Collection of CheckMK checks (see https://checkmk.com/). All checks and plugins are provided as is. Absolutely no warranty. Send any comments to thl-cmk[at]outlook[dot]com

Skip to content
Snippets Groups Projects
Commit e0c42a18 authored by thl-cmk's avatar thl-cmk :flag_na:
Browse files

Delete cisco_vpn_tunnel

parent fa9817d0
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 0 additions and 403 deletions
checks/cisco_vpn_tunnel deleted 100644 → 0
+ 0
403
View file @ fa9817d0
#!/usr/bin/python
# -*- encoding: utf-8; py-indent-offset: 4 -*-
#
#
# Cisco VPN tunnel rewrite
#
# Author: Th.L.
# Date : 2017-12-28
#
# Monitor status of Cisco VPN tunnel phase 1 and 2
#
# 10.01.2018: Th.L.: added handling for tunnel not found
# 23.01.2018: Th.L.: removed unnecessary counters
# 15.02.2018: Th.L.: removed ipsec tunnel status, changed ike ipv4 check
# 16.02.2018: Th.L.: readded tunnel alias
# 11.07.2018: Th.L.: added parameter for missing IPSec SA, changed 'parsed' to use peer ip as index
#
# snmpwalk sample
#
#
# {'state': 0, 'tunnels': [('192.168.1.2', u'tnnel-aliias', 1)]}
factory_settings['vpn_tunnel_defaults'] = {
# 'state': 3, # default state for tunnel not found
# 'tunnels': [] # list of tunnel specific not found states ('<ip-address>', '<alias>', <state>)
}
###########################################################################
#
# DATA Parser function
#
###########################################################################
def parse_cisco_vpn_tunnel(info):
ipsectunnelsummary = {}
vpntunnel = {}
cikeTunnelEntry, cipSecTunnelEntry = info
def cisco_vpn_tunnel_render_ipv4_address(bytestring):
return ".".join(["%s" % ord(m) for m in bytestring])
# summarize IPSec SAs, ASSUMPTION: except for counters all SA attributes are identical per IKE index
for entry in cipSecTunnelEntry:
if not saveint(entry[0]) == 0:
if int(entry[0]) in ipsectunnelsummary.keys(): # summarize IPSec SA values for IKE tunnel index
ipsecsa = ipsectunnelsummary.get(int(entry[0]))
ipsecsa.update({'ipsecsacount': ipsecsa.get('ipsecsacount') + 1})
ipsecsa.update({'cipSecTunHcInOctets': ipsecsa.get('cipSecTunHcInOctets') + int(entry[3])})
ipsecsa.update({'cipSecTunInPkts': ipsecsa.get('cipSecTunInPkts') + int(entry[4])})
ipsecsa.update({'cipSecTunInDropPkts': ipsecsa.get('cipSecTunInDropPkts') + int(entry[5])})
ipsecsa.update({'cipSecTunHcOutOctets': ipsecsa.get('cipSecTunHcOutOctets') + int(entry[6])})
ipsecsa.update({'cipSecTunOutPkts': ipsecsa.get('cipSecTunOutPkts') + int(entry[7])})
ipsecsa.update({'cipSecTunOutDropPkts': ipsecsa.get('cipSecTunOutDropPkts') + int(entry[8])})
if int(entry[2]) / 100 > ipsecsa.get('cipSecTunActiveTime'):
ipsecsa.update({'cipSecTunActiveTime': int(entry[2]) / 100})
else: # new IKE tunnel index
ipsecsa = {}
ipsecsa.update({'ipsecsacount': 1})
ipsecsa.update({'cipSecTunIkeTunnelAlive': entry[1]})
