[mrtg] Re: Graphing VPN SAs from Sonicwall

Peter Erickson lists at redlamb.net
Tue Mar 4 05:02:45 MET 2003


To answer your question, yes, I have been able to pull stats out of the sonicwall. I'm not sure if it's the stats that you are looking for, but hopefully this will at least help get you moving in the right direction. One thing that I did notice that bugs me though is that the Sonicwall does not save the information that MRTG graphs by default. Meaning that it does not record the ifInOctets and ifOutOctets, which is extremely frustrating.

I didn't originally set up the Sonicwall, but I can try to explain what I did to get as far as I did. The first thing that I did was to log into the router and go to the management page. (I'm not looking at the router right now, since I can't get to it from home. If this doesn't work, let me know and I'll help as much as I can.) I enabled SNMP and set the community phrase, system location, and contact values. I did not fill in the trap host or anything like that.

After setting this stuff up, I needed to either load the MIBs into mrtg or determine the numeric OID. I found determining the numeric OID to be the easiest route. So to determine the numeric value I used the snmptranslate command from the net-snmp pkg. I created the ~/.snmp/mibs directory and copied all the sonicwall MIBs to that dir (sonic_stats.MIB, SW-SMI.MIB, SW-FIREWALL-TRAP.MIB). I then created the file ~/.snmp/snmp.conf and added the following line:

mibs +ALL

After adding this line, I was able to get access to the values that I wanted. The first thing that I did was to determine which OIDs I wanted to graph. I found the list of stats by either looking at the MIB file or using snmpwalk.

snmpwalk -c public -v 2c 172.20.1.2 sonicSAStatEntry

This listed all the stats that the sonicwall stores per SA. (There might be more stats, but these were the ones that I was interested in graphing.) After it listed all the OIDs, I selected the ones that I wanted, which were the sonicSAStatEncryptByteCount and sonicSAStatDecryptByteCount. Now, I used snmptranslate to determine the numeric OID.

% snmptranslate -IR -On sonicSAStatEncryptByteCount
.1.3.6.1.4.1.8741.1.3.2.1.1.1.9
% snmptranslate -IR -On sonicSAStatDecryptByteCount
.1.3.6.1.4.1.8741.1.3.2.1.1.1.11

By using this numeric value and the indices of the SAs from the snmpwalk command, I was able to modify the mrtg.cfg file which is shown below. Which brings me to the problem that I am currently having. Since the sonicwall only stores the stats sorted by the SA index, I need to add all the EncryptByteCounts and DecryptByteCounts together and as SAs are added and torn down, I get errors because the index number doesn't exist or something like that.
 
One last thing that I forgot to mention. When I set up the mib folder and ran snmpwalk, I got a ton of errors about the Counter type variable specified in the MIB file being incorrect and that it should be Counter32 instead. So I modified the MIB file (only sonic_stats.MIB) and changed all occurrences of Counter to Counter32. I have no idea if this caused me to start getting values, but I figured that I would throw it out just in case.

I hope that this helps you all out. Good luck. If you have any other questions, feel free to email me and I will try to help as much as possible. If I figure out a script that will add all the ByteCounts together without having to worry about the changing indices, I will post that.

On Mon, Mar 03, 2003 at 02:24:39PM -0800, Andrew Davis said:
> Peter... I am sorry that I cannot help you with your VPN issue, however 
> I couldn't help but note that you have a Sonicwall Pro100. There are 
> many people on this list that have tried to use the SW MIBs to get 
> SNMP/MRTG working, but haven't been able to. I noticed the ... after 
> your MIB entry. Are you able to get stats out of your WAN/LAN/DMZ 
> interfaces? Would you mind sharing your entire sonicwall config to help 
> out the rest of us?
> 
> AD
> 
> Peter Erickson wrote:
> >I am trying to graph the amount of information that is encrypted from our 
> >vpn gateway, but am running into a problem. Within the sonicwall, there is 
> >an index into a table for each SA. Since the sonicwall doesn't have an OID 
> >for all info encrypted and decrypted, I'm taking each SA and adding them 
> >all together. So currently, the cfg file looks like:
> >
> >Target[Sonic_vpn]:    
> >1.3.6.1.4.1.8741.1.3.2.1.1.1.9.38&1.3.6.1.4.1.8741.1.3.2.1.1.1.11.38:user at 172.20.1.2
> >                    + 
> >                    1.3.6.1.4.1.8741.1.3.2.1.1.1.9.39&1.3.6.1.4.1.8741.1.3.2.1.1.1.11.39:user at 172.20.1.2
> >                    + ...
> >SetEnv[Sonic_vpn]: MRTG_INT_IP="172.20.1.2" MRTG_INT_DESCR="eth0"
> >Options[Sonic_vpn]: noinfo,nopercent
> >MaxBytes[Sonic_vpn]: 1250000
> >Title[Sonic_vpn]: VPN Traffic Analysis for SonicWALL PRO/100
> >PageTop[Sonic_vpn]: <H1>VPN Traffic Analysis for SonicWALL PRO/100</H1>
> > <TABLE>
> >   <TR><TD>System:</TD>     <TD>PRO/100 in Edina</TD></TR>
> >   <TR><TD>Maintainer:</TD> <TD>hostmaster at evalumed.com</TD></TR>
> >   <TR><TD>Description:</TD><TD>eth0  </TD></TR>
> >   <TR><TD>ifType:</TD>     <TD>ethernetCsmacd (6)</TD></TR>
> >   <TR><TD>ifName:</TD>     <TD></TD></TR>
> >   <TR><TD>Max Speed:</TD>  <TD>1250.0 kBytes/s</TD></TR>
> >   <TR><TD>Ip:</TD>         <TD>172.20.1.2</TD></TR>
> > </TABLE>
> >
> >As I was running MRTG, I just realized that as these SAs are created and 
> >torn down, the index into the tables changes and when an SA goes away, 
> >MRTG stops graphing and starts emailing me all these errors. The first 
> >value of the target is EncryptedByteCount and the second is 
> >DecryptedByteCount. The question that I have is this. Is there a way to 
> >set up the target so that it goes through all possible values within the 
> >ByteCount arrays and adds the values or do I need to write a custom script 
> >that will do this for me and set the target to that value? And if I need 
> >to write a script, can someone point me in the right direction for finding 
> >out how to do this?
> >
> >I really appreciate any help on this one. I'm on a short timeline. Thanks.
> 

-- 
Peter Erickson
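
An added example, not part of the original post or of MRTG: one way to write the summing script the message asks about, as an MRTG external-script target that walks both byte-count columns on every poll so the changing SA indices never appear in mrtg.cfg. The script name, its install path and the sample_walk data are assumptions constructed for illustration; the OIDs, host and community string are the ones shown in the post.

```shell
#!/bin/sh
# Added example: sum the per-SA byte counters for an MRTG external target.
# Assumed mrtg.cfg line (path and script name are hypothetical):
#   Target[Sonic_vpn]: `/usr/local/bin/sonic_vpn_sum.sh 172.20.1.2 public`

ENC_OID=.1.3.6.1.4.1.8741.1.3.2.1.1.1.9    # sonicSAStatEncryptByteCount
DEC_OID=.1.3.6.1.4.1.8741.1.3.2.1.1.1.11   # sonicSAStatDecryptByteCount

# sum_column BASE_OID
# Reads "snmpwalk -On" output on stdin and adds up every row under BASE_OID.
# Rows look like ".1.3...1.9.38 = Counter32: 12345". Anything that is not a
# numeric row of this column (for example the "No Such Instance" reply when
# no SA is up) is skipped, so the result is 0 instead of an MRTG error.
sum_column() {
    awk -v base="$1" '
        index($1, base ".") == 1 && $NF ~ /^[0-9]+$/ { total += $NF }
        END { printf "%.0f\n", total }
    '
}

# Constructed sample of snmpwalk -On output (not captured from a device).
sample_walk() {
    cat <<EOF
$ENC_OID.38 = Counter32: 1500
$ENC_OID.39 = Counter32: 3000
$DEC_OID.38 = Counter32: 700
$DEC_OID.41 = Counter32: 50
EOF
}

# Real run: sonic_vpn_sum.sh <host> <community>
# MRTG expects four lines: first value, second value, uptime, target name.
if [ "$#" -ge 2 ]; then
    host=$1
    community=$2
    snmpwalk -v 2c -c "$community" -On "$host" "$ENC_OID" | sum_column "$ENC_OID"
    snmpwalk -v 2c -c "$community" -On "$host" "$DEC_OID" | sum_column "$DEC_OID"
    echo "unknown"              # uptime is not collected by this example
    echo "SonicWALL VPN SAs"
fi
```

When an SA is torn down the total drops, which MRTG treats as a counter wrap; the MaxBytes setting already in the config discards the resulting spike.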
