Recently I upgraded an ASA 5525-X HA pair to the latest recommended code (9.12(3)12). Our previous release was 9.8(4)17. This was a routine upgrade to address a recent set of vulnerabilities announced by Cisco. A review of the release notes (both main train and interim) didn’t reveal any significant caveats or changes to expected behavior. The new release was a “Gold star” designated release so I felt the risk should be quite low.
The upgrade went fine - as they usually do with ASA HA pairs. Traffic was flowing normally and failover working as designed. However, a short while later our NOC informed me they were seeing some SNMP alerts showing up in our PRTG Network Monitor.
Upon investigation, I found the error was from the built-in SNMP sensor that PRTG uses to collect VPN statistics from ASAs. It is described as follows in the PRTG manual:
SNMP Cisco ASA VPN Connections Sensor
The SNMP Cisco ASA VPN Connections sensor monitors the VPN connections on a Cisco Adaptive Security Appliance using the Simple Network Management Protocol (SNMP).
The sensor can show the following:
Active email sessions
Active Internet Protocol Security (IPsec) sessions
Active LAN-to-LAN (L2L) sessions
Active LB sessions
Active sessions in total
Active switched virtual circuit (SVC) sessions
Groups with active users
The probe had been working perfectly well across prior releases going back at least 5 years.
PRTG does not document the SNMP Object ID (OID) variables the sensor uses, since they consider packaging all of that for the customer part of their value and keep the details to themselves. However, I was able to ascertain exactly what it queries by pausing all the sensors PRTG was polling on the device and then re-enabling just that one.
A quick Wireshark capture with the capture filter for only SNMP queries (udp port 161) revealed the following:
(Once I got that, I re-enabled all the sensors.)
From the captured frame we can see that all 9 variables are requested in a single SNMP get-request. They are all taken from the CISCO-REMOTE-ACCESS-MONITOR-MIB (object prefix cras) tree. That detail matters: because the sensor bundles every object into one request, a single object that the agent no longer serves can be enough to upset the whole sensor. We can find a reference here explaining the variables:
The earlier oidref.com link tells us that the no-longer-supported variable, crasEmailNumSessions, is “The number of currently active Email proxy sessions”, something we do not really care about. (And something I don’t know why we ever would have cared about on an ASA; does anybody know?)
What we are interested in (for my use case of monitoring remote access SSL VPN users) is crasSVCNumSessions, OID 1.3.6.1.4.1.9.9.392.1.3.35.0, which is “The number of currently active SVC sessions”.
(NOTE: “SVC” is a legacy term for the SSL VPN Client, i.e. what is now the AnyConnect client; it is not “switched virtual circuit” as the PRTG manual expands it. It is in contrast with “WebVPN”, which is used when referring to clientless SSL VPN. It can be a bit confusing since both are enabled in the “webvpn” section of an ASA configuration.)
Since the built-in poller is failing us, the alternative approach I used was to create a custom SNMP poller in PRTG. I did so as shown below, giving it a name and the OID we had found earlier:
I assigned that sensor to the ASAs (in lieu of the PRTG built-in one for VPN status) and, voilà, we have a green sensor and a useful graph:
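As an added example (not from the original post, and not PRTG’s or Cisco’s code), here is a minimal SNMPv2c BER codec in Python that does in code what the Wireshark step does by eye: it lists the OIDs in a multi-varbind get-request, and shows how one retired object breaks the poll differently under SNMPv1 (a noSuchName error-status fails the whole request) and SNMPv2c (a noSuchObject exception on just that varbind), which is exactly the kind of response a bundled built-in sensor can trip over. It ends with the custom-sensor approach: a get-request for only the object you need. The cras OIDs are assumed from CISCO-REMOTE-ACCESS-MONITOR-MIB as I recall them (verify against your MIB file), and all packets are constructed in the script, not captured from a real ASA.

```python
"""Minimal SNMP v1/v2c BER codec: inspect a multi-OID get-request and see
which varbinds an agent refused. Added example; packets are constructed."""

NULL = b"\x05\x00"                       # ASN.1 NULL, the value in a GetRequest
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2   # SNMP PDU context tags
EXCEPTIONS = {0x80: "noSuchObject", 0x81: "noSuchInstance", 0x82: "endOfMibView"}

# Assumed from CISCO-REMOTE-ACCESS-MONITOR-MIB (prefix cras); verify in your MIB.
CRAS = "1.3.6.1.4.1.9.9.392.1.3"
OIDS = {
    "crasNumSessions":      CRAS + ".1.0",
    "crasEmailNumSessions": CRAS + ".23.0",
    "crasIPSecNumSessions": CRAS + ".26.0",
    "crasL2LNumSessions":   CRAS + ".29.0",
    "crasSVCNumSessions":   CRAS + ".35.0",
}

class SnmpExc(str):
    """Marker type for a per-varbind SNMPv2c exception (noSuchObject etc.)."""

# ---- BER encoding ---------------------------------------------------------
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def enc_int(v):
    """INTEGER, minimal two's-complement length."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))

def enc_uint(tag, v):
    """Counter32/Gauge32 (0x41/0x42): unsigned, leading zero byte if MSB set."""
    return _tlv(tag, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def enc_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                    # base-128, high bit set on all but last
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_pdu(pdu_tag, request_id, varbinds, community=b"public",
              version=1, error_status=0, error_index=0):
    """SNMP message: version (0 = v1, 1 = v2c), community, PDU with varbinds."""
    vbl = b"".join(_tlv(0x30, enc_oid(o) + v) for o, v in varbinds)
    pdu = _tlv(pdu_tag, enc_int(request_id) + enc_int(error_status)
               + enc_int(error_index) + _tlv(0x30, vbl))
    return _tlv(0x30, enc_int(version) + _tlv(0x04, community) + pdu)

# ---- BER decoding ---------------------------------------------------------
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dec_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def dec_value(tag, body):
    if tag in EXCEPTIONS:
        return SnmpExc(EXCEPTIONS[tag])
    if tag == 0x02:
        return int.from_bytes(body, "big", signed=True)
    if tag in (0x41, 0x42, 0x43):          # Counter32 / Gauge32 / TimeTicks
        return int.from_bytes(body, "big")
    if tag == 0x04:
        return body.decode("latin-1")
    if tag == 0x05:
        return None
    raise ValueError("unhandled BER tag 0x%02x" % tag)

def decode(pkt):
    """Return (pdu_tag, request_id, error_status, [(oid, value), ...])."""
    _, msg, _ = _read_tlv(pkt, 0)          # outer SEQUENCE
    _, _, pos = _read_tlv(msg, 0)          # version
    _, _, pos = _read_tlv(msg, pos)        # community
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _, pos = _read_tlv(pdu, pos)        # error-index
    _, vbl, _ = _read_tlv(pdu, pos)
    vbs, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        vbs.append((dec_oid(oid), dec_value(vtag, vbody)))
    return (pdu_tag, int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), vbs)

# ---- the diagnostic -------------------------------------------------------
def request_oids(pkt):
    """What a captured get-request actually asks for (the Wireshark step)."""
    return [oid for oid, _ in decode(pkt)[3]]

def failed_varbinds(resp):
    """OIDs the agent refused: a non-zero error-status (v1) sinks the whole
    request; in v2c each unsupported varbind carries its own exception."""
    _, _, err, vbs = decode(resp)
    if err != 0:
        return [oid for oid, _ in vbs]
    return [oid for oid, v in vbs if isinstance(v, SnmpExc)]

def single_get(oid, request_id=2):
    """The custom-sensor approach: ask only for the one object you need."""
    return build_pdu(GET_REQUEST, request_id, [(oid, NULL)])

# ---- constructed sample traffic (not a real capture) ----------------------
def sample_request():
    return build_pdu(GET_REQUEST, 1, [(o, NULL) for o in OIDS.values()])

def sample_v2c_response(svc_sessions=17):
    """Agent serves everything except the retired email-proxy object."""
    vbs = []
    for name, oid in OIDS.items():
        if name == "crasEmailNumSessions":
            vbs.append((oid, b"\x80\x00"))                   # noSuchObject
        else:
            n = svc_sessions if name == "crasSVCNumSessions" else 0
            vbs.append((oid, enc_uint(0x42, n)))             # Gauge32
    return build_pdu(GET_RESPONSE, 1, vbs)

def sample_v1_response():
    """Same situation over SNMPv1: error-status 2 (noSuchName), error-index 2."""
    return build_pdu(GET_RESPONSE, 1, [(o, NULL) for o in OIDS.values()],
                     version=0, error_status=2, error_index=2)

if __name__ == "__main__":
    print("built-in sensor asks for:", request_oids(sample_request()))
    print("v2c agent refused:", failed_varbinds(sample_v2c_response()))
    print("v1 agent refused:", failed_varbinds(sample_v1_response()))
    print("custom sensor asks for:", request_oids(single_get(OIDS["crasSVCNumSessions"])))
```

Against a live ASA the equivalent quick check is net-snmp’s `snmpget -v2c -c <community> <asa> 1.3.6.1.4.1.9.9.392.1.3.35.0`, first on its own and then with the other eight OIDs appended, to see which varbind comes back as noSuchObject after the upgrade.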
Note: At the time I first encountered the problem we were using PRTG version 126.96.36.1997+. While writing this up, I noticed there is a slightly newer release available, 188.8.131.529. I have since upgraded to that release and re-tested the built-in sensor. It continues to exhibit the problem, so we will stick with the custom sensor for now.