ASA VPN Users by group

user@server:~/scripts$ cat asascript.sh
	#!/bin/bash
		community=communitystring
	while IFS='' read -r line || [[ -n "$line" ]]; do
	GROUP1=$(snmpwalk -v 2c -c $community -O v -L n $line 1.3.6.1.4.1.9.9.392.1.3.21.1.2 | sed 's/^.*://g' | sed 's/"//g' | grep -oc 'GROUP1')
	GROUP2=$(snmpwalk -v 2c -c $community -O v -L n $line 1.3.6.1.4.1.9.9.392.1.3.21.1.2 | sed 's/^.*://g' | sed 's/"//g' | grep -oc 'GROUP2')
	echo "IP is" $line
	echo "users group1 is" $GROUP1
	echo "users group2 is" $GROUP2
	done < "$1"
	user@server:~/scripts$

Hi,

The default PRTG sensor SNMP Cisco ASA VPN Connections is only giving you how many groups are active and how many users in total are connected.

What you want is a split up users per group active.

Looking at the SNMP data against an ASA I see that this might be challenging - I did not read in to the SNMP documentation from Cisco for this - but what I got back so far looks a lot like you might need a custom script executing the SNMP query and summarizing the multiple lines that you get back from a SNMP walk rather then a single value from 1.3.6.1.4.1.9.9.392.1.3.21.1.2 cause it does not seem to work this way - I actually even see IPs in those results as part of the SNMP OID.

There might be a parallel OID that would list you some information - but that's something to read up in the Cisco documentation.

Since you already have some kind of a script, possibly a PowerShell script using an SNMP library (found this in a very brief search: https://www.powershellgallery.com/packages/SNMP/1.0.0.1) etc...

You then count the sub-keys similar to the script you posted and respond it to PRTG as XML data. Keep in mind that there is a channel maximum of I think 10 (if I am not mistaken) that could limit you.

Hope this helps, regards

Florian Rossmark

www.it-admins.com

Aug, 2018 - Permalink

Thanks for chiming in, Florian! Always a pleasure to see active community members helping each other :)

---

Kind regards,
Stephan Linke, Tech Support Team

Aug, 2018 - Permalink