Grabbing Cisco VPN Concentrator Session List
Shaggy
All American
17820 Posts

from another application.

So we have a bunch of people logging into our 2 load balanced vpn concentrators. You can see session information by logging into the concentrators via the web/ssh/etc... and then going to the session list. But this is a pain in the ass because you have to login every time and go to two places to view it all.

What I'd like to do is be able to view the session information in a separate application. Like have a servlet login to the concentrators, grab the session info, and then display it all in a table. I know we have some cisco people here, so do you guys have any ideas?

SNMP might work, but I have no idea what the session variables would be.

There's also an XML Management protocol listed in the system settings, but from what little documentation I've found about it, it's for cisco's own management tools which I imagine use a proprietary protocol.

Any ideas or suggestions would be appreciated.

5/12/2008 1:58:36 PM

evan
All American
27701 Posts

unless you can figure out the XML service info

I'd say your best bet is to code up something in php that grabs the page/processes it w/ regex, then logs in over ssh and greps the command's output.

5/12/2008 4:59:08 PM

robster
All American
3545 Posts

you should be able to grab this info via snmp. There is most likely some sort of object referenced in some documentation out there which you need to grab from both concentrators, and then output it to one file on your server.

If I knew concentrators at all, I would help you out, but I have honestly never logged in to one.

5/12/2008 8:19:39 PM

mellocj
All American
1872 Posts

have you tried just snmp walking it? I would start there

I have set up a php web script to login to cisco routers and grab some info to display on the page. I used the utilities that come with rancid to do it ( http://www.shrubbery.net/rancid/ )

5/12/2008 8:29:30 PM

Shaggy
All American
17820 Posts

snmp seems like the right way to go. I found this: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a0080094494.shtml while looking around. 1.3.6.1.4.1.3076.2.1.2.17 seems to have a bunch of info, but the tables seem to be out of order or something. I grabbed the MIBs for it and there's weird stuff like ip addresses getting mixed into the username column.

I dunno. I guess I'll keep looking. Maybe there's another set of MIBs I can use that have what I want.

I know 0 about php. Maybe I should get into it over the summer. Thanks for the suggestions.

5/12/2008 10:10:33 PM

Shaggy
All American
17820 Posts

pointed it at a different concentrator and it seemed to work fine.

They're clustered together, but have different revisions of the software it seems.
The one that doesn't work is vpn3000-4.7.2.L-k9.bin and the one that works is vpn3000-4.7.2.N-k9.bin. Probably not worth upgrading just for SNMP

5/12/2008 10:30:59 PM

mellocj
All American
1872 Posts

do you have a linux box? just fucken snmpwalk it.

5/12/2008 11:21:04 PM

csdozier
All American
510 Posts

Not sure what you need but I tried a few things on a concentrator: (1.1.1.1 is a fake concentrator ip)


Active logins:

snmpwalk -c community 1.1.1.1 1.3.6.1.4.1.3076.2.1.2.17.2.1.3
SNMPv2-SMI::enterprises.3076.2.1.2.17.2.1.3.1 = STRING: "fakelogin1"
SNMPv2-SMI::enterprises.3076.2.1.2.17.2.1.3.2 = STRING: "fakelogin2"
SNMPv2-SMI::enterprises.3076.2.1.2.17.2.1.3.3 = STRING: "fakelogin3"
SNMPv2-SMI::enterprises.3076.2.1.2.17.2.1.3.4 = STRING: "fakelogin4"


Number of active sessions:

snmpwalk -c community 1.1.1.1 1.3.6.1.4.1.9.9.171.1.3.1.1
SNMPv2-SMI::enterprises.9.9.171.1.3.1.1.0 = Gauge32: 68


Active peers:

snmpwalk -c community 1.1.1.1 1.3.6.1.4.1.9.9.171.1.2.3.1.7
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.7962 = STRING: "2.2.2.2"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.11025 = STRING: "3.3.3.3"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.11781 = STRING: "4.4.4.4"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.11812 = STRING: "5.5.5.5"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.12014 = STRING: "6.6.6.6"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.12087 = STRING: "7.7.7.7"

5/13/2008 7:45:23 AM
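
An added example, not part of the thread: snmpwalk returns a table column by column, so building the combined session list means joining values on the trailing row index and tagging each row with the concentrator it came from. The host names and sample output below are constructed, and column 4 is a placeholder rather than a documented column.

```python
import re
from collections import defaultdict

# Row prefix of the session table walked in the thread (enterprises.3076.2.1.2.17.2.1).
SESSION_ENTRY = (3076, 2, 1, 2, 17, 2, 1)
# Column 3 is the login name per the thread; map further columns from the MIB.
COLUMNS = {3: "username"}

VARBIND = re.compile(r"^SNMPv2-SMI::enterprises\.([\d.]+) = (\w+): (.*)$")

def parse_walk(text):
    """Yield (oid_tuple, value) per varbind line; skip errors and timeouts."""
    for line in text.splitlines():
        m = VARBIND.match(line.strip())
        if m:
            oid, kind, value = m.groups()
            if kind == "STRING":
                value = value.strip('"')
            yield tuple(int(p) for p in oid.split(".")), value

def session_rows(text, host):
    """Pivot a column-by-column walk into one dict per row index."""
    n = len(SESSION_ENTRY)
    rows = defaultdict(dict)
    for oid, value in parse_walk(text):
        if oid[:n] == SESSION_ENTRY and len(oid) == n + 2:
            column, index = oid[n], oid[n + 1]
            rows[index][COLUMNS.get(column, f"col{column}")] = value
    return [{"host": host, "index": i, **rows[i]} for i in sorted(rows)]

def merged_sessions(walks):
    """Return (rows from all hosts, hosts that returned no session rows)."""
    table, silent = [], []
    for host, text in walks.items():
        rows = session_rows(text, host)
        table.extend(rows)
        if not rows:
            silent.append(host)  # surface partial data instead of hiding it
    return table, silent

# Constructed sample output, one walk per concentrator.
SAMPLE_WALKS = {
    "vpn-a": '''SNMPv2-SMI::enterprises.3076.2.1.2.17.2.1.3.1 = STRING: "fakelogin1"
SNMPv2-SMI::enterprises.3076.2.1.2.17.2.1.3.2 = STRING: "fakelogin2"
SNMPv2-SMI::enterprises.3076.2.1.2.17.2.1.4.1 = IpAddress: 192.0.2.10
SNMPv2-SMI::enterprises.3076.2.1.2.17.2.1.4.2 = IpAddress: 192.0.2.11''',
    "vpn-b": 'SNMPv2-SMI::enterprises.3076.2.1.2.17.2.1.3.7 = STRING: "fakelogin3"',
}
```

SNMPv1/v2c community strings cross the network unencrypted, so a poller like this should use a read-only community that the concentrators accept only from the poller's address.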

Shaggy
All American
17820 Posts

I was using getif + the Altiga session stats MIB (enterprises.3076.2.1.2.17). It's just a gui based snmp browser. Pretty nice one actually.

I tried the 1.3.6.1.4.1.9.9.171.1.2.3.1.1 and .7 and they return properly on the concentrator that returns the session stats properly, but not on the one with the older software rev. We're going to upgrade it to the same version as the other for consistency's sake.

After I get the VPN sessions stats I'm going to try to combine them with stats from our terminal services cluster :-).

5/13/2008 9:57:45 AM

Shaggy
All American
17820 Posts

So using mibble and snmp4j I wrote a servlet to grab all the sessions and put them into a table along with a link to launch a VNC java applet to view each session.

next step is to add RDP support.

5/23/2008 12:41:52 PM
