
LMS 4.0 support for ASA firewall

jennyjohn
Level 1

I need to add ASA 5520 to LMS 4.0, mainly for configuration archiving. ASA seems to be supported on LMS 3.2 as per the below link.

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/3.2/device_support/table/lms32sdt.html

I had directly added the ASA to the DCR, with the right login credentials and SNMPv3 strings, but still LMS fails to detect the ASA.

Thanks in advance.

3 Replies

Nael Mohammad
Level 5

Can you post your snmp config and show ver? What errors are you getting? Post a screenshot of the error.

Thanks Nael for the reply, please find below the SNMP configuration on the ASA

snmp-server group SNMPGRP v3 auth
snmp-server user SNMPUSR SNMPGRP v3 encrypted auth md5 a9:ba:79:44:5b:b0:98:65:88:30:a1:8b:7b:69:a2:9c
snmp-server host inside 10.88.80.11 trap version 3 SNMPGRP
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

The show version is given below.

ASA5520# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(3)

Compiled on Fri 06-Aug-10 07:51 by builders
System image file is "disk0:/asa823-k8.bin"
Config file at boot was "startup-config"

ASA5520 up 8 days 19 hours
failover cluster up 25 days 14 hours

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: GigabitEthernet0/0  : address is 001f.9e50.8a24, irq 9
1: Ext: GigabitEthernet0/1  : address is 001f.9e50.8a25, irq 9
2: Ext: GigabitEthernet0/2  : address is 001f.9e50.8a26, irq 9
3: Ext: GigabitEthernet0/3  : address is 001f.9e50.8a27, irq 9
4: Ext: Management0/0       : address is 001f.9e50.8a28, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMXXXXX

Running Activation Key: XX
Configuration register is 0x1
Configuration last modified by enable_1 at 15:05:29.268 AST Sun Jun 12 2011

When I add the ASA to the LMS using SNMPv3, the Device Management shows a blue box with a question mark (shown below).

Is ASA supported on LMS 4.0 with SNMPv3? Doing a troubleshooting on the LMS shows that LMS might only support SNMPv1 & v2.

It's supported, this just means you don't have the correct community strings configured in the DCR as indicated by the failed message for the reachability status. You're doing AuthNoPriv with Encryption and that's not supported by LMS. It's either AuthNoPriv without encryption or AuthPriv with Encryption.

LMS only supports the following SNMP V3 settings:

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.0/user/guide/inventory_mgmt/dcr.html#wp1053316

Also ensure that your pass phrase does not contain any special characters such as "@, #, $, %, ^, &, *".
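The checks discussed in this thread, as an added example that is not part of the original posts or of any Cisco tool: a small Python audit that reads the SNMPv3 lines of an ASA configuration, reports the mode and algorithms that the DCR entry has to mirror, and tests a candidate pass phrase against the characters listed in the reply. The function names, the subset of `snmp-server` syntax handled, and the key placeholder in the sample are assumptions made for this example.

```python
import re

# Constructed sample: the thread's SNMPv3 lines, with the key replaced by a placeholder.
SAMPLE_CONFIG = """\
snmp-server group SNMPGRP v3 auth
snmp-server user SNMPUSR SNMPGRP v3 encrypted auth md5 <key-placeholder>
snmp-server host inside 10.88.80.11 trap version 3 SNMPGRP
"""
SPECIAL_CHARS = "@#$%^&*"  # characters the reply says to keep out of the pass phrase
MODES = {"noauth": "NoAuthNoPriv", "auth": "AuthNoPriv", "priv": "AuthPriv"}
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\s*$")
USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) v3( encrypted)?"
                     r"(?: auth (md5|sha) \S+)?(?: priv (des|3des|aes) .+)?\s*$")


def audit_snmpv3(config):
    """Return one dict per SNMPv3 user: the mode to mirror in the DCR, plus findings."""
    lines = [ln.strip() for ln in config.splitlines()]
    groups = dict(m.groups() for ln in lines if (m := GROUP_RE.match(ln)))
    report = []
    for line in lines:
        m = USER_RE.match(line)
        if not m:
            continue
        user, group, encrypted, auth_alg, priv_alg = m.groups()
        level = "priv" if priv_alg else "auth" if auth_alg else "noauth"
        findings = []
        if group not in groups:
            findings.append("group not defined")
        elif groups[group] != level:
            findings.append(f"group is {MODES[groups[group]]}, user is {MODES[level]}")
        if encrypted:
            findings.append("config holds a hashed key, not the pass phrase")
        if level != "priv":
            findings.append("no privacy protocol: SNMP payload is not encrypted")
        report.append({"user": user, "mode": MODES[level], "auth": auth_alg,
                       "priv": priv_alg, "findings": findings})
    return report


def passphrase_problems(passphrase):
    """List the characters from the reply's list that appear in a pass phrase."""
    return sorted(set(passphrase) & set(SPECIAL_CHARS))


if __name__ == "__main__":
    for entry in audit_snmpv3(SAMPLE_CONFIG):
        print(entry)
    print(passphrase_problems("Example#Pass@1"))  # constructed pass phrase
```

The `encrypted` keyword in the user line means the running configuration shows only the hashed key, so the pass phrase entered in the DCR has to come from whoever originally set it, not from the `show run` output.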