update project

9aa09dfc · thl-cmk · 6fb4857b · 9aa09dfc · 9aa09dfc · 9aa09dfc
Commit 9aa09dfc authored 3 years ago by thl-cmk
--- a/agent_based/cisco_vpn_tunnel.py
+++ b/agent_based/cisco_vpn_tunnel.py
@@ -16,13 +16,16 @@
 # 2018-07-11: added parameter for missing IPSec SA, changed 'parsed' to use peer ip as index
 # 2021-08-03: rewritten for CMK 2.0
 # 2021-11-03: fix negative vpn active tine
+# 2022-01-19: added workaround for not matching IKE_OID_end and cipSecTunIkeTunnelIndexfor not matching
+#             IKE_OID_end and cipSecTunIkeTunnelIndex, try to match IPSec nad IKE sa by remote address
 #
+
 # snmpwalk sample
 #
 #
 import time
 from dataclasses import dataclass
-from typing import List, Dict
+from typing import List, Dict, Optional

 from cmk.base.plugins.agent_based.agent_based_api.v1 import (
    register,
@@ -60,6 +63,7 @@ class IpsecSa:
    hc_out_octets: int
    out_pkts: int
    out_drop_pkts: int
+    tun_remote_addr: str


 @dataclass
@@ -119,6 +123,25 @@ def _cisco_vpn_tunnel_render_ipv4_address(bytestring):
    return '.'.join([f'{ord(m)}' for m in bytestring])


+def _get_ipsec_sa_by_remote_address(ike_remote_address: str, ipsec_sa_summary: Dict[str, IpsecSa]) -> Optional[IpsecSa]:
+    found_ipsec_sa = False
+    ipsec_sa = IpsecSa(0, 0, 0, 0, 0, 0, 0, 0, 0, '')
+    for ipsec_sa_to_check in ipsec_sa_summary.values():
+        if ipsec_sa_to_check.tun_remote_addr == ike_remote_address:
+            found_ipsec_sa = True
+            ipsec_sa.sa_count += 1
+            ipsec_sa.hc_in_octets += ipsec_sa_to_check.hc_in_octets
+            ipsec_sa.in_pkts += ipsec_sa_to_check.in_pkts
+            ipsec_sa.in_drop_pkts += ipsec_sa_to_check.in_drop_pkts
+            ipsec_sa.hc_out_octets += ipsec_sa_to_check.hc_out_octets
+            ipsec_sa.out_pkts += ipsec_sa_to_check.out_pkts
+            ipsec_sa.out_drop_pkts += ipsec_sa_to_check.out_drop_pkts
+            if ipsec_sa_to_check.active_time > ipsec_sa.active_time:
+                ipsec_sa.active_time = ipsec_sa_to_check.active_time
+    if found_ipsec_sa:
+        return ipsec_sa
+
+
 ###########################################################################
 #
 #  DATA Parser function
@@ -132,13 +155,13 @@ def parse_cisco_vpn_tunnel(string_table: List[StringTable]) -> Dict[str, IkeSa]:
    ike_tunnel_entry, ipsec_tunnel_entry = string_table

    # summarize IPSec SAs, ASSUMPTION: except for counters all SA attributes are identical per IKE index
-    for ike_tunnel_index, ike_tunnel_alive, active_time, hc_in_octets, in_pkts, in_drop_pkts, hc_out_octets, \
-            out_pkts, out_drop_pkts in ipsec_tunnel_entry:
+    for ike_tunnel_index, ike_tunnel_alive, tun_remote_addr, active_time, hc_in_octets, in_pkts, in_drop_pkts, \
+        hc_out_octets, out_pkts, out_drop_pkts in ipsec_tunnel_entry:

        if ike_tunnel_index.isdigit():
            ipsec_sa = ipsec_sa_summary.setdefault(
                ike_tunnel_index,
-                IpsecSa(0, 0, 0, 0, 0, 0, 0, 0, 0)
+                IpsecSa(0, 0, 0, 0, 0, 0, 0, 0, 0, tun_remote_addr)
            )
            ipsec_sa.sa_count += 1
            ipsec_sa.hc_in_octets += int(hc_in_octets)
@@ -156,6 +179,7 @@ def parse_cisco_vpn_tunnel(string_table: List[StringTable]) -> Dict[str, IkeSa]:
            nego_mode in ike_tunnel_entry:

        if index.isdigit():
+            save_remote_addr = remote_addr
            remote_addr = _cisco_vpn_tunnel_render_ipv4_address(remote_addr)
            if remote_addr.split('.') != 4:
                remote_addr = remote_value
@@ -178,7 +202,9 @@ def parse_cisco_vpn_tunnel(string_table: List[StringTable]) -> Dict[str, IkeSa]:
                    out_drop_pkts=int(out_droppkts),
                    status=int(status),
                    nego_mode=int(nego_mode),
-                    ipsec_summary=ipsec_sa_summary.get(index)
+                    # if/else is workaround for not matching IKE_OID_end and cipSecTunIkeTunnelIndex
+                    # try to match IPSec sa by remote address
+                    ipsec_summary=ipsec_sa_summary.get(index) if ipsec_sa_summary.get(index) is not None else _get_ipsec_sa_by_remote_address(save_remote_addr, ipsec_sa_summary)
                )
                vpntunnel.update({remote_addr: ike_sa})

@@ -352,8 +378,9 @@ register.snmp_section(
        SNMPTree(
            base='.1.3.6.1.4.1.9.9.171.1.3.2.1',  # CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunnelEntry
            oids=[
-                '2',  # ike tunnel index
+                '2',  # cipSecTunIkeTunnelIndex/ ike tunnel index
                '3',  # cipSecTunIkeTunnelAlive
+                '5',  # cipSecTunRemoteAddr (needed as workaround if if cipSecTunIkeTunnelIndex and IKE OID don't match)
                '10',  # cipSecTunActiveTime
                '27',  # cipSecTunHcInOctets
                '32',  # cipSecTunInPkts

--- a/cisco_vpn_tunnel.mkp
+++ b/cisco_vpn_tunnel.mkp
--- a/packages/cisco_vpn_tunnel
+++ b/packages/cisco_vpn_tunnel
@@ -11,7 +11,7 @@
 'name': 'cisco_vpn_tunnel',
 'num_files': 3,
 'title': 'Monitor Cisco VPN Tunnel',
- 'version': '20210803.v0.2',
+ 'version': '20220119.v0.3',
 'version.min_required': '2.0.0',
 'version.packaged': '2021.09.20',
 'version.usable_until': None}
\ No newline at end of file