Solved: Re: Firepower Anyconnect VPN sessions SNMP monitoring

voipleo · ‎02-11-2020

We're using FTD 2100 with FMC, need to get active RA VPN sessions counter over SNMP.

Information I've found is related to ASA and not suitable for FP.

Can anybody share useful FP OIDs or point to documentation links?

voipleo · ‎02-21-2020

Enabling diagnostic interface it turned out we can use ASA-compatible SNMP mibs.

crasSVCNumSessions = 1.3.6.1.4.1.9.9.392.1.3.35.0 is the counter of RA VPN sessions.

Thanks for help, it was not so obvious from documentation.

View solution in original post

Marvin Rhoads · ‎02-11-2020

Have you tried the ASA OIDs?

Assuming you are SNMP polling the diagnostic interface (not enabled by default), it should be the LINA/ASA code that is responding to your system - not the FTD or FX-OS parts of the system.

voipleo · ‎02-21-2020

Enabling diagnostic interface it turned out we can use ASA-compatible SNMP mibs.

crasSVCNumSessions = 1.3.6.1.4.1.9.9.392.1.3.35.0 is the counter of RA VPN sessions.

Thanks for help, it was not so obvious from documentation.

Marvin Rhoads · ‎02-21-2020

You're welcome - you're right the documentation falls a bit short in this area.

ifdwolf1 · ‎03-23-2020

Is there something you need to enable on the FTD or in FXOS?

I am trying to poll using that OID but all I get is:

SNMPv2-SMI::enterprises.9.9.392.1.3.35.0 = No Such Object available on this agent at this OID

voipleo · ‎03-23-2020

Yes, you need set up in FMC the IP for diagnistic interface which hosts aside management interface and do SNMP to that address.

kapydan88 · ‎05-24-2020

If i understood correctly, i can use this oid for accounting of remote anyconnect users? Is it possible to use it to see in Zabbix accounts of users who are currently connected to anyconnect?

Marvin Rhoads · ‎05-25-2020

Support vareis by platform and version but you may be able to retrieve the usernames from here:

crasUsername

1.3.6.1.4.1.9.9.392.1.3.21.1.1

Reference:

http://www.mibdepot.com/cgi-bin/getmib3.cgi?win=mib_a&r=cisco&f=CISCO-REMOTE-ACCESS-MONITOR-MIB-V1SMI.my&v=v1&t=tree

Rene Mueller · ‎12-15-2020

Hi,

we just replaced our ASA with a FTD 2110 and FMC, so this is completely new for me. I just enabled Diagnostic Interface via FMC with an IP in the same Subnet as the FXOS Management IP. However, I cannot ping it and also SNMP cannot reach it. How can I setup a Default Route for the Diagnostic Interface?

Do I need to import a new MIB file to my Monitoring or can I just use the one I used for ASA?

voipleo · ‎12-16-2020

Hi,

I understand your confusing. Try to look at this thread https://community.cisco.com/t5/network-security/fp-diagnostic-interface-setting-up/td-p/4028172

kapydan88 · ‎12-21-2020

Hello.

Good link, thanks.

Yerlan Kanzadayev · ‎10-28-2022

hi, please tell me how to do it? in zabix and ftd?