02-05-2020 11:45 AM - edited 02-21-2020 09:53 AM
Hi Experts,
We are configuring SNMP on our Firepower 2130 from the Firepower Management Center (FMC) GUI for integration with an NMS tool.
--> Configured the SNMP receiver (i.e. the NMS server IP), SNMP version 2, traps, and assigned an interface as well.
All details are accepted and show properly in the GUI.
But while checking and verifying the configuration on the Firepower CLI, I can't find any of the SNMP configuration that was configured in the FMC GUI. On the CLI there is nothing about snmp-server.
I don't understand what I missed and where.
Please advise.
02-10-2020 09:53 AM
Hello All,
We have configured the diagnostic interface with the same IP that is configured on the FPR management interface, for testing.
Now we have the same IP on the management interface and the diagnostic interface (recently configured). Below are the observations:
Just for example, IP: 10.10.100.20
1- The diagnostic interface and IP address are now visible on the FPR CLI; however, the actual management interface still is not.
2- We can now see the snmp-server configuration on the FPR CLI that was pushed from FMC; earlier it was not available.
3- The diagnostic interface IP (recently configured) does not ping from the FPR itself.
4- On executing "show route 10.10.100.20" on the FPR, it shows no subnet available, although the IP is there on the same FPR. I believe this is due to the management interface.
5- No change in device status at the NMS end.
Rgds
02-10-2020 10:09 AM
To show the management address on an FTD device, drop to expert mode from the clish and run:
ifconfig management0
To show the routes used by it, use:
route | grep management
02-17-2020 04:31 AM - edited 02-17-2020 04:32 AM
Hi Marvin/All,
We have successfully polled the FTD with the new IP configured on the diagnostic interface (LINA), but a new observation now is that only the standby unit is sending SNMP trap PDUs to the monitoring server, whereas there are no trap PDUs from the ACTIVE unit.
We checked everything, like failover state, SNMP host, SNMP version and other related SNMP configuration. All are fine.
Active Unit:
firepower# sh snmp-server statistics
3032 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
19877 Number of requested variables
0 Number of altered variables
4354 Get-request PDUs
0 Get-next PDUs
374 Get-bulk PDUs
0 Set-request PDUs (Not supported)
3032 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name errors
0 Bad values errors
0 General errors
3032 Response PDUs
0 Trap PDUs
Standby Unit:
firepower# sh snmp-server statistics
3716 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
19935 Number of requested variables
0 Number of altered variables
4362 Get-request PDUs
0 Get-next PDUs
374 Get-bulk PDUs
0 Set-request PDUs (Not supported)
4028 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name errors
0 Bad values errors
0 General errors
3716 Response PDUs
312 Trap PDUs
firepower#
Regards
***
02-17-2020 07:23 PM
Have there been events on the primary FTD appliance that should have caused traps to be generated?
If so, you might want to open a TAC case. There was a bug (not sure of the BugID) with respect to SNMP on HA pairs that only created an SNMPv3 user on the secondary firewall.
02-17-2020 11:56 PM - edited 02-18-2020 04:06 AM
Hi Marvin,
We are using SNMP version 2.
I thought to add some very important information here. The purpose of this whole exercise [i.e. integrating the FTD with the monitoring server via SNMP] is to get VPN IPsec tunnel up/down trap notifications on the monitoring server, and that notification event should further be converted into a ticket.
02-20-2020 04:34 AM
Hello All,
I would like to share that we have raised a ticket with Cisco for their suggestion on IPsec VPN tunnel status traps from the FTD (which is integrated with and managed from FMC) to an external monitoring server.
Cisco confirmed that as of now there is no provision on FTD for monitoring VPN/IPsec tunnel status on an external monitoring server (via SNMP). There is already an enhancement filed for this. The workaround is to enable the "VPN STATUS" alert on FMC (note that this is on the FMC) and further call that alert under the "Monitor Alert" option in System. This is in global mode.
We have done the above configuration, but the problem doesn't end here. The further point is: whenever any IPsec tunnel trap is generated from the FTD, how would that trap flow towards the external NMS? I mean, we have successfully integrated the FTD (through the FTD diagnostic IP) with the external NMS server, but the "VPN status" alert is enabled on FMC, and FMC is not integrated with the monitoring server.
What would be the source of the tunnel status trap on the NMS server? Will it be the FTD or the FMC only? If the FTD, then fine, because we have polling enabled for the FTD on the NMS. If the FMC, then there would be an issue, as the FMC is not integrated with the NMS.
Rgds
02-21-2020 03:33 AM - edited 02-21-2020 03:39 AM
You can use an SNMP query to return the number of IPsec tunnels. I don't know the OID off the top of my head but it's the ASA (LINA code) in FTD that responds. I think (but haven't verified) it is:
Number of IPsec VPN tunnels: 1.3.6.1.4.1.9.9.171.1.3.1.1.0
Another user was able to do that for SVC (SSL VPN Client = Anyconnect) sessions using:
crasSVCNumSessions = 1.3.6.1.4.1.9.9.392.1.3.35.0.
See this thread:
05-12-2020 04:23 AM
Hi All,
This matter is still ongoing (IPsec tunnel status monitoring on Firepower).
FPR version: Version 6.4.0.7 (Build 53) - [Cisco Firepower 2130]
We tried all the combinations as per the suggestions from Cisco, and it looks like they are now also not sure about the solution. Initially we tried to do it on the FPR (FTD), but Cisco confirmed that as of now FTD does not support the IPsec monitoring feature with the current code. Then we implemented the workaround and configured health events on the Cisco FMC (integrated with the FTD for which the IPsec tunnels have to be monitored). We haven't seen any alerts in a couple of months. Cisco also confirmed that this workaround is not working in their lab environment either.
Overall, we are back to the point where we started. :-(
Can anyone please advise further on this if you have any clue about a solution?
Rgds
***
05-12-2020 05:11 AM
Have you configured the diagnostic interface as required? The LINA code (which responds on the diagnostic interface) supports the legacy ASA OIDs.
More details are in the link I posted previously.
05-12-2020 08:57 AM
Yes Marvin,
We have configured the diagnostic interface; in fact we are able to poll the FTD now with that new IP, but still no luck on IPsec tunnel status SNMP monitoring.
05-12-2020 11:16 PM
What SNMP OID are you using? I believe it should be:
1.3.6.1.4.1.9.9.392.1.3.26 | crasIPSecNumSessions | 1 | 1 | The number of currently active IPSec sessions. |
05-13-2020 03:37 AM
Hi Marvin,
No, we have not yet checked OID: 1.3.6.1.4.1.9.9.392.1.3.26 for IPSec monitoring on Cisco FTD.
We have used some 6-7 different OIDs as per suggestions from Cisco Support.
I believe the OID which you shared (1.3.6.1.4.1.9.9.392.1.3.26) is for Cisco ASA and not for FTD.
05-13-2020 03:45 AM
As I noted earlier, "The LINA code (which responds on the diagnostic interface) supports the legacy ASA OIDs."
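As an added example (not code from this thread, from Cisco, or from SolarWinds), the following stdlib-only Python builds the SNMPv2c GET a poller would send to the LINA/diagnostic address for the crasIPSecNumSessions OID quoted above and decodes the Gauge32 reply. The ".0" scalar instance suffix, the community string and the reply bytes exercised below are assumptions constructed locally; nothing here was captured from an FTD.

```python
# crasIPSecNumSessions from the thread (CISCO-REMOTE-ACCESS-MONITOR-MIB) plus the assumed scalar instance .0
OID_IPSEC_SESSIONS = "1.3.6.1.4.1.9.9.392.1.3.26.0"

def ber_len(n):  # BER length: short form under 128, long form (0x81/0x82 prefix) above
    return bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
def tlv(tag, body):  # one BER tag-length-value element
    return bytes([tag]) + ber_len(len(body)) + body
def enc_int(n, tag=0x02):  # minimal two's-complement INTEGER; tag 0x42 encodes a Gauge32
    return tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        while arc := arc >> 7:  # base-128 groups, continuation bit on all but the last
            groups.insert(0, arc & 0x7F)
        body += bytes([g | 0x80 for g in groups[:-1]] + [groups[-1]])
    return tlv(0x06, bytes(body))

def dec_oid(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80: arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):  # returns (tag, body, offset just past this element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low bits give the byte count
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def build_get_request(community, oid, request_id):
    varbind = tlv(0x30, enc_oid(oid) + tlv(0x05, b""))  # value is NULL in a request
    pdu = tlv(0xA0, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbind))
    return tlv(0x30, enc_int(1) + tlv(0x04, community.encode()) + pdu)  # version field 1 == v2c

def parse_get_response(data):  # -> (request_id, error_status, oid, value)
    _, msg, _ = read_tlv(data)
    tag, pdu, _ = read_tlv(msg, read_tlv(msg, read_tlv(msg)[2])[2])  # skip version, community
    assert tag == 0xA2, "not a GetResponse-PDU"
    _, rid, pos = read_tlv(pdu)
    _, err, pos = read_tlv(pdu, pos)
    _, _, pos = read_tlv(pdu, pos)  # error-index
    _, vb, _ = read_tlv(read_tlv(pdu, pos)[1])  # first varbind of the list
    _, oid, pos = read_tlv(vb)
    vtag, val, _ = read_tlv(vb, pos)
    value = int.from_bytes(val, "big", signed=vtag == 0x02) if vtag in (0x02, 0x41, 0x42) else val
    return int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big"), dec_oid(oid), value
```

Sending `build_get_request(...)` over UDP/161 to the diagnostic address and feeding the datagram to `parse_get_response` gives the current session count; polling it and alerting on a drop is the poll-based substitute for the tunnel trap the thread says FTD does not emit.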
07-01-2020 09:39 AM
Hello All,
Here again to share that we are stuck with this case.
To refresh the requirement, let me brief it here.
We have FPR version: Version 6.4.0.7 (Build 53) - [Cisco Firepower 2130], managed by FMC. There are multiple IPsec tunnels configured on it, and the requirement is to monitor the status of the IPsec tunnels by NMS (SolarWinds).
We have already done the configuration of the DIAGNOSTIC interface IP on the FTD due to the LINA concept. But things are still not moving. We have checked almost all combinations.
If anyone has faced and sorted out the same problem, please share your experience.
Rgds
***
07-03-2020 01:31 AM
It can be done even without using the diagnostic interface.
See my reply to your other post asking the same thing: