Smart Call Home is a feature introduced into the ASA firewalls in version 8.2 that allows for periodic monitoring of the firewall device. This document describes how to leverage this feature to monitor and troubleshoot network issues.
Configuring Smart Call Home
To configure Smart Call Home, use the following document:
The configuration alert-group (as configured above with the export full, non-default option) includes the commands:
- show call-home registered-module status | exclude disabled
- show running-config
- show startup-config
- show access-list | include elements
In the above example, the firewall will send these outputs to the email address firstname.lastname@example.org monthly.
Network Profiling using Snapshots
Network profiling is an important process that allows a network administrator to understand the current utilization levels of their network. This is important for monitoring current load, feature usage, and anomalous behaviour. Good archived historical network profile data helps to troubleshoot the most complex networking problems, such as oversubscription and load issues. Additionally, it provides an early warning system that helps network administrators understand when their network is reaching capacity.
Snapshots are a Smart Call Home feature that allows the user to customize which commands are sent by the ASA.
In the below example, the network administrator is interested in understanding the network utilization of their ASA. As a result, the snapshot profile is built to gather outputs relevant to network utilization:
These outputs will be gathered every 120 minutes and sent as emails, which the network administrator can then parse and format into graphs or charts. In the above example, the network administrator will be able to graph the current traffic rate through all the interfaces, the current connection rate, and the current connection and xlate counts. Additionally, the network administrator was interested in knowing how much traffic through the firewall was being sent through the service-policy, which is the last output included in the snapshot.
Device Oversubscription Issues
Network profiling is very useful for monitoring the current status of a network. When there is a load-related issue, snapshots can also be used to isolate the problem more efficiently.
When a network administrator suspects that the firewall is reaching a load limit, they can leverage Smart Call Home and the snapshot feature to provide very specific data that helps to isolate oversubscription-related issues. For more information regarding this specific issue, please refer to the following document: https://supportforums.cisco.com/docs/DOC-12439
Specific to Smart Call Home, the following snapshot profile will help to gather the necessary data:
By using the document linked above, the network administrator understands that oversubscription can be primarily caused by CPU utilization and network load. Since the network administrator is already gathering network profile information, the only additional information required concerns device-level utilization. The snapshot profile above gathers information regarding CPU utilization, interface oversubscription and memory levels.
The Smart Call Home information gathered in both the network profiling and device oversubscription can be graphed to better understand whether the oversubscription behaviour is periodic or consistent. A consistent problem may indicate a network attack or infected host, while a periodic behaviour tends to be caused by network load.
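The parsing and graphing step described for the snapshot emails, and the periodic-versus-consistent distinction above, as an added example that is not part of the original document. The command set (`show cpu usage`, `show conn count`, `show xlate count`), the email layout, the 80% threshold and the 0.9 share are assumptions; all sample data is constructed.

```python
import re

# Constructed snapshot email bodies, 120 minutes apart.
# Assumed layout: each command name on its own line, followed by its output.
def make_body(cpu, conns, xlates):
    return (f"show cpu usage\nCPU utilization for 5 seconds = {cpu}%; "
            f"1 minute: {cpu}%; 5 minutes: {cpu}%\n"
            f"show conn count\n{conns} in use, 60000 most used\n"
            f"show xlate count\n{xlates} in use, 40000 most used\n")

BUSINESS_HOURS = [("00:00", make_body(12, 900, 400)), ("02:00", make_body(15, 1100, 500)),
                  ("10:00", make_body(91, 52000, 31000)), ("12:00", make_body(88, 50500, 30000))]
ALWAYS_HIGH = [(t, make_body(93, 8000, 2000)) for t in ("00:00", "02:00", "04:00", "06:00")]

CPU_RE = re.compile(r"CPU utilization for 5 seconds = \d+%; 1 minute: \d+%; 5 minutes: (\d+)%")
COUNT_RE = re.compile(r"^show (conn|xlate) count[ \t]*\n(\d+) in use, \d+ most used", re.M)

def parse_snapshot(body):
    """Return {'cpu', 'conn', 'xlate'} as ints; a key is absent if its output is missing."""
    row = {}
    m = CPU_RE.search(body)
    if m:
        row["cpu"] = int(m.group(1))  # 5-minute average smooths short spikes
    for kind, in_use in COUNT_RE.findall(body):
        row[kind] = int(in_use)
    return row

def build_series(snapshots):
    """Turn (timestamp, body) pairs into rows ready for graphing."""
    return [dict(time=ts, **parse_snapshot(body)) for ts, body in snapshots]

def classify_cpu(rows, threshold=80, consistent_share=0.9):
    """'normal', 'periodic' or 'consistent', from the share of samples at or over threshold."""
    samples = [r["cpu"] for r in rows if "cpu" in r]  # skip truncated emails
    if not samples:
        return "no data"
    share = sum(v >= threshold for v in samples) / len(samples)
    if share == 0:
        return "normal"
    return "consistent" if share >= consistent_share else "periodic"

if __name__ == "__main__":
    for name, snaps in (("business hours", BUSINESS_HOURS), ("always high", ALWAYS_HIGH)):
        rows = build_series(snaps)
        print(name, "->", classify_cpu(rows))
        for r in rows:
            print("  ", r)
```
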
Since VPN features are licensed on the ASA platforms, it is important for a network administrator to understand utilization levels of the VPN deployment. This will help to forecast VPN expansion requirements to accommodate network growth.
Below is a profile that provides the necessary VPN information: