VPN Tunnel monitoring

knobdy
Cacti User
Posts: 495
Joined: Wed Sep 28, 2005 1:39 pm

VPN Tunnel monitoring

#1 Post by knobdy » Thu Apr 06, 2006 3:38 pm

Anyone done anything to monitor bandwidth used by individual VPN tunnels on either a router or firewall? We have SEVERAL customers that connect to us via VPN tunnels and we'd like to be able to see the traffic each generates. None of the templates I've seen thus far will do this - since I want more than just the number of sessions, but instead a graph like an ordinary interface for "bits/sec Total Bandwidth".

I'm pretty sure CiscoWorks can do this (at least for the concentrators) but I'm not sure what it uses and our installation of CiscoWorks is java-junk...

vanc
Posts: 30
Joined: Thu Mar 02, 2006 2:54 pm
Location: Boston MA USA

#2 Post by vanc » Wed Apr 12, 2006 10:50 am

I don't know that you will be able to get that via SNMP interface statistics. You can try doing an snmpwalk and check if your tunnel defs are shown individually.

We graph our ipsec with all tunnels on the single interface, but our VPN GW is a linux box.

If I were to start graphing the individual traffic with our device, I would look into writing a script to read the values from iptables, which I believe I have seen some templates for in past topics.

Hope that helps a little bit.
Attachments
ipsec_traffic.PNG
IPSec Interface Traffic

knobdy
Cacti User
Posts: 495
Joined: Wed Sep 28, 2005 1:39 pm

#3 Post by knobdy » Wed Apr 12, 2006 11:08 am

I appreciate the response.

knobdy
Cacti User
Posts: 495
Joined: Wed Sep 28, 2005 1:39 pm

#4 Post by knobdy » Wed Apr 12, 2006 3:19 pm

What do you think of these?

Code:
1.3.6.1.2.1.31.1.1.1.15
1.3.6.1.4.1.9.9.171.1.2.1.4

It would seem that the OID 1.3.6.1.4.1.9.9.171.1.3.2.1.32 is what I'm after or close to it, (http://tools.cisco.com/Support/SNMP/do/ ... 1.3.2.1.32) but while doing a basic "snmpwalk -v 2c -c public -t 120 10.10.10.10 .1.3.6.1.4.1.9.9" I get

Code:
Error: OID not increasing: .1.3.6.1.4.1.9.9.171.1.2.2.1.6.1.13.54.53.46.49.57.55.46.50.56.46.49.52.49.1.14.54.54.46.49.54.50.46.50.53.50.46.49.53.48.6
 >= .1.3.6.1.4.1.9.9.171.1.2.2.1.6.1.13.54.53.46.49.57.55.46.50.56.46.49.52.49.1.14.49.52.54.46.49.52.53.46.49.50.56.46.53.48.2

Any ideas?

adp
Posts: 2
Joined: Tue Apr 25, 2006 3:29 am

#5 Post by adp » Tue Apr 25, 2006 3:31 am

On all routers we use for this, the tunnels are created just like an interface. Adding the router to Cacti just shows the Tunnel interfaces like any other interface. Do you have a different config?

cheers,
arthur

knobdy
Cacti User
Posts: 495
Joined: Wed Sep 28, 2005 1:39 pm

#6 Post by knobdy » Tue Apr 25, 2006 9:05 am

These are Cisco 2600 routers. Templates available for the concentrators are also kind of lame - only providing number of associations and the like. That's generally okay though, since most of their connections aren't LAN-to-LAN. The connections on the routers, however, are a different story.

The tunnels on the routers are defined as isakmp policies/SAs - as best I can figure. I can find those in the MIBs...I think - just not their more detailed info. On these routers, the closest I've found to a "sh int" command for the tunnels would have to be:

Code:
#sh crypto isakmp sa
dst             src             state           conn-id    slot
pub.ip.xx.141   cus.ip.xx.250 QM_IDLE               6       0
pub.ip.xx.141   cus.ip.xx.130 QM_IDLE              19       0
cus.ip.xx.2     pub.ip.xx.141 QM_IDLE              18       0
pub.ip.xx.141   cus.ip.xx.31  QM_IDLE               8       0
pub.ip.xx.141   cus.ip.xx.34  QM_IDLE               3       0
pub.ip.xx.141   cus.ip.xx.150 QM_IDLE              13       0
pub.ip.xx.141   cus.ip.xx.50  QM_IDLE              12       0
pub.ip.xx.141   cus.ip.xx.241 QM_IDLE              20       0
pub.ip.xx.141   cus.ip.xx.71  QM_IDLE               9       0
pub.ip.xx.141   cus.ip.xx.31  QM_IDLE              11       0

adp
Posts: 2
Joined: Tue Apr 25, 2006 3:29 am

#7 Post by adp » Wed Apr 26, 2006 3:34 am

Are you doing dynamic user-based tunnels? Or site-to-site tunnels? These are (or can be) normally configured like

Code:
interface Tunnel1
 ip address 10.1.1.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 10.2.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SECUR1

That way, it's just an interface like any other. If you're doing dynamic per-user based tunnels, the story might get much more complex :)

cheers,
arthur

knobdy
Cacti User
Posts: 495
Joined: Wed Sep 28, 2005 1:39 pm

#8 Post by knobdy » Wed Apr 26, 2006 8:38 am

adp wrote: Are you doing dynamic user-based tunnels?
These are site-to-site tunnels, but to be honest I have yet to set one up myself or even look into how they're currently done. The guys I work with mostly copy/paste what was there before them. <shrug>

Here's an example, though I'm not sure this is everything that goes into bringing a single tunnel up:

Code:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key akeyhash address pub.cust.ip.add
!
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac

crypto map outside 1 ipsec-isakmp
 set peer pub.cust.ip.add
 set security-association lifetime kilobytes 256000
 set transform-set 3des
 match address customer_name-in
crypto map outside 3 ipsec-isakmp
 set peer pub.cust.ip.add
 set security-association lifetime kilobytes 256000
 set security-association lifetime seconds 1200
 set transform-set 3des-md5

ip access-list standard customer_name-nat

ip access-list extended customer-name

dbrummer
Posts: 29
Joined: Wed Apr 19, 2006 11:50 am
Location: Las Vegas, NV

#9 Post by dbrummer » Thu Apr 27, 2006 10:23 am

I use a Cisco VPN 3000 concentrator for LAN-to-LAN sessions. I wrote a Perl script that you may be interested in. The script takes inputs of community, host, session IP and rx or tx. Based on the session IP you provide the script, it will search for the corresponding LAN-to-LAN session, grab the OID index and return either rx or tx octets received/transferred. Let me know if you're interested in it.

-Dan

knobdy
Cacti User
Posts: 495
Joined: Wed Sep 28, 2005 1:39 pm

#10 Post by knobdy » Thu Apr 27, 2006 11:42 am

VERY!!! If you don't want to post it to the community, feel free to send a private message!

I've even played in perl before, so maybe I or one of my cohorts can look at what you've done in regards to these routers/firewalls.

Did I mention we also have firewalls managing LAN-to-LAN VPNs? Can't find a "tunnel interface OID" for them either... :x

dbrummer
Posts: 29
Joined: Wed Apr 19, 2006 11:50 am
Location: Las Vegas, NV

#11 Post by dbrummer » Thu Apr 27, 2006 11:50 am

See attached. I apologize for how dirty and ugly the script is, but it works.

Note: I had to make the script like this because the OID index for lan2lan sessions changes whenever a session is disconnected/reconnected.

UPDATE: Added Graph Template

-Dan
Attachments
cacti_graph_template_lan2lan_ancaliantectgw_traffic.xml
lan2lantraffic.txt

knobdy
Cacti User
Posts: 495
Joined: Wed Sep 28, 2005 1:39 pm

#12 Post by knobdy » Thu Apr 27, 2006 12:18 pm

Cool.

Can you describe the parameters a little more? Perhaps provide an example CLI statement?

What is the "sessionip" in 3000 concentrator terminology?

Actually, while I'm still not sure what some of those parameters (sessionip, rx/tx) refer to exactly, it looks like the RX and TX data templates, under "Custom Data", should have the SessionIP and Flow checkboxes checked so that you define them when applying 'em to a device?

dbrummer
Posts: 29
Joined: Wed Apr 19, 2006 11:50 am
Location: Las Vegas, NV

#13 Post by dbrummer » Thu Apr 27, 2006 12:21 pm

Yeah, the session IP is the peer IP of the LAN2LAN session. I took out my data from the exported graph template, so you are correct about the per-device settings.

If you have the web administration enabled for the VPN3000 you can see the peer ip for the lan2lan session under the monitoring->sessions.

-Dan

knobdy
Cacti User
Posts: 495
Joined: Wed Sep 28, 2005 1:39 pm

#14 Post by knobdy » Thu Apr 27, 2006 12:23 pm

What about the rx/tx parameters?

dbrummer
Posts: 29
Joined: Wed Apr 19, 2006 11:50 am
Location: Las Vegas, NV

#15 Post by dbrummer » Thu Apr 27, 2006 12:26 pm

lan2lansessions.pl community host ip tx will return the TX bytes (alActiveSessionOctetsSent OID) from the device while lan2lansessions.pl community host ip rx will return the RX bytes (alActiveSessionOctetsRecvd OID).
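As an added illustration that is not dbrummer's Perl script and not from this thread: a Python sketch of the lookup his script is described as doing in posts #9 and #15 (find the session whose peer IP matches, take its table index, read the counter at that index), run against constructed snmpwalk output so it works offline. The alActiveSessionPeerIp column name and all sample values are assumptions; only the alActiveSessionOctetsSent / alActiveSessionOctetsRecvd names come from the thread.

```python
import re
import sys

# Constructed snmpwalk-style output, not a real capture. alActiveSessionPeerIp is an
# assumed placeholder column; the two octet counters are the names given in the thread.
# Indexes are arbitrary on purpose: they change when a tunnel drops and rebuilds.
SAMPLE_WALK = """\
ALTIGA-SESSION-STATS-MIB::alActiveSessionPeerIp.7 = IpAddress: 198.51.100.10
ALTIGA-SESSION-STATS-MIB::alActiveSessionPeerIp.12 = IpAddress: 203.0.113.25
ALTIGA-SESSION-STATS-MIB::alActiveSessionOctetsSent.7 = Counter32: 123456789
ALTIGA-SESSION-STATS-MIB::alActiveSessionOctetsSent.12 = Counter32: 42
ALTIGA-SESSION-STATS-MIB::alActiveSessionOctetsRecvd.7 = Counter32: 987654321
ALTIGA-SESSION-STATS-MIB::alActiveSessionOctetsRecvd.12 = Counter32: 7
"""

COUNTER_FOR = {"tx": "alActiveSessionOctetsSent", "rx": "alActiveSessionOctetsRecvd"}
LINE_RE = re.compile(r"^[\w-]+::(\w+)\.(\d+) = \w+: (.+)$")

def parse_walk(text):
    """Turn snmpwalk lines into {column: {index: value}}; unparseable lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table.setdefault(m.group(1), {})[int(m.group(2))] = m.group(3)
    return table

def session_index(table, peer_ip):
    """Index of the LAN-to-LAN session whose peer IP matches, looked up on every poll."""
    for index, ip in table.get("alActiveSessionPeerIp", {}).items():
        if ip == peer_ip:
            return index
    return None

def session_octets(walk_text, peer_ip, direction):
    """Octet counter for one tunnel; None when the session is absent (down or rekeying)."""
    if direction not in COUNTER_FOR:
        raise ValueError("direction must be 'rx' or 'tx'")
    table = parse_walk(walk_text)
    index = session_index(table, peer_ip)
    if index is None:
        return None  # report unknown rather than graphing a false zero
    return int(table[COUNTER_FOR[direction]][index])

if __name__ == "__main__":
    # usage: script.py <peer-ip> <rx|tx>, with walk output piped on stdin
    peer, flow = sys.argv[1:3] if len(sys.argv) == 3 else ("203.0.113.25", "tx")
    walk = SAMPLE_WALK if sys.stdin.isatty() else sys.stdin.read()
    value = session_octets(walk, peer, flow)
    print("U" if value is None else value)  # "U" is RRDtool's unknown marker
```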
