[NDMII-3540] Collect metrics and options data for Cisco IPsec VPN tunnels (#38467)

Co-authored-by: Bryce Eadie <[email protected]>

Author: 2 people

pkg/collector/corechecks/snmp/internal/checkconfig/buildprofile.go

@@ -71,6 +71,7 @@ func (c *CheckConfig) BuildProfile(sysObjectID string) (profiledefinition.Profil
 		profile.Device.Vendor = rootProfile.Device.Vendor
 	}
 	profile.Metadata = updateMetadataDefinitionWithDefaults(profile.Metadata, c.CollectTopology, c.CollectVPN)
+	profile.Metrics = updateMetricsDefinitionWithDefaults(profile.Metrics, c.CollectVPN)
 
 	return profile, profileErr
 }

pkg/collector/corechecks/snmp/internal/checkconfig/buildprofile_test.go

@@ -92,6 +92,14 @@ func TestBuildProfile(t *testing.T) {
 	mergeMetadata(mergedMetadata, profile1.Metadata)
 	mergedMetadata["ip_addresses"] = LegacyMetadataConfig["ip_addresses"]
 
+	vpnTunnelsMergedMetadata := make(profiledefinition.MetadataConfig)
+	for k, v := range mergedMetadata {
+		vpnTunnelsMergedMetadata[k] = v
+	}
+	mergeMetadata(vpnTunnelsMergedMetadata, VPNTunnelMetadataConfig)
+	mergeMetadata(vpnTunnelsMergedMetadata, RouteMetadataConfig)
+	mergeMetadata(vpnTunnelsMergedMetadata, TunnelMetadataConfig)
+
 	mockProfiles := profile.StaticProvider(profile.ProfileConfigMap{
 		"profile1": profile.ProfileConfig{
 			Definition: profile1,
@@ -123,7 +131,8 @@ func TestBuildProfile(t *testing.T) {
 				},
 				Metadata: LegacyMetadataConfig,
 			},
-		}, {
+		},
+		{
 			name: "static",
 			config: &CheckConfig{
 				IPAddress:       "1.2.3.4",
@@ -140,7 +149,8 @@ func TestBuildProfile(t *testing.T) {
 				StaticTags: []string{"snmp_profile:profile1"},
 				Metadata:   mergedMetadata,
 			},
-		}, {
+		},
+		{
 			name: "dynamic",
 			config: &CheckConfig{
 				IPAddress:       "1.2.3.4",
@@ -158,7 +168,8 @@ func TestBuildProfile(t *testing.T) {
 				StaticTags: []string{"snmp_profile:profile1"},
 				Metadata:   mergedMetadata,
 			},
-		}, {
+		},
+		{
 			name: "static with requested metrics",
 			config: &CheckConfig{
 				IPAddress:             "1.2.3.4",
@@ -185,15 +196,17 @@ func TestBuildProfile(t *testing.T) {
 				Metadata:   mergedMetadata,
 				StaticTags: []string{"snmp_profile:profile1"},
 			},
-		}, {
+		},
+		{
 			name: "static unknown",
 			config: &CheckConfig{
 				IPAddress:       "1.2.3.4",
 				ProfileProvider: mockProfiles,
 				ProfileName:     "f5",
 			},
 			expectedError: "unknown profile \"f5\"",
-		}, {
+		},
+		{
 			name: "dynamic unknown",
 			config: &CheckConfig{
 				IPAddress:       "1.2.3.4",
@@ -204,6 +217,25 @@ func TestBuildProfile(t *testing.T) {
 			expectedError: "failed to get profile for sysObjectID \"3.3.3.3\": no profiles found for sysObjectID \"3." +
 				"3.3.3\"",
 		},
+		{
+			name: "VPN tunnels metadata and metrics",
+			config: &CheckConfig{
+				IPAddress:       "1.2.3.4",
+				ProfileProvider: mockProfiles,
+				ProfileName:     "profile1",
+				CollectVPN:      true,
+			},
+			expected: profiledefinition.ProfileDefinition{
+				Name:    "profile1",
+				Version: 12,
+				Metrics: append(metrics, VPNTunnelMetrics...),
+				MetricTags: []profiledefinition.MetricTagConfig{
+					{Tag: "location", Symbol: profiledefinition.SymbolConfigCompat{OID: "1.3.6.1.2.1.1.6.0", Name: "sysLocation"}},
+				},
+				StaticTags: []string{"snmp_profile:profile1"},
+				Metadata:   vpnTunnelsMergedMetadata,
+			},
+		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			profile, err := tc.config.BuildProfile(tc.sysObjectID)

pkg/collector/corechecks/snmp/internal/checkconfig/config_metadata.go

@@ -247,8 +247,8 @@ var TopologyMetadataConfig = profiledefinition.MetadataConfig{
 	},
 }
 
-// VPNMetadataConfig contains VPN tunnels metadata
-var VPNMetadataConfig = profiledefinition.MetadataConfig{
+// VPNTunnelMetadataConfig contains VPN tunnels metadata
+var VPNTunnelMetadataConfig = profiledefinition.MetadataConfig{
 	"cisco_ipsec_tunnel": {
 		Fields: map[string]profiledefinition.MetadataField{
 			"local_outside_ip": {
@@ -263,6 +263,24 @@ var VPNMetadataConfig = profiledefinition.MetadataConfig{
 					Name: "cipSecTunRemoteAddr",
 				},
 			},
+			"status": {
+				Symbol: profiledefinition.SymbolConfig{
+					OID:  "1.3.6.1.4.1.9.9.171.1.3.2.1.51",
+					Name: "cipSecTunStatus",
+				},
+			},
+			"life_size": {
+				Symbol: profiledefinition.SymbolConfig{
+					OID:  "1.3.6.1.4.1.9.9.171.1.3.2.1.8",
+					Name: "cipSecTunLifeSize",
+				},
+			},
+			"life_time": {
+				Symbol: profiledefinition.SymbolConfig{
+					OID:  "1.3.6.1.4.1.9.9.171.1.3.2.1.9",
+					Name: "cipSecTunLifeTime",
+				},
+			},
 		},
 	},
 }
@@ -337,7 +355,7 @@ func updateMetadataDefinitionWithDefaults(metadataConfig profiledefinition.Metad
 		mergeMetadata(newConfig, TopologyMetadataConfig)
 	}
 	if collectVPN {
-		mergeMetadata(newConfig, VPNMetadataConfig)
+		mergeMetadata(newConfig, VPNTunnelMetadataConfig)
 		mergeMetadata(newConfig, RouteMetadataConfig)
 		mergeMetadata(newConfig, TunnelMetadataConfig)
 	}

pkg/collector/corechecks/snmp/internal/checkconfig/config_metric.go

@@ -76,3 +76,79 @@ func GetMappedValue(index string, mapping map[string]string) (string, error) {
 	}
 	return index, nil
 }
+
+// VPNTunnelMetrics contains VPN tunnels metrics
+var VPNTunnelMetrics = []profiledefinition.MetricsConfig{
+	{
+		MIB: "CISCO-IPSEC-FLOW-MONITOR-MIB",
+		Table: profiledefinition.SymbolConfig{
+			OID:  "1.3.6.1.4.1.9.9.171.1.3.2",
+			Name: "cipSecTunnelTable",
+		},
+		Symbols: []profiledefinition.SymbolConfig{
+			{
+				OID:  "1.3.6.1.4.1.9.9.171.1.3.2.1.10",
+				Name: "cipSecTunActiveTime",
+			},
+			{
+				OID:  "1.3.6.1.4.1.9.9.171.1.3.2.1.27",
+				Name: "cipSecTunHcInOctets",
+			},
+			{
+				OID:  "1.3.6.1.4.1.9.9.171.1.3.2.1.40",
+				Name: "cipSecTunHcOutOctets",
+			},
+			{
+				OID:  "1.3.6.1.4.1.9.9.171.1.3.2.1.32",
+				Name: "cipSecTunInPkts",
+			},
+			{
+				OID:  "1.3.6.1.4.1.9.9.171.1.3.2.1.45",
+				Name: "cipSecTunOutPkts",
+			},
+			{
+				OID:  "1.3.6.1.4.1.9.9.171.1.3.2.1.36",
+				Name: "cipSecTunInAuthFails",
+			},
+			{
+				OID:  "1.3.6.1.4.1.9.9.171.1.3.2.1.48",
+				Name: "cipSecTunOutAuthFails",
+			},
+			{
+				OID:  "1.3.6.1.4.1.9.9.171.1.3.2.1.38",
+				Name: "cipSecTunInDecryptFails",
+			},
+			{
+				OID:  "1.3.6.1.4.1.9.9.171.1.3.2.1.50",
+				Name: "cipSecTunOutEncryptFails",
+			},
+		},
+		MetricTags: profiledefinition.MetricTagConfigList{
+			{
+				Tag:   "tunnel_index",
+				Index: 1,
+			},
+			{
+				Tag: "local_outside_ip",
+				Symbol: profiledefinition.SymbolConfigCompat{
+					OID:  "1.3.6.1.4.1.9.9.171.1.3.2.1.4",
+					Name: "cipSecTunLocalAddr",
+				},
+			},
+			{
+				Tag: "remote_outside_ip",
+				Symbol: profiledefinition.SymbolConfigCompat{
+					OID:  "1.3.6.1.4.1.9.9.171.1.3.2.1.5",
+					Name: "cipSecTunRemoteAddr",
+				},
+			},
+		},
+	},
+}
+
+func updateMetricsDefinitionWithDefaults(metrics []profiledefinition.MetricsConfig, collectVPN bool) []profiledefinition.MetricsConfig {
+	if collectVPN {
+		metrics = append(metrics, VPNTunnelMetrics...)
+	}
+	return metrics
+}

pkg/collector/corechecks/snmp/internal/report/report_device_metadata.go

@@ -35,9 +35,15 @@ const topologyLinkSourceTypeLLDP = "lldp"
 const topologyLinkSourceTypeCDP = "cdp"
 const ciscoNetworkProtocolIPv4 = "1"
 const ciscoNetworkProtocolIPv6 = "20"
+
 const inetAddressUnknown = "0"
 const inetAddressIPv4 = "1"
 
+var ciscoIPsecStatusByValue = map[string]string{
+	"1": "active",
+	"2": "destroy",
+}
+
 var supportedDeviceTypes = map[string]bool{
 	"access_point":  true,
 	"firewall":      true,
@@ -609,10 +615,15 @@ func buildVPNTunnelsMetadata(deviceID string, store *metadata.Store) []devicemet
 	}
 
 	vpnTunnelIndexes := store.GetColumnIndexes("cisco_ipsec_tunnel.local_outside_ip")
-	if len(vpnTunnelIndexes) == 0 {
-		log.Debugf("Unable to build VPN tunnels metadata: no cisco_ipsec_tunnel.local_outside_ip found")
-		return nil
+	if len(vpnTunnelIndexes) > 0 {
+		return buildCiscoIPsecVPNTunnelsMetadata(vpnTunnelIndexes, deviceID, store)
 	}
+
+	log.Debugf("Unable to build VPN tunnels metadata: no indexes found")
+	return nil
+}
+
+func buildCiscoIPsecVPNTunnelsMetadata(vpnTunnelIndexes []string, deviceID string, store *metadata.Store) []devicemetadata.VPNTunnelMetadata {
 	sort.Strings(vpnTunnelIndexes)
 
 	vpnTunnelStore := NewVPNTunnelStore()
@@ -628,11 +639,34 @@ func buildVPNTunnelsMetadata(deviceID string, store *metadata.Store) []devicemet
 		localOutsideIP := net.IP(store.GetColumnAsByteArray("cisco_ipsec_tunnel.local_outside_ip", strIndex)).String()
 		remoteOutsideIP := net.IP(store.GetColumnAsByteArray("cisco_ipsec_tunnel.remote_outside_ip", strIndex)).String()
 
+		statusValue := store.GetColumnAsString("cisco_ipsec_tunnel.status", strIndex)
+		status, exists := ciscoIPsecStatusByValue[statusValue]
+		if !exists {
+			status = "unknown"
+		}
+
+		lifeSize, err := strconv.ParseInt(store.GetColumnAsString("cisco_ipsec_tunnel.life_size", strIndex), 10, 32)
+		if err != nil {
+			lifeSize = 0
+		}
+		lifeTime, err := strconv.ParseInt(store.GetColumnAsString("cisco_ipsec_tunnel.life_time", strIndex), 10, 32)
+		if err != nil {
+			lifeTime = 0
+		}
+
 		vpnTunnelStore.AddTunnel(devicemetadata.VPNTunnelMetadata{
 			DeviceID:        deviceID,
 			LocalOutsideIP:  localOutsideIP,
 			RemoteOutsideIP: remoteOutsideIP,
-			Protocol:        "ipsec",
+			Status:          status,
+			Protocol:        devicemetadata.IPsec,
+			RouteAddresses:  []string{},
+			Options: devicemetadata.VPNTunnelOptions{
+				IPsecOptions: devicemetadata.IPsecOptions{
+					LifeSize: int32(lifeSize),
+					LifeTime: int32(lifeTime),
+				},
+			},
 		})
 	}