ipsecsa.update({'cipSecTunActiveTime': int(entry[2]) / 100})
ipsecsa.update({'cipSecTunHcInOctets': int(entry[3])})
ipsecsa.update({'cipSecTunInPkts': int(entry[4])})
ipsecsa.update({'cipSecTunInDropPkts': int(entry[5])})
ipsecsa.update({'cipSecTunHcOutOctets': int(entry[6])})
ipsecsa.update({'cipSecTunOutPkts': int(entry[7])})
ipsecsa.update({'cipSecTunOutDropPkts': int(entry[8])})
ipsectunnelsummary.update({int(entry[0]): ipsecsa})
# IKE tunnel index
for entry in cikeTunnelEntry:
tunnel = {}
if not saveint(entry[0]) == 0:
# if int(entry[17]) == 2: # drop agressive mode tunnel, likely Remote Access
tunnel.update({'cikeTunRemoteAddr': cisco_vpn_tunnel_render_ipv4_address(entry[7])})
if len(tunnel.get('cikeTunRemoteAddr').split('.')) != 4:
tunnel.update({'cikeTunRemoteAddr': entry[6]}) # IP address (hopefully)
if len(tunnel.get('cikeTunRemoteAddr').split('.')) == 4:
tunnel.update({'cikeTunIndex': int(entry[0])})
tunnel.update({'cikeTunLocalType': int (entry[1])})
tunnel.update({'cikeTunLocalValue': entry[2]})
tunnel.update({'cikeTunLocalAddr': cisco_vpn_tunnel_render_ipv4_address(entry[3])})
tunnel.update({'cikeTunLocalName': entry[4]})
tunnel.update({'cikeTunRemoteType': int(entry[5])})
tunnel.update({'cikeTunRemoteValue': entry[6]})
tunnel.update({'cikeTunRemoteName': entry[8]})
tunnel.update({'cikeTunActiveTime': int(entry[9]) / 100})
tunnel.update({'cikeTunInOctets': int(entry[10])})
tunnel.update({'cikeTunInPkts': int(entry[11])})
tunnel.update({'cikeTunInDropPkts': int(entry[12])})
tunnel.update({'cikeTunOutOctets': int(entry[13])})
tunnel.update({'cikeTunOutPkts': int(entry[14])})
tunnel.update({'cikeTunOutDropPkts': int(entry[15])})
tunnel.update({'cikeTunStatus': int(entry[16])})
# add IPSec SA summary for IKE tunnel index
tunnel.update({'ipsecsummary': ipsectunnelsummary.get(tunnel.get('cikeTunIndex'))})
vpntunnel.update({tunnel.get('cikeTunRemoteAddr'):tunnel})
return vpntunnel
###########################################################################
#
# Inventory function
#
###########################################################################
def inventory_cisco_vpn_tunnel(parsed):
for cikeTunRemoteAddr in parsed.keys():
yield cikeTunRemoteAddr, {}
###########################################################################
#
# Check function
#
###########################################################################
def check_cisco_vpn_tunnel(item, params, parsed):
infotext = ''
longoutput = ''
alias = ''
tunnel_not_found_state = params.get('state', 3)
missing_ipsec_sa_state = params.get('missing_ipsec_sa_state', 1)
perfdata = []
state = 0
def ikepeertype(type):
name = {
1: 'ipAddrPeer',
2: 'namePeer',
}
if type in name.keys():
return name.get(type)
else:
return 'unknown (%s)' % type
def ikenegomode(mode):
name = {1: 'main',
2: 'aggressive',
3: 'IKEv2 main([3]?)'
