Monitoring live VPN sessions

mofnoc
Level 1

Hello,
We need to monitor RA VPN session live traffic per user.
FMC shows VPN data only at the end of the session.
All the information we need is available in the CLI with the command "show vpn-sessiondb anyconnect", but it is not comfortable to make an SSH connection every time.
Also, it would be great to have a dashboard with graphs where we can see VPN users' data usage.
We use FTD 2130.


ccieexpert
Level 1

FMC 7.3, I believe, started the support for it.

7.4 has it for sure:

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/vpn-monitoring.html#RAVPN_Dashboard

What version are you running?

CCIEx2

Freelance consultant

Hello,
We have 7.2.5 version.
Yeah, 7.3 and above can help. Thanks.

Yeah, but it doesn't have real-time traffic stats per user. Please see my response about using the SNMP MIB; that may be the best option. Of course, you can use the regular CLI to parse and dump it to a file/database and show it in a nice GUI. Not very difficult.

I tried to get information using SNMP MIBs + Zabbix.
I managed to get information about the number of VPN sessions.
But further on I faced some troubles. My goal was to get just 3 parameters: Username, Session packets IN and OUT.

First of all, for every SNMP OID request, FTD responds with 3 lines per user:
SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.1.20.100.116.111.100.111.114.101.110.107.111.64.77.79.70.46.76.79.67.65.76.518254593 = STRING: "jsmith"
SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.1.20.100.116.111.100.111.114.101.110.107.111.64.77.79.70.46.76.79.67.65.76.518254594 = STRING: "jsmith"
SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.1.20.100.116.111.100.111.114.101.110.107.111.64.77.79.70.46.76.79.67.65.76.518254595 = STRING: "jsmith"

Second of all, when I tried preprocessing that output in Zabbix, to cut 2 lines of 3, it didn't work.
The situation is the same for the SNMP OIDs for user traffic.
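An added example, not part of the thread or of any Cisco tooling: a small parser for snmpwalk output shaped like the lines quoted above. It assumes the row index is a length-prefixed ASCII username followed by a per-session index, which matches the quoted lines, where the three rows differ only in the last sub-identifier. The sample data, the function names and the counter column numbers 901/902 are constructed placeholders.

```python
import re
from collections import defaultdict

# Matches the crasSessionTable entry prefix printed in the thread, then column and row index.
LINE = re.compile(r"enterprises\.9\.9\.392\.1\.3\.21\.1\.(\d+)\.([\d.]+) = \w+: (.*)$")

def decode_index(suffix):
    """Split '<len>.<ASCII octets>.<session index>' into (username, session_index)."""
    parts = [int(p) for p in suffix.split(".")]
    if len(parts) != parts[0] + 2:
        raise ValueError(f"unexpected index layout: {suffix}")
    return bytes(parts[1:-1]).decode("ascii"), parts[-1]

def parse_walk(text):
    """Return {(username, session_index): {column: value}} for every matching line."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.search(line.strip())
        if m:
            column, suffix, value = m.groups()
            rows[decode_index(suffix)][int(column)] = value.strip('"')
    return dict(rows)

def per_user(rows, in_col, out_col):
    """Sum two counter columns across all sessions of each user."""
    totals = defaultdict(lambda: [0, 0])
    for (user, _sid), cols in rows.items():
        totals[user][0] += int(cols.get(in_col, 0))
        totals[user][1] += int(cols.get(out_col, 0))
    return {user: tuple(t) for user, t in totals.items()}

# Constructed sample: users "jsmith" (two sessions) and "adoe" (one session).
# Columns 901/902 are placeholders for the in/out packet counters; take the
# real column numbers from CISCO-REMOTE-ACCESS-MONITOR-MIB.
P = "SNMPv2-SMI::enterprises.9.9.392.1.3.21.1."
J, A = "6.106.115.109.105.116.104.", "4.97.100.111.101."
SAMPLE = "\n".join([
    f'{P}1.{J}1001 = STRING: "jsmith"',
    f'{P}1.{J}1002 = STRING: "jsmith"',
    f"{P}901.{J}1001 = Counter32: 120", f"{P}902.{J}1001 = Counter32: 80",
    f"{P}901.{J}1002 = Counter32: 30", f"{P}902.{J}1002 = Counter32: 20",
    f"{P}901.{A}2001 = Counter32: 7", f"{P}902.{A}2001 = Counter32: 9",
])

if __name__ == "__main__":
    for user, (pkts_in, pkts_out) in sorted(per_user(parse_walk(SAMPLE), 901, 902).items()):
        print(f"{user}: in={pkts_in} out={pkts_out}")
```

Keying rows on (username, session index) keeps each session separate until the totals are computed, so no lines have to be discarded in the monitoring tool's preprocessing.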

I don't have a firewall in the lab at the moment, but you may want to do an SNMP walk to see what is out there. As per the MIB doc, that data is there.

balaji.bandi
Hall of Fame
We need to monitor RA VPN session live traffic per user.

Personally, I have not seen it in the GUI (maybe I have missed it, I don't know). Live traffic per user: not possible.

Either you need to make a tool that dumps the command line in real time and make your own graphs (but if you have a huge number of users, that will be a very heavy task).

What is the use case? Instead, you can monitor the RA VPN traffic traversing the interface using an NMS to see any bottleneck.

Also it would be great to have some dashboard with graphs, where we can see vpn users data usage.

You can generate reports -

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-management-center/221440-generate-fmc-reports-for-vpn-users.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Our solution at the moment is to use Stealthwatch.
It has almost everything we need to monitor users' VPN activity.

Yes, SW (or Cisco Secure Analytics, the current name) will work as long as they can buy another product.

Sure, if you can send the flows to Stealthwatch you can get any useful information, or using any other tools like Grafana will help you.

BB


ccieexpert
Level 1

You're right, the new dashboard still does not have per-user data.

I think the best bet is to use an SNMP poll, and do a more aggressive poll or on-demand poll to get the latest data:

https://github.com/taishin/vendor_mibs/blob/master/CISCO-REMOTE-ACCESS-MONITOR-MIB.my

I have not tried it, but the MIB does show per-user traffic.