Re: Cisco ASA Firewall failover status monitoring (456 Views)
Occasional Advisor
Sagar_P
Posts: 9
Registered: ‎06-07-2013
Message 1 of 9 (507 Views)

Cisco ASA Firewall failover status monitoring

Hi,

I have a requirement from our Network team to monitor Cisco ASA Firewall failover status. When the firewall fails over from active to secondary, an alert should be generated.

I have the required OIDs for this.

I tried configuring the OIDs in Management event configuration but did not receive any alert for that.

Also, I checked with my Network team if they can enable traps for this, but they replied saying no SNMP traps for failover can be enabled in the firewall.

Please help me to know how this can be monitored.

We have NNMi 9.1 installed on a Linux box.

Thanks.

Regards

sagar

Trusted Contributor
trinhdong
Posts: 115
Registered: ‎03-13-2014
Message 2 of 9 (496 Views)

Re: Cisco ASA Firewall failover status monitoring

Hello Sagar,

In order to monitor the Cisco ASA Firewall failover status in such a case, I would suggest creating a custom poller to poll the OID: 1.3.6.1.4.1.9.9.147.1.2.1.1.1.3 (cfwHardwareStatusValue)

You can find the object information below:

Specific Object Information

Object cfwHardwareStatusValue

OID 1.3.6.1.4.1.9.9.147.1.2.1.1.1.3

Type HardwareStatus
1:other
2:up
3:down
4:error
5:overTemp
6:busy
7:noMedia
8:backup
9:active
10:standby

Hope this helps!

Best Regards,
Dong
HP Support
IF this or any post resolves your issue, Plz be sure to mark it as an accepted solution.
To show your appreciation, click KUDOS !!!
Occasional Advisor
Sagar_P
Posts: 9
Registered: ‎06-07-2013
Message 3 of 9 (456 Views)

Re: Cisco ASA Firewall failover status monitoring

Thanks for the reply, Dong.

I have configured the same using the Custom Poller NNMi guide. I just have a couple of questions.

What should be the MIB Expression and MIB Filter value for this?

Also, I have created the policy for this, but I am not getting any value for this when I check in Custom Node Collections.

Thanks.

Regards

sagar

Trusted Contributor
trinhdong
Posts: 115
Registered: ‎03-13-2014
Message 4 of 9 (447 Views)

Re: Cisco ASA Firewall failover status monitoring

Hello Sagar,

Kindly upload the full nnmsnmpwalk of those nodes here to simulate.

#nnmsnmpwalk.ovpl -T <Primary_nodeIP> >C:\tmp\walk_binary1.txt

#nnmsnmpwalk.ovpl -T <Secondary_nodeIP> >C:\tmp\walk_binary2.txt

You also need to share the management IP of those nodes.

Best Regards,
Dong
HP Support
Occasional Advisor
Sagar_P
Posts: 9
Registered: ‎06-07-2013
Message 5 of 9 (437 Views)

Re: Cisco ASA Firewall failover status monitoring

Hi,

Please find attached the snmpwalk files for both the devices.

Primary Management IP address for FW is 168.94.110.19

Secondary Management IP address for FW is 168.94.110.20

Thanks.

Regards

Sagar

Trusted Contributor
trinhdong
Posts: 115
Registered: ‎03-13-2014
Message 6 of 9 (420 Views)

Re: Cisco ASA Firewall failover status monitoring

Hello Sagar,

Your custom poller should match the following:

MIB Expression: 1.3.6.1.4.1.9.9.147.1.2.1.1.1.4 (cfwHardwareStatusDetail)

MIB Filter Variable: 1.3.6.1.4.1.9.9.147.1.2.1.1.1.2 (cfwHardwareInformation)

Here is the result of the simulation in my test system:

Test.JPG

Kindly refer to the snapshot below to understand the failover status in the custom poller:

Failover.JPG

Hope this helps!

Best Regards,
Dong
HP Support
Occasional Advisor
Sagar_P
Posts: 9
Registered: ‎06-07-2013
Message 7 of 9 (408 Views)

Re: Cisco ASA Firewall failover status monitoring

Thanks Dong.

I am able to configure it now successfully.

The only thing is that in Custom Node Collections the status of the node is showing as No Status, while I can see that in Custom Polled Instances it is green.

Also, the node status of the firewall is green.

So I am not sure why there is no status showing in Custom Node Collections. We did fail over the firewall but didn't see any status change or receive any incident.

Regards

sagar

Trusted Contributor
trinhdong
Posts: 115
Registered: ‎03-13-2014
Message 8 of 9 (399 Views)

Re: Cisco ASA Firewall failover status monitoring

Hi Sagar,

In order to see the node status change and receive the incident when the failover occurs, you have to check the box "Affect Node Status" - to take the node status change and "Generate Incident" - to receive its incident.

Failover11.JPG

Hope this helps!

Best Regards,
Dong
HP Support
Occasional Advisor
Sagar_P
Posts: 9
Registered: ‎06-07-2013
Message 9 of 9 (391 Views)

Re: Cisco ASA Firewall failover status monitoring

Hi Dong,

Both the nodes in Custom Node Collections are discovered properly and showing as green, and the same is the case in Custom Polled Instances.

I asked my Network Engineer to fail over the firewall, but I didn't receive any incident for this.

I can see this data in Custom Poller:

TopologyObjects cfwHardwareStatusDetail

dnf2b2b-.4 state-sync GigabitEthernet1/3

dnf2b2b-.7 Active unit

dnf2b2b-.6 Unit has failed

Now when the failover is successful, it shows the following data in Custom Poller:

TopologyObjects cfwHardwareStatusDetail

dnf2b2b-.4 state-sync GigabitEthernet1/3

dnf2b2b-.7 Active unit

dnf2b2b-.6 Standby unit

Please let me know how to configure this alert when there is a failover.

Thanks.

Regards

Sagar
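
Added example, not part of the original thread and not NNMi or HP code: the failover check discussed above, done outside NNMi by comparing two polls of cfwHardwareStatusValue and reporting a role change on the primary (.6) or secondary (.7) unit. It assumes net-snmp `snmpwalk -On` style output; the sample polls are constructed, the function names are hypothetical, and the .6/.7 index meaning comes from cfwHardwareType in CISCO-FIREWALL-MIB.

```python
import re

STATUS_OID = "1.3.6.1.4.1.9.9.147.1.2.1.1.1.3"  # cfwHardwareStatusValue
# HardwareStatus enumeration as listed in message 2 of the thread.
HARDWARE_STATUS = {1: "other", 2: "up", 3: "down", 4: "error", 5: "overTemp",
                   6: "busy", 7: "noMedia", 8: "backup", 9: "active", 10: "standby"}
# Table index (cfwHardwareType): 6 and 7 are the two failover units.
UNITS = {6: "primaryUnit", 7: "secondaryUnit"}
# Accepts both "INTEGER: 9" and "INTEGER: active(9)" (assumed output format).
LINE_RE = re.compile(r"^\.?" + re.escape(STATUS_OID)
                     + r"\.(\d+)\s*=\s*INTEGER:\s*(?:\w+\()?(\d+)\)?\s*$")

# Constructed sample polls, taken before and after a failover.
POLL_BEFORE = """\
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.3.4 = INTEGER: 2
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.3.6 = INTEGER: 9
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.3.7 = INTEGER: 10
"""
POLL_AFTER = """\
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.3.4 = INTEGER: 2
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.3.6 = INTEGER: standby(10)
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.3.7 = INTEGER: active(9)
"""

def parse_walk(text):
    """Return {unit_name: status_name} for the two failover units."""
    roles = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m.group(1)) in UNITS:
            code = int(m.group(2))
            roles[UNITS[int(m.group(1))]] = HARDWARE_STATUS.get(code, f"unknown({code})")
    return roles

def failover_events(previous, current):
    """Compare two polls; an empty list means nothing to alert on."""
    events = []
    for unit in UNITS.values():
        old, new = previous.get(unit), current.get(unit)
        if new is None:
            events.append(f"{unit}: no value returned")
        elif old is not None and old != new:
            events.append(f"{unit}: {old} -> {new}")
    active = [u for u, s in current.items() if s == "active"]
    if len(active) != 1:  # both active, or none active, is also alert-worthy
        events.append(f"expected exactly one active unit, found {len(active)}")
    return events

if __name__ == "__main__":
    print(failover_events(parse_walk(POLL_BEFORE), parse_walk(POLL_AFTER)))
```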