}
if mode in name.keys():
return name.get(mode)
else:
return 'unknown (%s)' % mode
def diffhellmangrp(group):
name = {1: 'none',
2: 'DH1 (768bit)',
3: 'DH2 (1024bit)',
4: 'DH5 (1536bit) [4]?',
5: 'DH14 (2048bit)[5]?',
6: 'DH15 (3072bit) [6]?',
7: 'DH16 (4096bit) [7]?',
8: 'ECDH19 (256bit) [8]?',
9: 'ECDH20 (384bit) [9]?',
10: 'DH/DSA24 (2048bit) [10]?',
}
if group in name.keys():
return name.get(group)
else:
return 'unknown (%s)' % group
def encryptalgo(algo):
name = {1: 'none',
2: 'des',
3: 'des3',
4: 'aes-128 [4]?',
5: 'aes-192 [5]?',
6: 'aes-256 [6]?',
7: 'aes-gcm-128 [7]?',
8: 'aes-gcm-191 [8]?',
9: 'aes-gcm-256 [9]?',
}
if algo in name.keys():
return name.get(algo)
else:
return 'unknown (%s)' % algo
def ikehashalgo(algo):
name = {
1: 'none',
2: 'md5',
3: 'sha',
7: 'sha2-256 [7]?',
8: 'sha2-384 [8]?',
9: 'sha2-512 [9]?',
}
if algo in name.keys():
return name.get(algo)
else:
return 'unknown (%s)' % algo
def ikeauthmethod(method):
name = {
1: 'none',
2: 'preSharedKey',
3: 'rsaSig',
4: 'rsaEncrypt',
5: 'revPublicKey',
}
if method in name.keys():
return name.get(method)
else:
return 'unknown (%s)' % method
def tunnelstatus(status):
name = {
1: 'active',
2: 'destroy',
}
if status in name.keys():
return name.get(status)
else:
return 'unknown (%s)' % status
def ipsec_keytype(type):
name = {
1: 'ike',
2: 'manual',
}
if type in name.keys():
return name.get(type)
else:
return 'unknown (%s)' % type
def ipsec_encapmode(mode):
name = {
1: 'tunnel',
2: 'transport',
}
if mode in name.keys():
return name.get(mode)
else:
return 'unknown (%s)' % mode
def ipsec_authalgo(algo):
name = {
1: 'none',
2: 'hmacMd5',
3: 'hmacSha',
}
if algo in name.keys():
return name.get(algo)
else:
return 'unknown (%s)' % algo
def ipsec_compalgo(algo):
name = {
1: 'none',
2: 'ldf',
}
if algo in name.keys():
return name.get(algo)
else:
return 'unknown (%s)' % algo
def cisco_vpn_tunnel_time(uptime): # expects time in seconds
m, s = divmod(uptime, 60) # break in seconds / minutes
h, m = divmod(m, 60) # break in mintes / hours
if h >= 24: # more then one day
d, h = divmod(h, 24) # break in hours / days
else:
return '%02d:%02d:%02d' % (h, m, s)
if d >= 365: # more the one year
y, d = divmod(d, 365) # break in days / years
return '%dy %dd %02d:%02d:%02d' % (y, d, h, m, s)
else:
return '%dd %02d:%02d:%02d' % (d, h, m, s)
for tunnel_ip, tunnel_alias, not_found_state, ipsec_sa_state in params.get('tunnels', []):
if item == tunnel_ip:
alias = tunnel_alias
tunnel_not_found_state = not_found_state
missing_ipsec_sa_state = ipsec_sa_state
if item in parsed.keys():
tunnel = parsed.get(item)
if item == tunnel.get('cikeTunRemoteAddr'):
state = 0
ipsecsummary = tunnel.get('ipsecsummary')
if alias != '':
infotext = 'Alias: %s: ' % alias
infotext += 'IKE active time: %s' % (cisco_vpn_tunnel_time(tunnel.get('cikeTunActiveTime')))
now_time = time.time()
