Integrating with Cisco FirePower/ASA VPN

The integration between IBM® NS1 Connect® and Cisco FirePower/Adaptive Security Appliance (ASA) VPN allows enterprises to distribute VPN sessions (for example, from an AnyConnect client) intelligently across their Cisco VPN endpoints.

It uses the NS1 Connect API and data collected from the Cisco VPN appliances to route each VPN session to the best available Cisco ASA or VPN endpoint. As a Cisco ASA approaches maximum capacity, NS1 Connect automatically steers traffic away from that endpoint to avoid reaching its maximum licensed capacity.

How it works

A DNS host record (domain or subdomain) contains one or more answers representing each individual endpoint (that is, appliance/device). In addition to the IP address of an individual endpoint, NS1 Connect allows users to associate metadata with the answer — such as geographic location, up/down status, load average, active sessions, cost metrics, and more.

To achieve configurations like automatic failover or automatic load shedding, users can create a data feed that allows a native or third-party data source (such as a Cisco VPN appliance) to automatically update the answer metadata values. In NS1 Connect, the Filter Chain references the answer metadata values when it is making traffic routing decisions. For example,

  • The Up filter uses the up/down status listed in the answer metadata to determine which endpoints (answers) are available.
  • The Shed Load filter analyzes either the number of active connections, load average, or active requests to determine the best endpoint (answer) at the time of each query.

The Cisco VPN appliance has an SNMP interface through which users can request certain metrics, including the number of active sessions initiated by a web client (crasWEBVPNNumSessions) or by a VPN client (crasSVCNumSessions).

During configuration, you create a data feed from the VPN appliance and connect it to the corresponding answer via the answer metadata. You configure the metadata to ensure that the value for the number of active sessions is updated automatically by the data feed connected to the VPN appliance. Also, you set low and high watermarks to indicate when the system should slow down or completely stop sending traffic to that endpoint. Finally, you create a Filter Chain for the record that includes the Shed Load filter with “number of active sessions” selected as the key metric to consider. You can use the Shed Load filter in conjunction with other filters to create custom traffic routing policies.

Once this is configured, each DNS query is processed through the Filter Chain at which point the Shed Load filter analyzes all the answers and selects the VPN appliance with the lowest number of active sessions.

Prerequisites

Before implementing the integration, ensure you have the following:

  • At least two Cisco FirePower or ASA VPN appliances.
  • An active NS1 Connect account with the following user permissions settings enabled:
    • Manage API keys
    • Allow zone management
    • Push to data feeds
    • Manage data sources
    • Manage data feeds
  • A valid NS1 Connect API key generated and configured with the following permissions:
    • Push to data feeds

Procedure

Step 1: Configure SNMP on the VPN appliance

Refer to the relevant Cisco documentation for configuring SNMP on your specific VPN appliance model. The SNMP object IDs (OIDs) for the metrics related to active sessions are:

OID                                                   Description
crasWEBVPNNumSessions (1.3.6.1.4.1.9.9.392.1.3.38)    The number of active VPN sessions initiated via the web portal.
crasSVCNumSessions (1.3.6.1.4.1.9.9.392.1.3.35)       The number of active VPN sessions initiated via the VPN client.

In the following examples, we use the SNMP OIDs as the source of data pushed to the data feeds.

Step 2: Configure the NS1 Connect records and feeds

Refer to Configuring automatic load shedding for instructions on how to configure DNS records with answers that represent each VPN appliance as well as the data feeds to guide traffic.

The following guidelines are important to consider when configuring this integration:

  • Setting a low TTL on the record (for example, 30 seconds) helps prevent clients from continuing to use stale cached answers after the routing decision changes.
  • In each answer’s metadata, set the low and high watermarks such that they can effectively distribute load. For example, if you set a low watermark of around 75% and a high watermark of around 90%, then when the load reaches 75% of the device’s maximum capacity for active connections, NS1 Connect starts to shift traffic away from this device. When the number of active sessions reaches 90% of full capacity, NS1 Connect stops directing traffic to that endpoint completely.
  • Typically, you create a single data source that represents incoming VPN data, and then add a feed for each VPN appliance. Labeling data feeds using a location name or region could help you differentiate the data feeds.
  • As you create data sources, record the data source ID for each. You will need this later.
  • After applying the Shed Load filter to the record’s Filter Chain configuration, ensure that the filter is configured to use the connections metadata.

Step 3: Sending the session count from the VPN appliance to NS1 Connect

In this step, you connect the SNMP output from the Cisco VPN appliance to NS1 Connect, applying the load-shedding configuration from step 2. You do this by creating a script that polls the appliance and pushes the metrics to the NS1 Connect data feeds.

NS1 Connect offers several SDKs that can be used in conjunction with SNMP modules. For this example, a simple Bash script called asa.sh is used, which combines snmpget and cURL.

Run the following script for each site where a VPN appliance is present:

#!/bin/bash
# asa.sh: poll one Cisco VPN appliance over SNMP and push its active-session
# count to the matching NS1 Connect data feed.
CISCO_IP=$1          # appliance to poll
CISCO_COMMUNITY=$2   # SNMP community string configured in step 1
NS1_SOURCE_ID=$3     # data source ID recorded in step 2
NS1_FEED_LABEL=$4    # feed label (region) used in the answer metadata
NS1_KEY=$5           # NS1 Connect API key with "Push to data feeds"

# crasWEBVPNNumSessions is a scalar, so snmpget needs the .0 instance suffix
WEB_OID=1.3.6.1.4.1.9.9.392.1.3.38.0

# -Oqv prints only the value, which is interpolated into the JSON body below
WEB_CONNS=$(snmpget -Oqv -v2c -c "${CISCO_COMMUNITY}" "${CISCO_IP}" "${WEB_OID}")

# Push {"<label>":{"connections":<count>}} to the feed; skip the push when
# snmpget returned nothing, so a failed poll cannot send a malformed body
if [ -n "${WEB_CONNS}" ]; then
  curl -X POST -H "X-NSONE-Key: ${NS1_KEY}" \
    -d "{\"${NS1_FEED_LABEL}\":{\"connections\":${WEB_CONNS}}}" \
    "https://api.nsone.net/v1/feed/${NS1_SOURCE_ID}"
fi

This script can then be run as:

./asa.sh <CISCO_IP> <CISCO_COMMUNITY> <NS1_SOURCE_ID> <NS1_FEED_LABEL> <NS1_KEY>

Parameter        Description
CISCO_IP         The IP address of the Cisco appliance to poll.
CISCO_COMMUNITY  The SNMP community string configured in step 1.
NS1_SOURCE_ID    The ID of the data source you created in step 2.
NS1_FEED_LABEL   The region label applied to the answer metadata in step 2.
NS1_KEY          A unique API key created from within the NS1 platform.

This script can be run as a cron job in a region to periodically poll the VPN appliance and push the connection data to the corresponding feed. The polling frequency is critical to ensure NS1 Connect can make intelligent traffic-routing decisions based on the latest information.

This script is meant to be used as a starting point to develop more elaborate scripts, including but not limited to using health checks to drive the data for the Up filter, considering other load metrics, or even centralizing the polling of many devices within a single script.
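One such elaboration, added here as an example and not part of the page's asa.sh or of the NS1 Connect product: it polls both session OIDs from step 1 (web portal and VPN client), refuses to push anything unless both SNMP replies are plain integers (a failed poll must not push a malformed or misleading value into the feed), reads the API key from an NS1_KEY environment variable instead of the command line, and pushes the summed count with the same feed endpoint and payload shape shown above. The script name asa-feed.sh is an assumption.

```shell
#!/bin/bash
# Added example, not the page's asa.sh: poll both session OIDs, validate the
# SNMP replies, and push the total to the NS1 Connect feed only if they are sane.
# Same endpoint and payload shape as asa.sh; the API key comes from the NS1_KEY
# environment variable rather than argv, so it is not visible to others via `ps`.
set -eu

# Scalar OIDs from the table in step 1, with the .0 instance suffix snmpget needs
WEB_OID=1.3.6.1.4.1.9.9.392.1.3.38.0   # crasWEBVPNNumSessions
SVC_OID=1.3.6.1.4.1.9.9.392.1.3.35.0   # crasSVCNumSessions

# True only for a non-negative integer. An empty string or an SNMP error
# message must never be interpolated into the JSON pushed to NS1 Connect.
is_count() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *)           return 0 ;;
  esac
}

# Sum of web-portal and VPN-client sessions; fails if either value is not a count
total_sessions() {
  is_count "$1" && is_count "$2" || return 1
  echo $(( $1 + $2 ))
}

# Build the feed payload {"<label>":{"connections":<n>}} used by asa.sh
build_payload() {
  is_count "$2" || return 1
  printf '{"%s":{"connections":%s}}' "$1" "$2"
}

# Poll one appliance and push its total to the feed with the given label
push_feed() {
  ip=$1; community=$2; source_id=$3; label=$4
  web=$(snmpget -Oqv -v2c -c "$community" "$ip" "$WEB_OID")
  svc=$(snmpget -Oqv -v2c -c "$community" "$ip" "$SVC_OID")
  total=$(total_sessions "$web" "$svc") || {
    echo "refusing to push: bad SNMP reply from $ip (web='$web' svc='$svc')" >&2
    return 1
  }
  # --fail turns an HTTP 4xx/5xx into a non-zero exit so cron can report it
  curl --silent --show-error --fail -X POST \
    -H "X-NSONE-Key: ${NS1_KEY:?set NS1_KEY in the environment}" \
    -d "$(build_payload "$label" "$total")" \
    "https://api.nsone.net/v1/feed/${source_id}"
}
# Usage: NS1_KEY=... ./asa-feed.sh <CISCO_IP> <CISCO_COMMUNITY> <NS1_SOURCE_ID> <NS1_FEED_LABEL>
if [ "$#" -eq 4 ]; then push_feed "$@"; fi
```

Because the functions only run when exactly four arguments are supplied, the file can also be sourced by a central poller that loops over many appliances and calls push_feed for each.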