knobdy Cacti User
Joined: 28 Sep 2005 Posts: 495
Posted: Thu Apr 06, 2006 3:38 pm Post subject: VPN Tunnel monitoring
Anyone done anything to monitor bandwidth used by individual VPN tunnels on either a router or firewall? We have SEVERAL customers that connect to us via VPN tunnels and we'd like to be able to see the traffic each generates. None of the templates I've seen thus far will do this - since I want more than just the number of sessions, but instead a graph like an ordinary interface for "bits/sec Total Bandwidth".
I'm pretty sure CiscoWorks can do this (at least for the concentrators) but I'm not sure what it uses and our installation of CiscoWorks is java-junk...
vanc
Joined: 02 Mar 2006 Posts: 30 Location: Boston MA USA
Posted: Wed Apr 12, 2006 10:50 am
I don't know that you will be able to get that via snmp interface statistics. You can try doing a snmpwalk and check if your tunnel defs are shown individually.
We graph our ipsec with all tunnels on the single interface, but our VPN GW is a linux box.
If I were to start graphing the individual traffic with our device I would look into writing a script to read the values from iptables, which I believe I have seen some templates for in past topics.
Hope that helps a little bit.
[Attached image: 12.57 KB, viewed 34695 time(s)]

knobdy Cacti User
Joined: 28 Sep 2005 Posts: 495
Posted: Wed Apr 12, 2006 11:08 am
I appreciate the response.
knobdy Cacti User
Joined: 28 Sep 2005 Posts: 495
Posted: Wed Apr 12, 2006 3:19 pm
What do you think of these?
Code:
1.3.6.1.2.1.31.1.1.1.15
1.3.6.1.4.1.9.9.171.1.2.1.4
It would seem that the OID 1.3.6.1.4.1.9.9.171.1.3.2.1.32 is what I'm after or close to it (http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.171.1.3.2.1.32), but while doing a basic "snmpwalk -v 2c -c public -t 120 10.10.10.10 .1.3.6.1.4.1.9.9" I get
Code:
Error: OID not increasing: .1.3.6.1.4.1.9.9.171.1.2.2.1.6.1.13.54.53.46.49.57.55.46.50.56.46.49.52.49.1.14.54.54.46.49.54.50.46.50.53.50.46.49.53.48.6
>= .1.3.6.1.4.1.9.9.171.1.2.2.1.6.1.13.54.53.46.49.57.55.46.50.56.46.49.52.49.1.14.49.52.54.46.49.52.53.46.49.50.56.46.53.48.2
Any ideas?
adp
Joined: 25 Apr 2006 Posts: 2
Posted: Tue Apr 25, 2006 3:31 am
On all routers we use for this, the tunnels are created just like an interface. Adding the router to cacti just shows the Tunnel interfaces like any other interface. Do you have a different config?
cheers,
arthur
knobdy Cacti User
Joined: 28 Sep 2005 Posts: 495
Posted: Tue Apr 25, 2006 9:05 am
These are Cisco 2600 routers. Templates available for the concentrators are also kind of lame - only providing number of associations and the like. That's generally okay though, since most of their connections aren't LAN-to-LAN. The connections on the routers, however, are a different story.
The tunnels on the routers are defined as isakmp policies/SAs - as best I can figure. I can find those in the MIBs...I think - just not their more detailed info. On these routers, the closest I've found to a "sh int" command for the tunnels would have to be:
Code:
#sh crypto isakmp sa
dst src state conn-id slot
pub.ip.xx.141 cus.ip.xx.250 QM_IDLE 6 0
pub.ip.xx.141 cus.ip.xx.130 QM_IDLE 19 0
cus.ip.xx.2 pub.ip.xx.141 QM_IDLE 18 0
pub.ip.xx.141 cus.ip.xx.31 QM_IDLE 8 0
pub.ip.xx.141 cus.ip.xx.34 QM_IDLE 3 0
pub.ip.xx.141 cus.ip.xx.150 QM_IDLE 13 0
pub.ip.xx.141 cus.ip.xx.50 QM_IDLE 12 0
pub.ip.xx.141 cus.ip.xx.241 QM_IDLE 20 0
pub.ip.xx.141 cus.ip.xx.71 QM_IDLE 9 0
pub.ip.xx.141 cus.ip.xx.31 QM_IDLE 11 0
adp
Joined: 25 Apr 2006 Posts: 2
Posted: Wed Apr 26, 2006 3:34 am
Are you doing dynamic user-based tunnels? Or site-to-site tunnels? These are (or can be) normally configured like
Code:
interface Tunnel1
ip address 10.1.1.1 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 10.2.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SECUR1
That way, it's just an interface like any other. If you're doing dynamic per-user based tunnels, the story might get much more complex.
cheers,
arthur
knobdy Cacti User
Joined: 28 Sep 2005 Posts: 495
Posted: Wed Apr 26, 2006 8:38 am
adp wrote: Are you doing dynamic user-based tunnels?
These are site-to-site tunnels, but to be honest I have yet to set one up myself or even look into how they're currently done. The guys I work with mostly copy/paste what was there before them. <shrug>
Here's an example, though I'm not sure this is everything that goes into bringing a single tunnel up:
Code:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key akeyhash address pub.cust.ip.add
!
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto map outside 1 ipsec-isakmp
set peer pub.cust.ip.add
set security-association lifetime kilobytes 256000
set transform-set 3des
match address customer_name-in
crypto map outside 3 ipsec-isakmp
set peer pub.cust.ip.add
set security-association lifetime kilobytes 256000
set security-association lifetime seconds 1200
set transform-set 3des-md5
ip access-list standard customer_name-nat
ip access-list extended customer-name
dbrummer
Joined: 19 Apr 2006 Posts: 29 Location: Las Vegas, NV
Posted: Thu Apr 27, 2006 10:23 am
I use a Cisco VPN 3000 concentrator for lan-to-lan sessions. I wrote a perl script that you may be interested in. The script takes inputs of community, host, session ip and rx or tx. Based on the session ip you provide the script, it will search for the corresponding lan-to-lan session, grab the OID index and return either rx or tx octets received/transferred. Let me know if you're interested in it.
-Dan
knobdy Cacti User
Joined: 28 Sep 2005 Posts: 495
Posted: Thu Apr 27, 2006 11:42 am
VERY!!! If you don't want to post it to the community, feel free to send a private message!
I've even played in perl before, so maybe I or one of my cohorts can look at what you've done in regards to these routers/firewalls.
Did I mention we also have firewalls managing LAN-to-LAN VPNs? Can't find a "tunnel interface OID" for them either...
dbrummer
Joined: 19 Apr 2006 Posts: 29 Location: Las Vegas, NV
Posted: Thu Apr 27, 2006 11:50 am
See attached. I apologize for how dirty and ugly the script is, but it works.
Note: I had to make the script like this because the OID index for lan2lan sessions change whenever a session is disconnected/reconnected.
UPDATE: Added Graph Template
-Dan
Attachments:
cacti_graph_template_lan2lan_ancaliantectgw_traffic.xml (13.04 KB, downloaded 1814 time(s))
lan2lantraffic.txt (2.78 KB, downloaded 1996 time(s))
knobdy Cacti User
Joined: 28 Sep 2005 Posts: 495
Posted: Thu Apr 27, 2006 12:18 pm
Cool.
Can you describe the parameters a little more? Perhaps provide an example CLI statement?
What is the "sessionip" in 3000 concentrator terminology?
Actually, while I'm still not sure what some of those parameters (sessionip, rx/tx) refer to exactly, it looks like the RX and TX data templates, under "Custom Data", should have the SessionIP and Flow checkboxes checked so that you define them when applying 'em to a device?
dbrummer
Joined: 19 Apr 2006 Posts: 29 Location: Las Vegas, NV
Posted: Thu Apr 27, 2006 12:21 pm
Yea the session IP is the Peer IP of the LAN2LAN session. I took out my data from the exported graph template so you are correct with the per-device settings.
If you have the web administration enabled for the VPN3000 you can see the peer ip for the lan2lan session under the monitoring->sessions.
-Dan
knobdy Cacti User
Joined: 28 Sep 2005 Posts: 495
Posted: Thu Apr 27, 2006 12:23 pm
What about rx/tx parameters?
Last edited by knobdy on Thu Apr 27, 2006 12:27 pm; edited 2 times in total
dbrummer
Joined: 19 Apr 2006 Posts: 29 Location: Las Vegas, NV
Posted: Thu Apr 27, 2006 12:26 pm
lan2lansessions.pl community host ip tx will return the TX bytes (alActiveSessionOctetsSent OID) from the device while lan2lansessions.pl community host ip rx will return the RX bytes (alActiveSessionOctetsRecvd OID).
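The lookup that Dan's script does (search the concentrator's active-session table for the row whose peer IP matches, take that row's index, and read the OctetsSent/OctetsRecvd counter at the same index, re-resolving the index on every poll because it changes whenever the session bounces) is shown below as an added example in Python. It is not the attached lan2lansessions.pl and not Cacti's own code. It parses snmpwalk-style output (run with the ALTIGA MIB loaded so column names, not numeric OIDs, are printed) from a file or stdin rather than polling the device, so it runs offline; the two sample walks are constructed, and the column name alActiveSessionIpAddress for the peer address is an assumption to confirm against your MIB file (the OctetsSent/OctetsRecvd names are the ones quoted in the thread).

```python
#!/usr/bin/env python3
"""Resolve a VPN 3000 lan-to-lan session by peer IP and return its rx/tx octet
counter. Added example, not the script attached in the thread.

Usage (feeds snmpwalk output on stdin; nothing here touches the network):
    snmpwalk -v2c -c <community> <host> alActiveSessionTable | \
        lan2lan_octets.py 198.51.100.22 rx
"""
import re
import sys
from typing import Dict, Optional, Tuple

# CONSTRUCTED sample walk of the session table. Indexes, names, IPs (RFC 5737
# documentation ranges) and counters are made up. The peer-address column name
# alActiveSessionIpAddress is an ASSUMPTION; check it against your MIB.
SAMPLE_WALK_BEFORE = """\
ALTIGA-SESSION-STATS-MIB::alActiveSessionUsername.5 = STRING: branch-east
ALTIGA-SESSION-STATS-MIB::alActiveSessionUsername.7 = STRING: branch-west
ALTIGA-SESSION-STATS-MIB::alActiveSessionIpAddress.5 = IpAddress: 203.0.113.10
ALTIGA-SESSION-STATS-MIB::alActiveSessionIpAddress.7 = IpAddress: 198.51.100.22
ALTIGA-SESSION-STATS-MIB::alActiveSessionOctetsSent.5 = Counter32: 884213
ALTIGA-SESSION-STATS-MIB::alActiveSessionOctetsSent.7 = Counter32: 1207
ALTIGA-SESSION-STATS-MIB::alActiveSessionOctetsRecvd.5 = Counter32: 501772
ALTIGA-SESSION-STATS-MIB::alActiveSessionOctetsRecvd.7 = Counter32: 96
"""

# CONSTRUCTED walk of the same device after branch-west disconnected and
# reconnected: its row moved from index 7 to index 12. A Cacti data source
# bound to a fixed OID index would keep graphing index 7 (now gone, or reused
# by some other peer), which is the problem the peer-IP lookup avoids.
SAMPLE_WALK_AFTER = """\
ALTIGA-SESSION-STATS-MIB::alActiveSessionUsername.5 = STRING: branch-east
ALTIGA-SESSION-STATS-MIB::alActiveSessionUsername.12 = STRING: branch-west
ALTIGA-SESSION-STATS-MIB::alActiveSessionIpAddress.5 = IpAddress: 203.0.113.10
ALTIGA-SESSION-STATS-MIB::alActiveSessionIpAddress.12 = IpAddress: 198.51.100.22
ALTIGA-SESSION-STATS-MIB::alActiveSessionOctetsSent.5 = Counter32: 901004
ALTIGA-SESSION-STATS-MIB::alActiveSessionOctetsSent.12 = Counter32: 42
ALTIGA-SESSION-STATS-MIB::alActiveSessionOctetsRecvd.5 = Counter32: 512009
ALTIGA-SESSION-STATS-MIB::alActiveSessionOctetsRecvd.12 = Counter32: 10
"""

# (column name, row index) -> raw value string
WalkTable = Dict[Tuple[str, int], str]

# "MIB::column.index = TYPE: value"; the MIB prefix and TYPE are optional so
# output from different net-snmp settings still parses.
_LINE_RE = re.compile(r"^(?:[\w-]+::)?(\w+)\.(\d+)\s*=\s*(?:[\w-]+:\s*)?(.*?)\s*$")

PEER_COLUMN = "alActiveSessionIpAddress"          # assumed column name
COUNTER_COLUMN = {"tx": "alActiveSessionOctetsSent",   # names from the thread
                  "rx": "alActiveSessionOctetsRecvd"}


def parse_walk(text: str) -> WalkTable:
    """Turn snmpwalk output lines into a {(column, index): value} table."""
    table: WalkTable = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            table[(m.group(1), int(m.group(2)))] = m.group(3)
    return table


def find_session_index(table: WalkTable, peer_ip: str,
                       peer_column: str = PEER_COLUMN) -> Optional[int]:
    """Return the row index whose peer-address column equals peer_ip."""
    for (column, index), value in table.items():
        if column == peer_column and value == peer_ip:
            return index
    return None


def session_octets(table: WalkTable, peer_ip: str, direction: str) -> Optional[int]:
    """Octet counter for the session with this peer; None if no such session."""
    direction = direction.lower()
    if direction not in COUNTER_COLUMN:
        raise ValueError("direction must be 'rx' or 'tx', got %r" % direction)
    index = find_session_index(table, peer_ip)
    if index is None:
        return None
    raw = table.get((COUNTER_COLUMN[direction], index))
    return int(raw) if raw is not None and raw.isdigit() else None


def cacti_value(table: WalkTable, peer_ip: str, direction: str) -> str:
    """Bare number for a Cacti script data source; 'U' (unknown) when the
    session is down, so the RRD records a gap instead of a bogus zero."""
    value = session_octets(table, peer_ip, direction)
    return "U" if value is None else str(value)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: lan2lan_octets.py <peer-ip> <rx|tx>  (walk output on stdin)")
    print(cacti_value(parse_walk(sys.stdin.read()), sys.argv[1], sys.argv[2]))
```

Returning "U" rather than 0 when the peer is absent matters for graphing: a zero looks like an idle tunnel, whereas an unknown shows as a gap and the counter-based data source does not compute a huge negative rate when the session comes back.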