cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
30819
Views
0
Helpful
24
Comments
puseth
Level 1
Level 1

 

If we are looking to get the username/ip/tunnel-group of the cisco ipsec ra vpn users connected to the ASA using SNMP

 

then we need to use this MIB "CISCO-REMOTE-ACCESS-MONITOR-MIB".

 

 

crasUsername (1.3.6.1.4.1.9.9.392.1.3.21.1.1) is the OID that can be used to fetch the username.

 

But if we closely check our ASA we don’t have any such OID in the built-in database of the ASA.

 

ASA-5510-8x(config)# sh snmp-server oidlist | in crasU

 

So we don’t have

1.3.6.1.4.1.9.9.392.1.3.21.1.1(crasUsername).

 

 

But if we explore this OID tree on the ASA, then we have a other OID’s which can fetch information about the VPN clients connected to the ASA.

 

 

1.3.6.1.4.1.9.9.392.1.3.21.1.2.          crasGroup

1.3.6.1.4.1.9.9.392.1.3.21.1.4.          crasAuthenMethod

1.3.6.1.4.1.9.9.392.1.3.21.1.5.          crasAuthorMethod

1.3.6.1.4.1.9.9.392.1.3.21.1.6.          crasSessionDuration

1.3.6.1.4.1.9.9.392.1.3.21.1.7.          crasLocalAddressType

1.3.6.1.4.1.9.9.392.1.3.21.1.8.          crasLocalAddress

1.3.6.1.4.1.9.9.392.1.3.21.1.9.          crasISPAddressType

1.3.6.1.4.1.9.9.392.1.3.21.1.10.        crasISPAddress

1.3.6.1.4.1.9.9.392.1.3.21.1.11.        crasSessionProtocol

1.3.6.1.4.1.9.9.392.1.3.21.1.12.        crasProtocolElement

1.3.6.1.4.1.9.9.392.1.3.21.1.13.        crasSessionEncryptionAlgo

1.3.6.1.4.1.9.9.392.1.3.21.1.14.        crasSessionPktAuthenAlgo

1.3.6.1.4.1.9.9.392.1.3.21.1.15.        crasSessionCompressionAlgo

1.3.6.1.4.1.9.9.392.1.3.21.1.16.        crasHeartbeatInterval

1.3.6.1.4.1.9.9.392.1.3.21.1.17.        crasClientVendorString

1.3.6.1.4.1.9.9.392.1.3.21.1.18.        crasClientVersionString

1.3.6.1.4.1.9.9.392.1.3.21.1.19.        crasClientOSVendorString

1.3.6.1.4.1.9.9.392.1.3.21.1.20.        crasClientOSVersionString

1.3.6.1.4.1.9.9.392.1.3.21.1.21.        crasPrimWINSServerAddrType

1.3.6.1.4.1.9.9.392.1.3.21.1.22.        crasPrimWINSServer

1.3.6.1.4.1.9.9.392.1.3.21.1.23.        crasSecWINSServerAddrType

1.3.6.1.4.1.9.9.392.1.3.21.1.24.        crasSecWINSServer

1.3.6.1.4.1.9.9.392.1.3.21.1.25.        crasPrimDNSServerAddrType

1.3.6.1.4.1.9.9.392.1.3.21.1.26.        crasPrimDNSServer

1.3.6.1.4.1.9.9.392.1.3.21.1.27.        crasSecDNSServerAddrType

1.3.6.1.4.1.9.9.392.1.3.21.1.28.        crasSecDNSServer

1.3.6.1.4.1.9.9.392.1.3.21.1.29.        crasDHCPServerAddrType

1.3.6.1.4.1.9.9.392.1.3.21.1.30.        crasDHCPServer

1.3.6.1.4.1.9.9.392.1.3.21.1.31.        crasSessionInPkts

1.3.6.1.4.1.9.9.392.1.3.21.1.32.        crasSessionOutPkts

1.3.6.1.4.1.9.9.392.1.3.21.1.33.        crasSessionInDropPkts

1.3.6.1.4.1.9.9.392.1.3.21.1.34.        crasSessionOutDropPkts

1.3.6.1.4.1.9.9.392.1.3.21.1.35.        crasSessionInOctets

1.3.6.1.4.1.9.9.392.1.3.21.1.36.        crasSessionOutOctets

1.3.6.1.4.1.9.9.392.1.3.21.1.37.        crasSessionState

 

 

 

ASA as of now doesn’t provides us the username of the VPN user in *clear text* and we have couple of bugs filed for it.

 

 

One of them being

 

CSCtc36391    ASA snmp object crasUsername should be readable

 

 

But we can follow this to get other useful information

 

 

 

snmpwalk.exe -c public -v 2c 192.168.16.xx "1.3.6.1.4.1.9.9.392.1.3.21.1.2"

 

SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.2.8.97.115.116.114.105.112.97.116.290817 = STRING: "puneet"

 

 

This tells us the name of "tunnel-group" and the "username" used to connect to the ASA.

