11-07-2011 06:22 AM - edited 03-11-2019 02:47 PM
I need to be able to report on a count of Accepted and Dropped connections due to policy on the Outside interface on a monthly basis.
The outside interface is ifIndex.3.
Support gave me the below OID, but I'm not convinced it's correct. I also can't see how to change it per interface.
Any help would be greatly appreciated.
Object cfwBasicConnectionEventType
OID 1.3.6.1.4.1.9.9.147.1.1.1.2.1.5
Type ConnectionEvent
1:other
2:accept
3:error
4:drop
5:close
6:timeout
7:refused
8:reset
9:noResp
"The type of connection-related event that this row contains.
If the event is not connection-related this object will not
be instantiated."
11-30-2011 06:02 AM
Hi Justin,
When you say you want to see accepted and dropped connections due to a policy on the outside interface, what exactly do you mean? Connections can be built and torn down for many reasons, so defining which policy you're referring to will help. Is there a particular counter or 'show' output on the CLI that you're looking to poll via SNMP?
cfwBasicConnectionEventType will probably be your best bet, though it's global for the ASA so you'll need to do some filtering after the data is received.
-Mike
11-30-2011 06:06 AM
Thanks for the response.
I guess counters on the outside_acl would make the most sense.
11-30-2011 06:09 AM
Hi Justin,
Unfortunately, the ASA doesn't have an OID that can poll ACL hits. You can log the ACL hits to a syslog and then redirect the syslog via SNMP to a server, but this would be a trap rather than a poll.
If you want an automated way to query the hits every month, you might want to look into Smart Call Home which is more suited for this type of monitoring. You can configure a profile to check the ACL hits and have it email them to you or HTTPS POST it to a web server once a month. You can find some config examples here:
https://supportforums.cisco.com/docs/DOC-14958
-Mike
11-30-2011 06:28 AM
Thanks again.
"Log the ACL Hits to syslog"
Would that show each hit in detail or just a counter like object?
Could I just clear the counters on the ACL monthly I wonder ?
Justin
11-30-2011 06:36 AM
Hi Justin,
The logs will look like this:
Permitted:
%ASA-6-106100: access-list outside_in permitted tcp outside/192.168.1.100(60270) -> inside/10.1.1.10(443) hit-cnt 1 first hit [0x8545f26e, 0x0]
Denied:
%ASA-6-106100: access-list outside_in denied tcp outside/192.168.1.100(60290) -> inside/10.1.1.10(80) hit-cnt 1 first hit [0x6c9e7133, 0x0]
That will be a lot more information than you probably want. If you just want to see the aggregate hits each month, my suggestion would be to use Smart Call Home (or maybe an Expect script via SSH) to pull the ACL hits (something like 'show access-list | ex hitcnt=0') once a month and then immediately clear them ('clear access-list
-Mike
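As an added example (not part of the thread and not Cisco tooling), here is a parser that turns 106100 messages of the shape Mike shows into monthly permitted/denied totals for one ACL, filtered by the source interface so the report can be limited to the outside interface as Justin asked. It also handles the interval form of the message ("hit-cnt N 300-second interval"), which the ASA emits when an ACE is logged with an interval; there hit-cnt is an accumulated count and must be summed rather than treated as one hit. The sample log below is constructed for the example; the two "first hit" lines are copied from the thread, the rest are invented. The leading "Nov 30 2011 06:36:01:" prefix assumes the ASA's own `logging timestamp` format; lines without it are still parsed, just with no month.

```python
"""Aggregate ASA %ASA-6-106100 ACL-hit syslog messages into monthly totals.

Added example, not code from the thread. Assumes lines are either bare
"%ASA-x-106100: ..." messages or messages prefixed by the ASA's own
"Mon DD YYYY HH:MM:SS: " timestamp (the `logging timestamp` format).
"""
import re
from collections import Counter

# Layout of the 106100 message: the "first hit" variant is the one shown in
# the thread; ACEs logged with an interval instead carry "N-second interval",
# and then hit-cnt is a count accumulated over that interval.
ACL_HIT_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>\S+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>\S+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) (?P<when>first hit|\d+-second interval)"
)
# Optional ASA timestamp prefix, e.g. "Nov 30 2011 06:36:01: %ASA-..."
TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<year>\d{4}) \d\d:\d\d:\d\d:? ")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Constructed sample log. Lines 1 and 2 are the ones quoted in the thread;
# the rest are invented to exercise the interval form, a second ACL, a
# second month and a non-106100 message that must be ignored.
SAMPLE_LOG = """\
Nov 30 2011 06:36:01: %ASA-6-106100: access-list outside_in permitted tcp outside/192.168.1.100(60270) -> inside/10.1.1.10(443) hit-cnt 1 first hit [0x8545f26e, 0x0]
Nov 30 2011 06:36:02: %ASA-6-106100: access-list outside_in denied tcp outside/192.168.1.100(60290) -> inside/10.1.1.10(80) hit-cnt 1 first hit [0x6c9e7133, 0x0]
Nov 30 2011 06:41:02: %ASA-6-106100: access-list outside_in denied tcp outside/192.168.1.100(60291) -> inside/10.1.1.10(80) hit-cnt 37 300-second interval [0x6c9e7133, 0x0]
Nov 30 2011 06:41:05: %ASA-6-106100: access-list inside_out permitted udp inside/10.1.1.20(51000) -> outside/8.8.8.8(53) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Dec 01 2011 00:00:03: %ASA-6-106100: access-list outside_in denied udp outside/192.168.1.200(4444) -> inside/10.1.1.10(161) hit-cnt 1 first hit [0x0badf00d, 0x0]
Nov 30 2011 06:36:03: %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.168.1.100/60270 (192.168.1.100/60270) to inside:10.1.1.10/443 (10.1.1.10/443)
"""


def parse_acl_hit(line):
    """Return a dict for a 106100 line (hits as int, month as 'YYYY-MM' or None), else None."""
    m = ACL_HIT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hits"] = int(rec["hits"])
    ts = TS_RE.match(line)
    rec["month"] = (f"{ts['year']}-{MONTHS[ts['mon']]:02d}"
                    if ts and ts["mon"] in MONTHS else None)
    return rec


def monthly_totals(lines, acl=None, src_if=None):
    """Sum hit-cnt per (month, acl, action), optionally restricted to one ACL
    and to hits whose source interface is src_if (e.g. 'outside')."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_hit(line)
        if rec is None:
            continue
        if acl and rec["acl"] != acl:
            continue
        if src_if and rec["src_if"] != src_if:
            continue
        # Summing hit-cnt (not counting lines) is what makes the interval
        # variant report correctly.
        totals[(rec["month"], rec["acl"], rec["action"])] += rec["hits"]
    return totals


if __name__ == "__main__":
    report = monthly_totals(SAMPLE_LOG.splitlines(), acl="outside_in", src_if="outside")
    for (month, acl_name, action), hits in sorted(report.items()):
        print(f"{month} {acl_name} {action}: {hits}")
```

Only ACEs that carry the `log` keyword produce 106100 messages, so an ACL whose entries are not logged will show zero here no matter how many packets it matches; and because the count comes from syslog rather than a poll, a dropped UDP syslog packet is a lost count, which is the trade-off Mike's Smart Call Home / `show access-list` suggestion avoids.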