Cisco PIX 525 SNMP Management

Answered Question

I looked through both those guides and they don't explain the commands really. There is one command, "snmp-server host x.x.x.x" but that does not work. That command has to be snmp-server host inside/outside poll community xxxxx. But that doesn't work either.


This is what is in my running config:

no snmp-server location
no snmp-server contact
snmp-server community xxxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart



What am I missing?

Marvin Rhoads Tue, 01/12/2010 - 14:28

According to my PIX (Version 6.3(1)), the syntax for the key "snmp-server host" command is:


[no] snmp-server host [] [trap|poll]


As a bracketed parameter, is optional. In any case, that command will determine where snmp traps are sent to. Without it, the device does not know where to send snmp traps, thus raising the existential question "If a trap is generated without a receiver, does anyone hear it?"



Here is what I am using:


snmp-server host inside ***.***.***.*** poll
snmp-server location *********
snmp-server contact ********
snmp-server community ************
snmp-server enable traps


(asterisks replacing my specific data)

yjdabear Tue, 01/12/2010 - 14:42

It seems you're running PIX 7.x. If that's the case, it's "snmp-server host inside/outside poll community xxxxx" (rather than "snmp-server host inside/outside poll community xxxxx"), which does get covered in that doc:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a13.shtml#snmptothepix


"PIX/ASA Software Versions 7.x allow more granularity with regard to traps and queries.

hostname(config)#snmp-server host   trap community 

!--- The host is to be sent traps and cannot query
!--- with community string specified.

hostname(config)#snmp-server host poll community

!--- The host can query but is not to be sent traps
!--- with community string specified."





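Added example, not from the thread and not Cisco's own tooling: a small Python audit of a PIX 7.x-style running config that reports the gap both replies point at (no `snmp-server host` line, so nothing may poll and traps have no destination) and a few related things an operator would want flagged. The sample config is constructed to match the one posted in the question; the management-station address 10.0.0.5, the finding codes and the `audit_snmp` helper are assumptions made for the example. The host-line pattern follows the 7.x syntax `snmp-server host <if_name> <ip> [trap | poll] [community <string>] [version ...] [udp-port ...]`.

```python
import re

# Constructed sample running config, modelled on the one posted in the question.
SAMPLE_CONFIG = """\
no snmp-server location
no snmp-server contact
snmp-server community xxxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
"""

# PIX/ASA 7.x syntax:
#   snmp-server host <if_name> <ip> [trap | poll] [community <str>] [version <v>] [udp-port <p>]
HOST_RE = re.compile(
    r"^snmp-server host (?P<iface>\S+) (?P<addr>\S+)"
    r"(?: (?P<mode>trap|poll))?(?: community (?P<community>\S+))?"
    r"(?: version (?P<version>\S+))?(?: udp-port (?P<port>\d+))?\s*$"
)
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)$")


def parse_snmp_config(config):
    """Collect the SNMP-related lines from a running config."""
    hosts, communities, traps_enabled = [], [], False
    for raw in config.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            hosts.append(m.groupdict())
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            communities.append(m.group(1))
            continue
        if line.startswith("snmp-server enable traps"):
            traps_enabled = True
    return {"hosts": hosts, "communities": communities, "traps_enabled": traps_enabled}


def audit_snmp(config, nms_addr):
    """Return (code, message) findings for the management station at nms_addr."""
    findings = []
    parsed = parse_snmp_config(config)

    # Well-known default community strings are a giveaway to anyone who can reach UDP/161.
    for c in parsed["communities"]:
        if c.lower() in ("public", "private"):
            findings.append(("DEFAULT_COMMUNITY", f"community string '{c}' is a vendor default"))

    hosts = parsed["hosts"]
    if not hosts:
        # This is the situation in the original question: community and traps are
        # configured, but no station is allowed to poll and traps have nowhere to go.
        findings.append(("NO_HOST", "no snmp-server host line: nothing may poll and traps have no destination"))
        return findings

    nms = [h for h in hosts if h["addr"] == nms_addr]
    if not nms:
        findings.append(("NMS_NOT_PERMITTED", f"{nms_addr} has no snmp-server host entry and will be refused"))
    elif all(h["mode"] == "trap" for h in nms):
        # A trap-only entry receives traps but cannot query (see the quoted doc above).
        findings.append(("NMS_TRAP_ONLY", f"{nms_addr} is trap-only and cannot poll"))

    # With no mode keyword the host may both poll and receive traps; poll-only
    # entries never receive traps, so enabled traps would be silently dropped.
    if parsed["traps_enabled"] and not any(h["mode"] in (None, "trap") for h in hosts):
        findings.append(("NO_TRAP_RECEIVER", "traps are enabled but every snmp-server host is poll-only"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_snmp(SAMPLE_CONFIG, "10.0.0.5"):
        print(f"{code}: {msg}")
```

Running it against the posted config yields only `NO_HOST`; appending `snmp-server host inside 10.0.0.5 poll community xxxxxx` clears that but leaves `NO_TRAP_RECEIVER`, because a poll-only entry never receives the traps that `snmp-server enable traps` generates. Dropping the `poll` keyword gives a host that both polls and receives traps, and the audit comes back clean.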
yjdabear Wed, 01/13/2010 - 10:34

For stateful failover (I vaguely recall a "special" failover cable in this picture?), "show failover" should indicate the active vs standby units. This is explained here, for example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#veri


Some possible status outputs to keep an eye on are:

"primary - active"
"context: Active"
"secondary - active"
"secondary - Failed"
"failover off"
"no license for failover"
"requires failover license"



Another way of monitoring the failover pair is to set up syslog monitoring for the failover related messages (presumably on redundant syslog servers), starting with ones such as "PIX-1-101002: (Primary) Bad failover cable" (substitute ASA for PIX if applicable, or vice versa) and on down, many of which may not indicate an immediate failover, but could forewarn conditions such as active not synchronizing to the standby:


http://www.cisco.com/en/US/docs/security/asa/asa81/system/message/81logmsg.html#wp4768551
http://www.cisco.com/en/US/docs/security/asa/asa81/system/message/81logmsg.html#wpmkr4768574

Thanks...I am trying to figure out how failover works I guess. Does the standby assume the IPs and names of the primary unit when it fails over, or does it use its own IPs for the inside/outside interfaces when it fails over?



The secondary host shouldn't say this when on standby right?


Other host: Secondary - Failed



The primary always says "Waiting":


This host: Primary - Active
                Active time: 31443135 (sec)
                Interface outside (x.x.x.x): Normal (Waiting)
                Interface inside (x.x.x.x): Normal (Waiting)


Does that mean waiting to replicate?
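Added example, not from the thread: a Python monitor that covers the two checks yjdabear describes above, parsing `show failover` output for the states worth alerting on and picking failover-related messages out of a syslog feed, and it also handles the `Secondary - Failed` and `Normal (Waiting)` lines quoted in the last post. The `This host` block of the sample is the output posted above; the `Other host` block, the syslog lines and the alert codes are constructed for the example. Treating message IDs 101001 through 105999 as the PIX/ASA failover range is an assumption; 101002 is the one quoted in the thread.

```python
import re

# Constructed "show failover" sample. The "This host" lines are the ones posted in
# the thread; the "Other host" block is made up for the example.
SAMPLE_SHOW_FAILOVER = """\
Failover On
This host: Primary - Active
                Active time: 31443135 (sec)
                Interface outside (x.x.x.x): Normal (Waiting)
                Interface inside (x.x.x.x): Normal (Waiting)
Other host: Secondary - Failed
                Active time: 0 (sec)
                Interface outside (x.x.x.x): Unknown (Waiting)
                Interface inside (x.x.x.x): Unknown (Waiting)
"""

# Constructed syslog lines; the first carries the message ID quoted in the thread.
SAMPLE_SYSLOG = [
    "Jan 12 14:28:01 pix1 %PIX-1-101002: (Primary) Bad failover cable.",
    "Jan 12 14:28:05 pix1 %PIX-6-302013: Built outbound TCP connection 12 for outside:x.x.x.x",
]

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(Primary|Secondary)\s*-\s*(\w+)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \((\S+)\):\s*(\w+)(?:\s*\((\w+)\))?")
SYSLOG_RE = re.compile(r"%(PIX|ASA|FWSM)-(\d)-(\d{6}):\s*(.*)$")


def parse_show_failover(text):
    """Turn 'show failover' output into {failover_on, hosts{this/other}}."""
    state = {"failover_on": None, "hosts": {}}
    current = None
    for line in text.splitlines():
        low = line.strip().lower()
        if low.startswith("failover on"):
            state["failover_on"] = True
        elif low.startswith("failover off"):
            state["failover_on"] = False
        m = HOST_RE.match(line)
        if m:
            which, unit, status = m.groups()
            current = which.lower()
            state["hosts"][current] = {"unit": unit, "status": status, "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            name, addr, status, detail = m.groups()
            state["hosts"][current]["interfaces"][name] = {"addr": addr, "status": status, "detail": detail}
    return state


def failover_alerts(state):
    """Apply the conditions listed in the thread to a parsed 'show failover'."""
    alerts = []
    if state["failover_on"] is False:
        alerts.append(("FAILOVER_OFF", "failover is disabled"))
    statuses = [h["status"].lower() for h in state["hosts"].values()]
    if statuses.count("active") > 1:
        alerts.append(("BOTH_ACTIVE", "both units report Active"))
    for which, h in state["hosts"].items():
        if h["status"].lower() == "failed":
            alerts.append(("UNIT_FAILED", f"{which} host ({h['unit']}) reports Failed"))
        for name, i in h["interfaces"].items():
            if i["status"].lower() != "normal":
                alerts.append(("IFACE_NOT_NORMAL", f"{which} host interface {name} is {i['status']}"))
            if (i["detail"] or "").lower() == "waiting":
                # The peer interface has not been confirmed yet; persistent Waiting
                # on a long-running unit deserves a look.
                alerts.append(("IFACE_WAITING", f"{which} host interface {name} is Waiting"))
    return alerts


def failover_syslog_events(lines):
    """Pick the failover-related PIX/ASA system messages out of a syslog feed."""
    events = []
    for line in lines:
        m = SYSLOG_RE.search(line)
        if not m:
            continue
        platform, severity, msgid, text = m.groups()
        # Assumption: IDs 101001-105999 are the failover message range.
        if 101001 <= int(msgid) <= 105999:
            events.append({"platform": platform, "severity": int(severity), "id": msgid, "text": text})
    return events


if __name__ == "__main__":
    for code, msg in failover_alerts(parse_show_failover(SAMPLE_SHOW_FAILOVER)):
        print(f"{code}: {msg}")
    for ev in failover_syslog_events(SAMPLE_SYSLOG):
        print(f"syslog {ev['platform']} sev{ev['severity']} {ev['id']}: {ev['text']}")
```

On the sample above the monitor raises `UNIT_FAILED` for the secondary (the state the last post asks about), `IFACE_NOT_NORMAL` for the failed unit's interfaces, and `IFACE_WAITING` for every interface still showing `(Waiting)`; the syslog pass keeps only the `101002` line and discards the ordinary connection message. Feed it the same two sources from both units of the pair so that a peer that has gone quiet is noticed even if the active unit's own status looks healthy.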
