Cisco Support Community

New Member

VPN monitoring solution

A certain customer has a main office and several branch offices connected through VPN.

He needs a solution that will allow him to monitor VPN sessions and specific info (e.g. number of sessions, source of session, date, duration, bandwidth used, etc.).

Does Cisco provide such a solution?

A solution with a graphical interface is preferred.

Please, your fast response is appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: VPN monitoring solution

Included with Cisco Security Manager is an application called Performance Monitor, which supports the monitoring of remote-access and site-to-site VPNs. Links:

Security Manager:

http://www.cisco.com/go/csmanager

Performance Monitor User Guide:

http://www.cisco.com/en/US/products/ps6498/products_user_guide_book09186a00806b7a60.html

Performance Monitor originates from the previous security management product called CiscoWorks VMS and is currently not undergoing much further enhancement. We would like to introduce an updated security-related health and performance monitoring capability on par with Security Manager, but no definite word yet.

Security Manager and Performance Monitor can be downloaded and used for up to 90 days for evaluation.

30 REPLIES
New Member

Re: VPN monitoring solution

I have been asking the same question for weeks with no definitive answer. If you find one, please let me know.


New Member

Re: VPN monitoring solution

Good day,

Dear, can you provide me the usage guide for CSM?

Thanks & regards,

New Member

Re: VPN monitoring solution

We have CSM and I'm working on getting it configured. I do not see Perf Mon and see no way to monitor devices, such as # sessions, etc. I have been looking at open source Cacti. It looks like it could provide this. Anyone else get Cacti, NMIS, or other NMS tool working to monitor ASAs for VPN session info?

Cisco Employee

Re: VPN monitoring solution

Beginning with Security Manager 3.1, Performance Monitor is included on the product DVD as a separate installer. You need to at least first install Common Services using the Security Manager installer and then install Performance Monitor. Performance Monitor uses the traditional CiscoWorks browser interface.

For 3.0 and 3.1 versions, Performance Monitor is also available for download here:

http://www.cisco.com/cgi-bin/tablebuild.pl/csm-app

New Member

Re: VPN monitoring solution

Thank you. CSM looks pretty amazing but is really a huge application. I had been working to set it up to manage, not monitor. I will take a look.

New Member

Re: VPN monitoring solution

BTW, I just downloaded and started the installer but it won't accept the CSM license key file. I guess I can just install as eval.

Cisco Employee

Re: VPN monitoring solution

Performance Monitor requires a different license file. For Security Manager 3.0, the license file is included on the DVD, but for 3.1 it is delivered via registering the included PAK on Cisco.com and receiving via email. The Performance Monitor license file is installed using the Common Services browser interface (not the Security Manager client). Click CiscoWorks in the upper right of the browser after logging in, then Common Services > Server > Admin > Licensing.

New Member

Re: VPN monitoring solution

Hi all, I'm in the same boat.

I actually have PIX running 6.3 software with a few site to site VPN tunnels. Is there any way to monitor the bandwidth utilization of a particular tunnel?

Same question goes with ASAs and using ASDM...no plans to get CSM here...

Thanks,

Jason

New Member

Re: VPN monitoring solution

Interesting question. I installed Cacti [www.cacti.net] and am getting graphs of number of tunnels, bandwidth etc. But I don't know whether you can do bandwidth per tunnel. I'll have to tinker with that.

New Member

Re: VPN monitoring solution

Guys, did you find any way to monitor the bandwidth on a per-tunnel basis? If yes, then tell me... Thanks

New Member

Re: VPN monitoring solution

For our install, I was only interested in the concurrent # of users logged in.

Here is the SNMP OID.

.1.3.6.1.4.1.9.9.392.1.3.3.0

If you want more, you should look at the MIB and MIB2 for the ASA (available on the Cisco website).

New Member

Re: VPN monitoring solution

This seems to be a never-ending question. I think that CiscoWorks and Cacti can monitor them, but it's cumbersome either to set up or to manage.

What I want is SolarWinds Orion or even another easy network management tool to provide this functionality.

I would like to see the ASA treat the VPN tunnels almost like interfaces. That way you can manage, monitor, and configure them just like any other interface.

New Member

Re: VPN monitoring solution

I am looking into the same thing. What I have found so far is OID string 1.3.6.1.4.1.9.9.171.1.2.3.1.7 will give you the tunnels with remote address, and I use OID 1.3.6.1.4.1.9.9.171.1.2.1.1 to verify the number of tunnels is correct. These are Phase 1 stats. I am looking into how to monitor some WEBVPN sessions. If anyone has any information it would be appreciated.
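An added example, not part of the original post: a Python sketch of the cross-check described above, comparing the per-tunnel rows under 1.3.6.1.4.1.9.9.171.1.2.3.1.7 with the count under 1.3.6.1.4.1.9.9.171.1.2.1.1, then diffing two polls by remote address so history is not tied to the table index. The poll text is constructed sample output in `snmpwalk -On` style, and the scenario (a tunnel reappearing under a new index after renegotiation) is an assumption based on what later replies in this thread describe.

```python
import re

# OIDs quoted in the post above (IKE Phase 1 statistics).
TUNNEL_REMOTE_OID = "1.3.6.1.4.1.9.9.171.1.2.3.1.7"  # one row per tunnel: remote address
ACTIVE_TUNNELS_OID = "1.3.6.1.4.1.9.9.171.1.2.1.1"   # number of active tunnels

# Constructed sample polls in `snmpwalk -On` style; addresses are documentation ranges.
POLL_1 = """
.1.3.6.1.4.1.9.9.171.1.2.1.1.0 = Gauge32: 3
.1.3.6.1.4.1.9.9.171.1.2.3.1.7.101 = STRING: "203.0.113.10"
.1.3.6.1.4.1.9.9.171.1.2.3.1.7.102 = STRING: "198.51.100.7"
.1.3.6.1.4.1.9.9.171.1.2.3.1.7.103 = STRING: "192.0.2.44"
"""
# Assumed scenario: 203.0.113.10 renegotiated (new row index), 192.0.2.44 dropped.
POLL_2 = """
.1.3.6.1.4.1.9.9.171.1.2.1.1.0 = Gauge32: 2
.1.3.6.1.4.1.9.9.171.1.2.3.1.7.102 = STRING: "198.51.100.7"
.1.3.6.1.4.1.9.9.171.1.2.3.1.7.117 = STRING: "203.0.113.10"
"""

LINE_RE = re.compile(r'^\.?([0-9.]+)\s*=\s*(\w+):\s*"?([^"]*)"?\s*$')

def parse_walk(text):
    """Map numeric OID -> value for every well-formed line; skip the rest."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows[m.group(1)] = m.group(3)
    return rows

def tunnel_snapshot(text):
    """Collect per-tunnel rows and cross-check them against the active-tunnel count."""
    rows = parse_walk(text)
    prefix = TUNNEL_REMOTE_OID + "."
    tunnels = {oid[len(prefix):]: v for oid, v in rows.items() if oid.startswith(prefix)}
    reported = next((int(v) for oid, v in rows.items()
                     if oid.startswith(ACTIVE_TUNNELS_OID + ".")), None)
    return {"tunnels": tunnels, "reported": reported,
            "consistent": reported == len(tunnels)}

def diff_peers(prev, curr):
    """Compare two snapshots by remote address rather than by table index."""
    before, after = set(prev["tunnels"].values()), set(curr["tunnels"].values())
    return {"up": sorted(after - before), "down": sorted(before - after),
            "kept": sorted(before & after)}

if __name__ == "__main__":
    first, second = tunnel_snapshot(POLL_1), tunnel_snapshot(POLL_2)
    print(first["consistent"], second["consistent"], diff_peers(first, second))
```

Storing each poll's `diff_peers` result with a timestamp gives a per-peer up/down history that survives index changes; a `consistent` value of `False` flags a poll where the table and the counter disagree.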

New Member

Re: VPN monitoring solution

I have ASAs that I monitor using the ASDM (v. 6.02). Under Monitoring, VPN Statistics, Sessions you can filter by Remote Access, Site-to-Site, Clientless SSL, SSL Client or Email Proxy. Under Site-to-Site there are stats for connection/IP address, protocol/encryption, login time/duration and bytes TX/RX.

New Member

Re: VPN monitoring solution

The bad thing about ASDM is no historical reports or alerting.

New Member

Re: VPN monitoring solution

I see what you mean, but every time the connection is re-negotiated the stats clear. Is there a way to gather real history?

New Member

Re: VPN monitoring solution

Well, Cacti <http://www.cacti.net/> provides a close to 90% solution. It provides metrics but I don't think it will report. We also use NMIS and it will send alerts for outages. This is the best I've been able to come up with.

New Member

Re: VPN monitoring solution

I just implemented NetFlow with SolarWinds and I can now get the statistics I need by filtering on the tunneled destination addresses.

New Member

Re: VPN monitoring solution

I would like to see VPNs configured as a virtual interface just like a VLAN.

This way I can just add the virtual interface to my monitoring solution and monitor it just like the rest of the interfaces.

Santa, can you bring me that for Christmas?

New Member

Re: VPN monitoring solution

Eric,

If it was that piece of cake, everyone would have already done that :)

Kevin,

About Cacti, would it be possible for you to share some snaps? Maybe your 90% solution could be more useful for someone else.

Chris,

I believe NetFlow is only for routers/switches. Did you configure it for firewall/concentrator? Haven't heard about that in my experience; can you share something useful?

I guess everyone here needs this sort of solution, so we must raise the bar to Cisco, maybe on the idea forum or some other platform, that they should work on these particular features: monitoring the VPN tunnels, their historical bandwidth and session reporting, and above all, flow analysis of traffic passing through the tunnels.

Regards,

Mohsin

New Member

Re: VPN monitoring solution

Because all traffic within the network I am working with has to go through my core to traverse the VPN link, by implementing NetFlow on the core I get stats on any source/destination traffic that uses the tunnels I support (there is more than one).

I'm using SolarWinds Orion to poll for NetFlow stats and query history.

Also, in a pinch, with a little ASA log analysis I can pick up stats on individual user VPN sessions as well.

New Member

Re: VPN monitoring solution

I'll try to attach again - it croaked last time.

So just to be clear, our ~90% solution includes NMIS <http://nmis.co.nz/drupal/> to provide the system uptime and alerting, while Cacti <http://www.cacti.net/> provides metrics on active tunnels, throughput etc.

Attachments are NMIS_Ping_Response, Cacti_24hr_Active_Tunnels and Cacti_30days_Active_Tunnels.

New Member

Re: VPN monitoring solution

Hi,

Do you have the same for SSL VPN?

I want to have graphs for SSL VPN on my ASA but Performance Monitor doesn't support it and I can't find anything on the internet to do it with Cacti or anything else...

New Member

Re: VPN monitoring solution

I use NetFlow. If I want graphs for SSL VPN I need to identify the IP address of the endpoint first, and then I can get good graphs etc. This isn't the best solution, as most endpoints for SSL VPN change periodically. Custom SNMP pollers don't work well, as the VPN session changes between connections and you can't easily track sessions because the SNMP MIB keeps changing.

New Member

Re: VPN monitoring solution

I have to say we do not use SSL. Only IPSec. But I am looking for OID and how to configure Cacti for SSL as well. I will post / let you know what I find.

New Member

Re: VPN monitoring solution

Nobody has found anything for SSL statistics on Cacti? I'm trying to do it myself but I'm not getting any results...

New Member

Re: VPN monitoring solution

Finally I've done it myself on Cacti:

http://forums.cacti.net/viewtopic.php?p=174500#174500

Hope it will work for you :)!

New Member

Re: VPN monitoring solution

Thanks, I am going to try it on for size. Good work.
