lausser / check_nwc_health

nwc = network component. This plugin checks lots of aspects of routers, switches, wlan controllers, firewalls,.....
http://labs.consol.de/nagios/check_nwc_health
GNU General Public License v2.0

Feature Request: License Check for Cisco Smart Licensing does not honor SLR Licenses #288

Open onkelbeh opened 2 years ago

onkelbeh commented 2 years ago

Hi,

First, thanks for your great work. Today I accidentally found one of our routers with a faulty license, and my first thought was to implement a check for that. All my routers running IOS XE with Smart Licensing have a reserved license. It seems that check_nwc_health's license check does not honor this type of license:

Plugin Output (on an ISR4000 Series):

CRITICAL - compliance status is AUTHORIZED - RESERVED, authorization will expire in 0 days, entitlement ISR_4321_Application for feature ISR_4321_Application mode is authorized, entitlement ISR_4321_Security for feature ISR_4321_Security mode is authorized
checking keys
entitlement ISR_4321_Application for feature ISR_4321_Application mode is authorized
entitlement ISR_4321_Security for feature ISR_4321_Security mode is authorized
compliance status is AUTHORIZED - RESERVED
authorization will expire in 0 days | 'sla_remaining_days'=0;7:;2:;;

SNMP Walk of CISCO-SMART-LIC-MIB (ISR4000):

SNMPv2-SMI::enterprises.9.9.831.0.1.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.2.0 = STRING: "PID:ISR4431/K9,SN:xxxxxxxxxxxxxxx"
SNMPv2-SMI::enterprises.9.9.831.0.3.0 = STRING: "4.8.14_rel/75"
SNMPv2-SMI::enterprises.9.9.831.0.4.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.2.1 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.2.2 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.2.3 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.3.1 = STRING: "ISR_4400_Application"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.3.2 = STRING: "ISR_4400_Security"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.3.3 = STRING: "ISR_4400_Hsec"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.4.1 = STRING: "1.0"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.4.2 = STRING: "1.0"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.4.3 = STRING: "1.0"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.5.1 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.5.2 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.5.3 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.6.1 = STRING: "AppX License for Cisco ISR 4400 Series"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.6.2 = STRING: "Security License for Cisco ISR 4400 Series"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.6.3 = STRING: "Export Controlled Feature hseck9"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.7.1 = STRING: "ISR_4400_Application"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.7.2 = STRING: "ISR_4400_Security"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.7.3 = STRING: "hseck9"
SNMPv2-SMI::enterprises.9.9.831.0.6.1.0 = INTEGER: 5
SNMPv2-SMI::enterprises.9.9.831.0.6.2.0 = ""
SNMPv2-SMI::enterprises.9.9.831.0.6.3.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.6.4.0 = ""
SNMPv2-SMI::enterprises.9.9.831.0.7.1.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.2.0 = STRING: "AUTHORIZED - RESERVED"
SNMPv2-SMI::enterprises.9.9.831.0.7.3.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.4.1.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.831.0.7.4.2.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.4.3.0 = Gauge32: 5074936
SNMPv2-SMI::enterprises.9.9.831.0.8.1.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.831.0.8.2.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.831.0.9.1.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.831.0.9.2.0 = STRING: "DeRegistration failure message is not persisted."
SNMPv2-SMI::enterprises.9.9.831.0.10.1.0 = STRING: "Utility failure messages are not persisted."

Plugin Output (on an ISR1100):

CRITICAL - compliance status is AUTHORIZED - RESERVED, authorization will expire in 0 days, entitlement ISR_1100_4P_Application for feature Cisco 1100 Series with 4 LAN Ports, AppX License mode is authorized, entitlement ISR_1100_4P_Security for feature Cisco 1100 Series with 4 LAN Ports , Security License mode is authorized
checking keys
entitlement ISR_1100_4P_Application for feature Cisco 1100 Series with 4 LAN Ports, AppX License mode is authorized
entitlement ISR_1100_4P_Security for feature Cisco 1100 Series with 4 LAN Ports , Security License mode is authorized
compliance status is AUTHORIZED - RESERVED
authorization will expire in 0 days | 'sla_remaining_days'=0;7:;2:;;

SNMP Walk (on an ISR1100):

SNMPv2-SMI::enterprises.9.9.831.0.1.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.2.0 = STRING: "PID:C1116-4P,SN:FCZ2308C0TF"
SNMPv2-SMI::enterprises.9.9.831.0.3.0 = STRING: "4.8.14_rel/75"
SNMPv2-SMI::enterprises.9.9.831.0.4.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.2.1 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.2.2 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.3.1 = STRING: "ISR_1100_4P_Application"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.3.2 = STRING: "ISR_1100_4P_Security"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.4.1 = STRING: "1.0"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.4.2 = STRING: "1.0"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.5.1 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.5.2 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.6.1 = STRING: "Cisco 1100 Series with 4 LAN Ports, AppX License"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.6.2 = STRING: "Cisco 1100 Series with 4 LAN Ports , Security License"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.7.1 = STRING: "Cisco 1100 Series with 4 LAN Ports, AppX License"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.7.2 = STRING: "Cisco 1100 Series with 4 LAN Ports , Security License"
SNMPv2-SMI::enterprises.9.9.831.0.6.1.0 = INTEGER: 5
SNMPv2-SMI::enterprises.9.9.831.0.6.2.0 = ""
SNMPv2-SMI::enterprises.9.9.831.0.6.3.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.6.4.0 = ""
SNMPv2-SMI::enterprises.9.9.831.0.7.1.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.2.0 = STRING: "AUTHORIZED - RESERVED"
SNMPv2-SMI::enterprises.9.9.831.0.7.3.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.4.1.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.831.0.7.4.2.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.4.3.0 = Gauge32: 7775849
SNMPv2-SMI::enterprises.9.9.831.0.8.1.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.831.0.8.2.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.831.0.9.1.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.831.0.9.2.0 = STRING: "DeRegistration failure message is not persisted."
SNMPv2-SMI::enterprises.9.9.831.0.10.1.0 = STRING: "Utility failure messages are not persisted."

Would it be possible to add this as a new feature?

Thanks in advance

\B.

onkelbeh commented 2 years ago

I have sent the full SNMP walks in an email to Mr. Lausser. Here's a walk of the router affected by the 'lost the reservation' problem; it runs in Eval Mode, although it had/has (or should have) a valid license reservation installed:

SNMPv2-SMI::enterprises.9.9.831.0.1.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.2.0 = STRING: "PID:ISR4321/K9,SN:xxxxxxxxxxx"
SNMPv2-SMI::enterprises.9.9.831.0.3.0 = STRING: "4.8.14_rel/75"
SNMPv2-SMI::enterprises.9.9.831.0.4.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.2.1 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.2.2 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.3.1 = STRING: "ISR_4321_Application"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.3.2 = STRING: "ISR_4321_Security"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.4.1 = STRING: "1.0"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.4.2 = STRING: "1.0"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.5.1 = INTEGER: 6
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.5.2 = INTEGER: 6
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.6.1 = STRING: "AppX License for Cisco 4320 ISR Series"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.6.2 = STRING: "Security License for Cisco ISR 4320 Series"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.7.1 = STRING: "ISR_4321_Application"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.7.2 = STRING: "ISR_4321_Security"
SNMPv2-SMI::enterprises.9.9.831.0.6.1.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.831.0.6.2.0 = ""
SNMPv2-SMI::enterprises.9.9.831.0.6.3.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.6.4.0 = ""
SNMPv2-SMI::enterprises.9.9.831.0.7.1.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.2.0 = STRING: "EVAL MODE"
SNMPv2-SMI::enterprises.9.9.831.0.7.3.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.4.1.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.831.0.7.4.2.0 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.831.0.7.4.3.0 = Gauge32: 5171531
SNMPv2-SMI::enterprises.9.9.831.0.8.1.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.831.0.8.2.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.831.0.9.1.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.831.0.9.2.0 = STRING: "DeRegistration failure message is not persisted."
SNMPv2-SMI::enterprises.9.9.831.0.10.1.0 = STRING: "Utility failure messages are not persisted."

On the router, this looks like:

isr-xxxx1#sh license all
Smart Licensing Status
======================

Smart Licensing is ENABLED
License Reservation is ENABLED

Registration:
  Status: UNREGISTERED
  Export-Controlled Functionality: NOT ALLOWED

License Authorization:
  Status: EVAL MODE
  Evaluation Period Remaining: 59 days, 20 hours, 29 minutes, 9 seconds

License Conversion:
  Automatic Conversion Enabled: False
  Status: Waiting for response on Oct 20 17:02:21 2020 MET
  Next response check: Oct 20 18:02:25 2020 MET

Export Authorization Key:
  Features Authorized:
    <none>

Utility:
  Status: DISABLED

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

Transport:
  Type: Callhome

License Usage
==============

ISR_4321_Application (ISR_4321_Application):
  Description: AppX License for Cisco 4320 ISR Series
  Count: 1
  Version: 1.0
  Status: EVAL MODE
  Export status: NOT RESTRICTED
  Reservation:
    Reservation status: NOT INSTALLED

ISR_4321_Security (ISR_4321_Security):
  Description: Security License for Cisco ISR 4320 Series
  Count: 1
  Version: 1.0
  Status: EVAL MODE
  Export status: NOT RESTRICTED
  Reservation:
    Reservation status: NOT INSTALLED

Product Information
===================
UDI: PID:ISR4321/K9,SN:xxxxxxxxxxx

Agent Version
=============
Smart Agent for Licensing: 4.8.14_rel/75

Reservation Info
================
License reservation: ENABLED

Overall status:
  Active: PID:ISR4321/K9,SN:xxxxxxxxxxx
      Reservation status: SPECIFIC INSTALLED on Oct 20 17:06:49 2020 MET
      Export-Controlled Functionality: NOT ALLOWED
      Last Confirmation code: xxxxxxxxx

Specified license reservations:
  ISR_4321_Application (ISR_4321_Application):
    Description: AppX License for Cisco 4320 ISR Series
    Total reserved count: 1
    Term information:
      Active: PID:ISR4321/K9,SN:xxxxxxxxxxx
        License type: PERPETUAL
          Term Count: 1
  ISR_4321_Security (ISR_4321_Security):
    Description: Security License for Cisco ISR 4320 Series
    Total reserved count: 1
    Term information:
      Active: PID:ISR4321/K9,SN:xxxxxxxxxxxx
        License type: PERPETUAL
          Term Count: 1
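
The behaviour requested in the two comments above, as an added example (not part of the thread and not check_nwc_health's own code; written in Python rather than the plugin's Perl): it parses net-snmp walk lines and maps them to a Nagios state. Assumptions, read off the plugin output and walks posted above: suffix 7.2.0 carries the compliance status string, 5.1.1.5.x value 3 means "authorized", a RESERVED status skips the expiry thresholds, and 7/2 are the warning/critical day limits from the perfdata.

```python
import re

# Constructed sample input: a few lines taken from the walks posted in this thread.
RESERVED_WALK = """\
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.3.1 = STRING: "ISR_4400_Application"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.5.1 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.831.0.7.2.0 = STRING: "AUTHORIZED - RESERVED"
"""
EVAL_WALK = """\
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.3.1 = STRING: "ISR_4321_Application"
SNMPv2-SMI::enterprises.9.9.831.0.5.1.1.5.1 = INTEGER: 6
SNMPv2-SMI::enterprises.9.9.831.0.7.2.0 = STRING: "EVAL MODE"
"""

# OID suffix below enterprises.9.9.831.0, optional net-snmp type tag, then the value.
LINE = re.compile(r'^\S*?enterprises\.9\.9\.831\.0\.(\S+) = (?:(\w+): )?(.*)$')

def parse_walk(text):
    """Map OID suffix -> value string; handles typed values and bare "" values."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            values[m.group(1)] = m.group(3).strip().strip('"')
    return values

def column(values, prefix):
    """Collect one table column as {row index: value}."""
    return {k.rsplit(".", 1)[1]: v for k, v in values.items() if k.startswith(prefix)}

def evaluate(values, remaining_days=0, warn=7, crit=2):
    """Return (nagios_code, message); reserved licenses skip the expiry thresholds."""
    status = values.get("7.2.0", "")
    names = column(values, "5.1.1.3.")
    modes = column(values, "5.1.1.5.")
    # Any entitlement whose mode is not 3 is reported by name (assumed policy).
    bad = sorted(names.get(i, i) for i, mode in modes.items() if mode != "3")
    if bad or not status.startswith("AUTHORIZED"):
        detail = f", entitlements not authorized: {', '.join(bad)}" if bad else ""
        return 2, f"compliance status is {status or 'unknown'}{detail}"
    if "RESERVED" in status:
        # Assumption: a reservation is not renewed, so a 0-day counter is not a fault.
        return 0, f"compliance status is {status}, expiry counter ignored"
    if remaining_days < crit:
        return 2, f"authorization will expire in {remaining_days} days"
    if remaining_days < warn:
        return 1, f"authorization will expire in {remaining_days} days"
    return 0, f"compliance status is {status}"
```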

onkelbeh commented 2 years ago

Hi,

just tried 9.0.1, here's how it looks now:

root@lnx-monitoring:~ # time sudo -u icinga '/usr/lib64/nagios/plugins/contrib/check_nwc_health' --hostname isr-deg01.router --mode check-licenses --community xxxxxxxxx
Use of uninitialized value in string ne at /usr/lib64/nagios/plugins/contrib/check_nwc_health line 70824.
Use of uninitialized value in sprintf at /usr/lib64/nagios/plugins/contrib/check_nwc_health line 70825.
Redundant argument in sprintf at /usr/lib64/nagios/plugins/contrib/check_nwc_health line 70879.
CRITICAL - authorization has expired, registration failed with , entitlement ISR_4400_Application for feature ISR_4400_Application mode is authorized, entitlement ISR_4400_Security for feature ISR_4400_Security mode is authorized, entitlement ISR_4400_Hsec for feature hseck9 mode is authorized, compliance status is AUTHORIZED - RESERVED | 'sla_remaining_days'=0;7:;2:;;

real    0m0,687s
user    0m0,436s
sys     0m0,035s

   [2]   root@lnx-monitoring:~ # time sudo -u icinga '/usr/lib64/nagios/plugins/contrib/check_nwc_health' --hostname isr-deg01.router --mode check-licenses --community xxxxxxxxx  --critical 0 --warning 0
Use of uninitialized value in string ne at /usr/lib64/nagios/plugins/contrib/check_nwc_health line 70824.
Use of uninitialized value in sprintf at /usr/lib64/nagios/plugins/contrib/check_nwc_health line 70825.
Redundant argument in sprintf at /usr/lib64/nagios/plugins/contrib/check_nwc_health line 70879.
WARNING - registration failed with , entitlement ISR_4400_Application for feature ISR_4400_Application mode is authorized, entitlement ISR_4400_Security for feature ISR_4400_Security mode is authorized, entitlement ISR_4400_Hsec for feature hseck9 mode is authorized, compliance status is AUTHORIZED - RESERVED, authorization has expired | 'sla_remaining_days'=0;0;0;;

real    0m0,692s
user    0m0,387s
sys     0m0,051s
   [1]   root@lnx-monitoring:~ #

lausser commented 2 years ago

I was waiting for an snmpwalk output, sent an email on Sept. 2nd, but didn't even receive a reply.

onkelbeh commented 2 years ago

Sorry, missed that mail. Reply is on the way.

onkelbeh commented 2 years ago

This time I made sure: