Smart Call Home is a feature introduced on ASA firewalls in version 8.2 that allows for periodic monitoring of the firewall device. This document describes how to leverage this feature to monitor and troubleshoot network issues.
Configuring Smart Call Home
To configure Smart Call Home, use the following document:
The configuration alert-group (as configured above with the export full, non-default option) includes the commands:
- show call-home registered-module status | exclude disabled
- show running-config
- show startup-config
- show access-list | include elements
In the above example, the firewall will send these outputs to the email address firstname.lastname@example.org monthly.
Network Profiling using Snapshots
Network profiling is an important process that allows a network administrator to understand the current utilization levels of their network. This is important for monitoring current load and feature usage, as well as anomalous behaviour. Good archived historical network profile data helps to troubleshoot the most complex networking problems, such as oversubscription and load issues. Additionally, it provides an early warning system that helps network administrators understand when their network is reaching capacity.
Snapshots are a Smart Call Home feature that allows the user to customize which commands are sent by the ASA.
In the below example, the network administrator is interested in understanding the network utilization of their ASA. As a result, the snapshot profile is built to gather outputs relevant to network utilization:
These outputs will be gathered every 120 minutes and sent as emails, which the network administrator can then parse and format into graphs or charts. In the above example, the network administrator will be able to graph the current traffic rate through all the interfaces, the current connection rate, and the current connection and xlate counts. Additionally, the network administrator was interested in knowing how much traffic through the firewall was being sent through the service-policy, which is the last output included in the snapshot.
Device Oversubscription Issues
Network profiling is very useful for monitoring the current status of a network. When there is a load-related issue, snapshots can also be used to isolate the problem more efficiently.
When a network administrator suspects that the firewall is reaching a load limit, they can leverage Smart Call Home and the snapshot feature to provide very specific data that helps to isolate oversubscription-related issues. For more information regarding this specific issue, please refer to the following document: https://supportforums.cisco.com/docs/DOC-12439
Specific to Smart Call Home, the following snapshot profile will help to gather the necessary data:
By using the document linked above, the network administrator understands that oversubscription is primarily caused by CPU utilization and network load. Since the network administrator is already gathering network profile information, the only additional information required concerns device-level utilization. The snapshot profile above gathers information regarding CPU utilization, interface oversubscription and memory levels.
The Smart Call Home information gathered for both network profiling and device oversubscription can be graphed to better understand whether the oversubscription behaviour is periodic or consistent. A consistent problem may indicate a network attack or infected host, while periodic behaviour tends to be caused by network load.
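One way to make the periodic-versus-consistent distinction from archived snapshot emails, as an added example that is not part of the original document. It assumes each snapshot body contains `show cpu usage` and `show conn count` output; the sample bodies, thresholds and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

CPU_RE = re.compile(r"CPU utilization for 5 seconds = (\d+)%; 1 minute: (\d+)%; 5 minutes: (\d+)%")
CONN_RE = re.compile(r"(\d+) in use, (\d+) most used")

def parse_snapshot(body):
    """Return (5-minute CPU %, connections in use) from one snapshot email body."""
    cpu, conn = CPU_RE.search(body), CONN_RE.search(body)
    if not cpu or not conn:
        raise ValueError("snapshot lacks show cpu usage / show conn count output")
    return int(cpu.group(3)), int(conn.group(1))

def classify(samples, cpu_limit=80, consistent_ratio=0.8):
    """samples: list of (datetime, cpu_pct). Thresholds are assumed, tune per site."""
    high = [ts for ts, cpu in samples if cpu >= cpu_limit]
    if not high:
        return "normal"
    if len(high) / len(samples) >= consistent_ratio:
        return "consistent"   # sustained load: check for an attack or infected host
    # Periodic: every high sample falls in an hour of day that is high on 2+ days.
    days_by_hour = {}
    for ts in high:
        days_by_hour.setdefault(ts.hour, set()).add(ts.date())
    if all(len(days) >= 2 for days in days_by_hour.values()):
        return "periodic"     # recurring peaks: typical of ordinary network load
    return "irregular"        # isolated spikes: not enough data to decide

def make_body(cpu, conns):
    # Constructed sample text in the shape of ASA CLI output, not a device capture.
    return (f"CPU utilization for 5 seconds = {cpu}%; 1 minute: {cpu}%; 5 minutes: {cpu}%\n"
            f"{conns} in use, {conns * 2} most used\n")

def build_series(cpu_for_hour, days=3):
    """Simulate one snapshot every 120 minutes and parse each body."""
    start = datetime(2024, 1, 1)
    series = []
    for i in range(days * 12):
        ts = start + timedelta(minutes=120 * i)
        cpu, _conns = parse_snapshot(make_body(cpu_for_hour(ts.hour), 1000))
        series.append((ts, cpu))
    return series

business_hours = build_series(lambda h: 90 if 8 <= h <= 16 else 20)
sustained = build_series(lambda h: 95)

if __name__ == "__main__":
    print(classify(business_hours), classify(sustained))
```
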
Since VPN features are licensed on the ASA platforms, it is important for a network administrator to understand the utilization levels of the VPN deployment. This will help to forecast VPN expansion requirements to accommodate network growth.
Below is a profile that provides the necessary VPN information: