Query IPSEC VPNs with snmpwalk on Cisco ASA

Posted on May 5, 2014

3



The followings links can be used for the list of Cisco ASA SNMP MIBs. Cisco ASA SNMP MIBs:

ftp://ftp.cisco.com/pub/mibs/supportlists/asa/asa-supportlist.html

ftp://ftp.cisco.com/pub/mibs/v2/CISCO-IPSEC-FLOW-MONITOR-MIB.my

OIDs Information page:

http://www.mibdepot.com/cgi-bin/getmib3.cgi?win=mib_av&i=1&n=CISCO-IPSEC-FLOW-MONITOR-MIB&r=hp&f=ipsec-flow.mi2&v=v2&t=tree

IKE SNMP Queries example

1. Check my IP in the firewall that terminates vpns.

OID 1.3.6.1.4.1.9.9.171.1.2.3.1.3
OID NAME cikeTunRemoteValue
OID Description The value of the local peer identity. If the local peer type is an IP Address, then this is the IP Address used to identify the local peer. If the local peer type is a host name, then this is the host name used to identify the local peer.

 

[root@localhost ~]# snmpwalk -v 2c -c cisco1234 191.126.40.130 1.3.6.1.4.1.9.9.171.1.2.3.1.3
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.3.22269952 = STRING: "190.130.44.212"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.3.53874688 = STRING: "190.130.44.212"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.3.57499648 = STRING: "190.130.44.212"
...

2. Check List the remote peer IPs for VPN tunnels.

OID 1.3.6.1.4.1.9.9.171.1.2.3.1.7
OID NAME cikeTunRemoteValue
OID Description The value of the remote peer identity. If the remote peer type is an IP Address, then this is the IP Address used to identify the remote peer. If the remote peer type is a host name, then this is the host name used to identify the remote peer.

 

[root@localhost ~]# snmpwalk -v 2c -c cisco1234 191.126.40.130 1.3.6.1.4.1.9.9.171.1.2.3.1.7 | grep 190.78.22.60
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.178352128 = STRING: "190.78.22.60"

3. List the octets (bytes) used by IKE (not productive traffic!)

OID 1.3.6.1.4.1.9.9.171.1.2.3.1.19
OID NAME cikeTunInOctets
OID Description The total number of octets received by this IPsec Phase-1 IKE Tunnel.

 

[root@localhost ~]# snmpwalk -v 2c -c cisco1234 191.126.40.130 1.3.6.1.4.1.9.9.171.1.2.3.1.19 | grep 178352128
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.19.178352128 = Counter32: 1774880
OID 1.3.6.1.4.1.9.9.171.1.2.3.1.27
OID NAME cikeTunOutOctets
OID Description The total number of octets sent by this IPsec Phase-1 IKE Tunnel.

 

[root@localhost ~]# snmpwalk -v 2c -c cisco1234 191.126.40.130 1.3.6.1.4.1.9.9.171.1.2.3.1.27 | grep 178352128
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.27.178352128 = Counter32: 1345213

4. Count of vpn L2L tunnels.

OID 1.3.6.1.4.1.9.9.392.1.3.29.0
OID NAME crasL2LNumSessions
OID Description Count of VPN Sessions…

 

[root@localhost ~]# snmpwalk -v 2c -c cisco1234 191.126.40.130 1.3.6.1.4.1.9.9.392.1.3.29.0
SNMPv2-SMI::enterprises.9.9.392.1.3.29.0 = Gauge32: 86

IPSec SNMP Queries example

1. List the remote peer IPs for VPN tunnels in HEX.

OID 1.3.6.1.4.1.9.9.171.1.3.2.1.5
OID NAME cipSecTunRemoteAddr
OID Description The IP address of the remote endpoint for the IPsec Phase-2 Tunnel.

 

[root@localhost ~]# snmpwalk -v 2c -c cisco1234 191.126.40.130 1.3.6.1.4.1.9.9.171.1.3.2.1.5 | grep 2240428
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.5.2240428 = Hex-STRING: BE 4E 16 3C 

Hex-STRING: BE 4E 16 3C is the ip 190.78.22.60

2. List the associated IKE oid indexes.

OID 1.3.6.1.4.1.9.9.171.1.3.2.1.2
OID NAME cipSecTunIkeTunnelIndex
OID Description The index of the associated IPsec Phase-1 IKE Tunnel.(cikeTunIndex in the cikeTunnelTable)

 

[root@localhost ~]# snmpwalk -v 2c -c cisco1234 191.126.40.130 1.3.6.1.4.1.9.9.171.1.3.2.1.2 | grep 178352128 
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.2.2240428 = INTEGER: 178352128
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.2.2485303 = INTEGER: 178352128
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.2.2486216 = INTEGER: 178352128
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.2.2486679 = INTEGER: 178352128
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.2.2487198 = INTEGER: 178352128

3. List the octets (bytes) used by IPSec (productive traffic for each SAs)

OID 1.3.6.1.4.1.9.9.171.1.3.2.1.26
OID NAME cipSecTunInOctets
OID Description The total number of octets received by this IPsec Phase-2 Tunnel. This value is accumulated BEFORE determining whether or not the packet should be decompressed. See also cipSecTunInOctWraps for the number of times this counter has wrapped.

