IPsec aggregate session counters for crypto maps

Unanswered Question
Mar 20th, 2010

Hi All,

  I'm attempting to poll / graph the usage of various IPsec tunnels. In this case, my side is a Cisco IOS router and the tunnels are static but built with crypto maps. I'd prefer to use VTI; unfortunately, Cisco doesn't allow custom SAs per VTI, and the other side won't agree to an SA of *.. but that's a different conversation.

  I can't find an SNMP MIB OID that will give me aggregate statistics for phase 2 data flow for a given end point. I can, however, find the index of all existing IPsec phase 2 flows and poll the statistics for each.

  I'm using Cacti to do the polls, and it lacks the ability to perform a complicated query such as this, so I've written a script to do the data collection and I simply collect statistics from the script. This is a bit inefficient, so I thought I'd check to see if any of you knew of an OID to report what I'm after.

  My script should give you a clear idea of what I'm looking for:

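#!/bin/sh
# Sum the in/out counters of every IPsec phase 2 flow that belongs to one peer.
TOTAL_IN=0
TOTAL_OUT=0

# Find the rows for the peer's ACL and keep the last OID component as the flow index.
snmpwalk -Oqn myrouter .1.3.6.1.4.1.9.9.172.1.2.1.1.4 | grep "UNIQUE-ACL-NAME-FOR-IPSEC-PEER-I-AM-LOOKINGFOR" | cut -d' ' -f1 | awk -F. '{ print $NF }' | while read BLAH
do
        # Inbound counter for this flow
        VALUE=`snmpget -Oqvn myrouter .1.3.6.1.4.1.9.9.171.1.3.2.1.26.$BLAH | cut -d' ' -f1`
        TOTAL_IN=$(($TOTAL_IN + $VALUE))
        # Outbound counter for this flow
        VALUE=`snmpget -Oqvn myrouter .1.3.6.1.4.1.9.9.171.1.3.2.1.39.$BLAH | cut -d' ' -f1`
        TOTAL_OUT=$(($TOTAL_OUT + $VALUE))
        # Print the running totals; tail -1 keeps only the final pair
        echo $TOTAL_IN $TOTAL_OUT
done | tail -1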
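
The script above issues two snmpget calls per flow; the same per-peer join can be done with three walks and one awk pass. This is an added example, not part of the original post: the function names `aggregate`, `collect` and `sample_walk` and all sample values are constructed, and it assumes, as the original script does, that the last OID component of an ACL row is the flow index used in the counter table.

```shell
#!/bin/sh
# Added example (not from the original post). OIDs are the ones used in the post.
ACL_OID=.1.3.6.1.4.1.9.9.172.1.2.1.1.4
IN_OID=.1.3.6.1.4.1.9.9.171.1.3.2.1.26
OUT_OID=.1.3.6.1.4.1.9.9.171.1.3.2.1.39

# aggregate ACL_NAME: reads tagged walk lines "<A|I|O> <oid> <value>" on stdin and
# prints "<total_in> <total_out>" for the flows whose ACL row contains ACL_NAME.
aggregate() {
    awk -v acl="$1" '
        { n = split($2, p, "."); idx = p[n] }          # trailing OID component = flow index
        $1 == "A" && index($0, acl) { want[idx] = 1 }  # flow belongs to the wanted peer
        $1 == "I" { inb[idx]  = $3 }
        $1 == "O" { outb[idx] = $3 }
        END {
            for (i in want) { tin += inb[i]; tout += outb[i] }
            printf "%.0f %.0f\n", tin, tout            # %.0f avoids exponent notation
        }'
}

# collect HOST ACL_NAME: three walks, tagged and joined in one pass.
# Assumes net-snmp with credentials configured as for the original script.
collect() {
    {
        snmpwalk -Oqn "$1" "$ACL_OID" | sed 's/^/A /'
        snmpwalk -Oqn "$1" "$IN_OID"  | sed 's/^/I /'
        snmpwalk -Oqn "$1" "$OUT_OID" | sed 's/^/O /'
    } | aggregate "$2"
}

# Constructed sample of tagged walk output, so the join can be checked offline.
sample_walk() {
    cat <<'EOF'
A .1.3.6.1.4.1.9.9.172.1.2.1.1.4.11 "PEER-A-ACL"
A .1.3.6.1.4.1.9.9.172.1.2.1.1.4.12 "PEER-B-ACL"
A .1.3.6.1.4.1.9.9.172.1.2.1.1.4.13 "PEER-A-ACL"
I .1.3.6.1.4.1.9.9.171.1.3.2.1.26.11 1000
I .1.3.6.1.4.1.9.9.171.1.3.2.1.26.12 50
I .1.3.6.1.4.1.9.9.171.1.3.2.1.26.13 2500
O .1.3.6.1.4.1.9.9.171.1.3.2.1.39.11 300
O .1.3.6.1.4.1.9.9.171.1.3.2.1.39.12 70
O .1.3.6.1.4.1.9.9.171.1.3.2.1.39.13 4000000000
EOF
}

sample_walk | aggregate PEER-A-ACL
```

Against a live router, `collect myrouter ACL-NAME` prints the same two totals, and a peer with no matching flows yields `0 0` rather than empty output.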
