If we want to get the username, IP address and tunnel-group of the Cisco IPsec remote-access (RA) VPN users connected to the ASA using SNMP, we need to use the MIB "CISCO-REMOTE-ACCESS-MONITOR-MIB".

crasUsername (1.3.6.1.4.1.9.9.392.1.3.21.1.1) is the OID that can be used to fetch the username.

 

But if we check the ASA closely, there is no such OID in the ASA's built-in OID database:

ASA-5510-8x(config)# sh snmp-server oidlist | in crasU

So we don't have 1.3.6.1.4.1.9.9.392.1.3.21.1.1 (crasUsername).

 

 

But if we explore this OID tree on the ASA, we find other OIDs that can fetch information about the VPN clients connected to the ASA:

1.3.6.1.4.1.9.9.392.1.3.21.1.2     crasGroup
1.3.6.1.4.1.9.9.392.1.3.21.1.4     crasAuthenMethod
1.3.6.1.4.1.9.9.392.1.3.21.1.5     crasAuthorMethod
1.3.6.1.4.1.9.9.392.1.3.21.1.6     crasSessionDuration
1.3.6.1.4.1.9.9.392.1.3.21.1.7     crasLocalAddressType
1.3.6.1.4.1.9.9.392.1.3.21.1.8     crasLocalAddress
1.3.6.1.4.1.9.9.392.1.3.21.1.9     crasISPAddressType
1.3.6.1.4.1.9.9.392.1.3.21.1.10    crasISPAddress
1.3.6.1.4.1.9.9.392.1.3.21.1.11    crasSessionProtocol
1.3.6.1.4.1.9.9.392.1.3.21.1.12    crasProtocolElement
1.3.6.1.4.1.9.9.392.1.3.21.1.13    crasSessionEncryptionAlgo
1.3.6.1.4.1.9.9.392.1.3.21.1.14    crasSessionPktAuthenAlgo
1.3.6.1.4.1.9.9.392.1.3.21.1.15    crasSessionCompressionAlgo
1.3.6.1.4.1.9.9.392.1.3.21.1.16    crasHeartbeatInterval
1.3.6.1.4.1.9.9.392.1.3.21.1.17    crasClientVendorString
1.3.6.1.4.1.9.9.392.1.3.21.1.18    crasClientVersionString
1.3.6.1.4.1.9.9.392.1.3.21.1.19    crasClientOSVendorString
1.3.6.1.4.1.9.9.392.1.3.21.1.20    crasClientOSVersionString
1.3.6.1.4.1.9.9.392.1.3.21.1.21    crasPrimWINSServerAddrType
1.3.6.1.4.1.9.9.392.1.3.21.1.22    crasPrimWINSServer
1.3.6.1.4.1.9.9.392.1.3.21.1.23    crasSecWINSServerAddrType
1.3.6.1.4.1.9.9.392.1.3.21.1.24    crasSecWINSServer
1.3.6.1.4.1.9.9.392.1.3.21.1.25    crasPrimDNSServerAddrType
1.3.6.1.4.1.9.9.392.1.3.21.1.26    crasPrimDNSServer
1.3.6.1.4.1.9.9.392.1.3.21.1.27    crasSecDNSServerAddrType
1.3.6.1.4.1.9.9.392.1.3.21.1.28    crasSecDNSServer
1.3.6.1.4.1.9.9.392.1.3.21.1.29    crasDHCPServerAddrType
1.3.6.1.4.1.9.9.392.1.3.21.1.30    crasDHCPServer
1.3.6.1.4.1.9.9.392.1.3.21.1.31    crasSessionInPkts
1.3.6.1.4.1.9.9.392.1.3.21.1.32    crasSessionOutPkts
1.3.6.1.4.1.9.9.392.1.3.21.1.33    crasSessionInDropPkts
1.3.6.1.4.1.9.9.392.1.3.21.1.34    crasSessionOutDropPkts
1.3.6.1.4.1.9.9.392.1.3.21.1.35    crasSessionInOctets
1.3.6.1.4.1.9.9.392.1.3.21.1.36    crasSessionOutOctets
1.3.6.1.4.1.9.9.392.1.3.21.1.37    crasSessionState

 

 

 

As of now the ASA does not provide the username of the VPN user in *clear text* over SNMP, and we have a couple of bugs filed for it. One of them is:

CSCtc36391    ASA snmp object crasUsername should be readable

 

 

But we can follow this method to get other useful information. Walk crasGroup:

snmpwalk.exe -c public -v 2c 192.168.16.xx "1.3.6.1.4.1.9.9.392.1.3.21.1.2"

SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.2.8.97.115.116.114.105.112.97.116.290817 = STRING: "puneet"

This tells us the name of the "tunnel-group" (the returned value) and the "username" used to connect to the ASA (carried in the OID index).

In this output "puneet" is the name of the tunnel-group.

 
Now we need to convert the username from the ASCII-based index. The index is the length of the username (8), followed by the ASCII code of each character, followed by the session index (290817):

9.9.392.1.3.21.1.2.8.97.115.116.114.105.112.97.116.290817
                     a  s   t   r   i   p   a  t

ASCII translation:

 97 = a
115 = s
116 = t
114 = r
105 = i
112 = p
 97 = a
116 = t

Check the ASCII code to character table at this website:

http://www.asciitable.com/

 

 

Compare this with the simultaneous output from the ASA:

ASA-5510-8x(config)# sh vpn-sessiondb remote

Session Type: IPsec

Username     : astripat               Index        : 71
Assigned IP  : 3.3.3.5                Public IP    : 10.78.167.32
Protocol     : IKE IPsec
License      : IPsec
Encryption   : 3DES                   Hashing      : MD5 SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Group Policy : puneet                 Tunnel Group : puneet
Login Time   : 12:43:47 MST Thu Jan 14 1993
Duration     : 0h:22m:28s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

 

 

These OIDs can give us some more information.

Client's own (public) IP address (crasISPAddress)
****************************************

snmpwalk.exe -c public -v 2c 192.168.16.xx 1.3.6.1.4.1.9.9.392.1.3.21.1.10

SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.10.8.97.115.116.114.105.112.97.116.290817 = STRING: "10.78.167.32"

IP address assigned to the VPN client (crasLocalAddress)
********************************************************

snmpwalk.exe -c public -v 2c 192.168.16.xx 1.3.6.1.4.1.9.9.392.1.3.21.1.8

SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.8.8.97.115.116.114.105.112.97.116.290817 = STRING: "3.3.3.5"
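As an added example (not part of the original post), here is a small Python parser that turns snmpwalk output for the crasGroup, crasLocalAddress and crasISPAddress columns into one record per session, decoding the username from the length-prefixed ASCII index the same way it was done by hand above. The sample lines are constructed from the walks quoted on this page; the column-name mapping (tunnel_group, assigned_ip, public_ip) is my own.

```python
import re

# Constructed sample: the snmpwalk lines quoted on this page for crasGroup (.2),
# crasLocalAddress (.8) and crasISPAddress (.10), plus the second user's crasGroup line.
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.2.8.97.115.116.114.105.112.97.116.290817 = STRING: "puneet"
SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.8.8.97.115.116.114.105.112.97.116.290817 = STRING: "3.3.3.5"
SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.10.8.97.115.116.114.105.112.97.116.290817 = STRING: "10.78.167.32"
SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.2.6.103.97.117.114.97.118.90113 =STRING: "puneet"
"""

# Column numbers of crasSessionEntry (1.3.6.1.4.1.9.9.392.1.3.21.1) that we care about.
COLUMNS = {2: "tunnel_group", 8: "assigned_ip", 10: "public_ip"}

# column . index = STRING: "value"   (snmpwalk output sometimes lacks the space before STRING)
LINE_RE = re.compile(
    r'enterprises\.9\.9\.392\.1\.3\.21\.1\.(\d+)\.([\d.]+)\s*=\s*STRING:\s*"([^"]*)"')


def decode_index(index):
    """Decode a crasSessionEntry instance identifier.

    The instance is crasUsername as a length-prefixed octet string followed by
    crasSessionIndex, e.g. 8.97.115.116.114.105.112.97.116.290817
    -> ("astripat", 290817)."""
    parts = [int(p) for p in index.split(".")]
    length = parts[0]
    if len(parts) != length + 2:
        raise ValueError("unexpected crasSessionEntry index layout: " + index)
    # bytes() rejects any sub-identifier outside 0..255, so a malformed index fails loudly.
    username = bytes(parts[1:1 + length]).decode("ascii")
    return username, parts[1 + length]


def parse_walk(text):
    """Join the walked columns per session, keyed by (username, session index)."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        column, index, value = int(m.group(1)), m.group(2), m.group(3)
        username, session_index = decode_index(index)
        entry = sessions.setdefault((username, session_index), {"username": username})
        entry[COLUMNS.get(column, "column_%d" % column)] = value
    return sessions


if __name__ == "__main__":
    for (user, idx), fields in sorted(parse_walk(SAMPLE_WALK).items()):
        print(user, idx, fields)
```

Feeding it the real output of the three snmpwalk commands above gives the same username/tunnel-group/IP view as "sh vpn-sessiondb remote", without needing crasUsername to be readable.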

 

 

Another example:

snmpwalk.exe -c public -v 2c 192.168.16.xx 1.3.6.1.4.1.9.9.392.1.3.21.1.2

SNMPv2-SMI::enterprises.9.9.392.1.3.21.1.2.6.103.97.117.114.97.118.90113 = STRING: "puneet"

9.9.392.1.3.21.1.2.6.103.97.117.114.97.118.81921
                     g   a  u   r   a  v

ASCII translation:

103 = g
 97 = a
117 = u
114 = r
 97 = a
118 = v

 

 

Compare this with the simultaneous output from the ASA:

ASA-5510-8x# sh vpn-sessiondb remote

Session Type: IPsec

Username     : gaurav                 Index        : 22
Assigned IP  : 3.3.3.3                Public IP    : 10.78.167.68
Protocol     : IKE IPsec
License      : IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Group Policy : puneet                 Tunnel Group : puneet
Login Time   : 17:13:51 MST Sat Jan 2 1993
Duration     : 0h:03m:11s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

 

 

Scenario 2:

Problem:

User is trying to add one of our 5525-X into our SolarWinds Orion. Just wanted to know if the temperature OID is supported? I tried to list "resources" for the ASA but it's only giving me CPU, memory, interfaces, etc., and there's no option to monitor its temperature.

Solution:

Try under "CISCO-FIREWALL-MIB" with OID 1.3.6.1.4.1.9.9.147.1.2.1.1 or 1.3.6.1.4.1.9.9.147.1.2.1.1.1.3 (cfwHardwareStatusValue).

 

-Puneet Seth