This took me way too long to research, so I'm putting it here in case anyone can use it.
I have an ASA 5520 that is used for IPsec, AnyConnect, and clientless WebVPN clients. I was asked to track the total number of sessions for a licence migration. Since there was a Nagios monitor on site, I hoped to add an SNMP check for the total number of WebVPN sessions (AnyConnect and clientless).
Cisco has the ASA MIBs located here:
ftp://ftp.cisco.com/pub/mibs/supportlists/asa/asa-supportlist.html
The OID values you need, both from CISCO-REMOTE-ACCESS-MONITOR-MIB, are as follows (these are scalar objects, so append the .0 instance when you poll them):

crasIPSecNumSessions    .1.3.6.1.4.1.9.9.392.1.3.26
crasWebvpnNumSessions   .1.3.6.1.4.1.9.9.392.1.3.35
Drop the MIB into the shared MIB folder on the Nagios host, /usr/share/snmp/mibs (net-snmp's default MIB directory).
I had some issues with the Cisco MIB; I haven't tried it on another Nagios host yet, but the OID values worked just fine for my purposes.
In Nagios, create the check_snmp lookup; I opted for a new command:

define command{
        command_name    check_snmp_cisco_oid
        command_line    $USER1$/check_snmp -H $HOSTADDRESS$ -P 2c -C communityname -o $ARG1$ -w $ARG2$ -c $ARG3$
}

Two things worth knowing about this command: the community string sits in plain text in the Nagios config and in the argument list of every check_snmp process (visible to anyone who can run ps on the Nagios host), and SNMPv2c sends it unencrypted on the wire. Use a read-only community, restrict who may poll the firewall with snmp-server host on the ASA, and where possible use SNMPv3 instead (check_snmp -P 3 with -L authPriv and the -U/-a/-A/-x/-X user and key options).
Then define the services for the host:

define service{
        use                     generic-service
        host_name               ASA5520
        service_description     Total Number of Web SSL VPN sessions
        check_command           check_snmp_cisco_oid!.1.3.6.1.4.1.9.9.392.1.3.35.0!50!75
}
define service{
        use                     generic-service
        host_name               ASA5520
        service_description     Total Number of IPSEC VPN sessions
        check_command           check_snmp_cisco_oid!.1.3.6.1.4.1.9.9.392.1.3.26.0!50!75
}

Both services must pass warning and critical thresholds (the 50 and 75 on the IPsec service are the same placeholder values as on the WebVPN one; set them from your licensed session count). If $ARG2$ and $ARG3$ are left empty, check_snmp is invoked with bare -w and -c options and fails instead of returning a count. Note also the trailing .0 on each OID: these are scalar objects and check_snmp needs the instance suffix.
Unfortunately crasIPSecNumSessions only counts IKEv1 IPsec sessions. So far I haven't seen any OID that works for IKEv2 IPsec sessions. Still hunting around, but that would be a good addition.
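Since the goal was the combined session count for the licence migration, here is an added example (not code from the original post) of a small Nagios plugin that polls both OIDs above with net-snmp's snmpget, reports each count plus the total, emits performance data so the history can be graphed, and returns UNKNOWN rather than OK when the agent answers with noSuchObject or the poll fails. The plugin name check_asa_vpn_sessions.py, its option names and the sample snmpget output lines are assumptions of this example; the OIDs are the ones given on this page.

```python
#!/usr/bin/env python3
"""check_asa_vpn_sessions.py: hypothetical Nagios plugin (example, not the post's own code).

Polls crasIPSecNumSessions and crasWebvpnNumSessions on an ASA using
net-snmp's snmpget and alerts on the combined session count.  Everything
after "--" on the command line is handed to snmpget unchanged, so SNMPv3
(-v 3 -l authPriv -u ... -a SHA -A ... -x AES -X ...) works the same way
as v2c (-v 2c -c <community>).
"""
import argparse
import re
import subprocess
import sys

# Scalars from CISCO-REMOTE-ACCESS-MONITOR-MIB; the trailing .0 is the instance.
OIDS = {
    "ipsec": ".1.3.6.1.4.1.9.9.392.1.3.26.0",   # crasIPSecNumSessions (IKEv1 only)
    "webvpn": ".1.3.6.1.4.1.9.9.392.1.3.35.0",  # crasWebvpnNumSessions
}

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Accepts net-snmp's default output ("... = Gauge32: 12"), the "-Ov" form
# ("Gauge32: 12") and the "-Oqv" form ("12").  Anything else, e.g.
# "No Such Object available on this agent at this OID", is treated as an error.
_VALUE_RE = re.compile(r"(?:^|(?:Gauge32|INTEGER|Counter32|Unsigned32):\s*)(\d+)\s*$")


def parse_snmpget_line(line: str) -> int:
    """Extract the integer value from one line of snmpget output."""
    m = _VALUE_RE.search(line.strip())
    if not m:
        raise ValueError(f"unexpected snmpget output: {line.strip()!r}")
    return int(m.group(1))


def evaluate(counts: dict[str, int], warn: int, crit: int) -> tuple[int, str]:
    """Nagios exit code and status line (with perfdata) for the summed session count."""
    total = sum(counts.values())
    if total >= crit:
        state, label = CRITICAL, "CRITICAL"
    elif total >= warn:
        state, label = WARNING, "WARNING"
    else:
        state, label = OK, "OK"
    detail = ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))
    # perfdata: label=value;warn;crit;min, one entry per OID plus the total
    perf = " ".join(f"{k}={v};{warn};{crit};0" for k, v in sorted(counts.items()))
    perf += f" total={total};{warn};{crit};0"
    return state, f"VPN SESSIONS {label} - total={total} ({detail}) | {perf}"


def fetch_counts(host: str, snmp_args: list[str], timeout: float = 10.0) -> dict[str, int]:
    """Run one snmpget per OID; raises on timeout, non-zero exit or unparsable output."""
    counts = {}
    for name, oid in OIDS.items():
        cmd = ["snmpget", *snmp_args, host, oid]
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout, check=True)
        counts[name] = parse_snmpget_line(proc.stdout)
    return counts


def main(argv=None) -> int:
    ap = argparse.ArgumentParser(description="Total ASA remote-access VPN sessions via SNMP")
    ap.add_argument("-H", "--host", required=True, help="ASA management address")
    ap.add_argument("-w", "--warning", type=int, required=True, help="warn at this many sessions")
    ap.add_argument("-c", "--critical", type=int, required=True, help="critical at this many sessions")
    ap.add_argument("snmp_args", nargs=argparse.REMAINDER,
                    help="after '--': options handed to snmpget, e.g. -v 2c -c <community>")
    args = ap.parse_args(argv)
    # argparse keeps the '--' separator in a REMAINDER list; snmpget must not see it.
    snmp_args = args.snmp_args[1:] if args.snmp_args[:1] == ["--"] else args.snmp_args
    try:
        counts = fetch_counts(args.host, snmp_args)
    except (OSError, ValueError, subprocess.SubprocessError) as exc:
        # Never report OK on a failed poll; a silent zero would hide a dead agent.
        print(f"VPN SESSIONS UNKNOWN - {exc}")
        return UNKNOWN
    state, line = evaluate(counts, args.warning, args.critical)
    print(line)
    return state


if __name__ == "__main__":
    sys.exit(main())
```

Invoked as check_asa_vpn_sessions.py -H 10.0.0.1 -w 50 -c 75 -- -v 2c -c communityname it replaces the two check_snmp services with one check whose thresholds apply to the licensed total; with the SNMPv3 options after the "--" nothing leaves the Nagios host in cleartext, and a "No Such Object" reply for an OID the firmware does not implement shows up as UNKNOWN instead of a misleading zero.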
Is there a way to monitor IKEv2 IPSEC sessions? Couldn’t find it online. Cheers!
Check out VPNTTG (VPN Tunnel Traffic Grapher), software for monitoring Cisco ASA IPsec tunnel traffic.
The advantage of VPNTTG over other SNMP-based monitoring software is the following: other (commonly used) software works with static OID numbers, i.e. whenever a tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data gathered on the connection is lost each time. However, VPNTTG works with the VPN peer's IP address and stores the historical monitoring data for each VPN tunnel in a database.
For more information about VPNTTG please visit http://www.vpnttg.com