4.1.9.9.392.1.3.11. crasGlobalInDropPkts
[692] 1.3.6.1.4.1.9.9.392.1.3.12. crasGlobalOutDropPkts
[693] 1.3.6.1.4.1.9.9.392.1.3.21.1.2. crasGroup
[694] 1.3.6.1.4.1.9.9.392.1.3.21.1.4. crasAuthenMethod
[695] 1.3.6.1.4.1.9.9.392.1.3.21.1.5. crasAuthorMethod
[696] 1.3.6.1.4.1.9.9.392.1.3.21.1.6. crasSessionDuration
[697] 1.3.6.1.4.1.9.9.392.1.3.21.1.7. crasLocalAddressType
[698] 1.3.6.1.4.1.9.9.392.1.3.21.1.8. crasLocalAddress
[699] 1.3.6.1.4.1.9.9.392.1.3.21.1.9. crasISPAddressType
[700] 1.3.6.1.4.1.9.9.392.1.3.21.1.10. crasISPAddress
[701] 1.3.6.1.4.1.9.9.392.1.3.21.1.11. crasSessionProtocol
[702] 1.3.6.1.4.1.9.9.392.1.3.21.1.12. crasProtocolElement
[703] 1.3.6.1.4.1.9.9.392.1.3.21.1.13. crasSessionEncryptionAlgo
[704] 1.3.6.1.4.1.9.9.392.1.3.21.1.14. crasSessionPktAuthenAlgo
[705] 1.3.6.1.4.1.9.9.392.1.3.21.1.15. crasSessionCompressionAlgo
[706] 1.3.6.1.4.1.9.9.392.1.3.21.1.16. crasHeartbeatInterval
[707] 1.3.6.1.4.1.9.9.392.1.3.21.1.17. crasClientVendorString
[708] 1.3.6.1.4.1.9.9.392.1.3.21.1.18. crasClientVersionString
[709] 1.3.6.1.4.1.9.9.392.1.3.21.1.19. crasClientOSVendorString
[710] 1.3.6.1.4.1.9.9.392.1.3.21.1.20. crasClientOSVersionString
[711] 1.3.6.1.4.1.9.9.392.1.3.21.1.21. crasPrimWINSServerAddrType
[712] 1.3.6.1.4.1.9.9.392.1.3.21.1.22. crasPrimWINSServer
[713] 1.3.6.1.4.1.9.9.392.1.3.21.1.23. crasSecWINSServerAddrType
[714] 1.3.6.1.4.1.9.9.392.1.3.21.1.24. crasSecWINSServer
[715] 1.3.6.1.4.1.9.9.392.1.3.21.1.25. crasPrimDNSServerAddrType
[716] 1.3.6.1.4.1.9.9.392.1.3.21.1.26. crasPrimDNSServer
[717] 1.3.6.1.4.1.9.9.392.1.3.21.1.27. crasSecDNSServerAddrType
[718] 1.3.6.1.4.1.9.9.392.1.3.21.1.28. crasSecDNSServer
[719] 1.3.6.1.4.1.9.9.392.1.3.21.1.29. crasDHCPServerAddrType
[720] 1.3.6.1.4.1.9.9.392.1.3.21.1.30. crasDHCPServer
[721] 1.3.6.1.4.1.9.9.392.1.3.21.1.31. crasSessionInPkts
[722] 1.3.6.1.4.1.9.9.392.1.3.21.1.32. crasSessionOutPkts
[723] 1.3.6.1.4.1.9.9.392.1.3.21.1.33. crasSessionInDropPkts
[724] 1.3.6.1.4.1.9.9.392.1.3.21.1.34. crasSessionOutDropPkts
[725] 1.3.6.1.4.1.9.9.392.1.3.21.1.35. crasSessionInOctets
[726] 1.3.6.1.4.1.9.9.392.1.3.21.1.36. crasSessionOutOctets
[727] 1.3.6.1.4.1.9.9.392.1.3.21.1.37. crasSessionState
[728] 1.3.6.1.4.1.9.9.392.1.3.22.1.2. crasActGrNumUsers
[729] 1.3.6.1.4.1.9.9.392.1.3.22.1.3. crasActGrpInPkts
[730] 1.3.6.1.4.1.9.9.392.1.3.22.1.4. crasActGrpOutPkts
[731] 1.3.6.1.4.1.9.9.392.1.3.22.1.5. crasActGrpInDropPkts
[732] 1.3.6.1.4.1.9.9.392.1.3.22.1.6. crasActGrpOutDropPkts
[733] 1.3.6.1.4.1.9.9.392.1.3.22.1.7. crasActGrpInOctets
[734] 1.3.6.1.4.1.9.9.392.1.3.22.1.8. crasActGrpOutOctets
[735] 1.3.6.1.4.1.9.9.392.1.3.26. crasIPSecNumSessions
[736] 1.3.6.1.4.1.9.9.392.1.3.27. crasIPSecCumulateSessions
[737] 1.3.6.1.4.1.9.9.392.1.3.28. crasIPSecPeakConcurrentSessions
[738] 1.3.6.1.4.1.9.9.392.1.3.29. crasL2LNumSessions
[739] 1.3.6.1.4.1.9.9.392.1.3.30. crasL2LCumulateSessions
[740] 1.3.6.1.4.1.9.9.392.1.3.31. crasL2LPeakConcurrentSessions
[741] 1.3.6.1.4.1.9.9.392.1.3.32. crasLBNumSessions
[742] 1.3.6.1.4.1.9.9.392.1.3.33. crasLBCumulateSessions
[743] 1.3.6.1.4.1.9.9.392.1.3.34. crasLBPeakConcurrentSessions
[744] 1.3.6.1.4.1.9.9.392.1.3.35. crasSVCNumSessions
[745] 1.3.6.1.4.1.9.9.392.1.3.36. crasSVCCumulateSessions
[746] 1.3.6.1.4.1.9.9.392.1.3.37. crasSVCPeakConcurrentSessions
[747] 1.3.6.1.4.1.9.9.392.1.3.38. crasWebvpnNumSessions
[748] 1.3.6.1.4.1.9.9.392.1.3.39. crasWebvpnCumulateSessions
[749] 1.3.6.1.4.1.9.9.392.1.3.40. crasWebvpnPeakConcurrentSessions

Thanks

Re: Monitoring ASA IPSec using SNMP

Marvin Rhoads — Wed, 30 Jun 2021 12:14:47 GMT

So we can see in that output a plethora of available metrics that can be polled for VPN information. Do those not suffice?

Re: Monitoring ASA IPSec using SNMP

Qays — Sun, 04 Jul 2021 12:28:13 GMT

Hi Marvin Rhoads

Firstly thanks for your response

as clarification, I want to make alarms for specific connections

I tried to use

snmpwalk -v3 -Ir -l authPriv -u USER -a SHA -A "XXXXXXX" -x AES -X "XXXXXXXX" 10.10.10.10 CISCO-REMOTE-ACCESS-MONITOR-MIB::crasSessionState

it gives me all current up sessions but I couldn't check the status for a specific VPN Like what I used with other ASA that support

CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunStatus

when I add the session ID as Shown

snmpwalk -v3 -Ir -l authPriv -u USER -a SHA -A "XXXXXXX" -x AES -X "XXXXXXXX" 11.111.11.1 CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunStatus.9

it gives me the status for that tunnel (9) only.

For this ASA I tried all of CISCO-REMOTE-ACCESS-MONITOR-MIB the most suitable one is

CISCO-REMOTE-ACCESS-MONITOR-MIB::crasSessionState

I tried to add the ID with MIB

snmpwalk -v3 -Ir -l authPriv -u USER -a SHA -A "XXXXXXX" -x AES -X "XXXXXXXX" 10.10.10.10 CISCO-REMOTE-ACCESS-MONITOR-MIB::crasSessionState.202657795

the response comes with:
CISCO-REMOTE-ACCESS-MONITOR-MIB::crasSessionState.202657795: Unknown Object Identifier (Index out of range: 202657795 (crasUsername))

is there any advice for this?

Thanks

Re: Monitoring ASA IPSec using SNMP

Marvin Rhoads — Mon, 05 Jul 2021 02:17:47 GMT

I checked one of my SolarWinds installations that's monitoring an ASA with remote access VPN. It appears to be getting the remote address of IPsec site-to-site VPNs by polling the following:

crasISPAddress
1.3.6.1.4.1.9.9.392.1.3.21.1.10

I'm not positive how it is correlating that with the statistics it also reports for the same sessions as there doesn't appear to be an index value in that overall MIB section. The ASA is this case is running 9.12(4)18.

Re: Monitoring ASA IPSec using SNMP

Qays — Mon, 05 Jul 2021 09:25:49 GMT

I think the way that I want to use couldn't work with my ASA, ASA version 9.12(4)24

Thanks, Marvin