sawyer.lef

CiscoAnyConnect Active Sessions


Datasource to monitor active SSL Cisco AnyConnect sessions on a Cisco ASA

 

LM Exchange Locator: RWLRW2


Unable to download, states it is "LogicModule is Private, Cannot Read" - is this because LM are vetting it?


This is due to the new changes that are soon to be released regarding the exchange. All non-LM (i.e. non-core) datasources in the exchange are marked as private. Once the exchange features are released, the module owner will be able to flip the switch to make it public.

If the original poster wants, he can publish the XML or the scripts themselves to github, pastebin, etc. and link from here to there. 

How urgently did you want to look at it @Nick?


@Stuart Weenig it would be good to have this AnyConnect sessions module ASAP. My company uses Cisco AnyConnect for VPN and, due to COVID-19, we have just been told to all work from home, so this would be useful to track VPN connection usage etc.

 

thanks


I don't see the need to post the XML unless you really want to. Anyone who wants it can get it from the exchange.

As far as when it will come out: sooner than soon but later than now?

On 3/17/2020 at 4:20 PM, Stuart Weenig said:

Check now. It should be good to go.

Thanks for getting this pushed through, with all that's going on at the moment it saved a little time in putting something like this together.

And thanks to @sawyer.lef for publishing it in the first place.

  • Like 2


As an FYI:

I have added the following OID to the datasource I downloaded so that we can see the maximum session count (raw data). This may be of use to others as well.

alSslStatsMaxSessions - 1.3.6.1.4.1.3076.2.1.2.26.1.3.0
Description - "The maximum number current of active sessions at any one time."

  • Like 1
  • Upvote 1


I have been seeing session numbers much higher than I would expect. When I looked closer, the numbers are not matching the output from manually checking using the CLI. This is across a few dozen devices with different setups. I think the OID may be different; I found the following ones, which I am testing. I will post back if I get better results:

crasSVCNumSessions 1.3.6.1.4.1.9.9.392.1.3.35.0
crasWebvpnNumSessions 1.3.6.1.4.1.9.9.392.1.3.38.0

The OID being used, I think, may be for total SSL sessions and not specifically AnyConnect users? Not sure, just a thought.


I was able to get accurate results changing the OID polled to:

1.3.6.1.4.1.9.9.392.1.3.35 under the properties, and 1.3.6.1.4.1.9.9.392.1.3.35.0 under the data source.

  • Like 1


Awesome, and thank you; it's working great for my ASAs in the system. Anyone have one to monitor the same thing on the Cisco FPR devices?


You can use this same OID to monitor on FPR devices. Just adjust your Applies To to include Firepower devices (if you are using the OIDs I posted about). I don't believe the original OIDs worked for Firepower for me, but the one I updated with did.

Edited by Matt M.


Thank you Matt. I'm confused about where to actually change the OIDs that you posted. Are you changing them on the datasource and then under parameters? Or somewhere else? Basically I changed what it was in that location to 1.3.6.1.4.1.9.9.392.1.3.35.0 and applied it to an FTD, but it didn't seem to work. I'm not sure what I did incorrectly.


I can't export mine and share it that way because the Exchange is being re-worked. Here is a copy of my XML (https://pastebin.com/GErayzCE). You can save that locally as an XML file and then add it to your tenant by doing DataSources -> Add -> From a file, and selecting your created file.

Note: I added a category to the "Applies To" called CiscoFirePower. You have to add that to any Firepower device that you want this to apply to, and then run another active discovery.

Edited by Matt M.
  • Like 1


I've uploaded it, but it doesn't seem to be working for any of the 2100 or 4100 series devices in my system. I'm still playing with it a little. I did have to change your Applies To to hasCategory("CiscoFirepowerSNMP"); none of my devices have CiscoFirepower as a category.


Let me know how you make out. I can confirm that it's working for us, at least with two different 2110 devices. The documentation for the 2110s actually says they still use ASA SNMP OIDs and that you can still use the same entries. I just added my devices to my Applies To and it worked great.


What you'll need to do is make sure that the datasource is getting "applied" to the additional devices. It sounds like the OIDs and so on are probably the same between the two, so you would only need to change the "AppliesTo". You can do that manually by adding " || displayName == '[the display name of an additional device]'" to the current Applies To. If that gets you data on the 2110, you'll need to further adjust the AppliesTo so that the datasource is trying to collect data for the additional devices. You can do this with a system.category, a sysOID mapping, or a property source.


Thank you Matt and Stuart. Unfortunately, even after setting the displayName in the Applies To, it isn't working. I'm having one of the guys take a look, as I just noticed that NetFlow is working but we aren't getting any SNMP info...


You can check that your Applies To is working properly (click "Test Applies To" and click the link to view the results, and ensure your new device is in there). If that's successful, that part is done.

Then you can test the active discovery to see if it's discovering anything. If that part's not working, there's a problem with SNMP, or the OIDs specified in discovery aren't there on the version of the device you have (it doesn't sound like the latter should be the case).

If all that works, you can test the polling by going to the device, browsing to the datasource, then the Raw Data tab. Click "Poll Now" to see if you're getting data back. If that doesn't work, then there's a problem with SNMP (permissions maybe, v3?) or the OIDs specified in the "Datapoints" section of the DS aren't correct.


That's just it... I see that the Applies To is working, SNMP is now polling correctly, but on the FP devices I'm not seeing the new "Cisco" datasource under the devices... but I do on the ASAs.


I had that issue when I was testing different OIDs to find the right one. Usually it was when I was polling an OID incorrectly or the OID didn't exist on the device. You can try to manually poll that OID and see if you get any value returned. If you get the AnyConnect user count you are expecting, you know the issue is on your LogicMonitor datasource config side. If not, then you know the issue is on your SNMP/OID side. These 2110 FTDs are running the latest version, as they are fairly new, so I am not sure if that has anything to do with it.

If you do not get the expected variable returned, I would try some other OIDs for your specific firmware, or open a TAC case and ask them what OID to use or why the OID given here isn't working as intended.

  • Like 1

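The manual check suggested above, as an added example that is not part of the thread or of the LogicMonitor datasource: poll the three OIDs discussed here with net-snmp's snmpget (assumed installed), parse the replies, and apply the rule from the post, comparing each value with the count seen on the device CLI. Host and community are placeholders, and the sample output is constructed.

```python
import re
import subprocess

# OIDs named in the thread; all are scalars, hence the trailing .0
OIDS = {
    "alSslStatsMaxSessions": "1.3.6.1.4.1.3076.2.1.2.26.1.3.0",
    "crasSVCNumSessions": "1.3.6.1.4.1.9.9.392.1.3.35.0",
    "crasWebvpnNumSessions": "1.3.6.1.4.1.9.9.392.1.3.38.0",
}
# 'snmpget -On' prints ".1.3.6... = Gauge32: 42" or "... = No Such Object ..."
_LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*(?P<rest>.*)$")
_NUM_RE = re.compile(r"^(?:Gauge32|Counter32|INTEGER|Unsigned32):\s*(\d+)")

def parse_snmpget(output):
    """Map numeric OID -> int value, or None when the agent has no such object."""
    values = {}
    for line in output.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            n = _NUM_RE.match(m.group("rest"))
            values[m.group("oid")] = int(n.group(1)) if n else None
    return values

def diagnose(values, cli_count):
    """Rule from the thread: a value equal to the CLI count means the OID is right and
    the datasource config is the problem; no value means the SNMP/OID side is."""
    report = {}
    for name, oid in OIDS.items():
        v = values.get(oid)
        if v is None:
            report[name] = "no value: check SNMP access or whether this firmware has the OID"
        elif v == cli_count:
            report[name] = "matches CLI: OID is right, check the datasource config"
        else:
            report[name] = f"returned {v} but CLI shows {cli_count}: counts something else"
    return report

def poll(host, community):
    """Query a live device with net-snmp (SNMPv2c only here; placeholder args)."""
    cmd = ["snmpget", "-v2c", "-c", community, "-On", host, *OIDS.values()]
    return parse_snmpget(subprocess.run(cmd, capture_output=True, text=True).stdout)

# Constructed sample output, not captured from a real ASA
SAMPLE = """\
.1.3.6.1.4.1.3076.2.1.2.26.1.3.0 = Gauge32: 250
.1.3.6.1.4.1.9.9.392.1.3.35.0 = Gauge32: 42
.1.3.6.1.4.1.9.9.392.1.3.38.0 = No Such Object available on this agent at this OID
"""

if __name__ == "__main__":
    for name, verdict in diagnose(parse_snmpget(SAMPLE), cli_count=42).items():
        print(f"{name}: {verdict}")
```

Run `poll("asa.example.invalid", "public")` in place of `SAMPLE` to check a real device; an empty result (timeout or wrong community) is reported as "no value" for every OID.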

I'm going to check out the version we are on. In our sandbox we have 1 FPPR, but in our prod system we have 15-20... I'm assuming that the versions are spread out, but I'm going to do some investigating. Thanks again Matt and Stuart!

  • Like 1