# convert to octets/packets per second
tunnel.update({'cikeTunInOctets' : get_rate('cisco_vpn_tunnel.%s.%s' % ('cikeTunInOctets', item), now_time, tunnel.get('cikeTunInOctets'), onwrap=SKIP)})
tunnel.update({'cikeTunOutOctets' : get_rate('cisco_vpn_tunnel.%s.%s' % ('cikeTunOutOctets', item), now_time, tunnel.get('cikeTunInPkts'), onwrap=SKIP)})
tunnel.update({'cikeTunInPkts' : get_rate('cisco_vpn_tunnel.%s.%s' % ('cikeTunInPkts', item), now_time, tunnel.get('cikeTunOutOctets'), onwrap=SKIP)})
tunnel.update({'cikeTunOutPkts' : get_rate('cisco_vpn_tunnel.%s.%s' % ('cikeTunOutPkts', item), now_time, tunnel.get('cikeTunOutPkts'), onwrap=SKIP)})
tunnel.update({'cikeTunInDropPkts' : get_rate('cisco_vpn_tunnel.%s.%s' % ('cikeTunInDropPkts', item), now_time, tunnel.get('cikeTunInDropPkts'), onwrap=SKIP)})
tunnel.update({'cikeTunOutDropPkts': get_rate('cisco_vpn_tunnel.%s.%s' % ('cikeTunOutDropPkts', item), now_time, tunnel.get('cikeTunOutDropPkts'), onwrap=SKIP)})
longoutput += '\nIKE Status : %s' % tunnelstatus(tunnel.get('cikeTunStatus'))
longoutput += '\nTunnel address local : %s' % tunnel.get('cikeTunLocalAddr')
longoutput += '\nTunnel address remote : %s' % tunnel.get('cikeTunRemoteAddr')
# 'unit', <value>, <warn-at>, <crit-at>, <min value>, <max value>
perfdata.append(('cikeTunInOctets', tunnel.get('cikeTunInOctets')))
perfdata.append(('cikeTunOutOctets', tunnel.get('cikeTunOutOctets')))
perfdata.append(('cikeTunInPkts', tunnel.get('cikeTunInPkts')))
perfdata.append(('cikeTunOutPkts', tunnel.get('cikeTunOutPkts')))
perfdata.append(('cikeTunInDropPkts', tunnel.get('cikeTunInDropPkts')))
perfdata.append(('cikeTunOutDropPkts', tunnel.get('cikeTunOutDropPkts')))
perfdata.append(('cikeTunActiveTime', tunnel.get('cikeTunActiveTime')))
if not ipsecsummary == None:
# convert to octets/packets per second
ipsecsummary.update({'cipSecTunHcInOctets': get_rate('cisco_vpn_tunnel.%s.%s' % ('cipSecTunHcInOctets', item), now_time, ipsecsummary.get('cipSecTunHcInOctets'), onwrap=SKIP)})
ipsecsummary.update({'cipSecTunHcOutOctets': get_rate('cisco_vpn_tunnel.%s.%s' % ('cipSecTunHcOutOctets', item), now_time, ipsecsummary.get('cipSecTunHcOutOctets'), onwrap=SKIP)})
ipsecsummary.update({'cipSecTunInPkts': get_rate('cisco_vpn_tunnel.%s.%s' % ('cipSecTunInPkts', item), now_time, ipsecsummary.get('cipSecTunInPkts'), onwrap=SKIP)})
ipsecsummary.update({'cipSecTunOutPkts': get_rate('cisco_vpn_tunnel.%s.%s' % ('cipSecTunOutPkts', item), now_time, ipsecsummary.get('cipSecTunOutPkts'), onwrap=SKIP)})
ipsecsummary.update({'cipSecTunInDropPkts': get_rate('cisco_vpn_tunnel.%s.%s' % ('cipSecTunInDropPkts', item), now_time, ipsecsummary.get('cipSecTunInDropPkts'), onwrap=SKIP)})
ipsecsummary.update({'cipSecTunOutDropPkts': get_rate('cisco_vpn_tunnel.%s.%s' % ('cipSecTunOutDropPkts', item), now_time, ipsecsummary.get('cipSecTunOutDropPkts'), onwrap=SKIP)})
infotext += ', IPSec active time: %s, IPSec SAs: %s, IPSec (in/out) %01.0d/%01.0d bytes/s' \
