Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
5217
Views
46
Helpful
11
Comments

PRTG vs. ASA

Marvin Rhoads
Hall of Fame
Hall of Fame

on ‎02-02-2021 06:26 PM

Introduction

We will examine the interaction between a Cisco Adaptive Security Appliance (ASA) and a popular network management system, PRTG. Specifically we are focusing on the use of Simple Network Management Protocol (SNMP) to manage the ASA and how a minor upgrade changed that interaction.

 

The case illustrated here is applicable to other similar use cases where a third party tool interacts with Cisco products.

Background

Recently I upgraded an ASA 5525-X HA pair to the latest recommended code (9.12(3)12). Our previous release was 9.8(4)17. This was a routine upgrade to address a recent set of vulnerabilities announced by Cisco. A review of the release notes (both main train and interim) didn’t reveal any significant caveats or changes to expected behavior. The new release was a “Gold star” designated release so I felt the risk should be quite low.

Problem Statement

The upgrade went fine - as they usually do with ASA HA pairs. Traffic was flowing normally and failover working as designed. However, a short while later our NOC informed me they were seeing some SNMP alerts showing up in our PRTG Network Monitor.

Upon investigation, I found the error was from the built-in SNMP probe that PTRG uses to discover the VPN statistics for ASAs. It is described as follows in the PRTG manual:

SNMP Cisco ASA VPN Connections Sensor

The SNMP Cisco ASA VPN Connections sensor monitors the VPN connections on a Cisco Adaptive Security Appliance using the Simple Network Management Protocol (SNMP).

The sensor can show the following:

  • Active email sessions
  • Active Internet Protocol Security (IPsec) sessions
  • Active LAN-to-LAN (L2L) sessions
  • Active LB sessions
  • Active sessions in total
  • Active switched virtual circuit (SVC) sessions
  • Active users
  • Groups with active users

The probe had been working perfectly well across prior releases going back at least 5 years.

PRTG does not document the SNMP Object ID (OID) variables the sensor uses they use since they consider those part of their value to package all that for the customer and keep the details to themselves. However, I was able to ascertain exactly what they do by pausing all sensors it was polling and then re-enabling just that one.

A quick Wireshark capture with the capture filter for only SNMP queries (udp port 161) revealed the following:

SNMP Query pcap.png

(Once I got that, I re-enabled all the sensors.)

From the data of the captured frame we can see 9 variables are queried with an SNMP get-request. They are all taken from the Cisco remote access system (cras) monitor MIB tree. We can find a reference here explaining the variables:

http://oidref.com/1.3.6.1.4.1.9.9.392.1.3

The problem is that, when the ASA responds, one of those variables is not recognized:

ASA Response pcap.png

Note the “noSuchObject” response for variable 1.3.6.1.4.9.9.392.1.3.23.0.

A check on the ASA itself confirms that variable is no longer supported:

