Monitoring Internet Availability using Cisco ASA

jc84_ · ‎09-27-2011

Just a general question to the group on how one monitors Internet availability/reachability via an ASA.

The scenario right now is we have a number of offices with Internet feeds (primarily DSL/Cable/T1) connected to ASAs and we have the goal of being able to monitor if the Internet connected to the ASA is UP or DOWN. My first thought was to configure an IP SLA and monitor the reachability of an upstream IP; however, all documentation I’ve read suggests that the ASA doesn’t support the SLA MIBs yet. So I won’t be able to use SNMP to track its availability.

Just throwing the feeler out there for comments and seeing how everyone else monitors Internet availability via the ASA platform.

Thanks everyone.

mirober2 · ‎10-01-2011

Hi Jeff,

Assuming you want to track failures upstream of the ASA and not the ASA's interface itself, SLA monitoring is probably your best bet. To be notified when the monitor fails, you can watch for syslog ID %ASA-6-622001. You can setup a custom logging list and have this syslog sent to an SNMP server like this:

logging enable

logging list sla-list message 622001

logging history sla-list

This will send %ASA-6-622001 messages to the SNMP server you have configured. Alternatively, you can also send it to a syslog server (logging trap sla-list) or to an email address (logging mail sla-list). Other than that, you'd have to have an internal server send pings out through the firewall and report back if they failed.

Hope that helps.

-Mike