Solved: Monitoring ASA IPSec using SNMP

Qays · ‎06-26-2021

Hi

I have ASA 5515 configured with multiple VPNs I want to monitor these VPNs using ZABBIX

I used the SNMPwalk command as shown,

snmpwalk -v3 -l authPriv -u USER -a SHA -A "XXXXXXXXX" -x AES -X "XXXXXXXX" 192.168.15.12 CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunLocalValue

the ASA returns with

CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunLocalValue = No Such Instance currently exists at this OID

while when I tried the same command to another ASA 5515 it works properly

I checked all the SNMP configuration it looks ok

is there any idea about this, please?

Marvin Rhoads · ‎06-27-2021

SNMP MIB support varies across ASA versions and is not well-documented. Give this command a try to check your ASA:

show snmp-server oidlist | i 1.3.6.1.4.1.9.9.392.1.3

Also see my article relating similar experiences with SSL VPN sessions:

https://community.cisco.com/t5/security-documents/prtg-vs-asa/ta-p/4083428

View solution in original post

balaji.bandi · ‎06-26-2021

what is the version of ASA code for both working and not working. Not that i am ware using SNMP you can monitor Multiple tunnels

Instead, why not set up SNMP traps to Syslog and generate events or alerts

or use out of the box any script login to ASA get VPN details and report or generate alert ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Qays · ‎06-29-2021

Hi balaji.bandi

I will try SNMP Traps thanks

Marvin Rhoads · ‎06-27-2021

SNMP MIB support varies across ASA versions and is not well-documented. Give this command a try to check your ASA:

show snmp-server oidlist | i 1.3.6.1.4.1.9.9.392.1.3

Also see my article relating similar experiences with SSL VPN sessions:

https://community.cisco.com/t5/security-documents/prtg-vs-asa/ta-p/4083428

Qays · ‎06-29-2021

Hi Marvin Rhoads

this the output

ASA15# show snmp-server oidlist | i 1.3.6.1.4.1.9.9.392.1.3
[681] 1.3.6.1.4.1.9.9.392.1.3.1. crasNumSessions
[682] 1.3.6.1.4.1.9.9.392.1.3.2. crasNumPrevSessions
[683] 1.3.6.1.4.1.9.9.392.1.3.3. crasNumUsers
[684] 1.3.6.1.4.1.9.9.392.1.3.4. crasNumGroups
[685] 1.3.6.1.4.1.9.9.392.1.3.5. crasGlobalInPkts
[686] 1.3.6.1.4.1.9.9.392.1.3.6. crasGlobalOutPkts
[687] 1.3.6.1.4.1.9.9.392.1.3.7. crasGlobalInOctets
[688] 1.3.6.1.4.1.9.9.392.1.3.8. crasGlobalInDecompOctets
[689] 1.3.6.1.4.1.9.9.392.1.3.9. crasGlobalOutOctets
[690] 1.3.6.1.4.1.9.9.392.1.3.10. crasGlobalOutUncompOctets
[691] 1.3.6.1.4.1.9.9.392.1.3.11. crasGlobalInDropPkts
[692] 1.3.6.1.4.1.9.9.392.1.3.12. crasGlobalOutDropPkts
[693] 1.3.6.1.4.1.9.9.392.1.3.21.1.2. crasGroup
[694] 1.3.6.1.4.1.9.9.392.1.3.21.1.4. crasAuthenMethod
[695] 1.3.6.1.4.1.9.9.392.1.3.21.1.5. crasAuthorMethod
[696] 1.3.6.1.4.1.9.9.392.1.3.21.1.6. crasSessionDuration
[697] 1.3.6.1.4.1.9.9.392.1.3.21.1.7. crasLocalAddressType
[698] 1.3.6.1.4.1.9.9.392.1.3.21.1.8. crasLocalAddress
[699] 1.3.6.1.4.1.9.9.392.1.3.21.1.9. crasISPAddressType
[700] 1.3.6.1.4.1.9.9.392.1.3.21.1.10. crasISPAddress
[701] 1.3.6.1.4.1.9.9.392.1.3.21.1.11. crasSessionProtocol
[702] 1.3.6.1.4.1.9.9.392.1.3.21.1.12. crasProtocolElement
[703] 1.3.6.1.4.1.9.9.392.1.3.21.1.13. crasSessionEncryptionAlgo
[704] 1.3.6.1.4.1.9.9.392.1.3.21.1.14. crasSessionPktAuthenAlgo
[705] 1.3.6.1.4.1.9.9.392.1.3.21.1.15. crasSessionCompressionAlgo
[706] 1.3.6.1.4.1.9.9.392.1.3.21.1.16. crasHeartbeatInterval
[707] 1.3.6.1.4.1.9.9.392.1.3.21.1.17. crasClientVendorString
[708] 1.3.6.1.4.1.9.9.392.1.3.21.1.18. crasClientVersionString
[709] 1.3.6.1.4.1.9.9.392.1.3.21.1.19. crasClientOSVendorString
[710] 1.3.6.1.4.1.9.9.392.1.3.21.1.20. crasClientOSVersionString
[711] 1.3.6.1.4.1.9.9.392.1.3.21.1.21. crasPrimWINSServerAddrType
[712] 1.3.6.1.4.1.9.9.392.1.3.21.1.22. crasPrimWINSServer
[713] 1.3.6.1.4.1.9.9.392.1.3.21.1.23. crasSecWINSServerAddrType
[714] 1.3.6.1.4.1.9.9.392.1.3.21.1.24. crasSecWINSServer
[715] 1.3.6.1.4.1.9.9.392.1.3.21.1.25. crasPrimDNSServerAddrType
[716] 1.3.6.1.4.1.9.9.392.1.3.21.1.26. crasPrimDNSServer
[717] 1.3.6.1.4.1.9.9.392.1.3.21.1.27. crasSecDNSServerAddrType
[718] 1.3.6.1.4.1.9.9.392.1.3.21.1.28. crasSecDNSServer
[719] 1.3.6.1.4.1.9.9.392.1.3.21.1.29. crasDHCPServerAddrType
[720] 1.3.6.1.4.1.9.9.392.1.3.21.1.30. crasDHCPServer
[721] 1.3.6.1.4.1.9.9.392.1.3.21.1.31. crasSessionInPkts
[722] 1.3.6.1.4.1.9.9.392.1.3.21.1.32. crasSessionOutPkts
[723] 1.3.6.1.4.1.9.9.392.1.3.21.1.33. crasSessionInDropPkts
[724] 1.3.6.1.4.1.9.9.392.1.3.21.1.34. crasSessionOutDropPkts
[725] 1.3.6.1.4.1.9.9.392.1.3.21.1.35. crasSessionInOctets
[726] 1.3.6.1.4.1.9.9.392.1.3.21.1.36. crasSessionOutOctets
[727] 1.3.6.1.4.1.9.9.392.1.3.21.1.37. crasSessionState
[728] 1.3.6.1.4.1.9.9.392.1.3.22.1.2. crasActGrNumUsers
[729] 1.3.6.1.4.1.9.9.392.1.3.22.1.3. crasActGrpInPkts
[730] 1.3.6.1.4.1.9.9.392.1.3.22.1.4. crasActGrpOutPkts
[731] 1.3.6.1.4.1.9.9.392.1.3.22.1.5. crasActGrpInDropPkts
[732] 1.3.6.1.4.1.9.9.392.1.3.22.1.6. crasActGrpOutDropPkts
[733] 1.3.6.1.4.1.9.9.392.1.3.22.1.7. crasActGrpInOctets
[734] 1.3.6.1.4.1.9.9.392.1.3.22.1.8. crasActGrpOutOctets
[735] 1.3.6.1.4.1.9.9.392.1.3.26. crasIPSecNumSessions
[736] 1.3.6.1.4.1.9.9.392.1.3.27. crasIPSecCumulateSessions
[737] 1.3.6.1.4.1.9.9.392.1.3.28. crasIPSecPeakConcurrentSessions
[738] 1.3.6.1.4.1.9.9.392.1.3.29. crasL2LNumSessions
[739] 1.3.6.1.4.1.9.9.392.1.3.30. crasL2LCumulateSessions
[740] 1.3.6.1.4.1.9.9.392.1.3.31. crasL2LPeakConcurrentSessions
[741] 1.3.6.1.4.1.9.9.392.1.3.32. crasLBNumSessions
[742] 1.3.6.1.4.1.9.9.392.1.3.33. crasLBCumulateSessions
[743] 1.3.6.1.4.1.9.9.392.1.3.34. crasLBPeakConcurrentSessions
[744] 1.3.6.1.4.1.9.9.392.1.3.35. crasSVCNumSessions
[745] 1.3.6.1.4.1.9.9.392.1.3.36. crasSVCCumulateSessions
[746] 1.3.6.1.4.1.9.9.392.1.3.37. crasSVCPeakConcurrentSessions
[747] 1.3.6.1.4.1.9.9.392.1.3.38. crasWebvpnNumSessions
[748] 1.3.6.1.4.1.9.9.392.1.3.39. crasWebvpnCumulateSessions
[749] 1.3.6.1.4.1.9.9.392.1.3.40. crasWebvpnPeakConcurrentSessions

Thanks

Marvin Rhoads · ‎06-30-2021

So we can see in that output a plethora of available metrics that can be polled for VPN information. Do those not suffice?

Qays · ‎07-04-2021

Hi Marvin Rhoads

Firstly thanks for your response

as clarification, I want to make alarms for specific connections

I tried to use

snmpwalk -v3 -Ir -l authPriv -u USER -a SHA -A "XXXXXXX" -x AES -X "XXXXXXXX" 10.10.10.10 CISCO-REMOTE-ACCESS-MONITOR-MIB::crasSessionState

it gives me all current up sessions but I couldn't check the status for a specific VPN Like what I used with other ASA that support

CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunStatus

when I add the session ID as Shown

snmpwalk -v3 -Ir -l authPriv -u USER -a SHA -A "XXXXXXX" -x AES -X "XXXXXXXX" 11.111.11.1 CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunStatus.9

it gives me the status for that tunnel (9) only.

For this ASA I tried all of CISCO-REMOTE-ACCESS-MONITOR-MIB the most suitable one is

CISCO-REMOTE-ACCESS-MONITOR-MIB::crasSessionState

I tried to add the ID with MIB

snmpwalk -v3 -Ir -l authPriv -u USER -a SHA -A "XXXXXXX" -x AES -X "XXXXXXXX" 10.10.10.10 CISCO-REMOTE-ACCESS-MONITOR-MIB::crasSessionState.202657795

the response comes with:
CISCO-REMOTE-ACCESS-MONITOR-MIB::crasSessionState.202657795: Unknown Object Identifier (Index out of range: 202657795 (crasUsername))

is there any advice for this?

Thanks

Marvin Rhoads · ‎07-04-2021

I checked one of my SolarWinds installations that's monitoring an ASA with remote access VPN. It appears to be getting the remote address of IPsec site-to-site VPNs by polling the following:

crasISPAddress
1.3.6.1.4.1.9.9.392.1.3.21.1.10

I'm not positive how it is correlating that with the statistics it also reports for the same sessions as there doesn't appear to be an index value in that overall MIB section. The ASA is this case is running 9.12(4)18.

Qays · ‎07-05-2021

I think the way that I want to use couldn't work with my ASA, ASA version 9.12(4)24

Thanks, Marvin