puseth
Level 1

If we want to get the username, assigned IP and tunnel-group of the Cisco IPsec remote-access (RA) VPN users connected to the ASA using SNMP, then we need to use the MIB "CISCO-REMOTE-ACCESS-MONITOR-MIB".

 

 

crasUsername (1.3.6.1.4.1.9.9.392.1.3.21.1.1) is the OID that can be used to fetch the username.

 

But if we check the ASA's built-in OID database closely, there is no such OID:

ASA-5510-8x(config)# sh snmp-server oidlist | in crasU

The command returns nothing, so we don't have 1.3.6.1.4.1.9.9.392.1.3.21.1.1 (crasUsername).

 

 

But if we walk this OID subtree on the ASA, we find other OIDs that return information about the VPN clients connected to the ASA:

 

 

1.3.6.1.4.1.9.9.392.1.3.21.1.2     crasGroup
1.3.6.1.4.1.9.9.392.1.3.21.1.4     crasAuthenMethod
1.3.6.1.4.1.9.9.392.1.3.21.1.5     crasAuthorMethod
1.3.6.1.4.1.9.9.392.1.3.21.1.6     crasSessionDuration
1.3.6.1.4.1.9.9.392.1.3.21.1.7     crasLocalAddressType
1.3.6.1.4.1.9.9.392.1.3.21.1.8     crasLocalAddress
1.3.6.1.4.1.9.9.392.1.3.21.1.9     crasISPAddressType
1.3.6.1.4.1.9.9.392.1.3.21.1.10    crasISPAddress
1.3.6.1.4.1.9.9.392.1.3.21.1.11    crasSessionProtocol
1.3.6.1.4.1.9.9.392.1.3.21.1.12    crasProtocolElement
1.3.6.1.4.1.9.9.392.1.3.21.1.13    crasSessionEncryptionAlgo
1.3.6.1.4.1.9.9.392.1.3.21.1.14    crasSessionPktAuthenAlgo
1.3.6.1.4.1.9.9.392.1.3.21.1.15    crasSessionCompressionAlgo
1.3.6.1.4.1.9.9.392.1.3.21.1.16    crasHeartbeatInterval
1.3.6.1.4.1.9.9.392.1.3.21.1.17    crasClientVendorString
1.3.6.1.4.1.9.9.392.1.3.21.1.18    crasClientVersionString
1.3.6.1.4.1.9.9.392.1.3.21.1.19    crasClientOSVendorString
1.3.6.1.4.1.9.9.392.1.3.21.1.20    crasClientOSVersionString
1.3.6.1.4.1.9.9.392.1.3.21.1.21    crasPrimWINSServerAddrType
1.3.6.1.4.1.9.9.392.1.3.21.1.22    crasPrimWINSServer
1.3.6.1.4.1.9.9.392.1.3.21.1.23    crasSecWINSServerAddrType
1.3.6.1.4.1.9.9.392.1.3.21.1.24    crasSecWINSServer
1.3.6.1.4.1.9.9.392.1.3.21.1.25    crasPrimDNSServerAddrType
1.3.6.1.4.1.9.9.392.1.3.21.1.26    crasPrimDNSServer
1.3.6.1.4.1.9.9.392.1.3.21.1.27    crasSecDNSServerAddrType
1.3.6.1.4.1.9.9.392.1.3.21.1.28    crasSecDNSServer
1.3.6.1.4.1.9.9.392.1.3.21.1.29    crasDHCPServerAddrType
1.3.6.1.4.1.9.9.392.1.3.21.1.30    crasDHCPServer
1.3.6.1.4.1.9.9.392.1.3.21.1.31    crasSessionInPkts
1.3.6.1.4.1.9.9.392.1.3.21.1.32    crasSessionOutPkts
1.3.6.1.4.1.9.9.392.1.3.21.1.33    crasSessionInDropPkts
1.3.6.1.4.1.9.9.392.1.3.21.1.34    crasSessionOutDropPkts
1.3.6.1.4.1.9.9.392.1.3.21.1.35    crasSessionInOctets
1.3.6.1.4.1.9.9.392.1.3.21.1.36    crasSessionOutOctets
1.3.6.1.4.1.9.9.392.1.3.21.1.37    crasSessionState

 

 

 

The ASA as of now does not provide the username of the VPN user as a readable object in *clear text*: it is only present, encoded as decimal ASCII values, in the instance index of the other columns of the table. A couple of bugs have been filed for this, one of them being

CSCtc36391    ASA snmp object crasUsername should be readable

But we can follow the procedure below to get the other useful information.

 

 

 

snmpwalk.exe -c public -v 2c 192.168.16.xx "1.3.6.1.4.1.9.9.392.1.3.21.1.2"

 

SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.2.8.97.115.116.114.105.112.97.116.290817 = STRING: "puneet"

 

 

This tells us both the name of the tunnel-group and the username used to connect to the ASA.

The value, "puneet", is the name of the tunnel-group (crasGroup). The username is not in the value at all; it is in the instance index appended to the OID, where each character is stored as its decimal ASCII code. Decode the index as follows:

9.9.392.1.3.21.1.2.8.97.115.116.114.105.112.97.116.290817

2 is the crasGroup column
8 is the length of the username
97.115.116.114.105.112.97.116 are the eight characters: a s t r i p a t
290817 is the per-session index, which together with the username identifies the row (the same number appears on every other column for this session)

 

 

 
ASCII translation:

 

  97 = a

115 = s

116 = t

114 = r

105 = i

112 = p

  97 = a

116 = t

 

 

Check the decimal-to-character column of the ASCII table at this website

http://www.asciitable.com/

 

 

Compare this with the simultaneous output from the ASA

 

 

ASA-5510-8x(config)# sh vpn-sessiondb remote

Session Type: IPsec

Username     : astripat               Index        : 71

Assigned IP  : 3.3.3.5                Public IP    : 10.78.167.32

Protocol     : IKE IPsec

License      : IPsec

Encryption   : 3DES                   Hashing      : MD5 SHA1

Bytes Tx     : 0                           Bytes Rx     : 0

Group Policy : puneet                Tunnel Group : puneet

Login Time   : 12:43:47 MST Thu Jan 14 1993

Duration     : 0h:22m:28s

NAC Result   : Unknown

VLAN Mapping : N/A                    VLAN         : none

 

 

These OIDs give us some more information:

Client's public (ISP-side) IP address (crasISPAddress)

****************************************

snmpwalk.exe -c public -v 2c 192.168.16.xx 1.3.6.1.4.1.9.9.392.1.3.21.1.10

SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.10.8.97.115.116.114.105.112.97.116.290817 = STRING: "10.78.167.32"

 

 

IP address assigned to the VPN client (crasLocalAddress)

********************************************************

snmpwalk.exe -c public -v 2c 192.168.16.xx 1.3.6.1.4.1.9.9.392.1.3.21.1.8

SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.8.8.97.115.116.114.105.112.97.116.290817 = STRING: "3.3.3.5"
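The decoding and correlation above, done by hand for one user, can be automated by parsing snmpwalk output. The following is an added example and not code from the original post or from the ASA: it decodes the username and session index from the instance index, merges the crasGroup, crasLocalAddress and crasISPAddress rows for each session, and prints one line per session. The astripat lines in the sample are the walk output quoted above; the gaurav address lines are constructed here from its "sh vpn-sessiondb" output further down, one of them using the numeric prefix that snmpwalk -On prints. The field names in COLUMNS are my own.

```python
import re

# Worked example (added here, not code from the original post): rebuild a
# per-session table from snmpwalk output of the crasSessionTable columns.
# The username is not a readable object, so it is recovered from the instance
# index, whose layout the walk output above shows as:
#     <len>.<len ASCII codes of the username>.<session index>

# crasSessionEntry column numbers used here (from the OID list in the post);
# the value names are this example's own
COLUMNS = {
    2: "tunnel_group",   # crasGroup
    6: "duration",       # crasSessionDuration
    8: "assigned_ip",    # crasLocalAddress
    10: "public_ip",     # crasISPAddress
    37: "state",         # crasSessionState
}

# Matches the OID tail whatever prefix snmpwalk prints (SNMPv2-SMI::enterprises.9.9.392...,
# iso.3.6.1.4.1.9.9.392..., or numeric .1.3.6.1.4.1.9.9.392... with -On)
_ROW_RE = re.compile(
    r"9\.9\.392\.1\.3\.21\.1\.(?P<col>\d+)\.(?P<idx>[\d.]+)\s*=\s*(?P<type>\w+):\s*(?P<val>.*)$"
)


def decode_index(idx):
    """'8.97.115.116.114.105.112.97.116.290817' -> ('astripat', 290817)."""
    parts = [int(p) for p in idx.split(".")]
    n = parts[0]
    if len(parts) != n + 2:  # length + n characters + session index
        raise ValueError("malformed crasSessionEntry index: %r" % idx)
    username = bytes(parts[1:1 + n]).decode("ascii")
    return username, parts[1 + n]


def parse_walk(lines):
    """Merge walk lines into {(username, session_index): {field: value}}."""
    sessions = {}
    for line in lines:
        m = _ROW_RE.search(line)
        if not m:
            continue  # not a crasSessionTable row
        col = int(m.group("col"))
        if col not in COLUMNS:
            continue  # a column this example does not report
        user, sess = decode_index(m.group("idx"))
        val = m.group("val").strip()
        if m.group("type") == "STRING":
            val = val.strip('"')
        row = sessions.setdefault((user, sess), {"username": user, "session": sess})
        row[COLUMNS[col]] = val
    return sessions


def format_rows(sessions):
    """One line per session: username, tunnel group, assigned IP, public IP."""
    out = []
    for key in sorted(sessions):
        r = sessions[key]
        out.append("%-12s %-12s %-15s %s" % (
            r["username"], r.get("tunnel_group", "-"),
            r.get("assigned_ip", "-"), r.get("public_ip", "-")))
    return out


# Constructed sample: the astripat lines are the walk output quoted in the post;
# the gaurav address lines are made up here from its 'sh vpn-sessiondb' output,
# and two lines use the numeric -On prefix to show the parser does not care.
SAMPLE_WALK = """
SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.2.8.97.115.116.114.105.112.97.116.290817 = STRING: "puneet"
SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.2.6.103.97.117.114.97.118.90113 = STRING: "puneet"
SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.8.8.97.115.116.114.105.112.97.116.290817 = STRING: "3.3.3.5"
SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.10.8.97.115.116.114.105.112.97.116.290817 = STRING: "10.78.167.32"
.1.3.6.1.4.1.9.9.392.1.3.21.1.8.6.103.97.117.114.97.118.90113 = STRING: "3.3.3.3"
.1.3.6.1.4.1.9.9.392.1.3.21.1.10.6.103.97.117.114.97.118.90113 = STRING: "10.78.167.68"
""".strip().splitlines()

if __name__ == "__main__":
    # Live use: feed the output of
    #   snmpwalk -v 2c -c <community> -On <asa> 1.3.6.1.4.1.9.9.392.1.3.21.1
    # (one walk of the whole table returns every column) instead of SAMPLE_WALK.
    for line in format_rows(parse_walk(SAMPLE_WALK)):
        print(line)
```

Two things worth keeping in mind when running this against a real ASA. The whole point of the post is that a read-only community is enough to enumerate VPN usernames together with their public and assigned addresses, so the SNMP host list on the ASA should be restricted to the monitoring station; and SNMP v2c sends the community string in the clear, so prefer SNMPv3 with authentication and privacy (net-snmp: snmpwalk -v3 -l authPriv -u USER -a SHA -A AUTHPASS -x AES -X PRIVPASS -On HOST OID) rather than the -c public shown in the examples.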

 

 

Another example:-

 

 

snmpwalk.exe -c public -v 2c 192.168.16.xx 1.3.6.1.4.1.9.9.392.1.3.21.1.2

 

SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.2.6.103.97.117.114.97.118.90113 = STRING: "puneet"

Again the value is the tunnel-group and the username is in the index:

9.9.392.1.3.21.1.2.6.103.97.117.114.97.118.90113

6 is the length of the username, 103.97.117.114.97.118 spells g a u r a v, and 90113 is the session index.

 
ASCII translation:

 

103 = g

97  = a

117 = u

114 = r

97 =  a

118 = v

 

 

Compare this with the simultaneous output from the ASA

 

 

ASA-5510-8x# sh vpn-sessiondb remote

 

Session Type: IPsec

 

Username     : gaurav                 Index        : 22

Assigned IP  : 3.3.3.3                Public IP    : 10.78.167.68

Protocol     : IKE IPsec

License      : IPsec

Encryption   : 3DES                   Hashing      : SHA1

Bytes Tx     : 0                           Bytes Rx     : 0

Group Policy : puneet                 Tunnel Group : puneet

Login Time   : 17:13:51 MST Sat Jan 2 1993

Duration     : 0h:03m:11s

NAC Result   : Unknown

VLAN Mapping : N/A                    VLAN         : none

 

 

Scenario 2:

Problem:

A user is trying to add one of our 5525-X units into SolarWinds Orion and wants to know whether a temperature OID is supported. Listing "resources" for the ASA only gives CPU, memory, interfaces, etc.; there is no option to monitor its temperature.

 

 

Solution:


Try "CISCO-FIREWALL-MIB", OID 1.3.6.1.4.1.9.9.147.1.2.1.1 (cfwHardwareStatusTable); the per-entry status is cfwHardwareStatusValue at 1.3.6.1.4.1.9.9.147.1.2.1.1.1.3. Note that cfwHardwareStatusValue describes the operational status of a hardware element, so walk it on the 5525-X first to see what it actually returns, and confirm it is present with "sh snmp-server oidlist | in 147.1.2.1" the same way crasUsername was checked above, before adding it to Orion.

 

-Puneet Seth

Comments
drivera_
Level 1

Hello everybody.

I've been searching everywhere how to monitor several VPNs, only the VPN connections, not users connected to the VPN. I don't know how to do this. I've been reading this post and it's really interesting, but I will appreciate it if someone could help me. What OID can do this?

Hello Guys,

 

Is it possible to get "Group Policy" for the user?

 

I cannot do it.

 

Thanks,

 

Diego

anemisti
Community Member

Great script.

Is it possible to have a change to show the assigned IP, public IP, tunnel group and converted Counter32 duration in hh:mm on the same row?

many thanks

Andrea

 

DavidAbelGonzalez
Community Member

Hello everyone,

It has been a while since the initial post, but I think it is worth the reply/re-opening.

As I was in need to gather information about the VPN users that were connected to my ASA, I managed to find a script made by Phil Hendren (dizzythinks).

I just modified it a little bit to get the VPN profiles of the users, so all credits go to this guy: https://github.com/dizzythinks/asavpnusers

Thanks and best regards, David Abel.

erdokkilic
Community Member

Hi David,

Can you please give more information? We have SolarWinds Orion; is it possible to run this script on Orion, and do you know if it works with SNMPv3?

Thanks

-Erdo

DavidAbelGonzalez
Community Member

Hello Erdo,

I just run it from Nagios/Icinga; down below you can find a little example of its usage, although if you execute the script with "--help" you get the optional arguments and their explanation.

[root@server ~]$ /usr/bin/python /usr/local/icinga/libexec/get_vpn_users_profiles.py -f 192.168.0.1 -i 8.8.8.8,4.4.4.2 -c SNMPPublicCommunity -o text

NOTE: attached to this reply you can find an updated version of the script.

Best regards, David Abel.

erdokkilic
Community Member

Hi David,

Thank you for quick response. This script is great, it is something we have been looking for a long time.

We also have Icinga in production, but I am not sure if Icinga can save historical data. The goal is to have AnyConnect users' activity, so we can easily find in the future, if needed.

That's why I was asking about Solarwinds Orion.

Thank you

-Erdo

DavidAbelGonzalez
Community Member

Hi Erdo,

You can use open source solutions like Elasticsearch (http://blogs.cisco.com/security/step-by-step-setup-of-elk-for-netflow-analytics) in order to get a graph like the attached one.

On the other hand, you can track the users activity via the RADIUS logs and make a query to create reports.

Regards, David.

saykin
Level 1

We started with the following code for the test:

#!/bin/bash
# Assumes snmpwalk prints OIDs as "iso.3.6.1.4.1.9.9.392.1.3.21.1.2.<len>.<codes>.<index> = STRING: ..."
# (no MIBs loaded) and that usernames are shorter than 10 characters, so that
# "cut -c 36-" lands exactly on the first ASCII code of the username.
if [[ -n "$1" ]]; then echo "#RUN_OK"
else
	# ERROR
	echo "You need to pass the host ip address"
	exit 1
fi
if [[ -n "$2" ]]; then echo "#RUN_OK"
else
	# ERROR
	echo "You need to calculate the number of characters after the user name in the SNMP response string"
	echo "maybe 24 for ASA1 or 36 for ASA2"
	exit 1
fi

#We get the host variable and the calculated number of characters at the end of the string
MODULES=$(for ascii in $(snmpwalk -v 2c -c public "$1" 1.3.6.1.4.1.9.9.392.1.3.21.1.2 | cut -c 36- | rev | cut -c "$2-" | rev | tr '.' ' ' | sed 's/\(.*\)/\1 59 59/' | awk '!($0 in a) {a[$0];print}'); do printf -v char_value "\\$(printf %o "$ascii")"; printf '%c' "$char_value"; done)
#Delete [35] characters at the beginning of the string (the OID prefix, the length and its dot)
	# cut -c 36-
#Turn over string
	# rev
#Delete [the calculated value of the characters] at the beginning of the reversed string (session index, " = STRING: " and the group name)
	# cut -c 24-
	# or
	# cut -c 36-
#Turn over string back
	# rev
#Replace point with space
	# tr '.' ' '
#Append "59 59" to every line: 59 is ASCII ';', so each user name ends in ";;" once converted
	# sed 's/\(.*\)/\1 59 59/'
#Delete duplicate of the strings
	# awk '!($0 in a) {a[$0];print}'
#Convert characters from ASCII to text
	# for ascii in ''; do printf -v char_value "\\$(printf %o $ascii)"; printf '%c' "$char_value"; done

#Count VPN user logins received via SNMP, one per line (split on ";;")
MODULEScount=$(echo "$MODULES" | sed -e 's/;;/\n/g' | sed '/^$/d' | wc -l)

#Compare the number of VPN users and sessions (session counter at 1.3.6.1.4.1.9.9.392.1.3.35.0)
MODULESusers=$(snmpwalk -v 2c -c public "$1" 1.3.6.1.4.1.9.9.392.1.3.35.0 | cut -c 42- | tr -d '[:space:]')
if [[ "$MODULESusers" == "$MODULEScount" ]]; then
	# OK
	echo "#VPN users count OK"
else
	# ERROR
	echo "#VPN users count BAD"
fi

#Output Results
echo "#TOTAL sessions:"
	echo "#$MODULESusers"
echo "#TOTAL USERs:"
	echo "#$MODULEScount"
echo "#VPN USERs:"
	echo "$MODULES" | sed -e 's/;;/\n/g' | sed '/^$/d'

We are currently using the following elegant code for zabbix:

#!/bin/bash
# Decodes the VPN usernames from the crasGroup instance index (crasUsername
# itself is not readable on the ASA) and compares the user count with the
# session counter at 1.3.6.1.4.1.9.9.392.1.3.35.0.
if [[ -n "$1" ]]; then echo "#RUN_OK"
else
	# ERROR
	echo "You need to pass the host ip address"
	exit 1
fi
HOST="$1"
COMMUNITY="${2:-public}"
BASE="1.3.6.1.4.1.9.9.392.1.3.21.1.2"

# -On prints numeric OIDs (".1.3.6...") so parsing does not depend on loaded MIBs
INPUT=$(snmpwalk -v 2c -c "$COMMUNITY" -On "$HOST" "$BASE")
USERS=""

ASCIIToChar() {
  [ "${1}" -lt 0 -o "${1}" -gt 127 ] && return 1
  printf "\\$(printf "%o" "${1}")"
}

while IFS= read -r LINE
do
        # instance index layout: <len>.<ascii code>...<ascii code>.<session index>
        OID="${LINE%% *}"
        [[ "$OID" == ".${BASE}."* ]] || continue
        IFS=. read -r -a CODES <<< "${OID#.${BASE}.}"
        LEN="${CODES[0]}"
        NAME=""
        for ((i = 1; i <= LEN; i++))
        do
                CHAR=$(ASCIIToChar "${CODES[$i]}")
                NAME="${NAME}${CHAR}"
        done
        USERS="${USERS}${NAME}"$'\n'
done <<< "$INPUT"

SESSIONS=$(snmpwalk -v 2c -c "$COMMUNITY" -On "$HOST" 1.3.6.1.4.1.9.9.392.1.3.35.0 | grep -Eoh '[0-9]{1,}$')
USERS=$(printf '%s' "$USERS" | sort -u | sed '/^[[:space:]]*$/d')

echo "Total sessions: ${SESSIONS}"
echo "Total users: $(echo "${USERS}" | wc -l)"
echo ""
echo -e "User list:\n${USERS}"

P.S.: Also thanks for the following code: https://github.com/dizzythinks/asavpnusers

Zabbix External checks: https://www.zabbix.com/documentation/current/manual/config/items/itemtypes/external
