Can't get SNMP data from ASA's AIP 10 IPS module

Nov 12th, 2008

Hi,


I have just had the AIP 10 IPS module installed onto my ASA 5520. I have now set up the SNMP and my SNMP server (SolarWinds) can detect the CPU, memory and sensors to monitor.


The problem I have is that the SNMP server is getting data from the sensors but not data from the CPU or memory MIBs. Is something denying this from the IPS?

Farrukh Haroon Sun, 11/16/2008 - 00:08

If you can get other data from the sensor, then the SolarWinds product does not support the IDS CPU/memory MIB. We faced the same issue with BMC Dashboard/Entuity and we had to build a custom formula for that.


Regards


Farrukh

mathias.mahnke Fri, 11/21/2008 - 12:07

Hi Farrukh, Hello All,


Could you post the OIDs of the values you are monitoring? I'm very interested in the CPU status.


Looking at the SNMP navigator tool, I didn't find any list of supported MIBs on the IPS modules.


Thanks

Mathias

Farrukh Haroon Fri, 11/21/2008 - 22:24

The following are some IDS MIBs; Cisco forgot to link them on the MIBs page located at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml



ftp://ftp-sj.cisco.com/pub/mibs/v2/CISCO-ENHANCED-MEMPOOL-MIB.my


ftp://ftp-sj.cisco.com/pub/mibs/v2/CISCO-PROCESS-MIB.my


ftp://ftp-sj.cisco.com/pub/mibs/v2/CISCO-CIDS-MIB.my



ftp://ftp-sj.cisco.com/pub/mibs/oid/CISCO-CIDS-MIB.oid


ftp://ftp-sj.cisco.com/pub/mibs/oid/CISCO-ENHANCED-MEMPOOL-MIB.oid


Here is the formula we are using to get the memory utilization percentage (in BMC Dashboard):


average ( select 1.3.6.1.4.1.9.9.221.1.1.1.1.8 ) / ( average ( select 1.3.6.1.4.1.9.9.221.1.1.1.1.8 ) + average ( select 1.3.6.1.4.1.9.9.221.1.1.1.1.7 ) ) * 100


Which translates to:


average ( select cempmempoolfree ) / ( average ( select cempmempoolfree ) + average ( select cempmempoolused ) ) * 100


I'm unable to find the formula for the CPU, but try loading the PROCESS mib for that.


average ( select 1.3.6.1.4.1.9.9.109.1.1.1.1.5 )


Please rate if helpful.


Regards


Farrukh

whiteford Sat, 11/22/2008 - 02:00

Hi,


So have you managed to monitor the CPU of your IPS?


So do you have to load the mibs into your snmp software?

Farrukh Haroon Sat, 11/22/2008 - 02:39

We were not getting any valid data for the CPU in our IDSM-2. However, the BMC development team was able to get values in their simulation lab. The issue later died as we decided not to renew the BMC product for the next (due to other reasons).


Yes I had to load the MIBs in the software.


Regards


Farrukh

whiteford Sat, 11/22/2008 - 02:44

Hi,


I use Orion Solarwinds, I really need to monitor my CPU and memory of the IPS as it can hit 100%.


Any other way?

Farrukh Haroon Sat, 11/22/2008 - 02:47

If you are running 6.1.x you can use the IPS Manager Express (IME) to monitor CPU/Memory.


Regards


Farrukh

whiteford Sat, 11/22/2008 - 03:03

That's what I'm using, but I need some sort of email alert as I can't look at that screen 24/7.


Solarwinds currently does this.

Farrukh Haroon Sat, 11/22/2008 - 03:22

Did you try polling the MIBs I gave you earlier?


Can you load external MIB files in Solarwinds?


Regards


Farrukh

whiteford Sat, 11/22/2008 - 03:46

Not sure if you can load those into solarwinds, will have to log a call with them.


They update their MIB db all the time and boast having 100,000's in it. So surprising IPS isn't in it, but IDS is. It does an auto detection.


Thing is, it does detect the sensors and CPU and memory, but just doesn't gather data for the memory or CPU, but does for the sensors.



mathias.mahnke Sat, 11/22/2008 - 07:10

Thanks for the OID hints. I finally managed to get the CPU values from the AIP-IPS modules with:


host$ snmpwalk -v 2c -c <community> <host> 1.3.6.1.4.1.9.9.109.1.1.1.1

SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.1 = INTEGER: 0

SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.6.1 = Gauge32: 33

SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.7.1 = Gauge32: 38

SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.1 = Gauge32: 29


This looks much the same as getting the value via the IPS CLI ("sh statistics host"):


CPU Statistics

Usage over last 5 seconds = 23

Usage over last minute = 38

Usage over last 5 minutes = 29


(Last 5 seconds differs since I can't set up both requests simultaneously for obvious reasons ;-).


Thanks a lot for your hints and the links!


I'll work further on it to write NAGIOS check scripts...


Regards

Mathias

Farrukh Haroon Sat, 11/22/2008 - 23:07

It's great that you have made progress, Mathias.


Please update us once you have the scripts :). And also please rate if you find any post helpful.


Regards


Farrukh

mathias.mahnke Sun, 11/23/2008 - 09:25

Nagios check scripts are running and can also be used just as Linux CLI tools:


host$ ./check_cisco_ips.pl -H -C -2 -T cpu -w 70%,50%,40% -c 90%,70%,50%

Cisco IPS CPU : 5sec = 13 %, 2min = 13 %, 5min = 18 % : OK


host$ ./check_cisco_ips.pl -H -C -2 -T mem -w 60% -c 80%

Cisco IPS Memory : used = 977 MB, free = 1018 MB, utilization = 48 % : OK


host$ ./check_cisco_ips.pl -H -C -2 -T health -w 1,0,1,1 -c 0,1,5,5

Cisco IPS Health : inactive = 0, memory critical = 0, packet loss = 0 %, packet deny rate = 0 % : OK


host$ ./check_cisco_ips_int.pl -H -C -2 -n ge0_[0,1] -k -w 10000,10000 -c 20000,20000 --label

ge0_1:Unpaired (in=597.9KBps/out=597.9KBps), ge0_0:UP (in=0.4KBps/out=4.1KBps) : 2 UP : OK


Tested with AIP-IPS-20 modules hosted in an ASA5540. May still have bugs, any feedback is welcome.
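
A sketch of the threshold logic a check like this needs, added here as an example; it is not the check_cisco_ips.pl script, whose source is not in this thread. It parses snmpwalk text for the CPU columns .6/.7/.8 walked earlier and the memory pool used/free columns from the earlier formula; the memory sample lines and default thresholds are constructed to mirror figures quoted in the thread, and utilization is assumed to be used / (used + free).

```python
import re

# Columns under 1.3.6.1.4.1.9.9.109.1.1.1.1 (CPU) that returned data in the walk above.
CPU_COLS = {"6": "5sec", "7": "1min", "8": "5min"}
# Columns under 1.3.6.1.4.1.9.9.221.1.1.1.1 (memory pool) used in the thread's formula.
MEM_COLS = {"7": "used", "8": "free"}
LINE = re.compile(r"enterprises\.9\.9\.(109|221)\.1\.1\.1\.1\.(\d+)\.[\d.]+ = \w+: (\d+)")
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes

# CPU lines are the walk output quoted in the thread; the two memory lines are constructed.
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.1 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.6.1 = Gauge32: 33
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.7.1 = Gauge32: 38
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.1 = Gauge32: 29
SNMPv2-SMI::enterprises.9.9.221.1.1.1.1.7.1.1 = Gauge32: 1024458752
SNMPv2-SMI::enterprises.9.9.221.1.1.1.1.8.1.1 = Gauge32: 1067450368
"""

def parse_walk(text):
    """Extract CPU percentages and summed memory pool bytes from snmpwalk text."""
    cpu, mem = {}, {"used": 0, "free": 0}
    for subtree, col, val in LINE.findall(text):
        if subtree == "109" and col in CPU_COLS:
            key = CPU_COLS[col]
            cpu[key] = max(cpu.get(key, 0), int(val))  # busiest row if several
        elif subtree == "221" and col in MEM_COLS:
            mem[MEM_COLS[col]] += int(val)             # sum over all pools
    return cpu, mem

def check_cpu(cpu, warn=(70, 50, 40), crit=(90, 70, 50)):
    """Compare 5sec/1min/5min CPU against per-interval thresholds."""
    order = ("5sec", "1min", "5min")
    if any(k not in cpu for k in order):
        # The failure mode from this thread: device answers, but no CPU data.
        return UNKNOWN, "CPU columns missing from SNMP response"
    vals = [cpu[k] for k in order]
    code = (CRITICAL if any(v >= c for v, c in zip(vals, crit))
            else WARNING if any(v >= w for v, w in zip(vals, warn)) else OK)
    return code, "5sec = %d %%, 1min = %d %%, 5min = %d %%" % tuple(vals)

def check_mem(mem, warn=60, crit=80):
    """Compute utilization from used/free bytes and compare against thresholds."""
    total = mem["used"] + mem["free"]
    if total == 0:
        return UNKNOWN, "memory pool columns missing from SNMP response"
    util = 100 * mem["used"] // total
    code = CRITICAL if util >= crit else WARNING if util >= warn else OK
    return code, "utilization = %d %%" % util
```

Returning UNKNOWN rather than OK when the columns are absent makes the "detected but no data" case raised at the start of this thread show up as an alert instead of a silent gap.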



mathias.mahnke Tue, 12/16/2008 - 07:38

FYI, there is currently a feature request open to add SNMP information regarding the IPS inspection load:


"CSCsu08529 Unable to monitor sensor health via SNMP.


This is not a bug, this is an enhancement request to add SNMP OIDs to retrieve sensor health data such as the inspection load."

Andy White Wed, 08/01/2012 - 07:12

Hi,


Did anyone manage to import the load % into Solarwinds in the end? It looks like the CPU is possible, but the load is the most important one in my eyes.


Thanks
