This took me way too long to research so I’m putting this here in case anyone can use it.
I have an ASA 5520 that is used for IPsec, AnyConnect, and clientless WebVPN VPN clients. I was asked to track the total # of sessions for the migration of licenses. Since there was a Nagios monitor onsite, I hoped to add an SNMP check for the total number of WebVPN sessions (AnyConnect and clientless).
Cisco has the ASA MIBs located here:
ftp://ftp.cisco.com/pub/mibs/supportlists/asa/asa-supportlist.html
The OID values you need are as follows:

    crasIPSecNumSessions   .1.3.6.1.4.1.9.9.392.1.3.26.
    crasWebvpnNumSessions  .1.3.6.1.4.1.9.9.392.1.3.35.
Drop the MIB into the shared MIB folder on the Nagios host, in /usr/share/snmp/mibs.
I had some issues with the Cisco MIB; I haven’t tried on another Nagios host yet, but the OID values worked just fine for my purposes.
In Nagios, create the check_snmp lookup; I opted for a new command:
    define command{
        command_name    check_snmp_cisco_oid
        command_line    $USER1$/check_snmp -H $HOSTADDRESS$ -P 2c -C communityname -o $ARG1$ -w $ARG2$ -c $ARG3$
    }
Then define the services for the host:
    define service{
        use                     generic-service
        host_name               ASA5520
        service_description     Total Number of Web SSL VPN sessions
        check_command           check_snmp_cisco_oid!.1.3.6.1.4.1.9.9.392.1.3.35.0!50!75
    }

    define service{
        use                     generic-service
        host_name               ASA5520
        service_description     Total Number of IPSEC VPN sessions
        check_command           check_snmp_cisco_oid!.1.3.6.1.4.1.9.9.392.1.3.26.0
    }
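The command above uses SNMPv2c, which puts the community string in the command definition and sends it over the network in cleartext. As an added example (not part of the original post), here is the same check next to an SNMPv3 authPriv variant. It assumes the ASA already has an SNMPv3 user configured with SHA authentication and AES privacy; the command name check_snmp_cisco_oid_v3 and the $USER5$ to $USER7$ macro assignments are choices made for this example.

```cfg
# Added example, not from the original post.
#
# resource.cfg (keep it readable only by the Nagios user). The macro numbers
# are arbitrary choices for this example; the values are placeholders:
#   $USER5$=<snmpv3-username>
#   $USER6$=<auth-passphrase>
#   $USER7$=<priv-passphrase>

# Original approach: SNMPv2c. The community string sits in the object config
# and travels in cleartext with every poll.
define command{
    command_name    check_snmp_cisco_oid
    command_line    $USER1$/check_snmp -H $HOSTADDRESS$ -P 2c -C communityname -o $ARG1$ -w $ARG2$ -c $ARG3$
}

# Hardened variant: SNMPv3 with authPriv authenticates and encrypts each
# request. Credentials come from resource.cfg macros, not this file.
define command{
    command_name    check_snmp_cisco_oid_v3
    command_line    $USER1$/check_snmp -H $HOSTADDRESS$ -P 3 -L authPriv -U '$USER5$' -a SHA -A '$USER6$' -x AES -X '$USER7$' -o $ARG1$ -w $ARG2$ -c $ARG3$
}

# Same WebVPN session check as in the post, pointed at the v3 command.
define service{
    use                     generic-service
    host_name               ASA5520
    service_description     Total Number of Web SSL VPN sessions
    check_command           check_snmp_cisco_oid_v3!.1.3.6.1.4.1.9.9.392.1.3.35.0!50!75
}
```

The passphrases are still passed to check_snmp as command-line arguments, so they are visible in the process list on the Nagios host while a check runs.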
Unfortunately the first OID only works for IKEv1 IPSEC sessions. So far I haven’t seen any OID that works for IKEv2 IPSEC sessions. Still hunting around, but that would be a good addition.
Is there a way to monitor IKEv2 IPSEC sessions? Couldn’t find it online. Cheers!