Monitor site to site tunneling health for Cisco ASA using Zabbix


Requirement :

– Zabbix server ( Zabbix 2.4 in this post)
– Cisco ASA with tunnel site to site configured
– S2S Perl Script, download this one


1. Login to your Zabbix server, make sure your server installed with Net::SNMP module, if not you must install the package first. Use yum or anything and install Perl-Net-SNMP.

Eg: yum install Perl-Net-SNMP

2. Create new directory “externalscripts” on your /etc/zabbix

3. Copy the perl script to /etc/zabbix/externalscripts

4. Make sure the script is owned by user zabbix so zabbix server can use it

chown zabbix:zabbix /etc/zabbix/externalscripts/

5. Lets test the script first to make sure the script is work well

Usage : <community> <host> {ASA,CONCENTRATOR} index

Give you the list of vpn connected session IP <community> <host> {ASA,CONCENTRATOR} query {RX,TX}

Give you the list of vpn connected session along with TX/RX Traffic community host {ASA,CONCENTRATOR} get {RX,TX} <peer>

Give you the TX/RX of the single session

6. If there is no error, its time to implement the result to Zabbix.

– On your server console, open zabbix-server.conf
– Uncomment the line ExternalScripts=/etc/Zabbix/externalscripts and point it to your externalscripts directory (2)
– Restart the Zabbix-server services if needed

7. Open zabbix web console, create new Template “Template S2S ASA”

8. Create new item on that template “IPSec Tunnel <your session> – Inbound”

Set the value like this, key format should be "[{$SNMP_COMMUNITY},{HOST.CONN},ASA,get,RX,<session ip>]

9. Create second item “IPSec Tunnel <your session> – Outbound”

Set the value like this, key format should be "[{$SNMP_COMMUNITY},{HOST.CONN},ASA,get,TX,<session ip>]

10. Create 3rd item “IPSec Tunnel Status” This item give us the list of connected session

Set the value like this, the key format should be "[{$SNMP_COMMUNITY},{HOST.CONN},ASA,index]

11. Attach the Template to your Firewall ASA host, you need to have one and make sure its reachable by Zabbix.

12. Wait for 5 minutes, and lets see the on the Latest Data, if the script work well, the value will comes up.

13. Setup the trigger depend on your needs. In my cases, I need to monitor the one of the session. If that session is down, the trigger will send to me.

– Create new Trigger ” S2S to <your session ip> Disconnected
– Add Expression, Select Item on point (10)
– Set Function = ” Find string V in last (most recent) value. N = 1 – if found, 0 – otherwise “
– Set V = < your session ip > ( the one you want need to be monitored )
– Last of (T) = 30 ( let say it’s 30 seconds”
– N = 0
– Insert


It works properly at CISCO-ASA5525x and Cisco version below 9.1(7)6


Please enter your comment!
Please enter your name here