Monitor ASA Firewall failover state using SNMP

ronit (Level 1)

Team, I researched this and couldn't find a straightforward answer. Is there a simple OID to poll to tell which hardware unit in a firewall failover pair is Active and which one is Standby?

I found OIDs to poll the state of the firewalls, but since the IP address transfers from the Active to the Standby during failover, there's no easy way for the NMS to know which unit it is talking to.


8 Replies

Dinesh Moudgil (Cisco Employee)

Hi Ronit,

This will be helpful
https://community.cisco.com/t5/security-documents/snmp-mibs-and-traps-on-the-asa-additional-information/ta-p/3116514

Please look for OID cfwHardwareStatusValue

Thanks and Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.
Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thanks, but there's a problem with this approach. Let's assume the Primary Unit has an IP of 192.168.1.1 and the Secondary Unit has an IP of 192.168.1.2.

In the normal state, things are good: 192.168.1.1 reports Active, 192.168.1.2 reports Standby.

When Unit-2 fails, things are good then, too: 192.168.1.1 reports Active, 192.168.1.2 doesn't report anything.

However, when Unit-1 fails there is a problem, because the IP 192.168.1.1 shifts to the secondary unit and 192.168.1.2 stops responding. Because of this, the NMS would still think that 192.168.1.1 (which it thinks is the Primary unit) is Active, which doesn't match reality.

ASA management addresses can be uniquely assigned per member in an HA pair. They don't change when a failover event occurs (unlike how the dataplane interfaces do).
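Putting the two answers together, here is an added example (not code from this thread or from Cisco) of how an NMS can combine Dinesh's cfwHardwareStatusValue OID with Marvin's per-member management addresses: each unit is polled on its own, non-floating management IP for its own row of the table, so a failover cannot make the poller confuse the two units. The numeric OID, the primaryUnit(6)/secondaryUnit(7) indexes and the active(9)/standby(10) values come from CISCO-FIREWALL-MIB; the management addresses and the stand-in SNMP responder are constructed so the script runs offline.

```python
from typing import Callable, Dict, Optional

# CISCO-FIREWALL-MIB cfwHardwareStatusValue, indexed by cfwHardwareType:
# primaryUnit(6) / secondaryUnit(7). HardwareStatus values: active(9), standby(10).
CFW_HW_STATUS_VALUE = "1.3.6.1.4.1.9.9.147.1.2.1.1.1.3"
PRIMARY, SECONDARY = 6, 7
STATUS_NAME = {9: "active", 10: "standby"}

# snmp_get(agent_ip, oid) -> integer value, or None if the agent did not answer.
SnmpGet = Callable[[str, str], Optional[int]]


def failover_state(snmp_get: SnmpGet, primary_mgmt: str,
                   secondary_mgmt: str) -> Dict[str, Optional[str]]:
    """Return each member's role and which member is Active.

    Each member is asked via its own management IP (unique per member, does
    not move on failover) for its own row of cfwHardwareStatusTable. A member
    that does not answer on that address is reported as 'unreachable'.
    """
    result: Dict[str, Optional[str]] = {"primary": None, "secondary": None,
                                        "active_unit": None}
    for unit, ip, idx in (("primary", primary_mgmt, PRIMARY),
                          ("secondary", secondary_mgmt, SECONDARY)):
        value = snmp_get(ip, f"{CFW_HW_STATUS_VALUE}.{idx}")
        if value is None:
            result[unit] = "unreachable"      # silent on its own mgmt IP: unit is down
        else:
            result[unit] = STATUS_NAME.get(value, f"other({value})")
        if result[unit] == "active":
            result["active_unit"] = unit
    return result


def make_fake_agent(tables: Dict[str, Dict[str, int]]) -> SnmpGet:
    """Constructed stand-in for an SNMP GET: tables maps agent IP -> {oid: value}."""
    def snmp_get(agent_ip: str, oid: str) -> Optional[int]:
        agent = tables.get(agent_ip)
        return None if agent is None else agent.get(oid)
    return snmp_get


P_MGMT, S_MGMT = "192.0.2.1", "192.0.2.2"   # constructed per-member management IPs
NORMAL = make_fake_agent({
    P_MGMT: {f"{CFW_HW_STATUS_VALUE}.6": 9, f"{CFW_HW_STATUS_VALUE}.7": 10},
    S_MGMT: {f"{CFW_HW_STATUS_VALUE}.6": 9, f"{CFW_HW_STATUS_VALUE}.7": 10},
})
# Primary has failed: its management IP stops answering; the secondary is now Active.
PRIMARY_FAILED = make_fake_agent({S_MGMT: {f"{CFW_HW_STATUS_VALUE}.7": 9}})

if __name__ == "__main__":
    print(failover_state(NORMAL, P_MGMT, S_MGMT))
    print(failover_state(PRIMARY_FAILED, P_MGMT, S_MGMT))
```

In production, replace `make_fake_agent` with a real SNMP GET (for example via pysnmp or net-snmp bindings) and keep the static mapping of management IP to primary/secondary, since that designation is fixed in the failover configuration.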

Nice one @Marvin Rhoads, I did not know that. Learned something new today.

@ronit your question was very good.

Please do not forget to rate.

@Sheraz.Salim You're welcome.

Note that if you use FTD the management interfaces are similarly separately configured in an HA pair. However if you try to use the diagnostic interfaces they work more like normal routed dataplane interfaces. This is a shortcoming as of 6.7 - I am told 7.0 will remedy the situation.

I tried configuring uniquely assigned IPs on our FPR1120s running ASA 9.14, however, even without the "standby" keyword, the interface config is copied over to the secondary ASA. Any idea what I could be doing wrong?


As our friend suggested, using the SNMP OID solves the issue.

Did you check the management interface? Because, as I read it, this interface also changes from active to standby and hence you cannot use it for SNMP.