 

 

In this output “puneet” is the name of the tunnel-group.

 
Now we need to Convert name from ASCII based indexing

 

 

 

 

9.9.392.1.3.21.1.2.8.97.115.116.114.105.112.97.116.290817

                                     a      s      t      r     i       p      a      t

 

 

 
ASCII translation:

 

  97 = a

115 = s

116 = t

114 = r

105 = i

112 = p

  97 = a

116 = t

 

 

Check the hex to character table at this website

http://www.asciitable.com/

 

 

Compare this with the simultaneous output from the ASA

 

 

ASA-5510-8x(config)# sh vpn-sessiondb remote

Session Type: IPsec

Username     : astripat               Index        : 71

Assigned IP  : 3.3.3.5                Public IP    : 10.78.167.32

Protocol     : IKE IPsec

License      : IPsec

Encryption   : 3DES                   Hashing      : MD5 SHA1

Bytes Tx     : 0                           Bytes Rx     : 0

Group Policy : puneet                Tunnel Group : puneet

Login Time   : 12:43:47 MST Thu Jan 14 1993

Duration     : 0h:22m:28s

NAC Result   : Unknown

VLAN Mapping : N/A                    VLAN         : none

 

 

These OID's can give us some more information

 

 

Client's local ip address (crasISPAddress)

****************************************

snmpwalk.exe -c public -v 2c 192.168.16.xx 1.3.6.1.4.1.9.9.392.1.3.21.1.10

SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.10.8.97.115.116.114.105.112.97.116.290817 = STRING: "10.78.167.32"

 

 

IP address assigned to the vpn client(crasLocalAddress)

********************************************************

snmpwalk.exe -c public -v 2c 192.168.16.xx 1.3.6.1.4.1.9.9.392.1.3.21.1.8

SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.8.8.97.115.116.114.105.112.97.116.290817 = STRING: "3.3.3.5"

 

 

Another example:-

 

 

snmpwalk.exe -c public -v 2c 192.168.16.xx 1.3.6.1.4.1.9.9.392.1.3.21.1.2

 

SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.2.6.103.97.117.114.97.118.90113 =STRING: "puneet"

 

 

9.9.392.1.3.21.1.2.6.103.97.117.114.97.118.81921

                                     g      a      u      r     a     v 

 
ASCII translation:

 

103 = g

97  = a

117 = u

114 = r

97 =  a

118 = v

 

 

Compare this with the simultaneous output from the ASA

 

 

ASA-5510-8x# sh vpn-sessiondb remote

 

Session Type: IPsec

 

Username     : gaurav                 Index        : 22

Assigned IP  : 3.3.3.3                Public IP    : 10.78.167.68

Protocol     : IKE IPsec

License      : IPsec

Encryption   : 3DES                   Hashing      : SHA1

Bytes Tx     : 0                           Bytes Rx     : 0

Group Policy : puneet                 Tunnel Group : puneet

Login Time   : 17:13:51 MST Sat Jan 2 1993

Duration     : 0h:03m:11s

NAC Result   : Unknown

VLAN Mapping : N/A                    VLAN         : none

 

 

Scenario 2:

Problem:

User is trying to add one of our 5525-X into our solarwinds orion. just wanted to know if temperature OID is supported? i tried to list "resources" for the ASA but it's only giving me CPU, memory, interfaces, etc. but there's no option to monitor its temperature.

 

 

Solution:


Try under "CISCO-FIREWALL-MIB" and OID:- 1.3.6.1.4.1.9.9.147.1.2.1.1 or 1.3.6.1.4.1.9.9.147.1.2.1.1.1.3.{cfwHardwareStatusValue}

 

-Puneet Seth

Comments
senthil085
Level 1
Level 1

Hi Puneet,

I appreciate your effort in explaining. It is of much useful.

-Cheers-

Senthil

cchoy
Community Member

Hi,

I have 1 tunnel group and multiple group policies that we use to assign multiple IP local pools (for various reasons).  I see in the example above that you are able to query the SNMP agent by tunnel group name to get the session count. 

I need a way to get the number of sessions per IP local pool so I can monitor the data over time to ensure that a pool is not running short on available addresses.

Is there a way to query the agent for group policy name, and have it return an integer of current active svc sessions assigned to that group policy?

Or is there a way to have the agent count the number of IP addresses in active use for an IP pool name and return an integer?

Many thanks.

probertsyork
Level 1
Level 1

Hi Puneet,

Very useful! Is there a way to do the same via CLI?

puseth
Level 1
Level 1

Hi Paul,

Sorry i didnt get your question.