 

[root@localhost ~]# snmpwalk -v 2c -c cisco1234 191.126.40.130 1.3.6.1.4.1.9.9.171.1.3.2.1.26.2240428
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.26.2240428 = Counter32: 1180178837
[root@localhost ~]# snmpwalk -v 2c -c cisco1234 191.126.40.130 1.3.6.1.4.1.9.9.171.1.3.2.1.26.2485303
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.26.2485303 = Counter32: 25944214
[root@localhost ~]# snmpwalk -v 2c -c cisco1234 191.126.40.130 1.3.6.1.4.1.9.9.171.1.3.2.1.26.2486216
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.26.2486216 = Counter32: 217919744
OID 1.3.6.1.4.1.9.9.171.1.3.2.1.39
OID NAME cipSecTunOutOctets
OID Description The total number of octets sent by this IPsec Phase-2 Tunnel. This value is accumulated AFTER determining whether or not the packet should be compressed. See also cipSecTunOutOctWraps for the number of times this counter has wrapped.

 

[root@localhost ~]# snmpwalk -v 2c -c cisco1234 191.126.40.130 1.3.6.1.4.1.9.9.171.1.3.2.1.39.2240428
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.39.2240428 = Counter32: 341998368
[root@localhost ~]# snmpwalk -v 2c -c cisco1234 191.126.40.130 1.3.6.1.4.1.9.9.171.1.3.2.1.39.2485303
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.39.2485303 = Counter32: 13769851
[root@localhost ~]# snmpwalk -v 2c -c cisco1234 191.126.40.130 1.3.6.1.4.1.9.9.171.1.3.2.1.39.2486216
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.39.2486216 = Counter32: 42068995

Cisco ASA perl scripts: http://www.cpan.org/scripts/

— they should be all here…

Cacti plugin for vpn: http://forums.cacti.net/about22877.html

Problem with snmp for IPSec VPN

The problem with snmp for vpn ipsec tunnels is that it changes the OID for a peer dynamically after the ipsec sa will be deleted.
(If the sa will be rekeyed, the OID will not change.) If you have many of vpn like 100 vpn peers, then you have a multiple of ike sas (see the point “2. List the associated IKE oid indexes.” above.).
The script, that collects the ipsec traffic for specific peer or peers, needs a quite lot of time to process the OIDs for all tha IKE SAs per peer.

If you download a perl script that can collect IPSec traffic you will see on your own that it is slow.

It the following section I checked if oid change is really true:

[root@localhost ~]# clock
Tue 08 Apr 2014 10:19:23 AM CEST  -0.711612 seconds
[root@localhost ~]# snmpwalk -v 2c -c cisco1234 191.126.40.130 1.3.6.1.4.1.9.9.171.1.2.3.1.7 | grep 65.203.231.61
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.53874688 = STRING: "65.203.231.61" 
asa-tg2-fr2k/pri/act(config)# sh cry ipsec sa peer 65.203.231.61
peer address: 65.203.231.61
    Crypto map tag: firmen, seq num: 10, local addr: 190.130.44.212

      access-list tun-blackhawk-prod2 extended permit ip host 194.156.44.251 65.203.238.160 255.255.255.240 time-range End-Dec-2035 
      local ident (addr/mask/prot/port): (194.156.44.251/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (65.203.238.160/255.255.255.240/0/0)
      current_peer: 65.203.231.61

      #pkts encaps: 34229, #pkts encrypt: 34229, #pkts digest: 34229
      #pkts decaps: 68186, #pkts decrypt: 68186, #pkts verify: 68186
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 34229, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 190.130.44.212/0, remote crypto endpt.: 65.203.231.61/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: F55F7208
      current inbound spi : FEF46C81

    inbound esp sas:
      spi: 0xFEF46C81 (4277431425)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 53874688, crypto-map: firmen
         sa timing: remaining key lifetime (sec): 1848  

 

[root@localhost cli]# clock
Tue 08 Apr 2014 03:13:54 PM CEST  -0.613167 seconds
[root@localhost cli]# snmpwalk -v 2c -c cisco1234 191.126.40.130 1.3.6.1.4.1.9.9.171.1.2.3.1.7 | grep 65.203.231.61
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.53874688 = STRING: "65.203.231.61" 

That all folks!

Advertisements
Posted in: ASA, Cisco, Linux, Security, VPN