Monitor site to site tunneling health for Cisco ASA using Zabbix

Monitor site to site tunneling health for Cisco ASA using Zabbix

On zabbix

I'm getting troubled when it comes to monitor tunnel health using OID checking.
The problem was:
- On Cisco Devices, each tunnel session has different OID
- When tunnel disconnected, OID will disappear
- When tunnel reconnected, the previous OID will be gone and recreated with different OID
- By that case, we can't monitor the tunnel health using SNMP OID since the OID will be randomly changed. We don't want to change the OID manually each time the tunnel disconnect, do you?

In this post, I will show you how to monitor the VPN Tunnel Session health and alert us when the tunnel is disconnected. I'm importing script from cacti.

Requirement :

- Zabbix server ( I'm using Zabbix 2.4 in this post, I love vintage :p )
- Cisco ASA with tunnel site to site configured
- S2S Perl Script, download this one query_asa_S2S.pl (link edited, sorry if previous link was unable to view)

Here we go

1. Login to your Zabbix server, make sure your server installed with Net::SNMP module, if not you must install the package first. Use yum or anything and install Perl-Net-SNMP.

Eg: yum install Perl-Net-SNMP

2. Create new directory "externalscripts" on your /etc/zabbix

3. Copy the perl script to /etc/zabbix/externalscripts

4. Make sure the script is owned by user zabbix so zabbix server can use it

chown zabbix:zabbix /etc/zabbix/externalscripts/query_asa_s2s.pl

5. Lets test the script first to make sure the script is work well

Usage :

query_asa_S2S.pl <community> <host> {ASA,CONCENTRATOR} index

Give you the list of vpn connected session IP

query_asa_S2S.pl <community> <host> {ASA,CONCENTRATOR} query {RX,TX}

Give you the list of vpn connected session along with TX/RX Traffic

query_asa_S2S.pl community host {ASA,CONCENTRATOR} get {RX,TX} <peer>

Give you the TX/RX of the single session

6. If there is no error, its time to implement the result to Zabbix.

- On your server console, open zabbix-server.conf
- Uncomment the line ExternalScripts=/etc/Zabbix/externalscripts and point it to your externalscripts directory (2)
- Restart the Zabbix-server services if needed

7. Open zabbix web console, create new Template "Template S2S ASA"

8. Create new item on that template "IPSec Tunnel <your session> - Inbound"

Set the value like this, key format should be " query_asa_s2s.pl[{$SNMP_COMMUNITY},{HOST.CONN},ASA,get,RX,<session ip>]

9. Create second item "IPSec Tunnel <your session> - Outbound"

Set the value like this, key format should be " query_asa_s2s.pl[{$SNMP_COMMUNITY},{HOST.CONN},ASA,get,TX,<session ip>]

10. Create 3rd item "IPSec Tunnel Status" This item give us the list of connected session

Set the value like this, the key format should be " query_asa_s2s.pl[{$SNMP_COMMUNITY},{HOST.CONN},ASA,index]

11. Attach the Template to your Firewall ASA host, you need to have one and make sure its reachable by Zabbix.

11. Wait for 5 minutes, and lets see the on the Latest Data, if the script work well, the value will comes up.

12. Setup the trigger depend on your needs. In my cases, I need to monitor the one of the session. If that session is down, the trigger will send to me.

- Create new Trigger " S2S to <your session ip> Disconnected
- Add Expression, Select Item on point (10)
- Set Function = " Find string V in last (most recent) value. N = 1 - if found, 0 - otherwise "
- Set V = < your session ip > ( the one you want need to be monitored )
- Last of (T) = 30 ( let say it's 30 seconds"
- N = 0
- Insert

Let me explain you a bit about this trigger. Item (10) gather value the ( List of connected session )  so I set the trigger " If within 30 seconds, last value doesn't have the string < V / session IP > in the result, the trigger will activate"

Install Zabbix Agent on Debian

Install Zabbix Agent on Debian

On zabbix

• Install repository configuration package

get the suitable package for your machine

#cat /etc/debian_version
download from repo.zabbix.com based from your version.
example,my debian version is wheezy

# wget http://repo.zabbix.com/zabbix/2.0/debian/pool/main/z/zabbix-release/zabbix-release_2.0-
1wheezy_all.deb

#dpkg -i zabbix-release_2.0-1wheezy_all.deb

#apt-get update

• Install zabbix agent

#apt-get install zabbix-agent

• edit configuration file

#nano /etc/zabbix/zabbix_agentd.conf

Basic configuration file

PidFile=/var/run/zabbix/zabbix_agentd.pid

LogFile=/var/log/zabbix/zabbix_agentd.log

LogFileSize=0

# zabbix server

Server=yourzabbixserverip

ServerActive=yourzabbixserverip

Hostname=zabbixagenthostname

#DisablePassive=1

#DisableActive=0

#DebugLevel=4

restart the agent service

#/etc/init.d/zabbix-agent restart

check the startup config

#ls /etc/rc*.d

DONE !

How to Add Raid Monitoring to Zabbix Agent

How to Add Raid Monitoring to Zabbix Agent

On zabbix

In this case,we need to add raid monitoring to notify us if there is an error with the raid.
note: i'm using MegaCli for this

• Login to zabbix server web interface
• add new template,name Template_LSI_RAID_Active
• add new application into it,name RAID
• add item,set value similar with this

• add trigger,set value like this 

Back to template list,and select you new LSI Template,

• add Macro 

{$EXPECTED_OPTIMAL_LDS} set value to 1

 *you should have new template now,it can be used to another host

• Link your host with LSI Template,it should have new triggers about Raid Status

• Login to your linux agent,
• edit your conf 

nano /etc/zabbix/zabbix_agentd.conf

- add this to end of configuration line

UserParameter=raid.lsimegaraid.numoptimallds,sudo /opt/MegaRAID/MegaCli/MegaCli64 -LDInfo -Lall -aALL -NoLog | grep  '^State[[:space:]]\+:[[:space:]]\\*Optimal' | wc -l

• save file and restart agent

/etc/init.d/zabbix-agent restart

- It should be done.

