VPN monitoring solution

Answered Question
Aug 26th, 2007

A certain customer has a main office and several branch offices connected through VPN.

He needs a solution that will allow him to monitor VPN sessions and specific info (e.g., number of sessions, source of session, date, duration, bandwidth used, etc.).

Does Cisco provide such a solution?

A solution with a graphical interface is preferred.

Please, your fast response is appreciated.

elovelace256 Wed, 08/29/2007 - 04:59

I have been asking the same question for weeks with no definitive answer. If you find one please let me know.

Correct Answer
beecher Fri, 08/31/2007 - 10:06

Included with Cisco Security Manager is an application called Performance Monitor, which supports the monitoring of remote-access and site-to-site VPNs. Links:

Security Manager:

http://www.cisco.com/go/csmanager

Performance Monitor User Guide:

http://www.cisco.com/en/US/products/ps6498/products_user_guide_book09186a00806b7a60.html

Performance Monitor originates from the previous security management product called CiscoWorks VMS and is currently not undergoing much further enhancement. We would like to introduce an updated security-related health and performance monitoring capability on-par with Security Manager, but no definite word yet.

Security Manager and Performance Monitor can be downloaded and used for up to 90 days for evaluation.

zakid Mon, 12/15/2008 - 22:59

Good day,

Dear, can you provide me the usage guide for CSM?

Thanks & regards,

khinze Thu, 09/13/2007 - 06:47

We have CSM and I'm working on getting it configured. I do not see Perf Mon and see no way to monitor devices such as # sessions, etc. I have been looking at open source Cacti. It looks like it could provide this. Anyone else get Cacti, NMIS, or other NMS tool working to monitor ASAs for VPN session info?

beecher Thu, 09/13/2007 - 06:55

Beginning with Security Manager 3.1, Performance Monitor is included on the product DVD as a separate installer. You need to at least first install Common Services using the Security Manager installer and then install Performance Monitor. Performance Monitor uses the traditional CiscoWorks browser interface.

For 3.0 and 3.1 versions, Performance Monitor is also available for download here:

http://www.cisco.com/cgi-bin/tablebuild.pl/csm-app

khinze Thu, 09/13/2007 - 07:00

Thank you, CSM looks pretty amazing but is really a huge application. I had been working to set it up to manage, not monitor. I will take a look.

khinze Thu, 09/13/2007 - 07:13

BTW, I just downloaded and started the installer but it won't accept the CSM license key file. I guess I can just install as eval.

beecher Thu, 09/13/2007 - 07:19

Performance Monitor requires a different license file. For Security Manager 3.0, the license file is included on the DVD, but for 3.1 it is delivered via registering the included PAK on Cisco.com and receiving via email. The Performance Monitor license file is installed using the Common Services browser interface (not the Security Manager client). Click CiscoWorks in the upper right of the browser after logging in, then Common Services > Server > Admin > Licensing.

jaye15394 Wed, 07/16/2008 - 12:35

Hi all, I'm in the same boat.

I actually have PIX running 6.3 software with a few site to site VPN tunnels. Is there any way to monitor the bandwidth utilization of a particular tunnel?

Same question goes with ASAs and using ASDM...no plans to get CSM here...

Thanks,

Jason

khinze Wed, 07/16/2008 - 13:01

Interesting question. I installed Cacti [www.cacti.net] and am getting graphs of number of tunnels, bandwidth etc. But I don't know whether you can do bandwidth per tunnel. I'll have to tinker with that.

nikuhappy2010 Mon, 07/21/2008 - 16:14

Guys, did you find any way to monitor the bandwidth on a per-tunnel basis? If yes, then tell me... Thanks

Darthkim_2 Mon, 09/24/2007 - 16:45

For our install, I was only interested in the concurrent # of users logged in.

Here is the SNMP OID.

.1.3.6.1.4.1.9.9.392.1.3.3.0

If you want more, you should look at the MIB and MIB2 for the ASA (available on the Cisco website).

elovelace256 Mon, 07/21/2008 - 17:15

This seems to be a never-ending question. I think that CiscoWorks and Cacti can monitor them, but it's cumbersome either to set up or to manage.

What I want is SolarWinds Orion or even another easy network management tool to provide this functionality.

I would like to see the ASA treat the VPN tunnels almost like interfaces. That way you can manage, monitor, and configure them just like any other interface.

Michael.Tuggle@... Fri, 08/01/2008 - 11:06

I am looking into the same thing. What I have found so far is OID string 1.3.6.1.4.1.9.9.171.1.2.3.1.7 will give you the tunnels with remote address and I use OID 1.3.6.1.4.1.9.9.171.1.2.1.1 to verify the number of tunnels are correct. These are Phase 1 stats. I am looking on how to monitor some WEBVPN session. If anyone has any information it would be appreciated.

bhpci Mon, 09/08/2008 - 09:34

I have ASAs that I monitor using the ASDM (v. 6.02). Under Monitoring, VPN Statistics, Sessions you can filter by Remote Access, Site-to-Site, clientless SSL, SSL client or email proxy. Under Site-to-Site there are stats for connection/IP address, protocol/encryption, login time/duration and Bytes TX/RX.

cchughes Tue, 12/23/2008 - 18:39

I see what you mean, but every time the connection is re-negotiated the stats clear. Is there a way to gather real history?
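One way to keep history despite the counters clearing on renegotiation, as an added example that is not part of the original thread: poll the per-session byte counters on a schedule and sum deltas, treating a changed login time or a counter that went backwards as a new session. The tuple layout, function name and sample polls are assumptions constructed for illustration; how the values are collected (SNMP, ASDM export, CLI scrape) is left open.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class TunnelTotals:
    tx: int = 0                  # bytes sent, summed across all sessions
    rx: int = 0                  # bytes received, summed across all sessions
    resets: int = 0              # renegotiations observed for this peer
    login: Optional[str] = None  # login time of the session seen at the last poll
    last_tx: int = 0
    last_rx: int = 0

def accumulate(samples):
    """samples: (peer, login_time, tx_bytes, rx_bytes) tuples in polling order."""
    totals = {}
    for peer, login, tx, rx in samples:
        t = totals.setdefault(peer, TunnelTotals())
        # A new session shows up as a different login time; counters going
        # backwards is the fallback signal when login time is unavailable.
        new_session = (t.login is None or login != t.login
                       or tx < t.last_tx or rx < t.last_rx)
        if new_session:
            if t.login is not None:
                t.resets += 1
            t.tx += tx           # counters restarted from zero
            t.rx += rx
        else:
            t.tx += tx - t.last_tx
            t.rx += rx - t.last_rx
        t.login, t.last_tx, t.last_rx = login, tx, rx
    return totals

# Constructed polls: the first peer renegotiates twice; after the second
# renegotiation its counters are already higher than at the previous poll,
# so only the login time reveals the reset.
SAMPLES = [
    ("203.0.113.10", "08:00", 1000, 2000),
    ("198.51.100.7", "08:05", 100, 100),
    ("203.0.113.10", "08:00", 5000, 9000),
    ("198.51.100.7", "08:05", 250, 400),
    ("203.0.113.10", "09:30", 300, 400),
    ("203.0.113.10", "09:30", 800, 1400),
    ("203.0.113.10", "11:00", 2000, 3000),
]

if __name__ == "__main__":
    for peer, t in accumulate(SAMPLES).items():
        print(peer, "tx", t.tx, "rx", t.rx, "resets", t.resets)
```

Bytes transferred between the last poll and a renegotiation are never seen, so a shorter polling interval reduces the undercount.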

khinze Wed, 12/24/2008 - 06:25

Well, Cacti <http://www.cacti.net/> provides a close to 90% solution. It provides metrics but I don't think it will report. We also use NMIS and it will send alerts for outages. This is the best I've been able to come up with.

cchughes Wed, 12/24/2008 - 06:34

I just implemented Netflow with SolarWinds and I can now get the statistics I need by filtering on the tunneled destination addresses.

elovelace256 Wed, 12/24/2008 - 13:43

I would like to see VPNs configured as a virtual interface just like a VLAN.

This way I can just add the virtual interface to my monitoring solution and monitor it just like the rest of the interfaces.

Santa, can you bring me that for Christmas?

Eric,

If it was that piece of cake, everyone would have already done that :)

Kevin,

About Cacti, would it be possible for you to share some snaps, because maybe your 90% solution could be more useful for someone else.

Chris,

I believe NetFlow is only for routers/switches. Did you configure it for firewall/concentrator? Haven't heard about that in my experience, can you share something useful?

I guess everyone here needs this sort of solution, so we must raise the bar to Cisco, maybe on an idea forum or some other platform, that they should work on these particular features: monitoring the VPN tunnels, their historical bandwidth and session reporting, and above all, flow analysis of traffic passing through the tunnels.

regards,

Mohsin

cchughes Fri, 12/26/2008 - 06:08

Because all traffic within the network I am working with has to go through my core to traverse the vpn link, by implementing netflow on the core I get stats on any source/destination traffic that uses the tunnels I support. (there are more than one)

I'm using SolarWinds Orion to poll for netflow stats and query history.

Also, in a pinch, with a little ASA log analysis I can pick up stats on individual user vpn sessions as well.
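The ASA log analysis mentioned above could look like the following, as an added example that is not part of the original thread. It assumes the ASA session-disconnect syslog message 113019 in the layout shown in the sample lines, which are constructed; check the layout against your software version.

```python
import re
from collections import defaultdict

# Assumed layout of the session-disconnect message (113019); days are optional.
DISCONNECT = re.compile(
    r"%ASA-\d-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\. Session Type: (?P<type>[^,]+), "
    r"Duration: (?:(?P<d>\d+)d )?(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<tx>\d+), Bytes rcv: (?P<rx>\d+)"
)

def summarize(lines):
    """Aggregate per-user session count, connected seconds, bytes and source IPs."""
    stats = defaultdict(lambda: {"sessions": 0, "seconds": 0,
                                 "tx": 0, "rx": 0, "sources": set()})
    for line in lines:
        m = DISCONNECT.search(line)
        if not m:
            continue  # not a session-disconnect record
        u = stats[m["user"]]
        u["sessions"] += 1
        u["seconds"] += (int(m["d"] or 0) * 86400 + int(m["h"]) * 3600
                         + int(m["m"]) * 60 + int(m["s"]))
        u["tx"] += int(m["tx"])
        u["rx"] += int(m["rx"])
        u["sources"].add(m["ip"])
    return dict(stats)

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    "Dec 26 2008 09:14:02: %ASA-4-113019: Group = RA-VPN, Username = alice, "
    "IP = 203.0.113.25, Session disconnected. Session Type: IPsec, "
    "Duration: 1h:02m:30s, Bytes xmt: 1048576, Bytes rcv: 524288, Reason: User Requested",
    "Dec 26 2008 09:20:11: %ASA-6-302013: Built outbound TCP connection 101 "
    "for outside:192.0.2.1/443",
    "Dec 26 2008 10:01:45: %ASA-4-113019: Group = RA-VPN, Username = bob, "
    "IP = 198.51.100.7, Session disconnected. Session Type: IPsec, "
    "Duration: 0h:05m:12s, Bytes xmt: 4096, Bytes rcv: 8192, Reason: Idle Timeout",
    "Dec 27 2008 10:30:00: %ASA-4-113019: Group = RA-VPN, Username = alice, "
    "IP = 198.51.100.40, Session disconnected. Session Type: IPsec, "
    "Duration: 1d 0h:00m:10s, Bytes xmt: 2000, Bytes rcv: 3000, Reason: User Requested",
]

if __name__ == "__main__":
    for user, s in sorted(summarize(SAMPLE_LOG).items()):
        print(user, s["sessions"], s["seconds"], s["tx"], s["rx"], sorted(s["sources"]))
```

A user whose sessions arrive from several source addresses in a short window, as alice does in the sample, is worth a second look when reviewing the summary.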

khinze Fri, 12/26/2008 - 07:38

I'll try to attach again - it croaked last time.

So just to be clear, our ~90% solution includes NMIS <http://nmis.co.nz/drupal/> to provide the system uptime and alerting, while Cacti <http://www.cacti.net/> provides metrics on active tunnels, throughput etc.

Attachments are NMIS_Ping_Response, Cacti_24hr_Active_Tunnels and Cacti_30days_Active_Tunnels.

Djiguidjik Tue, 05/26/2009 - 07:33

Hi,

Do you have the same for SSL VPN?

I want to have graphs for SSL VPN on my ASA but Performance Monitor doesn't support it and I can't find anything on the internet to do it with Cacti or anything else...

cchughes Tue, 05/26/2009 - 07:43

I use Netflow. If I want graphs for SSL VPN I need to identify the IP address of the endpoint first and then I can get good graphs etc. This isn't the best solution as most endpoints for SSL VPN change periodically. Custom SNMP pollers don't work well as the VPN session changes between connections and you can't easily track sessions because the SNMP MIB keeps changing.

khinze Tue, 05/26/2009 - 11:17

I have to say we do not use SSL. Only IPSec. But I am looking for OID and how to configure Cacti for SSL as well. I will post / let you know what I find.

Djiguidjik Thu, 10/01/2009 - 01:08

Nobody has found anything for SSL Statistics on Cacti?? I'm trying to do it myself but I'm not getting any results...

khinze Mon, 10/05/2009 - 07:11

Thanks, I am going to try it on for size. Good work,

raindrop18 Mon, 11/02/2009 - 13:31

I have tried your Cacti template, great work, but the graph is blank. I created a new template using the Generic SNMP template as you suggested on the Cacti forum, but OID 1.3.6.1.4.1.9.9.392.1.3.38 is returning 2000 lines of output. It may need a specific submode; did you do anything specific? Thanks!