asa# show snmp-server oidlist | i 1.3.6.1.4.1.9.9.392.1.3

[681]     1.3.6.1.4.1.9.9.392.1.3.1.        crasNumSessions
[682]     1.3.6.1.4.1.9.9.392.1.3.2.        crasNumPrevSessions
[683]     1.3.6.1.4.1.9.9.392.1.3.3.        crasNumUsers
[684]     1.3.6.1.4.1.9.9.392.1.3.4.        crasNumGroups
[685]     1.3.6.1.4.1.9.9.392.1.3.5.        crasGlobalInPkts
[686]     1.3.6.1.4.1.9.9.392.1.3.6.        crasGlobalOutPkts
[687]     1.3.6.1.4.1.9.9.392.1.3.7.        crasGlobalInOctets
[688]     1.3.6.1.4.1.9.9.392.1.3.8.       crasGlobalInDecompOctets
[689]     1.3.6.1.4.1.9.9.392.1.3.9.        crasGlobalOutOctets
[690]    1.3.6.1.4.1.9.9.392.1.3.10.      crasGlobalOutUncompOctets
[691]    1.3.6.1.4.1.9.9.392.1.3.11.        crasGlobalInDropPkts
[692]    1.3.6.1.4.1.9.9.392.1.3.12.        crasGlobalOutDropPkts
[693] 1.3.6.1.4.1.9.9.392.1.3.21.1.2.        crasGroup
<some lines omitted for brevity>
[734] 1.3.6.1.4.1.9.9.392.1.3.22.1.8.        crasActGrpOutOctets
[735]    1.3.6.1.4.1.9.9.392.1.3.26.        crasIPSecNumSessions
[736]    1.3.6.1.4.1.9.9.392.1.3.27.      crasIPSecCumulateSessions
[737]    1.3.6.1.4.1.9.9.392.1.3.28.  crasIPSecPeakConcurrentSessions
[738]    1.3.6.1.4.1.9.9.392.1.3.29.        crasL2LNumSessions
[739]    1.3.6.1.4.1.9.9.392.1.3.30.        crasL2LCumulateSessions
[740]    1.3.6.1.4.1.9.9.392.1.3.31.  crasL2LPeakConcurrentSessions
[741]    1.3.6.1.4.1.9.9.392.1.3.32.        crasLBNumSessions
[742]   1.3.6.1.4.1.9.9.392.1.3.33.        crasLBCumulateSessions
[743]    1.3.6.1.4.1.9.9.392.1.3.34.   crasLBPeakConcurrentSessions
[744]    1.3.6.1.4.1.9.9.392.1.3.35.        crasSVCNumSessions
[745]    1.3.6.1.4.1.9.9.392.1.3.36.        crasSVCCumulateSessions
[746]    1.3.6.1.4.1.9.9.392.1.3.37.  crasSVCPeakConcurrentSessions
[747]    1.3.6.1.4.1.9.9.392.1.3.38.        crasWebvpnNumSessions
[748]    1.3.6.1.4.1.9.9.392.1.3.39.     crasWebvpnCumulateSessions
[749]    1.3.6.1.4.1.9.9.392.1.3.40. crasWebvpnPeakConcurrentSessions
asa#

The earlier oidref.com link tells us that the no-longer-supported 1.3.6.1.4.1.9.9.392.1.3.23 variable is used for “The number of currently active Email proxy sessions” – something we do not really care about. (…and something that I don’t know why we ever would have cared about on an ASA – does anybody know?)

What we are interested in (for my use case of monitor remote access SSL VPN users) is 1.3.6.1.4.1.9.9.392.1.3.35.0 or crasSVCNumSessions which is “The number of currently active SVC sessions”.

(NOTE: “SVC” is a legacy term for SSL VPN Client. It is in contrast with “WebVPN” which is used when referring to clientless SSL VPN. It can be a bit confusing since both are enabled in the “webvpn” section of an ASA configuration.)

 

Solution

Since the built-in poller is failing us, the alternative approach I used was to create a custom SNMP poller in PRTG. I did so as shown below, giving it a name and the OID we had found earlier:

PRTG Custom poller.png

 

I assigned that sensor to the ASAs (in lieu of the PTRG built-in one for VPN status) and – voila – we have a green sensor and a useful graph:

PRTG Graph.png

 

Note: At the time I first encountered the problem we were using PRTG version 20.1.56.1547+. While writing this up, I noticed there is a slightly newer release available - 20.2.58.1629. I since upgraded to that release and re-tested the built-in sensor. It continues to exhibit the problem. So, we will stick with the custom sensor for now.

Conclusion

During any system upgrade, analysis of behavior before and after is important to understand possible impacts to operations. When discrepancies are noted, a careful observation of the exact problem area combined with rigorous analysis can often highlight a potential solution. As we endeavor to continue to secure our systems using software which addresses recently disclosed vulnerabilities we must balance that with the need to operate and maintain the same systems.

References

  1. The recent set of vulnerabilities announced by Cisco that prompted us to upgrade.
  2. ASA 9.12 main train release notes.
  3. ASA 9.12 interim release notes
  4. PRTG manual section describing the Cisco ASA VPN Connections Sensor
Comments
MJ666
Level 1
Level 1
‎03-12-2024 01:26 AM

Hi Marvin,
PRTG is sending few alarm on several ASA5516 firewalls.

