Hi,

I have a seed device on this subnet (a 2600 router) I try to discover via ARP. I can see the ASA firewalls in the ARP table in the seed device, but as mentioned, I can't for some reson not discover all the ASA firewalls I have on this subnet.

Cheers,

Jesper

If the ASA ip's are indeed in the ARP thable of your seed device, then the discovery will show the ASA's in the discovery report.

Either as reachble or unreachable.

It's up to you to see why this fails.

Start checking the droped packets on these ASA's.

Cheers,

Michel

They are not shown in the device discovery summary, not even as unreachable, and I can't figure out why. I have 5 sets of ASA firewall on this subnet which I can discover, and 2 sets i can't discover

But when you do a show arp on the seed device, the ip addresses of the other ASA's are shown?

Cheers,

Michel

If I ping the firewalls, then I can see all the firewalls in the ARP table, including the firewalls I can't discover.

Below is a part of the ARP table from the seed device

Internet  x.x.x..21         172   7081.05d3.91ea  ARPA   Ethernet0/0 (can't disover)

Internet  x.x.x..20          17   7081.05d3.a158  ARPA   Ethernet0/0 (can't disover)

Internet  x.x.x.13          12   001a.6dea.51cb  ARPA   Ethernet0/0 (can't discover)

Internet  x.x.x.14          12   30e4.db7b.7021  ARPA   Ethernet0/0 (can't discover)

Internet  x.x.x.19           0   68ef.bdb1.6227  ARPA   Ethernet0/0

Internet  x.x.x.18           0   5475.d0c3.9827  ARPA   Ethernet0/0

Internet  x.x.x.7            0   001e.f762.d405  ARPA   Ethernet0/0

Internet  x.x.x.8            0   001e.f762.d3e1  ARPA   Ethernet0/0

Internet  x.x.x..33           0   0012.d94f.c1b4  ARPA   Ethernet0/0

Internet  x.x.x..34           0   0012.0182.d82e  ARPA   Ethernet0/0

Internet  x.x.x.107          0   0015.c695.b879  ARPA   Ethernet0/0

Internet  x.x.x.108          2   0015.fac8.15b3  ARPA   Ethernet0/0

You have to test SNMP on the failing devices

You can do this sing NMSROOT\objects\jt\bin\snmpwalk.exe -v 2c -c public  1.3.6.1.2.1.1.5.0

I'm not sure why the missing ASA's are not in the discovery report since the ARP discovery module should pick them up. Well at least if the router has seen packtets from that ASA in the last 4 hours.

Try to add one failing ASA as a seed device.

Cheers,

Michel

I already had tried to do a snmp-walk from at snmp tool on the Cisco Works server and it worked fine.

If I add the ASA firewalls as seed devices, then it works fine, and all 4 firewalls can be discovered. This is a workaround and not a solution.

Depending on how your network is setup the seed device may or may not have an ARP entry for all ASA's.

If it doesn't have an ARP entry when you run the discovery then a pingscan of the IP range is the only option.

If the seed device does have an ARP entry and it does not appear in the discovery report then the ARP module may have a bug. Best open a TAC case then.

But why is it so important that these devices are discovered?

Do you think they will dissapear from the devicelist if they are not re-discovered?  That is not the case.

Once they are in the DCR they stay there

You may also want to consider using all devices in the DCR as seed. I always do that.

Cheers,

Michel

Message was edited by: Michel Hegeraat

have you configured any kind of discovery filters? (if yes, which one)

if not, after a completed discovery, open the "Total Devices  Discovered" from the discovery summary page; go down to the page, change  the "rows displayed" to 500,  click "Crtl+F" to search on this HTML  page and enter the IP Address of one of the devices in question into the  search field.

Do you find the IP address on one of the sites? If yes, as neighbor device? and/or as a discovered device (first column)?

If not, add the ASA as a seed device re-run discovery and do the same; is the IP listed, now?

The problem is that theses ASA's didn't show in the device list. I tried to add all 4 ASA's as seed devices, and now they are shown in the device list and is discovered as they should.

I didn't try to make a ping sweep on the IP range before the discovery as it wasn't necesseary to discover the other ASA's on this subnet. They where discovered without any problems.