Monitoring Cisco ASA VPN Firewall with SNMP

Based on the check process script from Centreon:

check_asa_vpn.pl.txt
#! /usr/bin/perl -w

# Modified by Michael Fung  http://www.3open.org/
# to check Cisco ASA VPN tunnels
# Updated: 2011-03-17 

################################################################################
# Copyright 2004-2010 MERETHIS
# Centreon is developped by : Julien Mathis and Romain Le Merlus under
# GPL Licence 2.0.
# 
# This program is free software; you can redistribute it and/or modify it under 
# the terms of the GNU General Public License as published by the Free Software 
# Foundation ; either version 2 of the License.
# 
# This program is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A 
# PARTICULAR PURPOSE. See the GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License along with 
# this program; if not, see <http://www.gnu.org/licenses>.
# 
# Linking this program statically or dynamically with other modules is making a 
# combined work based on this program. Thus, the terms and conditions of the GNU 
# General Public License cover the whole combination.
# 
# As a special exception, the copyright holders of this program give MERETHIS 
# permission to link this program with independent modules to produce an executable, 
# regardless of the license terms of these independent modules, and to copy and 
# distribute the resulting executable under terms of MERETHIS choice, provided that 
# MERETHIS also meet, for each linked independent module, the terms  and conditions 
# of the license of that module. An independent module is a module which is not 
# derived from this program. If you modify this program, you may extend this 
# exception to your version of the program, but you are not obliged to do so. If you
# do not wish to do so, delete this exception statement from your version.
# 
# For more information : contact@centreon.com
# 
# SVN : $URL: http://svn.centreon.com/trunk/plugins-2.x/src/check_centreon_snmp_process $
# SVN : $Id: check_centreon_snmp_process 10069 2010-02-24 11:05:19Z jmathis $
#
####################################################################################
#
# Script init
#

use strict;
use Net::SNMP qw(:snmp oid_lex_sort);
use FindBin;
use lib "$FindBin::Bin";
use lib "/usr/lib/nagios/plugins";
use utils qw($TIMEOUT %ERRORS &print_revision &support);
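# Load the optional centreon helper module at run time.
#
# A `use` statement is executed at compile time no matter which branch of an
# `if` it sits in.  With `use centreon` inside the branch, a missing module
# aborted compilation before the UNKNOWN exit below could run, so the
# monitoring server saw a Perl failure instead of a clean plugin status.
#
# Both `centreon` and `utils` are resolved through the `use lib` directories
# declared above.  Code found there runs with the plugin's privileges, so
# those directories should only be writable by the administrator.
use vars qw($VERSION %centreon);
if (eval { require centreon; centreon->import(qw(get_parameters)); 1 }) {
    # The returned parameters are stored in %centreon; nothing else in the
    # visible script reads them.
    %centreon = get_parameters();
} else {
    print "Unable to load centreon perl module\n";
    exit $ERRORS{'UNKNOWN'};
}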

use vars qw($PROGNAME);
use Getopt::Long;
use vars qw($opt_V $opt_h $opt_v $opt_C $opt_p $opt_H $opt_n $opt_k $opt_u $opt_x $opt_w $opt_c $result @result %process_list %STATUS);

# Plugin var init

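# Not read anywhere in the visible script; declarations kept unchanged.
my($proc, $proc_run);

$PROGNAME = $0;
# Forward declarations so the subs defined at the end of the file can be
# called before their definition.
sub print_help ();
sub print_usage ();

# Not read anywhere in the visible script.
%STATUS=(1=>'running',2=>'runnable',3=>'notRunnable',4=>'invalid');

# Command line parsing.
#
# NOTE(review): -C, -k and -x carry SNMP secrets.  Anything passed on the
# command line is visible in the local process list while the plugin runs and
# is stored wherever the check command is defined, so read access to that
# configuration should be restricted.
Getopt::Long::Configure('bundling');
my $options_ok = GetOptions
    ("h"   => \$opt_h, "help"         => \$opt_h,
     "u=s"   => \$opt_u, "username=s" => \$opt_u,
     "x=s"   => \$opt_x, "password=s" => \$opt_x,
     "k=s"   => \$opt_k, "key=s"      => \$opt_k,
     "V"   => \$opt_V, "version"      => \$opt_V,
     "n"   => \$opt_n, "number"       => \$opt_n,
     "v=s" => \$opt_v, "snmp=s"       => \$opt_v,
     "C=s" => \$opt_C, "community=s"  => \$opt_C,
     "p=s" => \$opt_p, "peer-ip=s"    => \$opt_p,
     "H=s" => \$opt_H, "hostname=s"   => \$opt_H
);

# GetOptions returns false on an unknown or malformed option.  Continuing in
# that case would run the check with a mistyped option silently dropped (for
# example a misspelled --peer-ip), so stop with UNKNOWN instead.
if (!$options_ok) {
    print "UNKNOWN: invalid command line options\n";
    print_usage();
    exit $ERRORS{'UNKNOWN'};
}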

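# Informational invocations: print and leave with OK.
if ($opt_V) {
    print_revision($PROGNAME,'$Revision: 1.0 $');
    exit $ERRORS{'OK'};
}

if ($opt_h) {
    print_help();
    exit $ERRORS{'OK'};
}

# A missing required option is a configuration error.  It must not exit with
# OK, otherwise a misconfigured check shows up green on the monitoring
# dashboard while no tunnel is being checked at all.
if (!$opt_H) {
    print "UNKNOWN: Option -H (--hostname) is required\n";
    print_usage();
    exit $ERRORS{'UNKNOWN'};
}

# -p is documented as required but was never validated; without it the peer
# comparison further down runs against an undefined value.
if (!defined($opt_p) || $opt_p eq '') {
    print "UNKNOWN: Option -p (--peer-ip) is required\n";
    print_usage();
    exit $ERRORS{'UNKNOWN'};
}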

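# SNMP version selection.  Default is v1 when -v is not given.
#
# Only 1, 2 (or 2c) and 3 are accepted.  The previous pattern accepted any
# single digit, which left the session undefined for values such as 4, and any
# other spelling (for example "2c" or "v3") silently fell back to SNMP v1,
# i.e. to a clear-text community string instead of the requested version.
my $snmp = "1";
if (defined($opt_v) && $opt_v ne '') {
    if ($opt_v =~ /^(?:1|2|2c|3)$/) {
        # The session setup below compares against "1", "2" and "3".
        $snmp = ($opt_v eq '2c') ? "2" : $opt_v;
    } else {
        print "UNKNOWN: Unsupported SNMP version '$opt_v' (use 1, 2 or 3)\n";
        exit $ERRORS{'UNKNOWN'};
    }
}

# SNMP v3 needs a user name and exactly one of key / password.  These are
# configuration errors, so they exit with UNKNOWN rather than OK.
if ($snmp eq "3") {
    if (!$opt_u) {
        print "Option -u (--username) is required for snmpV3\n";
        exit $ERRORS{'UNKNOWN'};
    }
    if (!$opt_x && !$opt_k) {
        print "Option -k (--key) or -x (--password) is required for snmpV3\n";
        exit $ERRORS{'UNKNOWN'};
    } elsif ($opt_x && $opt_k) {
        print "Only option -k (--key) or -x (--password) is needed for snmpV3\n";
        exit $ERRORS{'UNKNOWN'};
    }
}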

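# NOTE(review): falling back to the well-known community "public" means the
# check works against devices left on a default community.  Prefer passing -C
# explicitly, and restrict SNMP access on the device to the monitoring host.
$opt_C = "public" if (!$opt_C);

# Script name without its .pl suffix; not read anywhere in the visible script.
my $name = $0;
$name =~ s/\.pl.*//g;

# Plugin snmp requests
# Both OIDs sit under 1.3.6.1.4.1.9.9.171 (Cisco enterprise subtree).  The
# first is walked to find the peer, the second is read for that peer's tunnel
# instance.
my $OID_cikeTunRemoteValue = '1.3.6.1.4.1.9.9.171.1.2.3.1.7';
my $OID_cikeTunStatus = '1.3.6.1.4.1.9.9.171.1.2.3.1.35';

# Open the SNMP session.
#  - v1 / v2c: community based, sent in clear text on the wire.
#  - v3: only authentication credentials are supplied here (no -privkey /
#    -privpassword), so requests are authenticated but not encrypted.
my ($session, $error);
if ($snmp eq "1" || $snmp eq "2") {
    ($session, $error) = Net::SNMP->session(-hostname => $opt_H, -community => $opt_C, -version => $snmp);
} elsif ($opt_k) {
    ($session, $error) = Net::SNMP->session(-hostname => $opt_H, -version => $snmp, -username => $opt_u, -authkey => $opt_k);
} elsif ($opt_x) {
    ($session, $error) = Net::SNMP->session(-hostname => $opt_H, -version => $snmp,  -username => $opt_u, -authpassword => $opt_x);
}

# One check for all branches.  It also covers the case where no branch ran
# (version is neither 1 nor 2 and no v3 credential was given); previously the
# script then called a method on an undefined session and died.
if (!defined($session)) {
    $error = "no session could be created for SNMP version '$snmp'" if (!defined($error));
    print("UNKNOWN: SNMP Session : $error\n");
    exit $ERRORS{'UNKNOWN'};
}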

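# Walk the remote-peer column of the IKE tunnel table.
$result = $session->get_table(-baseoid => $OID_cikeTunRemoteValue);
if (!defined($result)) {
    # NOTE(review): this path is also taken when the walk returns nothing.
    # If the device reports an empty table while no tunnel is established,
    # "all tunnels down" surfaces as UNKNOWN, not CRITICAL - confirm that
    # UNKNOWN on this service is alerted on.
    printf("UNKNOWN - SNMP Error: %s.\n", $session->error);
    $session->close;
    exit $ERRORS{'UNKNOWN'};
}

# Look for a tunnel whose remote value equals the requested peer and whose
# status reads 1 (the value this script treats as "up").
my $found = 0;
LOOP: foreach my $key (oid_lex_sort(keys %$result)) {
    next LOOP if (!defined($opt_p) || $$result{$key} ne $opt_p);

    # The last arc of the OID is the tunnel instance id.
    my @oid_list = split (/\./,$key);
    my $instance_id = pop (@oid_list);

    # Build the status OID in a local variable.  The base OID used to be
    # overwritten in place, which is only correct for a single lookup.
    my $status_oid = "$OID_cikeTunStatus.$instance_id";
    my $result2 = $session->get_request(-varbindlist => [ $status_oid ],);
    if (!defined($result2)) {
        printf("UNKNOWN - SNMP Error: %s.\n", $session->error);
        $session->close;
        exit $ERRORS{'UNKNOWN'};
    }

    # Guard the numeric comparison: the agent may answer with a non-numeric
    # placeholder if the row disappeared between the walk and this request.
    my $tunnel_status = $result2->{$status_oid};
    if (defined($tunnel_status) && $tunnel_status =~ /^\d+$/ && $tunnel_status == 1) {
        $found = 1;
        last LOOP;
    }

    # Not up: keep scanning.  The previous code stopped at the first matching
    # row, so a stale entry for the peer listed before a live one (presumably
    # possible while a tunnel is re-established) produced a false "Down".
}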


# Plugin return code: CRITICAL unless an active tunnel to the peer was found.
my $status;
unless ($found) {
    print "CRITICAL - VPN Tunnel to $opt_p is Down\n";
    exit $ERRORS{'CRITICAL'};
}

print "OK - VPN Tunnel to $opt_p is Up\n";
exit $ERRORS{'OK'};

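# Print the command line synopsis to STDOUT.
#
# The long form of -v is --snmp (that is the name registered with GetOptions);
# the text used to advertise --snmp_version, which the parser rejects.  SNMP v3
# is also listed, since the script accepts it together with -u and -k / -x.
sub print_usage () {
    print "\nUsage:\n";
    print "$PROGNAME\n";
    print "   -H (--hostname)   Hostname to query (required)\n";
    print "   -C (--community)  SNMP read community (defaults to public,\n";
    print "                     used with SNMP v1 and v2c)\n";
    print "   -v (--snmp)       1 for SNMP v1 (default)\n";
    print "                     2 for SNMP v2c\n";
    print "                     3 for SNMP v3 (needs -u and either -k or -x)\n";
    print "   -p (--peer-ip)    Set the ip address of the remote side of the VPN tunnel (required)\n";
    print "   -k (--key)        snmp V3 key\n";
    print "   -x (--password)   snmp V3 password\n";
    print "   -u (--username)   snmp v3 username \n";
    print "   -V (--version)    Plugin version\n";
    print "   -h (--help)       usage help\n";
}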
# Print the banner, then the usage synopsis, then a trailing blank line.
sub print_help () {
    my $rule = "##############################################\n";
    print $rule,
          "#    Copyright (c) 2004-2010 Centreon        #\n",
          "#    Bugs to http://forge.centreon.com/      #\n",
          $rule;
    print_usage();
    print "\n";
}