Let me explain about this .conf new value :

• UserParameter=raid.lsimegaraid.numoptimallds = used to add new task for agent,in this case it will run trigger match up with "key" raid.lsimegaraid.numoptimallds (your LSI key)
• sudo /opt/MegaRAID/MegaCli/MegaCli64 -LDInfo -Lall -aALL -NoLog = this is command to check the status of RAID,you can run this on the console

[root@linux ~]# /opt/MegaRAID/MegaCli/MegaCli64 -LDInfo -Lall -aALL -NoLog

Adapter 0 -- Virtual Drive Information:Virtual Drive: 0 (Target Id: 0)Name                :RAID Level          : Primary-1, Secondary-0, RAID Level Qualifier-0Size                : 456.175 GBMirror Data         : 456.175 GBState               : OptimalStrip Size          : 64 KBNumber Of Drives    : 2Span Depth          : 1Default Cache Policy: WriteBack, ReadAheadNone, Direct, No Write Cache if Bad BBUCurrent Cache Policy: WriteBack, ReadAheadNone, Direct, No Write Cache if Bad BBUDefault Access Policy: Read/WriteCurrent Access Policy: Read/WriteDisk Cache Policy   : Disk's DefaultEncryption Type     : NoneIs VD Cached: No

• grep  '^State[[:space:]]\+:[[:space:]]\\*Optimal' = used to find character inside the result of above command,this is regexp related.
• wc -l = to give us the count of character found by above command.

If we combine all of that command,we will find this
[root@linux ~]# /opt/MegaRAID/MegaCli/MegaCli64 -LDInfo -Lall -aALL -NoLog | grep  '^State[[:space:]]\+:[[:space:]]\\*Optimal' | wc -l
1

That mean,by running that raid check command,we find 1 variable that says "Optimal" and wc -l tell us by number
we got a conclusion that our raid was no error.Got this ?

Here is the process :

• Agent send the data
• Zabbix server will have that "1" value,match up with macros {$EXPECTED_OPTIMAL_LDS}

*If raid was error,macro should get "0" value instead of "1",because wc - l doesnt find any "Optimal" variable.
because of "0" doesn't match up with macros value,they will give alert regarding to this.

I hope you got my explanation
Cheers !

Install Zabbix Agent on Windows

Install Zabbix Agent on Windows

On zabbix

How To add zabbix agent to windows (all windows platform)

·         Download windows agent’s file here

http://www.zabbix.com/downloads/1.8.19/zabbix_agents_1.8.19.win.zip

·         Create new folder ‘zabbix’ in drive C:\
·         Copy file inside win32/win64 (depend on your OS) to folder zabbix
·         Create new zabbix_agentd.conf file using notepad save to folder zabbix,write this :

LogFile=C:\zabbix\zabbix_agentd.log

LogFileSize=0

Hostname=changethiswithwinhostname

Server=yourzabbixserverip

DisablePassive=1

DisableActive=0

·         Open command prompt,execute this command

cd /zabbix

C:\zabbix>zabbix_agentd.exe --config c:\zabbix\zabbix_agentd.conf --install

·         Start the service

Open windows services,find Zabbix Agent at the bottom and Start it

It should have been to Automatic start up by default,so no need to change it

·         Make sure zabbix server are open port 10051 to agent’s ip,if not we need to allow it first by adding below rule to zabbix server’s iptables

-A INPUT -s agent-ip -p tcp -m state --state NEW -m tcp --dport 10051 -m comment --comment "windows-host" -j ACCEPT

·         New host need to be enabled via zabbix web interface.

It can be done via Configuration – host – Groups (Discovered hosts) – click status to activate it

·         DONE !

Install Zabbix Agent on Linux

Install Zabbix Agent on Linux

On zabbix

Note : I'm using zabbix server 1.8,for another version it should be same.

·         Add zabbix repository to linux host

rpm -Uvh http://repo.zabbix.com/zabbix/1.8/rhel/5/x86_64/zabbix-release-1.8-1.el5.noarch.rpm for Rhel5

rpm -Uvh http://repo.zabbix.com/zabbix/1.8/rhel/6/x86_64/zabbix-release-1.8-1.el6.noarch.rpm for Rhel6

·         Install zabbix agent

yum install zabbix zabbix-agent

·         Configure zabbix-agent.conf (Active check)

Edit file with nano /etc/zabbix/zabbix_agent.conf

Our zabbix server use active check configuration (server doesn’t request data,but agent),so set this :

Server=yourzabbixserverip

ServerActive=yourzabbixserverip

·         Start zabbix-agent service

/etc/init.d/zabbix-agent start

·         set zabbix-agent as startup

chkconfigzabbix-agent on

·        Make sure zabbix server are open port 10051 to agent’s ip,if not we need to allow it first by adding below rule to zabbix server’s iptables

-A INPUT -s agent-ip -p tcp -m state --state NEW -m tcp --dport 10051 -m comment --comment "linux-host" -j ACCEPT

·         New host need to be enabled via zabbix web interface.

It can be done via Configuration – host –Groups (Discovered hosts) – click status to activate it

Voila its done !