What would you like to do via CLI?

Puneet

puseth
Level 1
Level 1

Hi cchoy,

Can you paste the VPN part of your configuration and i can try and set this up in my lab for you.

And try what you'd like to see.

Puneet

probertsyork
Level 1
Level 1

Hi Puneet,

I'm trying to find the list of sessions and their details much like you have done in SNMP, but do it through CLI (using SSH, running a command...).

cchoy
Community Member

Many thanks Puneet.

Below is an anonymized version of the essence of the VPN configuration.  I am using group policy override to control an agent/server based service migration.  The server side service (completely unrelated to Cisco technology) only recognizes IP address sources as its means of identifying its clients.  In the transition from the old to the new system workers that are 100% telecommuters must be guided into a new source subnet so the new system can identify their workstation and upgrade their agent.  The routable IP local pool space is limited for a number of reasons, so I could not just double the ip local pools for this effort (that would have been too easy of course).  Thus, I need a way to monitor IP usage in the ORIGINAL pool below to the MIGRATED pool as users are migrated throughout the year.  With events like the London Olympics coming, a problem is anticipated and I need to monitor consumption of addresses in both IP pools on a number of remote access dedicated ASA's (meaning no failover or multi context firewalling).

Many thanks.

##################################

ldap attribute-map LDAP1

  map-name  attribute1 Group-Policy

tunnel-group TUNNEL1 type remote-access

tunnel-group TUNNEL1 general-attributes

authentication-server-group RADIUS1

authorization-server-group LDAP1

accounting-server-group RADIUS1

default-group-policy ORIGINAL

password-management

authorization-required

tunnel-group TUNNEL1 webvpn-attributes

radius-reject-message

proxy-auth sdi

group-url https://[PUBLIC_IP_ADDR] enable

group-url https://fiction.vpn.company.com enable

ip local pool MIGRATED 2.0.0.0-2.0.0.255 mask 255.255.255.0

ip local pool ORIGINAL 1.0.0.0-1.0.0.255 mask 255.255.255.0

group-policy MIGRATED internal

group-policy MIGRATED attributes

banner value Your agent will use the new system going forward because you have come from the MIGRATED network one time. Even if you are put back on the ORIGINAL network at a later date by taking the attribute1 away from your LDAP1 account your agent has been upgraded and will use the new system.

address-pools value MIGRATED

webvpn

  svc dtls enable

  svc ask none default svc

group-policy ORIGINAL internal

group-policy ORIGINAL attributes

banner value Your agent will still use the old system and has not received the attribute1 LDAP1 trigger.

vpn-tunnel-protocol svc

default-domain value company.com

address-pools value ORIGINAL

webvpn      

  svc dtls enable

  svc ask none default svc

puseth
Level 1
Level 1

HI Paul,

If thats ASA you can try this command

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s7.html#wp1333764

show vpn-sessiondb

Puneet

kalagan750
Level 1
Level 1

Hi,

My device is an ASA 5510 with ASA Version 8.2

I juste want to know if you have a solution to get VPN username who are connecting on my VPN with snmp command.

Thanks for your reply

cchoy
Community Member

[827]   1.3.6.1.4.1.9.10.135.1.1.1.3.   crasVpnUsername

Try an snmp walk of the oid above.

Or do a "show snmp oid" on your ASA (may differ slightly from version to version) and find an OID that looks like it might give you what you need.

kalagan750
Level 1
Level 1

Thanks Cchoy,

I get "show snmp oid" on my ASA and a find " [667]   1.3.6.1.4.1.9.10.135.1.1.1.3.   crasVpnUsername "

But when i try snmp walk i have this message : " SNMPv2-SMI::enterprises.9.10.135.1.1.1.5 = No Such Instance currently exists at this OID "

An idea ?

cchoy
Community Member

.

triam8001
Community Member

Hi,

check my script

#!/usr/bin/perl -w
use strict;
use warnings;

open(VPNUSERS,'-|','snmpwalk -v 2c -c public 172.16.0.30 1.3.6.1.4.1.9.9.392.1.3.21.1.2') || die "Failed\n";

while ((my $name = <VPNUSERS>))
{
        my @t = split(/\./, $name);
        my $x = @t;
        my $iii = 10;
        while ($iii < $x-1) {
                print chr($t[$iii]);
                $iii++;
        }
        print "\n";
}

 

Your script was a help to me. Only thing I changed was to use 1.3.6.1.4.1.9.9.392.1.3.21.1.2.5 as the OID to limit to only remote users and exclude my site-to-sites. Cheers.

kalagan750
Level 1
Level 1

Hi,

 

Great script !

Do you can tell me how i can display  the IP Adress in side Name.

Thanks,

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: