topic Re: Monitor ASA Firewall failover state using SNMP in Network Security

Monitor ASA Firewall failover state using SNMP

ronit — Fri, 19 Feb 2021 06:45:25 GMT

Team, I researched about this and couldn't find a straight forward answer for this. Is there a simple OID to poll which firewall hardware unit in a firewall failover pair is Active and which one is standby?

I found OIDs to poll the state of the firewalls, but since the IP address from the Active transfers to the Standby during failover, there's no easy way for the NMS to know which unit it is.

Re: Monitor ASA Firewall failover state using SNMP

Dinesh Moudgil — Fri, 19 Feb 2021 07:33:39 GMT

HI Ronit,

This will be helpful
https://community.cisco.com/t5/security-documents/snmp-mibs-and-traps-on-the-asa-additional-information/ta-p/3116514

Please look for OID cfwHardwareStatusValue

Thanks and Regards,
Dinesh Moudgil

P.S.Please rate helpful posts.

Re: Monitor ASA Firewall failover state using SNMP

Dinesh Moudgil — Fri, 19 Feb 2021 07:33:47 GMT

Hi Ronit,

This will be helpful

https://community.cisco.com/t5/security-documents/snmp-mibs-and-traps-on-the-asa-additional-information/ta-p/3116514

Please look for OID cfwHardwareStatusValue

Thanks and Regards,
Dinesh Moudgil

P.S.Please rate helpful posts.

Re: Monitor ASA Firewall failover state using SNMP

ronit — Fri, 19 Feb 2021 07:44:07 GMT

Thanks, but there's a problem with this approach. Let's assume Primary Unit has an IP of 192.168.1.1 and the Secondary Unit has an IP of 192.168.1.2.

In the normal state, things are good. 192.168.1.1 reports Active, 192.168.1.2 reports Standby

When Unit-2 fails, things are good then, too - 192.168.1.1 reports Active, 192.168.1.2 doesn't report anything

However, when Unit-1 fails is the problem, because the IP 192.168.1.1 shifts to the secondary unit and 192.168.1.2 stops responding. Because of this, the NMS would still think that 192.168.1.1 (Which it thinks is the Primary unit) is active, which doesn't match reality.

Re: Monitor ASA Firewall failover state using SNMP

Marvin Rhoads — Fri, 19 Feb 2021 08:12:42 GMT

ASA management addresses can be uniquely assigned per member in an HA pair. They don't change when a failover event occurs (unlike how the dataplane interfaces do).

Re: Monitor ASA Firewall failover state using SNMP

MHM Cisco World — Sat, 20 Feb 2021 12:57:11 GMT

As friend suggest,
Using the SNMP OID is solve issue,

do you check management interface because as I read this interface also change from active to standby and hence you cannot use for SNMP.

Re: Monitor ASA Firewall failover state using SNMP

Sheraz.Salim — Mon, 22 Feb 2021 08:57:35 GMT

Nice one @Marvin Rhoads I did not know that. learn something new today.

@ronit you question was very good.

Re: Monitor ASA Firewall failover state using SNMP

Marvin Rhoads — Mon, 22 Feb 2021 14:57:07 GMT

@Sheraz.Salim You're welcome.

Note that if you use FTD the management interfaces are similarly separately configured in an HA pair. However if you try to use the diagnostic interfaces they work more like normal routed dataplane interfaces. This is a shortcoming as of 6.7 - I am told 7.0 will remedy the situation.

Re: Monitor ASA Firewall failover state using SNMP

ronit — Tue, 18 Oct 2022 06:29:32 GMT

I tried configuring uniquely assigned IPs on our FPR1120s running ASA 9.14, however, even without the "standby" keyword, the interface config is copied over to the secondary ASA. Any idea what I could be doing wrong?