Cacti: official forums and support
All times are UTC - 5 hours

Post subject: VPN Tunnel monitoring
Posted: Thu Apr 06, 2006 3:38 pm
Joined: Wed Sep 28, 2005 1:39 pm | Posts: 495
Anyone done anything to monitor bandwidth used by individual VPN tunnels on either a router or firewall? We have SEVERAL customers that connect to us via VPN tunnels and we'd like to be able to see the traffic each generates. None of the templates I've seen thus far will do this - since I want more than just the number of sessions, but instead a graph like an ordinary interface for "bits/sec Total Bandwidth".

I'm pretty sure CiscoWorks can do this (at least for the concentrators) but I'm not sure what it uses and our installation of CiscoWorks is java-junk...


Posted: Wed Apr 12, 2006 10:50 am
Joined: Thu Mar 02, 2006 2:54 pm | Posts: 30 | Location: Boston MA USA
I don't know that you will be able to get that via SNMP interface statistics. You can try doing an snmpwalk and checking whether your tunnel defs are shown individually.

We graph our ipsec with all tunnels on the single interface, but our VPN GW is a linux box.

If I were to start graphing the individual traffic with our device, I would look into writing a script to read the values from iptables, which I believe I have seen some templates for in past topics.

Hope that helps a little bit.


Attachment: ipsec_traffic.PNG (IPSec Interface Traffic, 12.57 KiB)
Posted: Wed Apr 12, 2006 11:08 am
Joined: Wed Sep 28, 2005 1:39 pm | Posts: 495
I appreciate the response.


Posted: Wed Apr 12, 2006 3:19 pm
Joined: Wed Sep 28, 2005 1:39 pm | Posts: 495
What do you think of these?

Code:
1.3.6.1.2.1.31.1.1.1.15       (IF-MIB ifXTable: ifHighSpeed)
1.3.6.1.4.1.9.9.171.1.2.1.4   (CISCO-IPSEC-FLOW-MONITOR-MIB subtree)


It would seem that the OID 1.3.6.1.4.1.9.9.171.1.3.2.1.32 is what I'm after or close to it, (http://tools.cisco.com/Support/SNMP/do/ ... 1.3.2.1.32) but while doing a basic "snmpwalk -v 2c -c public -t 120 10.10.10.10 .1.3.6.1.4.1.9.9" I get
Code:
Error: OID not increasing: .1.3.6.1.4.1.9.9.171.1.2.2.1.6.1.13.54.53.46.49.57.55.46.50.56.46.49.52.49.1.14.54.54.46.49.54.50.46.50.53.50.46.49.53.48.6
>= .1.3.6.1.4.1.9.9.171.1.2.2.1.6.1.13.54.53.46.49.57.55.46.50.56.46.49.52.49.1.14.49.52.54.46.49.52.53.46.49.50.56.46.53.48.2



Any ideas?
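
The two OIDs in that error are rows of the same table under 1.3.6.1.4.1.9.9.171.1.2.2.1 (CISCO-IPSEC-FLOW-MONITOR-MIB), and their index part has the shape type, length, ASCII bytes of an address, type, length, ASCII bytes of a second address, integer. Both rows share the first address and differ in the second; the second row's address string sorts lower byte-for-byte, so the agent handed back a smaller OID after a larger one and net-snmp stopped the walk. The following added example (not code from the thread) decodes such an index and reproduces the ordering fault with constructed addresses; the index layout is assumed from the shape of the error above, the address-type value 1 is assumed to mean IPv4, and none of the addresses are the thread's.

```python
# Added example (not from the thread): decode the index portion of the row OIDs
# behind an "OID not increasing" error and show why net-snmp rejected the walk.
#
# Assumptions: the index layout (address type, length-prefixed address string,
# address type, length-prefixed address string, integer) is taken from the shape
# of the error in the post above; the addresses below are constructed.

COLUMN_PREFIX = "1.3.6.1.4.1.9.9.171.1.2.2.1"  # table.entry prefix seen in the error
IPV4 = 1  # address-type value seen in the error (assumed to mean IPv4)


def split_oid(oid):
    """'.1.3.6' -> [1, 3, 6]; lists of ints compare the way GETNEXT orders OIDs."""
    return [int(p) for p in oid.strip(".").split(".")]


def join_oid(parts):
    return ".".join(str(p) for p in parts)


def _take_addr(rest):
    """Consume (type, length, <length> bytes) and return (type, text, remainder)."""
    addr_type, length = rest[0], rest[1]
    text = bytes(rest[2:2 + length]).decode("ascii")
    return addr_type, text, rest[2 + length:]


def decode_row_oid(oid, column_prefix=COLUMN_PREFIX):
    """Split a full row OID into its column number and decoded index fields."""
    parts, prefix = split_oid(oid), split_oid(column_prefix)
    if parts[:len(prefix)] != prefix:
        raise ValueError("OID is not under " + column_prefix)
    column, rest = parts[len(prefix)], parts[len(prefix) + 1:]
    local_type, local, rest = _take_addr(rest)
    remote_type, remote, rest = _take_addr(rest)
    if len(rest) != 1:
        raise ValueError("unexpected index tail: %r" % rest)
    return {"column": column, "local_type": local_type, "local": local,
            "remote_type": remote_type, "remote": remote, "int_index": rest[0]}


def encode_row_oid(column, local, remote, int_index, column_prefix=COLUMN_PREFIX):
    """Inverse of decode_row_oid: build the OID an agent would return for a row."""
    def addr(text):
        raw = text.encode("ascii")
        return [IPV4, len(raw), *raw]
    return join_oid(split_oid(column_prefix) + [column] + addr(local)
                    + addr(remote) + [int_index])


def first_order_break(oids):
    """First (previous, current) pair where current is not greater than previous,
    which is exactly the condition net-snmp reports as 'OID not increasing'."""
    for prev, cur in zip(oids, oids[1:]):
        if split_oid(cur) <= split_oid(prev):
            return prev, cur
    return None


def lexicographic_order(oids):
    """The order a well-behaved agent must use for GETNEXT traversal."""
    return sorted(oids, key=split_oid)


# Constructed walk: an agent that orders rows by numeric peer address returns
# 10.99.0.10 before 10.100.0.1, but as OID sub-identifiers the ASCII bytes of
# "10.100.0.1" sort lower ('1' < '9' at the fourth character), so the second
# OID is smaller than the first and the walk is rejected.
AGENT_ORDER = [
    encode_row_oid(6, "10.0.0.1", "10.99.0.10", 7),
    encode_row_oid(6, "10.0.0.1", "10.100.0.1", 2),
]

if __name__ == "__main__":
    for oid in first_order_break(AGENT_ORDER):
        print(decode_row_oid(oid))
    print("valid order:", [decode_row_oid(o)["remote"]
                           for o in lexicographic_order(AGENT_ORDER)])
```

net-snmp's snmpwalk accepts -Cc to skip the increasing-OID check and keep walking, which is enough to see the rest of the table, but a poller should then snmpget the exact row OIDs it needs rather than rely on a walk that the agent cannot order. Note also that these row OIDs carry the peer addresses in clear ASCII, so a walk pasted into a public post discloses them even when the prose has been redacted.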


Posted: Tue Apr 25, 2006 3:31 am
Joined: Tue Apr 25, 2006 3:29 am | Posts: 2
On all routers we use for this, the tunnels are created just like an interface. Adding the router to Cacti just shows the Tunnel interfaces like any other interface. Do you have a different config?

cheers,
arthur


Posted: Tue Apr 25, 2006 9:05 am
Joined: Wed Sep 28, 2005 1:39 pm | Posts: 495
These are Cisco 2600 routers. Templates available for the concentrators are also kind of lame - only providing number of associations and the like. That's generally okay though, since most of their connections aren't LAN-to-LAN. The connections on the routers, however, are a different story.

The tunnels on the routers are defined as isakmp policies/SAs - as best I can figure. I can find those in the MIBs...I think - just not their more detailed info. On these routers, the closest I've found to a "sh int" command for the tunnels would have to be:

Code:
#sh crypto isakmp sa
dst             src             state           conn-id    slot
pub.ip.xx.141   cus.ip.xx.250 QM_IDLE               6       0
pub.ip.xx.141   cus.ip.xx.130 QM_IDLE              19       0
cus.ip.xx.2     pub.ip.xx.141 QM_IDLE              18       0
pub.ip.xx.141   cus.ip.xx.31  QM_IDLE               8       0
pub.ip.xx.141   cus.ip.xx.34  QM_IDLE               3       0
pub.ip.xx.141   cus.ip.xx.150 QM_IDLE              13       0
pub.ip.xx.141   cus.ip.xx.50  QM_IDLE              12       0
pub.ip.xx.141   cus.ip.xx.241 QM_IDLE              20       0
pub.ip.xx.141   cus.ip.xx.71  QM_IDLE               9       0
pub.ip.xx.141   cus.ip.xx.31  QM_IDLE              11       0


Posted: Wed Apr 26, 2006 3:34 am
Joined: Tue Apr 25, 2006 3:29 am | Posts: 2
Are you doing dynamic user-based tunnels, or site-to-site tunnels? The latter are (or can be) normally configured like

Code:
interface Tunnel1
ip address 10.1.1.1 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 10.2.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SECUR1


That way, it's just an interface like any other. If you're doing dynamic per-user based tunnels, the story might get much more complex :)

cheers,
arthur


Posted: Wed Apr 26, 2006 8:38 am
Joined: Wed Sep 28, 2005 1:39 pm | Posts: 495
adp wrote:
Are you doing dynamic user-based tunnels?


These are site-to-site tunnels, but to be honest I have yet to set one up myself or even look into how they're currently done. The guys I work with mostly copy/paste what was there before them. <shrug>

Here's an example, though I'm not sure this is everything that goes into bringing a single tunnel up:
Code:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2

crypto isakmp key akeyhash address pub.cust.ip.add
!
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac

crypto map outside 1 ipsec-isakmp
set peer pub.cust.ip.add
set security-association lifetime kilobytes 256000
set transform-set 3des
match address customer_name-in
crypto map outside 3 ipsec-isakmp
set peer pub.cust.ip.add
set security-association lifetime kilobytes 256000
set security-association lifetime seconds 1200
set transform-set 3des-md5

ip access-list standard customer_name-nat

ip access-list extended customer-name


Posted: Thu Apr 27, 2006 10:23 am
Joined: Wed Apr 19, 2006 11:50 am | Posts: 29 | Location: Las Vegas, NV
I use a Cisco VPN 3000 concentrator for lan-to-lan sessions. I wrote a perl script that you may be interested in. The script takes inputs of community, host, session IP and rx or tx. Based on the session IP you provide the script, it will search for the corresponding lan-to-lan session, grab the OID index and return either rx or tx octets received/transferred. Let me know if you're interested in it.

-Dan


Posted: Thu Apr 27, 2006 11:42 am
Joined: Wed Sep 28, 2005 1:39 pm | Posts: 495
VERY!!! If you don't want to post it to the community, feel free to send a private message!

I've even played in perl before, so maybe I or one of my cohorts can look at what you've done in regards to these routers/firewalls.

Did I mention we also have firewalls managing LAN-to-LAN VPNs? Can't find a "tunnel interface OID" for them either... :x


Posted: Thu Apr 27, 2006 11:50 am
Joined: Wed Apr 19, 2006 11:50 am | Posts: 29 | Location: Las Vegas, NV
See attached. I apologize for how dirty and ugly the script is, but it works.

Note: I had to make the script like this because the OID index for lan2lan sessions change whenever a session is disconnected/reconnected.

UPDATE: Added Graph Template

-Dan


Attachments: cacti_graph_template_lan2lan_ancaliantectgw_traffic.xml (13.04 KiB, downloaded 4082 times); lan2lantraffic.txt (2.78 KiB, downloaded 4610 times)
Posted: Thu Apr 27, 2006 12:18 pm
Joined: Wed Sep 28, 2005 1:39 pm | Posts: 495
Cool.

Can you describe the parameters a little more? Perhaps provide an example CLI statement?

What is the "sessionip" in 3000 concentrator terminology?

Actually, while I'm still not sure what some of those parameters (sessionip, rx/tx) refer to exactly, it looks like the RX and TX data templates, under "Custom Data", should have the SessionIP and Flow checkboxes checked so that you define them when applying 'em to a device?


Posted: Thu Apr 27, 2006 12:21 pm
Joined: Wed Apr 19, 2006 11:50 am | Posts: 29 | Location: Las Vegas, NV
Yeah, the session IP is the peer IP of the LAN2LAN session. I took my data out of the exported graph template, so you are correct about the per-device settings.

If you have web administration enabled for the VPN3000, you can see the peer IP for the lan2lan session under Monitoring -> Sessions.

-Dan


Posted: Thu Apr 27, 2006 12:23 pm
Joined: Wed Sep 28, 2005 1:39 pm | Posts: 495
What about the rx/tx parameters?


Last edited by knobdy on Thu Apr 27, 2006 12:27 pm, edited 2 times in total.

Posted: Thu Apr 27, 2006 12:26 pm
Joined: Wed Apr 19, 2006 11:50 am | Posts: 29 | Location: Las Vegas, NV
lan2lansessions.pl community host ip tx will return the TX bytes (alActiveSessionOctetsSent OID) from the device while lan2lansessions.pl community host ip rx will return the RX bytes (alActiveSessionOctetsRecvd OID).
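
Both approaches in this thread come down to the same lookup: arthur's routers expose each Tunnel interface as an ordinary ifTable row, and Dan's script finds a concentrator session by its peer IP because the row index changes every time the session drops and re-establishes. The block below is an added example, not Dan's attached Perl script: it resolves a row by a stable key (peer address, or ifDescr) and only then reads the counter columns, and it emits the "name:value" line a Cacti data-input script returns. The SNMP walk results are constructed dicts standing in for snmpwalk output so it runs offline; the IF-MIB OIDs are real, while the session-table column OIDs under 1.3.6.1.4.1.99999 are placeholders for the peer-address column and for alActiveSessionOctetsRecvd/Sent, which the thread names but does not number.

```python
# Added example (not the thread's Perl script): resolve a tunnel's counters by a
# stable key instead of by row index, because the index moves on reconnect.
#
# Assumptions: walk results are constructed {oid: value} dicts in place of
# snmpwalk output; IF-MIB OIDs are real; the 1.3.6.1.4.1.99999.* column OIDs
# are placeholders for the concentrator's session table.

IF_DESCR = "1.3.6.1.2.1.2.2.1.2"              # IF-MIB ifDescr
IF_HC_IN_OCTETS = "1.3.6.1.2.1.31.1.1.1.6"    # IF-MIB ifHCInOctets
IF_HC_OUT_OCTETS = "1.3.6.1.2.1.31.1.1.1.10"  # IF-MIB ifHCOutOctets

SESS_PEER_ADDR = "1.3.6.1.4.1.99999.1.1"      # placeholder: session peer address column
SESS_OCTETS_RECVD = "1.3.6.1.4.1.99999.1.2"   # placeholder: alActiveSessionOctetsRecvd
SESS_OCTETS_SENT = "1.3.6.1.4.1.99999.1.3"    # placeholder: alActiveSessionOctetsSent


def find_index(walk, column, wanted):
    """Return the index suffix of the single row whose `column` equals `wanted`.
    Zero or several matches is an error: silently picking one would graph the
    wrong customer's tunnel."""
    prefix = column + "."
    hits = [oid[len(prefix):] for oid, value in walk.items()
            if oid.startswith(prefix) and value == wanted]
    if len(hits) != 1:
        raise LookupError("%d rows match %r under %s" % (len(hits), wanted, column))
    return hits[0]


def read_by_key(walk, key_column, wanted, value_column):
    """Find the row where key_column == wanted, then read value_column for it."""
    return walk[value_column + "." + find_index(walk, key_column, wanted)]


def session_octets(walk, peer_ip, direction):
    """Counterpart of 'lan2lansessions.pl community host ip rx|tx': one counter."""
    column = {"rx": SESS_OCTETS_RECVD, "tx": SESS_OCTETS_SENT}[direction]
    return read_by_key(walk, SESS_PEER_ADDR, peer_ip, column)


def tunnel_interface_octets(walk, ifdescr):
    """Same idea for a Tunnel interface: (in, out) 64-bit octet counters by ifDescr."""
    idx = find_index(walk, IF_DESCR, ifdescr)
    return walk[IF_HC_IN_OCTETS + "." + idx], walk[IF_HC_OUT_OCTETS + "." + idx]


def cacti_output(rx, tx):
    """Cacti data-input-script multi-field output: 'name:value' pairs, space separated."""
    return "rx:%d tx:%d" % (rx, tx)


# Constructed session table before and after peer 203.0.113.7 reconnected:
# its row moved from index 5 to index 9 while the other peer stayed at 6.
SESSIONS_BEFORE = {
    SESS_PEER_ADDR + ".5": "203.0.113.7",
    SESS_OCTETS_RECVD + ".5": 1234567,
    SESS_OCTETS_SENT + ".5": 7654321,
    SESS_PEER_ADDR + ".6": "198.51.100.9",
    SESS_OCTETS_RECVD + ".6": 42,
    SESS_OCTETS_SENT + ".6": 43,
}
SESSIONS_AFTER = {
    SESS_PEER_ADDR + ".9": "203.0.113.7",
    SESS_OCTETS_RECVD + ".9": 1000,   # counters restart with the new session
    SESS_OCTETS_SENT + ".9": 2000,
    SESS_PEER_ADDR + ".6": "198.51.100.9",
    SESS_OCTETS_RECVD + ".6": 52,
    SESS_OCTETS_SENT + ".6": 53,
}

# Constructed IF-MIB walk from a router with one Tunnel interface.
IFACES = {
    IF_DESCR + ".1": "FastEthernet0/0",
    IF_DESCR + ".7": "Tunnel1",
    IF_HC_IN_OCTETS + ".1": 900000, IF_HC_OUT_OCTETS + ".1": 800000,
    IF_HC_IN_OCTETS + ".7": 31337, IF_HC_OUT_OCTETS + ".7": 4242,
}

if __name__ == "__main__":
    for table in (SESSIONS_BEFORE, SESSIONS_AFTER):
        print(cacti_output(session_octets(table, "203.0.113.7", "rx"),
                           session_octets(table, "203.0.113.7", "tx")))
    print(cacti_output(*tunnel_interface_octets(IFACES, "Tunnel1")))
```

Two things to watch when wiring this into Cacti. The per-session counters start over when the session re-establishes, and an RRDtool COUNTER data source treats any decrease as a counter wrap, which shows up as a spike; a DERIVE data source with a minimum of 0 drops that sample instead. And a script that takes the community string on its command line, as the posted one does, exposes it to every local user through the process list, so prefer reading it from a file the poller owns or moving the device to SNMPv3.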

