From e0c42a18841f6ac0b82e80866c7670414da313ea Mon Sep 17 00:00:00 2001
From: thl-cmk <thl-cmk@outlook.com>
Date: Tue, 3 Aug 2021 19:15:42 +0000
Subject: [PATCH] Delete cisco_vpn_tunnel
---
checks/cisco_vpn_tunnel | 403 ----------------------------------------
1 file changed, 403 deletions(-)
delete mode 100644 checks/cisco_vpn_tunnel
diff --git a/checks/cisco_vpn_tunnel b/checks/cisco_vpn_tunnel
deleted file mode 100644
index 705ac30..0000000
--- a/checks/cisco_vpn_tunnel
+++ /dev/null
@@ -1,403 +0,0 @@
-#!/usr/bin/python
-# -*- encoding: utf-8; py-indent-offset: 4 -*-
-#
-#
-# Cisco VPN tunnel rewrite
-#
-# Author: Th.L.
-# Date : 2017-12-28
-#
-# Monitor status of Cisco VPN tunnel phase 1 and 2
-#
-# 10.01.2018: Th.L.: added handling for tunnel not found
-# 23.01.2018: Th.L.: removed unnecessary counters
-# 15.02.2018: Th.L.: removed ipsec tunnel status, changed ike ipv4 check
-# 16.02.2018: Th.L.: readded tunnel alias
-# 11.07.2018: Th.L.: added parameter for missing IPSec SA, changed 'parsed' to use peer ip as index
-#
-# snmpwalk sample
-#
-#
-# {'state': 0, 'tunnels': [('192.168.1.2', u'tnnel-aliias', 1)]}
-factory_settings['vpn_tunnel_defaults'] = {
- # 'state': 3, # default state for tunnel not found
- # 'tunnels': [] # list of tunnel specific not found states ('<ip-address>', '<alias>', <state>)
-}
-
-
-###########################################################################
-#
-# DATA Parser function
-#
-###########################################################################
-
-
-def parse_cisco_vpn_tunnel(info):
- ipsectunnelsummary = {}
- vpntunnel = {}
- cikeTunnelEntry, cipSecTunnelEntry = info
-
- def cisco_vpn_tunnel_render_ipv4_address(bytestring):
- return ".".join(["%s" % ord(m) for m in bytestring])
-
- # summarize IPSec SAs, ASSUMPTION: except for counters all SA attributes are identical per IKE index
- for entry in cipSecTunnelEntry:
- if not saveint(entry[0]) == 0:
- if int(entry[0]) in ipsectunnelsummary.keys(): # summarize IPSec SA values for IKE tunnel index
- ipsecsa = ipsectunnelsummary.get(int(entry[0]))
- ipsecsa.update({'ipsecsacount': ipsecsa.get('ipsecsacount') + 1})
- ipsecsa.update({'cipSecTunHcInOctets': ipsecsa.get('cipSecTunHcInOctets') + int(entry[3])})
- ipsecsa.update({'cipSecTunInPkts': ipsecsa.get('cipSecTunInPkts') + int(entry[4])})
- ipsecsa.update({'cipSecTunInDropPkts': ipsecsa.get('cipSecTunInDropPkts') + int(entry[5])})
- ipsecsa.update({'cipSecTunHcOutOctets': ipsecsa.get('cipSecTunHcOutOctets') + int(entry[6])})
- ipsecsa.update({'cipSecTunOutPkts': ipsecsa.get('cipSecTunOutPkts') + int(entry[7])})
- ipsecsa.update({'cipSecTunOutDropPkts': ipsecsa.get('cipSecTunOutDropPkts') + int(entry[8])})
- if int(entry[2]) / 100 > ipsecsa.get('cipSecTunActiveTime'):
- ipsecsa.update({'cipSecTunActiveTime': int(entry[2]) / 100})
-
- else: # new IKE tunnel index
- ipsecsa = {}
- ipsecsa.update({'ipsecsacount': 1})
- ipsecsa.update({'cipSecTunIkeTunnelAlive': entry[1]})
- ipsecsa.update({'cipSecTunActiveTime': int(entry[2]) / 100})
- ipsecsa.update({'cipSecTunHcInOctets': int(entry[3])})
- ipsecsa.update({'cipSecTunInPkts': int(entry[4])})
- ipsecsa.update({'cipSecTunInDropPkts': int(entry[5])})
- ipsecsa.update({'cipSecTunHcOutOctets': int(entry[6])})
- ipsecsa.update({'cipSecTunOutPkts': int(entry[7])})
- ipsecsa.update({'cipSecTunOutDropPkts': int(entry[8])})
-
- ipsectunnelsummary.update({int(entry[0]): ipsecsa})
-
- # IKE tunnel index
- for entry in cikeTunnelEntry:
- tunnel = {}
- if not saveint(entry[0]) == 0:
- # if int(entry[17]) == 2: # drop agressive mode tunnel, likely Remote Access
- tunnel.update({'cikeTunRemoteAddr': cisco_vpn_tunnel_render_ipv4_address(entry[7])})
- if len(tunnel.get('cikeTunRemoteAddr').split('.')) != 4:
- tunnel.update({'cikeTunRemoteAddr': entry[6]}) # IP address (hopefully)
- if len(tunnel.get('cikeTunRemoteAddr').split('.')) == 4:
- tunnel.update({'cikeTunIndex': int(entry[0])})
- tunnel.update({'cikeTunLocalType': int (entry[1])})
- tunnel.update({'cikeTunLocalValue': entry[2]})
- tunnel.update({'cikeTunLocalAddr': cisco_vpn_tunnel_render_ipv4_address(entry[3])})
- tunnel.update({'cikeTunLocalName': entry[4]})
- tunnel.update({'cikeTunRemoteType': int(entry[5])})
- tunnel.update({'cikeTunRemoteValue': entry[6]})
-
- tunnel.update({'cikeTunRemoteName': entry[8]})
- tunnel.update({'cikeTunActiveTime': int(entry[9]) / 100})
- tunnel.update({'cikeTunInOctets': int(entry[10])})
- tunnel.update({'cikeTunInPkts': int(entry[11])})
- tunnel.update({'cikeTunInDropPkts': int(entry[12])})
- tunnel.update({'cikeTunOutOctets': int(entry[13])})
- tunnel.update({'cikeTunOutPkts': int(entry[14])})
- tunnel.update({'cikeTunOutDropPkts': int(entry[15])})
- tunnel.update({'cikeTunStatus': int(entry[16])})
-
- # add IPSec SA summary for IKE tunnel index
- tunnel.update({'ipsecsummary': ipsectunnelsummary.get(tunnel.get('cikeTunIndex'))})
-
- vpntunnel.update({tunnel.get('cikeTunRemoteAddr'):tunnel})
- return vpntunnel
-
-###########################################################################
-#
-# Inventory function
-#
-###########################################################################
-
-
-def inventory_cisco_vpn_tunnel(parsed):
- for cikeTunRemoteAddr in parsed.keys():
- yield cikeTunRemoteAddr, {}
-
-
-###########################################################################
-#
-# Check function
-#
-###########################################################################
-
-
-def check_cisco_vpn_tunnel(item, params, parsed):
- infotext = ''
- longoutput = ''
- alias = ''
- tunnel_not_found_state = params.get('state', 3)
- missing_ipsec_sa_state = params.get('missing_ipsec_sa_state', 1)
- perfdata = []
- state = 0
-
- def ikepeertype(type):
- name = {
- 1: 'ipAddrPeer',
- 2: 'namePeer',
- }
- if type in name.keys():
- return name.get(type)
- else:
- return 'unknown (%s)' % type
-
- def ikenegomode(mode):
- name = {1: 'main',
- 2: 'aggressive',
- 3: 'IKEv2 main([3]?)'