% (cisco_vpn_tunnel_time(ipsecsummary.get('cipSecTunActiveTime')),
ipsecsummary.get('ipsecsacount'),
ipsecsummary.get('cipSecTunHcInOctets'),
ipsecsummary.get('cipSecTunHcOutOctets'))
# 'unit', <value>, <warn-at>, <crit-at>, <min value>, <max value>
perfdata.append(('cipSecTunHcInOctets', ipsecsummary.get('cipSecTunHcInOctets')))
perfdata.append(('cipSecTunHcOutOctets', ipsecsummary.get('cipSecTunHcOutOctets')))
perfdata.append(('cipSecTunInPkts', ipsecsummary.get('cipSecTunInPkts')))
perfdata.append(('cipSecTunOutPkts', ipsecsummary.get('cipSecTunOutPkts')))
perfdata.append(('cipSecTunInDropPkts', ipsecsummary.get('cipSecTunInDropPkts')))
perfdata.append(('cipSecTunOutDropPkts', ipsecsummary.get('cipSecTunOutDropPkts')))
perfdata.append(('cipSecTunActiveTime', ipsecsummary.get('cipSecTunActiveTime')))
else:
yield missing_ipsec_sa_state, 'No IPSec sa found'
# tunnel not found
else:
yield tunnel_not_found_state, 'VPN Tunnel %s not found' % alias
state = tunnel_not_found_state
yield state, infotext + longoutput, perfdata
###########################################################################
#
# Check info
#
###########################################################################
check_info['cisco_vpn_tunnel'] = {
'check_function' : check_cisco_vpn_tunnel,
'inventory_function' : inventory_cisco_vpn_tunnel,
'service_description' : 'VPN Tunnel %s',
'group' : 'vpn_tunnel',
'default_levels_variable': 'vpn_tunnel_defaults',
'has_perfdata' : True,
'parse_function' : parse_cisco_vpn_tunnel,
'snmp_scan_function' : lambda oid: oid('.1.3.6.1.2.1.1.1.0').lower().find('cisco') != -1 and
oid('.1.3.6.1.4.1.9.9.171.1.2.3.1.*'), # CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunnelEntry
'snmp_info' : [
('.1.3.6.1.4.1.9.9.171.1.2.3.1', [
OID_END, # TunnelIndex (0)
'2', # cikeTunLocalType (1)
'3', # cikeTunLocalValue (2)
'4', # cikeTunLocalAddr (3)
'5', # cikeTunLocalName (4)
'6', # cikeTunRemoteType (5)
'7', # cikeTunRemoteValue (6)
'8', # cikeTunRemoteAddr (7)
'9', # cikeTunRemoteName (8)
'16', # cikeTunActiveTime (9)
'19', # cikeTunInOctets (10)
'20', # cikeTunInPkts (11)
'21', # cikeTunInDropPkts (12)
'27', # cikeTunOutOctets (13)
'28', # cikeTunOutPkts (14)
'29', # cikeTunOutDropPkts (15)
'35', # cikeTunStatus (16)
'10', # cikeTunNegoMode (17)
]),
('.1.3.6.1.4.1.9.9.171.1.3.2.1', [ # CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunnelEntry
'2', # cipSecTunIkeTunnelIndex (0)
'3', # cipSecTunIkeTunnelAlive (1)
'10', # cipSecTunActiveTime (2)
'27', # cipSecTunHcInOctets (3)
'32', # cipSecTunInPkts (4)
'33', # cipSecTunInDropPkts (5)
'40', # cipSecTunHcOutOctets (6)
'45', # cipSecTunOutPkts (7)
'46', # cipSecTunOutDropPkts (8)
]),
],
}
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Collection of CheckMK checks (see https://checkmk.com/). All checks and plugins are provided as is. Absolutely no warranty. Send any comments to thl-cmk[at]outlook[dot]com