Solved: Monitor ASA Firewall failover state using SNMP

ronit · ‎02-18-2021

Team, I researched about this and couldn't find a straight forward answer for this. Is there a simple OID to poll which firewall hardware unit in a firewall failover pair is Active and which one is standby?

I found OIDs to poll the state of the firewalls, but since the IP address from the Active transfers to the Standby during failover, there's no easy way for the NMS to know which unit it is.

Marvin Rhoads · ‎02-19-2021

ASA management addresses can be uniquely assigned per member in an HA pair. They don't change when a failover event occurs (unlike how the dataplane interfaces do).

View solution in original post

Dinesh Moudgil · ‎02-18-2021

HI Ronit,

This will be helpful
https://community.cisco.com/t5/security-documents/snmp-mibs-and-traps-on-the-asa-additional-information/ta-p/3116514

Please look for OID cfwHardwareStatusValue

Thanks and Regards,
Dinesh Moudgil

P.S.Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

ronit · ‎02-18-2021

Thanks, but there's a problem with this approach. Let's assume Primary Unit has an IP of 192.168.1.1 and the Secondary Unit has an IP of 192.168.1.2.

In the normal state, things are good. 192.168.1.1 reports Active, 192.168.1.2 reports Standby

When Unit-2 fails, things are good then, too - 192.168.1.1 reports Active, 192.168.1.2 doesn't report anything

However, when Unit-1 fails is the problem, because the IP 192.168.1.1 shifts to the secondary unit and 192.168.1.2 stops responding. Because of this, the NMS would still think that 192.168.1.1 (Which it thinks is the Primary unit) is active, which doesn't match reality.

Marvin Rhoads · ‎02-19-2021

ASA management addresses can be uniquely assigned per member in an HA pair. They don't change when a failover event occurs (unlike how the dataplane interfaces do).

Sheraz.Salim · ‎02-22-2021

Nice one @Marvin Rhoads I did not know that. learn something new today.

@ronit you question was very good.

please do not forget to rate.

Marvin Rhoads · ‎02-22-2021

@Sheraz.Salim You're welcome.

Note that if you use FTD the management interfaces are similarly separately configured in an HA pair. However if you try to use the diagnostic interfaces they work more like normal routed dataplane interfaces. This is a shortcoming as of 6.7 - I am told 7.0 will remedy the situation.

ronit · ‎10-17-2022

I tried configuring uniquely assigned IPs on our FPR1120s running ASA 9.14, however, even without the "standby" keyword, the interface config is copied over to the secondary ASA. Any idea what I could be doing wrong?

Dinesh Moudgil · ‎02-18-2021

Hi Ronit,

This will be helpful

https://community.cisco.com/t5/security-documents/snmp-mibs-and-traps-on-the-asa-additional-information/ta-p/3116514

Please look for OID cfwHardwareStatusValue

Thanks and Regards,
Dinesh Moudgil

P.S.Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

MHM Cisco World · ‎02-20-2021

As friend suggest,
Using the SNMP OID is solve issue,

do you check management interface because as I read this interface also change from active to standby and hence you cannot use for SNMP.

Monitor ASA Firewall failover state using SNMP

Firewall: ASA Failover，FTD HA の 'Negotiation' ステータスについて

ASA: 冗長機能と、Failoverのトリガー、Health Monitoringについて

Cisco Secure Firewall (FTD) - How To

ASA: Failover 構成時における ASA の Smart License の扱いについて

ASA: ASA FirewallのFailover構成におけるSTPの設定について