Monitor ASA VPN sessions via SNMP

This took me way too long to research so I’m putting this here in case anyone can use it.

I have an ASA 5520 that is used for IPSEC, AnyConnect, and clientless WebVPN clients. I was asked to track the total number of sessions for the migration of licenses. Since there was a Nagios monitor onsite, I hoped to add an SNMP check for the total number of WebVPN sessions (AnyConnect and clientless).

Cisco has the ASA MIBs located here:
ftp://ftp.cisco.com/pub/mibs/supportlists/asa/asa-supportlist.html

The OID values you need are as follows; append the instance index 0 when querying, as the service definitions below do:

crasIPSecNumSessions .1.3.6.1.4.1.9.9.392.1.3.26.
crasWebvpnNumSessions .1.3.6.1.4.1.9.9.392.1.3.35.

Drop the MIB into the shared MIB folder on the Nagios host, /usr/share/snmp/mibs.
I had some issues with the Cisco MIB; I haven’t tried it on another Nagios host yet, but the OID values worked just fine for my purposes.

In Nagios, create the check_snmp lookup. I opted for a new command:

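# -P 2c sends the community string unencrypted; replace "communityname"
# with the read-only community configured on the ASA.
define command{
        command_name    check_snmp_cisco_oid
        command_line    $USER1$/check_snmp -H $HOSTADDRESS$ -P 2c -C communityname -o $ARG1$ -w $ARG2$ -c $ARG3$
        }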

Then define the services for the host:


define service{
        use                     generic-service
        host_name               ASA5520
        service_description     Total Number of Web SSL VPN sessions
        check_command           check_snmp_cisco_oid!.1.3.6.1.4.1.9.9.392.1.3.35.0!50!75
        }
define service{
        use                     generic-service
        host_name               ASA5520
        service_description     Total Number of IPSEC VPN sessions
        check_command           check_snmp_cisco_oid!.1.3.6.1.4.1.9.9.392.1.3.26.0
        }
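
As an added example (not from the original post), here is a small shell check that reads both gauges and alerts on their combined total, for tracking sessions against a license count. The function names and sample replies are constructed; the OIDs and the 50/75 thresholds are the ones used above. A reply that cannot be parsed is reported as UNKNOWN rather than counted as zero.

```shell
#!/bin/sh
# Added example, not from the original post. OIDs and the 50/75 thresholds
# come from the post; function names and sample lines are constructed.
OID_IPSEC=.1.3.6.1.4.1.9.9.392.1.3.26.0    # crasIPSecNumSessions
OID_WEBVPN=.1.3.6.1.4.1.9.9.392.1.3.35.0   # crasWebvpnNumSessions

# Print the integer from one line of `snmpget -On` output such as
#   .1.3.6.1.4.1.9.9.392.1.3.35.0 = Gauge32: 12
# Return 1 when the line is for another OID or carries no number
# (empty reply after a timeout, "No Such Object ...").
snmp_value() {
    line=$1
    oid=$2
    case $line in
        "$oid = "*": "*) val=${line##*: } ;;
        *) return 1 ;;
    esac
    case $val in
        '' | *[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$val"
}

# Args: ipsec_line webvpn_line warn crit. Prints a Nagios status line with
# perfdata and returns the plugin exit code (0 OK, 1 WARNING, 2 CRITICAL,
# 3 UNKNOWN). A reply that cannot be parsed is UNKNOWN, never a silent 0.
check_sessions() {
    ipsec=$(snmp_value "$1" "$OID_IPSEC") &&
        webvpn=$(snmp_value "$2" "$OID_WEBVPN") || {
        echo "UNKNOWN - unparseable SNMP reply"
        return 3
    }
    total=$((ipsec + webvpn))
    perf="ipsec=$ipsec webvpn=$webvpn total=$total;$3;$4"
    if [ "$total" -ge "$4" ]; then
        echo "CRITICAL - $total VPN sessions | $perf"
        return 2
    elif [ "$total" -ge "$3" ]; then
        echo "WARNING - $total VPN sessions | $perf"
        return 1
    fi
    echo "OK - $total VPN sessions | $perf"
}

# Offline demo on constructed replies. Live: pass the output of
#   snmpget -v2c -c <community> -On <host> "$OID_IPSEC"   (and "$OID_WEBVPN")
check_sessions "$OID_IPSEC = Gauge32: 7" "$OID_WEBVPN = Gauge32: 12" 50 75 || true
```

To use it as a Nagios plugin, drop the `|| true` on the final call and end the script with `exit $?` so the status code reaches the scheduler.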

3 Responses to Monitor ASA VPN sessions via SNMP

  1. Ben says:

    Unfortunately the first OID only works for IKEv1 IPSEC sessions. So far I haven’t seen any OID that works for IKEv2 IPSEC sessions. Still hunting around, but that would be a good addition.

  2. Lucas Possamai says:

    Is there a way to monitor IKEv2 IPSEC sessions? Couldn’t find it online. Cheers!

  3. VPNTTG says:

    Check out VPNTTG (VPN Tunnel Traffic Grapher), software for monitoring Cisco ASA IPSec tunnel traffic.

    The advantage of VPNTTG over other SNMP-based monitoring software is the following: other (commonly used) software works with static OID numbers, i.e. whenever a tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data gathered on the connection is lost each time. However, VPNTTG works with the VPN peer’s IP address and stores historical monitoring data for each VPN tunnel in the database.

    For more information about VPNTTG please visit http://www.vpnttg.com