These are SSL-Certifcat alarms.
When I execute sh run, I don't see the line

no ssl trust-point <My_trsustpoint>

any cluee?

Marvin Rhoads
Hall of Fame
Hall of Fame
‎03-12-2024 08:09 AM

@MJ666 SSL-certificate alarms could be for several reasons. Can you share the details of one (screenshot)?

MJ666
Level 1
Level 1
‎03-13-2024 12:27 AM

i Marvin, I'm getting the warning from the monitoring system, related to SSL configuration on the asa5516 fw

Marvin Rhoads
Hall of Fame
Hall of Fame
‎03-13-2024 05:14 AM

"Unable to check revocation status" would apply if the certificate is self-signed such that the issuing CA or Root CA is not available to be queried. If that is the case, you would have to create a custom sensor that doesn't include that field.

How to do so for an SSL sensor is probably a question better suited for PRTG forums vs. here in the Cisco community.

MJ666
Level 1
Level 1
‎03-13-2024 07:19 AM

with the <sh crypto ca certificates> I can see that the issuing or root certification authority or the root certification authority is available to be queried.
I can also see the certificate via Cisco ASDM>Configuration>Remote Access VPN>Certificate Management>CA Certificates.
I don't understand why I've been getting this alarm for 1 week on 3 out of 20 firewalls.

Marvin Rhoads
Hall of Fame
Hall of Fame
‎03-13-2024 07:31 AM

@MJ666 does the chain look any different for the affected firewall when you look at it using an external tool like https://www.ssllabs.com/ssltest/analyze.html?. (I often use that site to validate my settings.)

MJ666
Level 1
Level 1
‎03-13-2024 07:32 AM

@Marvin Rhoads  in fact, I use the following command on the firewall in the CLI and if I do a firewall rule import from the firewall and then a deployment, the parameter is overwritten:        ssl trustp-point <My_trustpoint>

conf t
dynamic-access-policy-confi activate
vpn-addr-assign local reuse-delay 0
no ssl trust-point <My_trustpoint>

I don't understand why CSM keeps deleting the last command line and unfortunately, I haven't found the corner of the CSM where this is configured....


This is probl the reason why messages appear in the prtg, coz the verified CA is not the right one or it is, by default, self-signed certificates on firewalls.

MJ666
Level 1
Level 1
‎03-13-2024 08:06 AM

@Marvin Rhoads the chain is unfortunately not routed to internet." Unable to resolve domain name" is the message I got from ssllabs.

Is there any workaround to validate or compare my settings?

Best

Marvin Rhoads
Hall of Fame
Hall of Fame
‎03-13-2024 08:50 AM

It sounds like the problem is not so much PRTG then as it is CSM. PRTG is correctly highlighting the fact of the incorrect chain by seeing the effect of not being able to verify the revocation status.

I would open a TAC case to have them investigate the CSM-related issue that is causing the trustpoint association to be incorrect.

MJ666
Level 1
Level 1
‎03-25-2024 06:15 AM

@Marvin Rhoads 

On all the Firewalls affected, I noticed that the TrustPoint interface had not been created.

I did it, and it works at 70%. Some firewalls continue to return the message ...

MJ666
Level 1
Level 1
‎03-26-2024 12:45 AM

Good morning @Marvin Rhoads 

I want to install a localdmin account on all the switches and routers so that I can connect to them when the radius (SSH) is unavailable.
To do my test after installing the account, I realize that the switch takes priority over the SSH connection as long as the radius is available.
Use
#conf t
#no aaa authentication login RADIUSLOGON group radius local
#no aaa authorization exec RADIUSLOGON group radius local
#aaa authentication login default local
#aaa authentication exec default local
#username localadmin privilege 15 secret azertytest

I've temporarily disabled access to the radius from the switch and I'm able to connect to localadmin().

Is there a way to make the switch offer me to use either radius (ssh) or localadmin (console port 0) without having to disable radius?

Thanks for your feedback

Translated with DeepL.com (free version)

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents