06-10-2009 04:04 AM - edited 03-08-2019 05:58 PM
The following information is provided as a supplement to the information found in the ASA Configuration Guide and the SNMP MIB Browser.
The following syslog messages are generated by SNMP:

212001: Unable to open SNMP channel (UDP port %d) on interface "%s", error code = %d
'error code' descriptions:
-1 ::= Unable to establish a listener on the configured port. Communication with hosts in the snmp-server config is not possible. The thread will automatically attempt to re-establish a listener on the default SNMP port (UDP 161).

212002: Unable to open SNMP trap channel (UDP port %d) on interface "%s", error code = %d
'error code' descriptions:
-1 ::= Unable to open a UDP channel on the trap port.
-2 ::= Unable to bind to the UDP channel.
-3 ::= Unable to set the trap channel as write-only.

212003: Unable to receive an SNMP request on interface "%s", error code = %d, will try again.
'error code' descriptions:
-1 ::= Unsupported transport type.
-5 ::= Received 0 bytes from UDP channel.
-7 ::= Incoming request exceeds supported buffer size.
-14 ::= Unable to determine source address from UDP.
-22 ::= Invalid parameter.

212004: Unable to send an SNMP response to %s, error code = %d
'error code' descriptions:
-1 ::= Unsupported transport type.
-2 ::= Invalid parameter.
-3 ::= Unable to set destination address in UDP.
-4 ::= PDU length exceeds supported UDP segment size.
-5 ::= Unable to allocate system block to construct PDU.

212005: incoming SNMP request (%d bytes) from %s exceeds data buffer size, discarding this SNMP request.

212006: Dropping SNMP request from %I/%d to %s:%I/%s because: %s
'because' descriptions:
"SNMPv3 not supported"
"snmp-server is disabled"

211001: Memory allocation Error

710005: %s request discarded from %A/%d to %s:%A/%d

710002: %s access permitted from %A/%d to %s:%A/%s
SNMP server statistics are obtained by executing "show snmp-server statistics"
sw8-5520(config)# sh snmp-server statistics
0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    0 Get-next PDUs
    0 Get-bulk PDUs
    0 Set-request PDUs (Not supported)
66 SNMP packets output
    0 Too big errors (Maximum packet size 512)
    0 No such name errors
    0 Bad values errors
    0 General errors
    0 Response PDUs
    66 Trap PDUs
The adaptive security appliance sends the following SNMP core traps:
• authentication: An SNMP request fails because the NMS did not authenticate with the correct community string.
• linkup: An interface has transitioned to the "up" state.
• linkdown: An interface is down, for example, if you removed the nameif command.
• coldstart: The ASA is running after a reload.
• At bootup, the ASA sends link state traps only on interfaces that were configured with a nameif command (that is, VLAN interfaces). Traps for physical interfaces (that is, Ethernet 0/0 and Ethernet 0/1) are also displayed.
• When the Ethernet 0/1 interface is down, the ASA sends traps about the two logical interfaces that are assigned to this physical interface. Traps for the logical and physical interfaces are displayed.
• When the Ethernet 0/1 interface is up, the ASA sends traps about the two logical interfaces that are assigned to this physical interface. Traps for the logical and physical interfaces are displayed.
The adaptive security appliance supports browsing of the following groups:
• Systems
• Interfaces, which includes the following objects:
  – ifOutQLen
  – ifInUnknownProtos
Note: If the interface is up, the ifEntry.ifAdminStatus object returns a 1. If the interface is administratively down, the ifEntry.ifAdminStatus object returns a 2.
The adaptive security appliance supports browsing of the following tables:
• ifTable
• ifXTable
For the ASA 5505 only:
• All of the interfaces that are displayed with the internal interfaces are assigned an ifIndex, are displayed, and have their descriptions displayed.
• Only the interfaces that have an assigned MTU have a value that is greater than zero. Use the show interface details command to validate the output.
• The administrative status for all interfaces is displayed.
• The operational status for all interfaces is displayed.
For the ASA 5505 only: The output displays IP addresses that are assigned to the interfaces that were configured using the nameif command.
The adaptive security appliance supports browsing of the following table:
• ip.ipAddrTable
Use of the ip.ipAddrTable entry requires that all interfaces have unique addresses.
If interfaces have not been assigned IP addresses, by default, their IP addresses are all set to 127.0.0.1. Having duplicate IP addresses causes the SNMP management station to loop indefinitely. The workaround is to assign each interface a different address.
For example, you can set one address to 127.0.0.1, another to 127.0.0.2, and so on. SNMP uses a sequence of GetNext operations to traverse the MIB tree. Each GetNext request is based on the result of the previous request. Therefore, if two consecutive interfaces have the same IP address 127.0.0.1 (table index), the GetNext function returns 127.0.0.1, which is correct; however, when SNMP generates the next GetNext request using the same result (127.0.0.1), the request is identical to the previous one, which causes the management station to loop infinitely.
For example:
GetNext(ip.ipAddrTable.ipAddrEntry.ipAdEntAddr.127.0.0.1)
The MIB table index should be unique for the agent to identify a row from the MIB table. The table index for ip.ipAddrTable is the interface IP address, so the IP address should be unique; otherwise, the SNMP agent becomes confused and may return information of another interface (row), which has the same IP address (index).
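The GetNext loop described above, as an added example that is not part of the original document: a simulated ip.ipAddrTable agent whose row lookup is keyed on the interface address, walked once with duplicate 127.0.0.1 rows and once with unique addresses. The agent model and the walker's non-increasing-OID check are the example's own assumptions, not ASA code.

```python
"""Simulated GetNext walk over ip.ipAddrTable showing why duplicate interface
addresses (the table index) make a management station loop, and the check a
walker needs in order to stop instead of repeating the same request forever."""

IP_AD_ENT_ADDR = (1, 3, 6, 1, 2, 1, 4, 20, 1, 1)   # ipAdEntAddr column OID


def ip_index(addr):
    """Turn a dotted IP address into the four-integer table index suffix."""
    return tuple(int(octet) for octet in addr.split("."))


def build_ipaddr_table(interface_addrs):
    """Constructed agent table: one ipAdEntAddr row per interface, sorted by
    OID as a real agent orders them. Duplicate addresses yield rows with
    identical OIDs, which is the fault the document describes."""
    rows = [(IP_AD_ENT_ADDR + ip_index(a), a) for a in interface_addrs]
    return sorted(rows)


def agent_get_next(rows, request_oid):
    """Model of an agent confused by duplicate indices: it locates the first
    row whose OID equals the request and returns the row after it. With two
    127.0.0.1 rows the lookup always lands on the first duplicate, so the
    second duplicate is returned on every request."""
    for pos, (oid, _value) in enumerate(rows):
        if oid == request_oid:
            return rows[pos + 1] if pos + 1 < len(rows) else None
        if oid > request_oid:
            return rows[pos]
    return None


def walk(rows, subtree, max_requests=1000):
    """Walk a subtree with successive GetNext requests. Returns the rows
    collected and whether a loop was detected. A compliant agent answers
    with a strictly greater OID, so a non-increasing answer means a naive
    manager would reissue the identical request indefinitely."""
    collected = []
    request = subtree
    for _ in range(max_requests):
        answer = agent_get_next(rows, request)
        if answer is None or answer[0][:len(subtree)] != subtree:
            return collected, False          # left the table: walk complete
        if answer[0] <= request:
            return collected, True           # same or earlier OID: loop
        collected.append(answer)
        request = answer[0]
    return collected, True                   # request budget exhausted


if __name__ == "__main__":
    dup = build_ipaddr_table(["10.1.1.1", "127.0.0.1", "127.0.0.1"])
    print("duplicate index:", walk(dup, IP_AD_ENT_ADDR))
    uniq = build_ipaddr_table(["10.1.1.1", "127.0.0.1", "127.0.0.2"])
    print("unique index:", walk(uniq, IP_AD_ENT_ADDR))
```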
The adaptive security appliance supports browsing of the following:
• snmp
The adaptive security appliance supports browsing of the following tables:
• entPhysicalTable
• entLogicalTable
The adaptive security appliance supports browsing of the following traps:
• config-change: The trigger for an SNMP configuration change trap is the creation or deletion of a context, or the insertion or removal of an SSM.
• fru-insert
• fru-remove
The adaptive security appliance supports browsing of the MIB. The adaptive security appliance supports browsing of the following traps:
• start
• stop
The adaptive security appliance supports browsing of the MIB. The adaptive security appliance supports browsing of the following trap:
• ciscoRasTooManySessions
The adaptive security appliance supports browsing of the MIB.
The adaptive security appliance supports browsing of the MIB.
The adaptive security appliance supports browsing of the following group:
• cfwSystem—The information in cfwSystem.cfwStatus, which relates to failover status, applies to the entire device and not just a single context.
The cfwHardwareStatusTable indicates whether failover is enabled and which unit is active.
Two rows in the cfwHardwareStatusTable object provide failover status. You can access the object table from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatus.cfwHardwareStatusTable
The objects that provide failover status include the following:
• cfwHardwareType (table index)
  – The object type is Hardware.
  – If failover is enabled or disabled, Row 1 returns 6 for the primary unit.
  – If failover is enabled, Row 2 returns 7 for the secondary unit.
• cfwHardwareInformation
  – The object type is SnmpAdminString.
  – If failover is enabled or disabled, Row 1 returns a blank value.
  – If failover is enabled, Row 2 returns a blank value.
• cfwHardwareStatusValue
  – The object type is HardwareStatus.
  – If failover is disabled, Row 1 returns 0 (not used).
  – If failover is enabled: for the active unit, Row 1 and Row 2 return active or 9; for the standby unit, Row 1 and Row 2 return standby or 10.
• cfwHardwareStatusDetail
  – The object type is SnmpAdminString.
  – If failover is disabled, Row 1 returns Failover Off.
  – If failover is enabled, Row 1 and Row 2 return a blank value.
In the MIB values window of the HP OpenView Browse MIB application, if failover is disabled, a sample MIB query provides the following information:
cfwHardwareInformation.6 :
cfwHardwareInformation.7 :
cfwHardwareStatusValue.6 : 0
cfwHardwareStatusValue.7 : 0
cfwHardwareStatusDetail.6 :Failover Off
cfwHardwareStatusDetail.7 :Failover Off
From this list, the table index, cfwHardwareType, appears as either .6 or .7 appended to the end of each of the subsequent objects. The cfwHardwareInformation field is blank, the cfwHardwareStatusValue is 0, and the cfwHardwareStatusDetail field includes Failover Off, which indicates the failover status. When failover is enabled, a sample MIB query yields the following information:
CISCO-FIREWALL-MIB::cfwHardwareInformation.netInterface = Failover LAN Interface
CISCO-FIREWALL-MIB::cfwHardwareInformation.primaryUnit = Primary unit (this device)
CISCO-FIREWALL-MIB::cfwHardwareInformation.secondaryUnit = Secondary unit
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.netInterface = up(2)
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.primaryUnit = active(9)
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.secondaryUnit = standby(10)
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.netInterface = failif Ethernet0/3
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.primaryUnit = Active unit
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.secondaryUnit = Standby unit
In this list, only the cfwHardwareStatusValue field includes values, either active or standby, to indicate the status of each unit.
This MIB extends the number of traps that you can use to discover additional information about the state of the adaptive security appliance, including the following events:
• Buffer usage from the show block command
• Connection count from the show conn command
• Failover status from the show failover command
• Memory usage from the show memory command
The adaptive security appliance does not support the following notification types:
• cfwSecurityNotification
• cfwContentInspectNotification
• cfwConnNotification
• cfwAccessNotification
• cfwAuthNotification
• cfwGenericNotification
You can view the number of connections in use from the cfwConnectionStatTable or from the CLI with the show conn command. You can access the cfwConnectionStatTable object table from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwConnectionStatTable
The objects that provide connection count status include the following:
• cfwConnectionStatService (table index)
  – The object type is Services.
  – The returned value for Row 1 and Row 2 is 40 (protocol).
• cfwConnectionStatType (table index)
  – The object type is ConnectionStat.
  – The returned value for Row 1 is 6 (the number of current connections in use).
  – The returned value for Row 2 is 7 (the highest number of connections in use).
• cfwConnectionStatDescription
  – The object type is SnmpAdminString.
  – The returned value for Row 1 is the number of connections currently in use by the entire firewall.
  – The returned value for Row 2 is the highest number of connections in use at any one time since device startup.
• cfwConnectionStatCount
  – The object type is Counter32.
  – The returned value for Row 1 and Row 2 is 0 (not used).
• cfwConnectionStatValue
  – The object type is Gauge32.
  – The returned value for Row 1 is an integer (the number in use).
  – The returned value for Row 2 is an integer (the number most used).
In the MIB values window of the HP OpenView Browse MIB application, a sample MIB query provides the following information:
cfwConnectionStatDescription.40.6 :number of connections currently in use by the entire firewall
cfwConnectionStatDescription.40.7 :highest number of connections in use at any one time since system startup
cfwConnectionStatCount.40.6
cfwConnectionStatCount.40.7
cfwConnectionStatValue.40.6 :15
cfwConnectionStatValue.40.7 :88
From this list, the table index, cfwConnectionStatService, appears as the .40 appended to each subsequent object and the table index, cfwConnectionStatType, appears as either .6 to indicate the number of connections in use or .7 to indicate the most used number of connections.
The cfwConnectionStatValue object then lists the connection count. The cfwConnectionStatCount object always returns 0.

The cfwBufferStatsTable indicates the system buffer usage, which provides an early warning of when the adaptive security appliance reaches its capacity limits. You can view this information from the CLI with the show blocks command.
You can view cfwBufferStatsTable at the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwBufferStatsTable
The objects that provide system block usage include the following:
• cfwBufferStatSize (table index)
  – The object type is Unsigned32.
  – The returned value of the first row and the next two rows is an integer; a SIZE value, for example, a 4-byte block.
• cfwBufferStatType (table index)
  – The object type is ResourceStatistics.
  – The returned value of the first row is 3 (MAX).
  – The returned value of the next row is 5 (LOW).
  – The returned value of the next row is 8 (CNT).
• cfwBufferStatInformation
  – The object type is SnmpAdminString.
  – The returned value for the first row is the maximum number of allocated integer byte blocks (integer is the number of bytes in a block).
  – The returned value for the next row is the fewest integer byte blocks available since system startup (integer is the number of bytes in a block).
  – The returned value for the next row is the current number of available integer byte blocks (integer is the number of bytes in a block).
• cfwBufferStatValue
  – The object type is Gauge32.
  – The returned value for the first row is integer (MAX number).
  – The returned value for the next row is integer (LOW number).
  – The returned value for the next row is integer (CNT number).
In the MIB values window of the HP OpenView Browse MIB application, a sample MIB query provides the following information:
cfwBufferStatInformation.4.3 :maximum number of allocated 4 byte blocks
cfwBufferStatInformation.4.5 :fewest 4 byte blocks available since system startup
cfwBufferStatInformation.4.8 :current number of available 4 byte blocks
cfwBufferStatInformation.80.3 :maximum number of allocated 80 byte blocks
cfwBufferStatInformation.80.5 :fewest 80 byte blocks available since system startup
cfwBufferStatInformation.80.8 :current number of available 80 byte blocks
cfwBufferStatInformation.256.3 :maximum number of allocated 256 byte blocks
cfwBufferStatInformation.256.5 :fewest 256 byte blocks available since system startup
cfwBufferStatInformation.256.8 :current number of available 256 byte blocks
cfwBufferStatInformation.1550.3 :maximum number of allocated 1550 byte blocks
cfwBufferStatInformation.1550.5 :fewest 1550 byte blocks available since system startup
cfwBufferStatInformation.1550.8 :current number of available 1550 byte blocks
cfwBufferStatValue.4.3: 1600
cfwBufferStatValue.4.5: 1600
cfwBufferStatValue.4.8: 1600
cfwBufferStatValue.80.3: 400
cfwBufferStatValue.80.5: 396
cfwBufferStatValue.80.8: 400
cfwBufferStatValue.256.3: 1000
cfwBufferStatValue.256.5: 997
cfwBufferStatValue.256.8: 999
cfwBufferStatValue.1550.3: 1444
cfwBufferStatValue.1550.5: 928
cfwBufferStatValue.1550.8: 932
From this list, the first table index, cfwBufferStatSize, appears as the first number appended to the end of each object, such as .4 or .256. The other table index, cfwBufferStatType, appears as .3, .5, or .8 after the first index. For each block size, the cfwBufferStatInformation object identifies the type of value, and the cfwBufferStatValue object identifies the number of bytes for each value.
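The failover-status, connection-count and buffer-statistics tables described above, as an added example that is not part of the original document: a parser for the "object.index : value" lines shown in the MIB browser samples, plus helpers that decode the two-row cfwHardwareStatusTable, read cfwConnectionStatValue.40.6/.7 and flag block pools whose LOW watermark fell well below MAX. The sample lines are constructed from the page's examples; the 70% warning threshold is the example's own assumption.

```python
import re

# Constructed sample, modelled on the page's MIB browser queries: a failover
# pair with the primary active, the connection counts, and two block pools.
SAMPLE = """
cfwHardwareInformation.6 :
cfwHardwareInformation.7 :
cfwHardwareStatusValue.6 : 9
cfwHardwareStatusValue.7 : 10
cfwHardwareStatusDetail.6 :
cfwHardwareStatusDetail.7 :
cfwConnectionStatValue.40.6 :15
cfwConnectionStatValue.40.7 :88
cfwBufferStatValue.4.3: 1600
cfwBufferStatValue.4.5: 1600
cfwBufferStatValue.4.8: 1600
cfwBufferStatValue.1550.3: 1444
cfwBufferStatValue.1550.5: 928
cfwBufferStatValue.1550.8: 932
"""

# "object.index[.index] : value"; the value may be empty (blank SnmpAdminString).
LINE_RE = re.compile(r"^\s*(\w+)((?:\.\d+)+)\s*:\s*(.*?)\s*$")

# cfwHardwareStatusValue encodings that appear in this document's samples.
HW_STATUS = {0: "not used", 2: "up", 4: "error", 9: "active", 10: "standby"}
PRIMARY, SECONDARY = 6, 7                 # cfwHardwareType index values
STAT_MAX, STAT_LOW = 3, 5                 # cfwBufferStatType index values (8 = CNT)
PROTO_IP, IN_USE, MOST_USED = 40, 6, 7    # cfwConnectionStat index values


def parse_mib_output(text):
    """Return {(object, index_tuple): value_string} for every matching line,
    so that table indices such as .1550.5 become the tuple (1550, 5)."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            index = tuple(int(p) for p in m.group(2).split(".")[1:])
            table[(m.group(1), index)] = m.group(3)
    return table


def hw_status(table, unit):
    """Decode one cfwHardwareStatusValue row, or None if the row is absent."""
    raw = table.get(("cfwHardwareStatusValue", (unit,)))
    if raw is None:
        return None
    return HW_STATUS.get(int(raw), f"unknown({raw})")


def failover_status(table):
    """Row 6 returning 0 means failover is disabled; otherwise rows 6 and 7
    carry the primary and secondary unit states."""
    primary = hw_status(table, PRIMARY)
    return {
        "enabled": primary not in (None, "not used"),
        "primary": primary,
        "secondary": hw_status(table, SECONDARY),
    }


def connection_counts(table):
    """(current, peak) connection counts from cfwConnectionStatValue.40.6/.7."""
    current = int(table[("cfwConnectionStatValue", (PROTO_IP, IN_USE))])
    peak = int(table[("cfwConnectionStatValue", (PROTO_IP, MOST_USED))])
    return current, peak


def low_buffer_pools(table, min_ratio=0.70):
    """Block sizes whose fewest-available count since startup (LOW) dropped
    below min_ratio of the allocated maximum (MAX): the early warning of a
    pool nearing exhaustion. The threshold is an assumption for the example."""
    flagged = []
    for (obj, index), value in table.items():
        if obj == "cfwBufferStatValue" and index[1] == STAT_LOW:
            size = index[0]
            maximum = int(table[("cfwBufferStatValue", (size, STAT_MAX))])
            if maximum and int(value) / maximum < min_ratio:
                flagged.append(size)
    return sorted(flagged)


if __name__ == "__main__":
    table = parse_mib_output(SAMPLE)
    print(failover_status(table))
    print(connection_counts(table))
    print("pools below 70% of MAX:", low_buffer_pools(table))
```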
The adaptive security appliance supports the following trap:
• clogMessageGenerated
The adaptive security appliance supports transmission of the following security-related events:
• Global access denied
• Syslog messages, including failover syslog messages
You cannot browse this MIB.
The adaptive security appliance supports browsing of the MIB.
The adaptive security appliance supports browsing of the following group:
• snmpEngine, which includes the following objects:
  – snmpEngineID. Use the show snmp engineid command to validate output.
  – snmpEngineBoots
  – snmpEngineTime
  – snmpEngineMaxMessageSize
The adaptive security appliance supports browsing of the following table:
• usmUserTable under the usmUser group, which includes the following objects:
  – usmUserEngineID: Use the show snmp server command to validate output.
  – usmUserName: Use the show snmp server command to validate output.
  – usmUserSecurityName: Use the show snmp server command to validate output.
  – usmCloneFrom
  – usmUserAuthProtocol: Use the show snmp server command to validate output.
  – usmUserAuthKeyChange
  – usmUserOwnAuthKeyChange
  – usmUserPrivProtocol: Use the show snmp server command to validate output.
  – usmUserPrivKeyChange
  – usmUserOwnPrivKeyChange
  – usmUserPublic
  – usmUserStorageType: Use the show snmp server command to validate output.
  – usmUserStatus: Use the show snmp server command to validate output.
The adaptive security appliance supports browsing of the following table:
• vacmSecurityToGroupTable under the vacmMIBObjects group, which includes the following objects:
  – vacmSecurityModel: Use the show snmp group command to validate output.
  – vacmSecurityName: Use the show snmp group command to validate output.
  – vacmGroupName: Use the show snmp group command to validate output.
  – vacmSecurityToGroupStorageType
  – vacmSecurityToGroupStatus: Use the show snmp group command to validate output.
The adaptive security appliance supports browsing of the following tables under the snmpTargetObjects group:
• snmpTargetAddrTable, which includes the following objects:
  – snmpTargetAddrName
  – snmpTargetAddrTDomain
  – snmpTargetAddrTAddress: Use the show run snmp-server host command to validate output.
  – snmpTargetAddrTimeout
  – snmpTargetAddrRetryCount
  – snmpTargetAddrTagList
  – snmpTargetAddrParams
  – snmpTargetAddrRowStatus
• snmpTargetParamsTable, which includes the following objects:
  – snmpTargetParamsName
  – snmpTargetParamsMPModel: Use the show run snmp-server host command to validate output.
  – snmpTargetParamsSecurityModel: Use the show run snmp-server host command to validate output.
  – snmpTargetParamsSecurityName
  – snmpTargetParamsSecurityLevel: Use the show run snmp-server host command to validate output.
  – snmpTargetParamsStorageType
  – snmpTargetParamsRowStatus
If you suspect the SNMP module is doing something it shouldn't or not doing something it should, it is always recommended to look at the output of "show snmp-server statistics" to confirm your device is the culprit. In a failover pair, both devices can become active and generate SNMP traffic. The snmp-server statistics can confirm which device is responsible. If SNMP is not responding to queries and your config is correct, you can use SNMP statistics and the output of "show counters" to confirm that your request is really making it to the SNMP thread (snmp in the output of "show process").
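The troubleshooting step above, as an added example that is not part of the original document: parse two snapshots of "show snmp-server statistics" (the counter layout shown earlier on this page), compute which counters moved, and turn the movement into the findings an operator looks for, such as which unit of a pair is emitting traps or whether requests are reaching the SNMP thread at all. Both snapshots are constructed; the findings logic is the example's own.

```python
import re

# Each counter line is "<value> <label>", as in the page's sample output.
COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

# Constructed snapshots taken a few minutes apart on one unit.
BEFORE = """\
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Get-request PDUs
0 Get-next PDUs
66 SNMP packets output
0 Too big errors (Maximum packet size 512)
0 No such name errors
0 Response PDUs
66 Trap PDUs
"""

AFTER = """\
12 SNMP packets input
0 Bad SNMP version errors
9 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
3 Number of requested variables
0 Get-request PDUs
3 Get-next PDUs
73 SNMP packets output
0 Too big errors (Maximum packet size 512)
0 No such name errors
3 Response PDUs
70 Trap PDUs
"""


def parse_snmp_statistics(text):
    """Map each counter label to its integer value."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats


def counter_deltas(before, after):
    """Counters that changed between two snapshots, keyed by label."""
    return {label: after[label] - before[label]
            for label in after if label in before and after[label] != before[label]}


def assess(deltas):
    """Translate counter movement into operator findings."""
    findings = []
    if deltas.get("SNMP packets input", 0) == 0:
        findings.append("no requests reached the SNMP thread; check show counters "
                        "and the snmp-server host configuration")
    wrong = deltas.get("Unknown community name", 0)
    if wrong > 0:
        findings.append(f"{wrong} requests carried a wrong community string; "
                        "expect authentication traps")
    traps = deltas.get("Trap PDUs", 0)
    if traps > 0:
        findings.append(f"this unit sent {traps} traps during the interval")
    return findings


if __name__ == "__main__":
    deltas = counter_deltas(parse_snmp_statistics(BEFORE), parse_snmp_statistics(AFTER))
    print(deltas)
    for finding in assess(deltas):
        print("-", finding)
```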
ASA currently does not support SNMP SET commands.
No. This feature is not available.
The only MIB that is supported which gives information about the configured ASA interfaces is: ifTable. Note that the interface must be configured using nameif command, or the interface does not show up.
The entityPhysical MIB is supported but at the device level. It does not have the level of detail for the sub-chassis-element.
SNMP only sends traps on interfaces it knows about. Currently, it sends traps on interfaces that have a nameif associated with it.
The ASA can give information via SNMP about remote access sessions.
Firewall connections are in CISCO-FIREWALL-MIB:
snmpwalk -c <community> -v <version> <asa> -OS .1.3.6.1.4.1.9.9.147.1.2.2.2

RAS connections ("sessions") are in CISCO-REMOTE-ACCESS-MONITOR-MIB:
snmpwalk -c <community> -v <version> <asa> -OS .1.3.6.1.4.1.9.9.392.1.3

IKE connections ("phase 1 tunnels") are in CISCO-IPSEC-FLOW-MONITOR-MIB:
snmpwalk -c <community> -v <version> <asa> -OS .1.3.6.1.4.1.9.9.171.1.2.1

IPSec connections ("phase 2 tunnels") are in CISCO-IPSEC-FLOW-MONITOR-MIB:
snmpwalk -c <community> -v <version> <asa> -OS .1.3.6.1.4.1.9.9.171.1.3.1

The ALTIGA-SSL-STATS-MIB will also display information about connections/sessions. The statistics reported by "show perfmon" are now available via SNMP through the unified firewall MIB, which was a new feature in 7.2. [http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn72.html#wp185335 Performance]
CISCO-FIREWALL-MIB gives the "show conn" information for current used and most used data as you mentioned. Some of the information from the "show perfmon detail" can be gotten by querying the ciscoUnifiedFirewallMIB as shown below.
MT-UUT/admin(config-pmap-c)# show conn count
12951 in use, 14533 most used
MT-UUT/admin(config-pmap-c)#

[root@linux-host tools]# snmpwalk -Os -c public -v 2c 172.23.32.180 ConnectionStat
cfwConnectionStatDescription.protoIp.currentInUse = STRING: number of connections currently in use by the entire firewall
cfwConnectionStatDescription.protoIp.high = STRING: highest number of connections in use at any one time since system startup
cfwConnectionStatCount.protoIp.currentInUse = Counter32: 0
cfwConnectionStatCount.protoIp.high = Counter32: 0
cfwConnectionStatValue.protoIp.currentInUse = Gauge32: 12955
cfwConnectionStatValue.protoIp.high = Gauge32: 14533
[root@linux-host tools]#

[root@linux-host tools]# snmpwalk -Os -c public -v 2c 10.0.0.5 ciscoUnifiedFirewallMIB
cufwConnGlobalNumResDeclined.0 = Counter64: 0 Connections
cufwConnGlobalNumActive.0 = Gauge32: 12853 Connections   <--- The connections that are active; the same as the "show conn" in-use count
cufwConnGlobalConnSetupRate1.0 = Gauge32: 65 Connections per second   <--- The number of connections the firewall establishes per second, averaged over the last 60 seconds
cufwConnGlobalConnSetupRate5.0 = Gauge32: 33 Connections per second   <--- The number of connections the firewall establishes per second, averaged over the last 300 seconds
cufwConnSetupRate1.udp = Gauge32: 0 Connections Per Second   <--- The number of UDP connections the firewall establishes per second, averaged over the last 60 seconds
cufwConnSetupRate1.tcp = Gauge32: 65 Connections Per Second   <--- The number of TCP connections the firewall establishes per second, averaged over the last 60 seconds
cufwConnSetupRate5.udp = Gauge32: 0 Connections Per Second   <--- The number of UDP connections the firewall establishes per second, averaged over the last 300 seconds
cufwConnSetupRate5.tcp = Gauge32: 33 Connections Per Second   <--- The number of TCP connections the firewall establishes per second, averaged over the last 300 seconds
cufwUrlfRequestsNumProcessed.0 = Counter64: 0 Requests
cufwUrlfRequestsProcRate1.0 = Gauge32: 0 Requests per second   <--- The number of URL access requests processed per second by this firewall, averaged over the last 60 seconds
cufwUrlfRequestsProcRate5.0 = Gauge32: 0 Requests per second   <--- The number of URL access requests processed per second by this firewall, averaged over the last 300 seconds
cufwUrlfRequestsNumAllowed.0 = Counter64: 0 Requests
cufwUrlfRequestsNumDenied.0 = Counter64: 0 Requests
cufwUrlfRequestsDeniedRate1.0 = Gauge32: 0 Requests per second
cufwUrlfRequestsDeniedRate5.0 = Gauge32: 0 Requests Per Second
cufwUrlfRequestsNumCacheAllowed.0 = Counter64: 0 Requests
cufwUrlfRequestsNumCacheDenied.0 = Counter64: 0 Requests
cufwUrlfRequestsNumResDropped.0 = Counter64: 0 Requests
cufwUrlfRequestsResDropRate1.0 = Gauge32: 0 Requests Per Second
cufwUrlfRequestsResDropRate5.0 = Gauge32: 0 Requests Per Second
cufwUrlfNumServerTimeouts.0 = Counter64: 0
cufwUrlfNumServerRetries.0 = Counter64: 0
SNMP can't be configured in the system context.
To get information about interfaces in either the admin or a user context, you can use the IF-MIB:
snmpwalk -v 2c -c public <context(user/admin) ip> ifDescr
IF-MIB::ifDescr.1 = STRING: Adaptive Security Appliance 'inside' interface
IF-MIB::ifDescr.2 = STRING: Adaptive Security Appliance 'outside' interface
IF-MIB::ifDescr.3 = STRING: Adaptive Security Appliance 'mgmt' interface
The IP-MIB gives you the IP addresses of all the interfaces when you query the context.
snmpwalk -v 2c -c public <context(user/admin) ip> ipAddr
IP-MIB::ipAdEntAddr.10.7.14.32 = IpAddress: 10.7.14.32
IP-MIB::ipAdEntAddr.10.8.1.92 = IpAddress: 10.8.1.92
IP-MIB::ipAdEntAddr.10.7.1.92 = IpAddress: 10.7.1.92
IP-MIB::ipAdEntIfIndex.10.7.14.32 = INTEGER: 3
IP-MIB::ipAdEntIfIndex.46.7.1.92 = INTEGER: 2
IP-MIB::ipAdEntIfIndex.47.7.1.92 = INTEGER: 1
IP-MIB::ipAdEntNetMask.10.7.14.32 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntNetMask.10.8.1.92 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntNetMask.10.7.1.92 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntBcastAddr.10.7.14.32 = INTEGER: 0
IP-MIB::ipAdEntBcastAddr.10.8.1.92 = INTEGER: 0
IP-MIB::ipAdEntBcastAddr.10.7.1.92 = INTEGER: 0
IP-MIB::ipAdEntReasmMaxSize.10.7.14.32 = INTEGER: 65535
IP-MIB::ipAdEntReasmMaxSize.10.8.1.92 = INTEGER: 65535
IP-MIB::ipAdEntReasmMaxSize.10.7.1.92 = INTEGER: 65535
In multiple mode, the system name or hostname of any context corresponds to the context name. System names can be retrieved using the SNMPv2 System MIB object "sysName".
"snmpwalk -v 2c -c public <context(user/admin) ip> sysName"
SNMPv2-MIB::sysName.0 = STRING: c1 <------ "c1" is the context name
SNMP v3 support was added to ASA version 8.2(1).
All the MIBs listed at the Supported MIBs URL are supported.
Starting in Version 7.0(1), several MIBs were added to reflect VPN stats. When walking the VPN MIBs there are no "down" tunnels. If the tunnel is up there's an entry present on the MIB tables, otherwise the entry is removed. The traps cipSecTunnelStart and cipSecTunnelStop can be enabled if one wants to receive traps when the tunnel is built up and torn down.
Note that the traps come from CISCO-IPSEC-FLOW-MONITOR-MIB, which will also include L2L tunnels, not just remote-access. The cras MIB objects are populated from the vpn-session manager, which correspond to "show vpn-sessiondb ..." on the CLI.
Configure the ASA to allow an SNMP server to connect to it:
snmp-server host inside 10.44.112.157 community public
"10.44.112.157" is your client PC ip address on which your snmp walk tool is installed. "public" is a shared secret string defined by you.
On the SNMP server with IP "10.44.112.157", issue:
snmpwalk -v2c -c public <IP_of_ASA_interface> 1.3.6.1.4.1.3076.2.1.2.26.1.2
The above command should output the following:
SNMPv2-SMI::enterprises.3076.2.1.2.26.1.2.0 = Gauge32: 1
Currently, this MIB is not supported.
How do I read the output of the ciscoMemPool MIB in multi-mode and correlate it with the output of show mem?
The ciscoMemoryPoolUsed OID value represents the used memory on the ASA. In case of single mode, it will be the used memory of the system, and in case of multi-mode, it is the used memory of the context.
The ciscoMemoryPoolFree OID value will be the free memory that is available to the system regardless of the mode - i.e. single or multi-mode. In multi-mode, ASA does not have an upper bound on the amount of memory that is assigned to a particular context, so the total free memory in the system is available to each context.
The following example should make this clear.
'''System context:'''
asa-5520(config)# show mem
Free memory:       292792568 bytes (55%)
Used memory:       236816008 bytes (45%)
-------------     ----------------
Total memory:      529608576 bytes (100%)

'''Admin context:'''
asa-5520(config)# show mem
Free memory:       292792568 bytes (55%)
Used memory:       236816008 bytes (45%)
-------------     ----------------
Total memory:      529608576 bytes (100%)

SNMP walk output:
[root@myinsidelnx root]# snmpwalk -OS -v 2c -c public 10.7.14.12 ciscoMemoryPool
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolName.1 = System memory
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolAlternate.1 = 0
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolValid.1 = true(1)
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolUsed.1 = Gauge32: 1537500 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolFree.1 = Gauge32: 292791392 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolLargestFree.1 = Gauge32: 292791392 bytes
The 'inspect snmp' engine only looks at the version to perform filtering of the packet itself. Use the inspect snmp command to enable SNMP inspection, using the settings configured with an SNMP map, which you create using the snmp-map command. Use the deny version command in SNMP map configuration mode to restrict SNMP traffic to a specific version of SNMP.
One reason to use inspect snmp would be to restrict a particular version of SNMP, for example v1, which is less secure. To deny a specific version of SNMP, use the deny version command within an SNMP map, which you create using the snmp-map command. After configuring the SNMP map, you enable the map using the inspect snmp command and then apply it to one or more interfaces using the service-policy command.
To get detailed information about the units in the failover pair, use the OID cfwHardwareStatusTable.
Here is an example with the information that this OID returns:
[root@sw8-ilinux root]# snmpwalk -v2c -c public -OS 10.7.14.55 cfwHardwareStatusTable
CISCO-FIREWALL-MIB::cfwHardwareInformation.netInterface = Failover LAN Interface
CISCO-FIREWALL-MIB::cfwHardwareInformation.primaryUnit = Primary unit (this device)
CISCO-FIREWALL-MIB::cfwHardwareInformation.secondaryUnit = Secondary unit
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.netInterface = up(2)
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.primaryUnit = active(9)
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.secondaryUnit = error(4)
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.netInterface = failif Ethernet0/3 (system)
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.primaryUnit = Active unit
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.secondaryUnit = Unit has failed
ASA does not support the following MIBs that FWSM supports:
CISCO-ENTITY-ALARM-MIB.my
CISCO-ENTITY-REDUNDANCY-MIB.my
CISCO-ENTITY-REDUNDANCY-TC-MIB.my
CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB.my
CISCO-NAT-EXT-MIB.my
NAT-MIB.my
TCP-MIB.my
UDP-MIB.my
The traps that the ASA does not support and FWSM does:
ceAlarmAsserted: CISCO-ENTITY-ALARM-MIB.my
ceRedunEventSwitchover: CISCO-ENTITY-REDUNDANCY-MIB.my
clrResourceLimitReached: CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB.my
clrResourceRateLimitReached: CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB.my
ASA supports entityMIB, which can generate an "entConfigChange" trap. Currently the entConfigChange trap is only generated when a security context is added/removed (multi-mode) or an SSM is inserted/removed (though OID is not officially supported).
The authentication trap is sent when an attempt is made to poll the ASA with a wrong SNMP community. It is NOT generated when a user tries wrong password when logging into the device (telnet, SSH, etc.).
Example of configChange trap:
2009-03-10 12:22:38 host-14-12.f1boulder.lab [10.7.14.12] TRAP, SNMP v1, community public ENTITY-MIB::entityMIBTraps Enterprise Specific Trap (ENTITY-MIB::entConfigChange) Uptime: 0:13:40.00
Example of authentication Failure trap:
2009-03-09 09:14:47 host-14-55.f1boulder.lab [10.7.14.55] TRAP, SNMP v1, community public CISCO-PRODUCTS-MIB::ciscoASA5510 Authentication Failure Trap (0) Uptime: 2 days, 15:56:06.00
The image is currently designed to emit the FRU traps only when an SSM/SSC ("card") is inserted or removed. It will not generate a trap if a PSU is removed. Note that the coldStart trap is generated when the device reaches the 'up' state, e.g. after the reboot. There is no SNMP trap generated prior to the power loss.
The ASA supports the SNMPv2-MIB authenticationFailure trap instead of the CISCO-GENERAL-TRAPS MIB. Due to this, the ASA does not report who was responsible for the authenticationFailure trap but just that the trap is seen.
The ifInDiscard OID displays different information depending on the interface type. ifInDiscard for a physical interface will show the number of packets discarded on the physical interface due to insufficient buffer space. This is the 'no buffer' counter seen when performing a 'show interface'. For a logical interface ifInDiscard will correspond to the 'packets dropped' traffic statistic seen when performing a 'show interface'.
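As an added example (not part of the original document), the following Python script parses snmptrapd-style lines in the format shown above and counts traps per agent, flagging an ASA that keeps emitting authenticationFailure traps (someone polling it with a wrong community). The log lines are constructed to match the two examples above plus a coldStart; as the document notes, the ASA does not report who caused the failure, so the flagged address is the ASA itself and the 212/710 syslogs must be used to find the poller.

```python
import re
from collections import Counter

# Constructed snmptrapd-style lines in the format shown above (not real captures).
SAMPLE_TRAP_LOG = """\
2009-03-10 12:22:38 host-14-12.f1boulder.lab [10.7.14.12] TRAP, SNMP v1, community public ENTITY-MIB::entityMIBTraps Enterprise Specific Trap (ENTITY-MIB::entConfigChange) Uptime: 0:13:40.00
2009-03-09 09:14:47 host-14-55.f1boulder.lab [10.7.14.55] TRAP, SNMP v1, community public CISCO-PRODUCTS-MIB::ciscoASA5510 Authentication Failure Trap (0) Uptime: 2 days, 15:56:06.00
2009-03-09 09:14:52 host-14-55.f1boulder.lab [10.7.14.55] TRAP, SNMP v1, community public CISCO-PRODUCTS-MIB::ciscoASA5510 Authentication Failure Trap (0) Uptime: 2 days, 15:56:11.00
2009-03-09 09:15:03 host-14-55.f1boulder.lab [10.7.14.55] TRAP, SNMP v1, community public CISCO-PRODUCTS-MIB::ciscoASA5510 Authentication Failure Trap (0) Uptime: 2 days, 15:56:22.00
2009-03-09 09:20:00 host-14-55.f1boulder.lab [10.7.14.55] TRAP, SNMP v1, community public CISCO-PRODUCTS-MIB::ciscoASA5510 Cold Start Trap (0) Uptime: 0:00:05.00
"""

# Timestamp, resolved host, agent IP, community, enterprise OID, then the trap description.
TRAP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \[(?P<ip>[\d.]+)\] "
    r"TRAP, SNMP v1, community (?P<community>\S+) (?P<enterprise>\S+) (?P<rest>.*)$"
)

def parse_trap(line):
    """Return {'ts', 'agent', 'kind'} for one snmptrapd line, or None if it does not match."""
    m = TRAP_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if "Enterprise Specific Trap (" in rest:
        # e.g. ENTITY-MIB::entConfigChange, taken from inside the parentheses
        kind = rest.split("Enterprise Specific Trap (", 1)[1].split(")", 1)[0]
    elif rest.startswith("Authentication Failure Trap"):
        kind = "authenticationFailure"   # wrong community used against this agent
    elif rest.startswith("Cold Start Trap"):
        kind = "coldStart"               # device reached 'up' state, e.g. after reboot
    else:
        kind = "other"
    return {"ts": m.group("ts"), "agent": m.group("ip"), "kind": kind}

def summarize(log_text, auth_fail_threshold=3):
    """Count (agent, kind) pairs and list agents with repeated authenticationFailure traps."""
    events = [e for e in map(parse_trap, log_text.splitlines()) if e]
    counts = Counter((e["agent"], e["kind"]) for e in events)
    alerts = [agent for (agent, kind), n in counts.items()
              if kind == "authenticationFailure" and n >= auth_fail_threshold]
    return counts, sorted(alerts)

if __name__ == "__main__":
    counts, alerts = summarize(SAMPLE_TRAP_LOG)
    for (agent, kind), n in sorted(counts.items()):
        print(f"{agent:15} {kind:30} {n}")
    print("repeated auth failures from:", alerts)
```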
May I ask, has anyone tried to retrieve stats in a multi-context ASA or FWSM using the above-mentioned method?
snmpwalk -v 2c -c public <context(user/admin) ip> ifDescr
This command doesn't seem to work at all. Could anyone drop a hint please?
Additional thing regarding multiple contexts. SNMP ENTITY-MIB is not working for non-admin contexts.
It is logical, but couldn't find any official reference to it (maybe good to add it to this great DOC):
iso.3.6.1.2.1.47.1.1.1.1.11 = No Such Instance currently exists at this OID
Guys, I am trying to Monitor the anyconnect connection profile, I have 4-5 different tunnel profile, does anyone know what will be snmp oid ?
If I go into ASDM I can monitor this # by doing this:
Monitor--> VPN-->All Remote Access-->connection Profile--> tunnel Name (e.g abc)
Hi,
Can someone clarify if there is any definite list of supported MIBs and OIDs for Cisco security devices like ASAs and FWSM?
For example, if you look at Cisco's list of supported MIBs for both FWSM and ASAs for most "fairly current" versions (see below), the CISCO-PROCESS-MIB.my MIB is listed as supported, albeit just for a particular sub-branch called cpmCPU.
This should have about 29 OIDs in it including CPU and Memory info.
However this MIB is NOT listed at the top of this document under "SNMP MIB support".
Moreover, if you log on to an ASA and FWSM (I tried this for various ASA models including 55800-40 for different OS versions and for FWSM for different OS versions) and run the "show snmp-server oidlist" command or do an SNMP walk from some MIB browser tool, you do NOT even get the full list of OIDs allegedly supported.
Usually you get just the first five (regardless of whether you are on FWSM or ASA and regardless of OS version):
show snmp-server oidlist | inc 109
[128] 1.3.6.1.4.1.9.9.109.1.1.1.1.2. cpmCPUTotalPhysicalIndex
[129] 1.3.6.1.4.1.9.9.109.1.1.1.1.3. cpmCPUTotal5sec
[130] 1.3.6.1.4.1.9.9.109.1.1.1.1.4. cpmCPUTotal1min
[131] 1.3.6.1.4.1.9.9.109.1.1.1.1.5. cpmCPUTotal5min
but on one FWSM running 3.1 OS it listed OIDs going to 1.3.6.1.4.1.9.9.109.1.1.1.1.9 inclusive.
The missing OIDs values include memory usage (i.e. free/available) which I would like to monitor.
Anyone knows whether full set of OIDs for the cpmCPU sub-branch of CPU-PROCESS-MIB is available at all and if so is it only available for particular hardware, firmware or OS version?
regards,
Andrew
This is from Cisco MIB support/download web page:
Version 8.2 and higher
CISCO-PROCESS-MIB.my Only objects defined under cpmCPU are supported.
Hi Andrew,
This page is accurate:
ftp://ftp.cisco.com/pub/mibs/supportlists/asa/asa-supportlist.html
As listed in the Note section:
CISCO-PROCESS-MIB.my Only objects defined under cpmCPU are supported.
Only the cpmCPU OIDs are supported in the Cisco-Process-MIB. If you want to query memory usage, please use the CISCO-MEMORY-POOL-MIB.
Please see Table 39-1 in
http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/monitor.html for which MIBs and OIDs are supported.
Hope it helps.
David.
David -
Sorry to re-animate this dead thread, but the lack of ARP via SNMP is a glaring fault that I had hoped would be fixed by now.
Is there any particular reason why the ARP cache and its IPv6 cousin, the IPv6 Neighbor table, are not available on ASA? It's a huge hole in our ability to monitor what's happening or even existing in our DMZs.
If it's a philosophy thing, is there any hope the philosopher might retire or move on to some other company soon? Maybe we can make them an offer ;^)
thanks,
=seymour=