- }
- if mode in name.keys():
- return name.get(mode)
- else:
- return 'unknown (%s)' % mode
-
- def diffhellmangrp(group):
- name = {1: 'none',
- 2: 'DH1 (768bit)',
- 3: 'DH2 (1024bit)',
- 4: 'DH5 (1536bit) [4]?',
- 5: 'DH14 (2048bit)[5]?',
- 6: 'DH15 (3072bit) [6]?',
- 7: 'DH16 (4096bit) [7]?',
- 8: 'ECDH19 (256bit) [8]?',
- 9: 'ECDH20 (384bit) [9]?',
- 10: 'DH/DSA24 (2048bit) [10]?',
- }
- if group in name.keys():
- return name.get(group)
- else:
- return 'unknown (%s)' % group
-
- def encryptalgo(algo):
- name = {1: 'none',
- 2: 'des',
- 3: 'des3',
- 4: 'aes-128 [4]?',
- 5: 'aes-192 [5]?',
- 6: 'aes-256 [6]?',
- 7: 'aes-gcm-128 [7]?',
- 8: 'aes-gcm-191 [8]?',
- 9: 'aes-gcm-256 [9]?',
- }
- if algo in name.keys():
- return name.get(algo)
- else:
- return 'unknown (%s)' % algo
-
- def ikehashalgo(algo):
- name = {
- 1: 'none',
- 2: 'md5',
- 3: 'sha',
- 7: 'sha2-256 [7]?',
- 8: 'sha2-384 [8]?',
- 9: 'sha2-512 [9]?',
-
- }
- if algo in name.keys():
- return name.get(algo)
- else:
- return 'unknown (%s)' % algo
-
- def ikeauthmethod(method):
- name = {
- 1: 'none',
- 2: 'preSharedKey',
- 3: 'rsaSig',
- 4: 'rsaEncrypt',
- 5: 'revPublicKey',
- }
- if method in name.keys():
- return name.get(method)
- else:
- return 'unknown (%s)' % method
-
- def tunnelstatus(status):
- name = {
- 1: 'active',
- 2: 'destroy',
- }
- if status in name.keys():
- return name.get(status)
- else:
- return 'unknown (%s)' % status
-
- def ipsec_keytype(type):
- name = {
- 1: 'ike',
- 2: 'manual',
- }
- if type in name.keys():
- return name.get(type)
- else:
- return 'unknown (%s)' % type
-
- def ipsec_encapmode(mode):
- name = {
- 1: 'tunnel',
- 2: 'transport',
- }
- if mode in name.keys():
- return name.get(mode)
- else:
- return 'unknown (%s)' % mode
-
- def ipsec_authalgo(algo):
- name = {
- 1: 'none',
- 2: 'hmacMd5',
- 3: 'hmacSha',
- }
- if algo in name.keys():
- return name.get(algo)
- else:
- return 'unknown (%s)' % algo
-
- def ipsec_compalgo(algo):
- name = {
- 1: 'none',
- 2: 'ldf',
- }
- if algo in name.keys():
- return name.get(algo)
- else:
- return 'unknown (%s)' % algo
-
- def cisco_vpn_tunnel_time(uptime): # expects time in seconds
- m, s = divmod(uptime, 60) # break in seconds / minutes
- h, m = divmod(m, 60) # break in mintes / hours
- if h >= 24: # more then one day
- d, h = divmod(h, 24) # break in hours / days
- else:
- return '%02d:%02d:%02d' % (h, m, s)
- if d >= 365: # more the one year
- y, d = divmod(d, 365) # break in days / years
- return '%dy %dd %02d:%02d:%02d' % (y, d, h, m, s)
- else:
- return '%dd %02d:%02d:%02d' % (d, h, m, s)
-
- for tunnel_ip, tunnel_alias, not_found_state, ipsec_sa_state in params.get('tunnels', []):
- if item == tunnel_ip:
- alias = tunnel_alias
- tunnel_not_found_state = not_found_state
- missing_ipsec_sa_state = ipsec_sa_state
-
- if item in parsed.keys():
- tunnel = parsed.get(item)
-
- if item == tunnel.get('cikeTunRemoteAddr'):
- state = 0
-
- ipsecsummary = tunnel.get('ipsecsummary')
-
- if alias != '':
- infotext = 'Alias: %s: ' % alias
-
- infotext += 'IKE active time: %s' % (cisco_vpn_tunnel_time(tunnel.get('cikeTunActiveTime')))
-
- now_time = time.time()
- # convert to octets/packets per second
- tunnel.update({'cikeTunInOctets' : get_rate('cisco_vpn_tunnel.%s.%s' % ('cikeTunInOctets', item), now_time, tunnel.get('cikeTunInOctets'), onwrap=SKIP)})
- tunnel.update({'cikeTunOutOctets' : get_rate('cisco_vpn_tunnel.%s.%s' % ('cikeTunOutOctets', item), now_time, tunnel.get('cikeTunInPkts'), onwrap=SKIP)})
- tunnel.update({'cikeTunInPkts' : get_rate('cisco_vpn_tunnel.%s.%s' % ('cikeTunInPkts', item), now_time, tunnel.get('cikeTunOutOctets'), onwrap=SKIP)})
- tunnel.update({'cikeTunOutPkts' : get_rate('cisco_vpn_tunnel.%s.%s' % ('cikeTunOutPkts', item), now_time, tunnel.get('cikeTunOutPkts'), onwrap=SKIP)})
- tunnel.update({'cikeTunInDropPkts' : get_rate('cisco_vpn_tunnel.%s.%s' % ('cikeTunInDropPkts', item), now_time, tunnel.get('cikeTunInDropPkts'), onwrap=SKIP)})
- tunnel.update({'cikeTunOutDropPkts': get_rate('cisco_vpn_tunnel.%s.%s' % ('cikeTunOutDropPkts', item), now_time, tunnel.get('cikeTunOutDropPkts'), onwrap=SKIP)})
-
- longoutput += '\nIKE Status : %s' % tunnelstatus(tunnel.get('cikeTunStatus'))
- longoutput += '\nTunnel address local : %s' % tunnel.get('cikeTunLocalAddr')
- longoutput += '\nTunnel address remote : %s' % tunnel.get('cikeTunRemoteAddr')
-
- # 'unit', <value>, <warn-at>, <crit-at>, <min value>, <max value>
- perfdata.append(('cikeTunInOctets', tunnel.get('cikeTunInOctets')))
- perfdata.append(('cikeTunOutOctets', tunnel.get('cikeTunOutOctets')))
- perfdata.append(('cikeTunInPkts', tunnel.get('cikeTunInPkts')))
- perfdata.append(('cikeTunOutPkts', tunnel.get('cikeTunOutPkts')))
- perfdata.append(('cikeTunInDropPkts', tunnel.get('cikeTunInDropPkts')))
- perfdata.append(('cikeTunOutDropPkts', tunnel.get('cikeTunOutDropPkts')))
- perfdata.append(('cikeTunActiveTime', tunnel.get('cikeTunActiveTime')))
-
- if not ipsecsummary == None:
- # convert to octets/packets per second
- ipsecsummary.update({'cipSecTunHcInOctets': get_rate('cisco_vpn_tunnel.%s.%s' % ('cipSecTunHcInOctets', item), now_time, ipsecsummary.get('cipSecTunHcInOctets'), onwrap=SKIP)})
- ipsecsummary.update({'cipSecTunHcOutOctets': get_rate('cisco_vpn_tunnel.%s.%s' % ('cipSecTunHcOutOctets', item), now_time, ipsecsummary.get('cipSecTunHcOutOctets'), onwrap=SKIP)})
- ipsecsummary.update({'cipSecTunInPkts': get_rate('cisco_vpn_tunnel.%s.%s' % ('cipSecTunInPkts', item), now_time, ipsecsummary.get('cipSecTunInPkts'), onwrap=SKIP)})
- ipsecsummary.update({'cipSecTunOutPkts': get_rate('cisco_vpn_tunnel.%s.%s' % ('cipSecTunOutPkts', item), now_time, ipsecsummary.get('cipSecTunOutPkts'), onwrap=SKIP)})
- ipsecsummary.update({'cipSecTunInDropPkts': get_rate('cisco_vpn_tunnel.%s.%s' % ('cipSecTunInDropPkts', item), now_time, ipsecsummary.get('cipSecTunInDropPkts'), onwrap=SKIP)})
- ipsecsummary.update({'cipSecTunOutDropPkts': get_rate('cisco_vpn_tunnel.%s.%s' % ('cipSecTunOutDropPkts', item), now_time, ipsecsummary.get('cipSecTunOutDropPkts'), onwrap=SKIP)})
-
- infotext += ', IPSec active time: %s, IPSec SAs: %s, IPSec (in/out) %01.0d/%01.0d bytes/s' \
- % (cisco_vpn_tunnel_time(ipsecsummary.get('cipSecTunActiveTime')),
- ipsecsummary.get('ipsecsacount'),
- ipsecsummary.get('cipSecTunHcInOctets'),
- ipsecsummary.get('cipSecTunHcOutOctets'))
-
- # 'unit', <value>, <warn-at>, <crit-at>, <min value>, <max value>
- perfdata.append(('cipSecTunHcInOctets', ipsecsummary.get('cipSecTunHcInOctets')))
- perfdata.append(('cipSecTunHcOutOctets', ipsecsummary.get('cipSecTunHcOutOctets')))
- perfdata.append(('cipSecTunInPkts', ipsecsummary.get('cipSecTunInPkts')))
- perfdata.append(('cipSecTunOutPkts', ipsecsummary.get('cipSecTunOutPkts')))
- perfdata.append(('cipSecTunInDropPkts', ipsecsummary.get('cipSecTunInDropPkts')))
- perfdata.append(('cipSecTunOutDropPkts', ipsecsummary.get('cipSecTunOutDropPkts')))
- perfdata.append(('cipSecTunActiveTime', ipsecsummary.get('cipSecTunActiveTime')))
-
- else:
- yield missing_ipsec_sa_state, 'No IPSec sa found'
-
- # tunnel not found
- else:
- yield tunnel_not_found_state, 'VPN Tunnel %s not found' % alias
- state = tunnel_not_found_state
-
- yield state, infotext + longoutput, perfdata
-
-###########################################################################
-#
-# Check info
-#
-###########################################################################
-
-
-check_info['cisco_vpn_tunnel'] = {
- 'check_function' : check_cisco_vpn_tunnel,
- 'inventory_function' : inventory_cisco_vpn_tunnel,
- 'service_description' : 'VPN Tunnel %s',
- 'group' : 'vpn_tunnel',
- 'default_levels_variable': 'vpn_tunnel_defaults',
- 'has_perfdata' : True,
- 'parse_function' : parse_cisco_vpn_tunnel,
- 'snmp_scan_function' : lambda oid: oid('.1.3.6.1.2.1.1.1.0').lower().find('cisco') != -1 and
- oid('.1.3.6.1.4.1.9.9.171.1.2.3.1.*'), # CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunnelEntry
- 'snmp_info' : [
- ('.1.3.6.1.4.1.9.9.171.1.2.3.1', [
- OID_END, # TunnelIndex (0)
- '2', # cikeTunLocalType (1)
- '3', # cikeTunLocalValue (2)
- '4', # cikeTunLocalAddr (3)
- '5', # cikeTunLocalName (4)
- '6', # cikeTunRemoteType (5)
- '7', # cikeTunRemoteValue (6)
- '8', # cikeTunRemoteAddr (7)
- '9', # cikeTunRemoteName (8)
- '16', # cikeTunActiveTime (9)
- '19', # cikeTunInOctets (10)
- '20', # cikeTunInPkts (11)
- '21', # cikeTunInDropPkts (12)
- '27', # cikeTunOutOctets (13)
- '28', # cikeTunOutPkts (14)
- '29', # cikeTunOutDropPkts (15)
- '35', # cikeTunStatus (16)
- '10', # cikeTunNegoMode (17)
- ]),
- ('.1.3.6.1.4.1.9.9.171.1.3.2.1', [ # CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunnelEntry
- '2', # cipSecTunIkeTunnelIndex (0)
- '3', # cipSecTunIkeTunnelAlive (1)
- '10', # cipSecTunActiveTime (2)
- '27', # cipSecTunHcInOctets (3)
- '32', # cipSecTunInPkts (4)
- '33', # cipSecTunInDropPkts (5)
- '40', # cipSecTunHcOutOctets (6)
- '45', # cipSecTunOutPkts (7)
- '46', # cipSecTunOutDropPkts (8)
- ]),
- ],
-}
--
GitLab