Smart Call Home on the ASA

Sep 1, 2010 11:55 AM


What is Smart Call Home?

Smart Call Home is really a two-piece solution. The first piece is the call-home feature on the ASA, which is both time-based and event-based and can send information to Cisco and/or to yourself. The second is a web portal, where you can view your Smart Call Home registered devices and see information about their current status.

What Benefits Does Smart Call Home Provide?

Smart Call Home provides several benefits to customers. The best known is the ability for TAC cases to be opened automatically when a fault is detected. Examples are a fan failure, a redundant power supply failure, or the temperature of the CPU, power supply or chassis reaching a critical level. If the ASA crashes, it will also open a TAC case. Since the Cisco TAC is 24x7, they start working on the problem immediately. Most of the time, when TAC reaches out to the customer, it is before the customer is aware of the problem.

How would you like to receive a phone call from TAC letting you know they received a fan failure on a device, and that the replacement is already being shipped and on its way? Or that your ASA crashed, they have identified the software defect, and you may apply a workaround or upgrade to version X to receive the fix? This proactive reaching out to you, the customer, is a key benefit of Smart Call Home.

Users of Smart Call Home can also log in to the SCH portal to view their current registered devices and their status. The portal will display information about which ASA is Active (in a failover set), and also if you have a time-based license, it will show how much time is remaining before expiration. If you have multiple ASA devices, you can quickly scan through the list to see if they are all running the same version. You can also see if any PSIRT Advisories apply to them.

[Image: sch_portal.jpg - the Smart Call Home portal device list]

What Types of Information are Sent from the ASA to Cisco?

If you follow the instructions in this document and activate the default CiscoTAC-1 profile, then the following information will be sent in to Cisco:

1. Diagnostic

If the ASA crashes, it will send in the sanitized output of show crash and show tech-support.

2. Environment

If an environmental alarm is triggered, the ASA will send in the output of show environment. If a high memory or CPU condition is detected, the ASA will send in the output of show memory detail or show cpu usage.

3. Inventory

By default, every month the output of show inventory, show version, show module, show failover state, and show environment is sent in as part of an Inventory message.

4. Configuration

By default, every month the output of show call-home registered-module status | include enabled is sent in, which is the list of features enabled on the ASA.


Example

ASA# show call-home registered-module status | include enabled
call-home enabled
inspection-dns enabled
inspection-esmtp enabled
inspection-ftp enabled
inspection-hs232 enabled
inspection-netbios enabled
inspection-rsh enabled
inspection-rtsp enabled
inspection-sip enabled
inspection-skinny enabled
. . .

If you want to send in your sanitized configuration for archival purposes, you need to change the default command in the CiscoTAC-1 profile from

subscribe-to-alert-group configuration periodic monthly

to:

subscribe-to-alert-group configuration export full periodic monthly

Notice that the export full option was added. Without it, only the list of features is sent in.

5. Telemetry

By default, the following telemetry information is sent in daily:

show perfmon detail
show traffic
show conn count
show vpn-sessiondb summary
show vpn load-balancing
show local-host
show memory
show access-list | include elements
show interface
show phone-proxy media-sessions count
show phone-proxy secure-phones count
show threat-detection statistics protocol
show xlate count
show perfmon detail
show route

The frequency can be modified by changing the following command:

subscribe-to-alert-group telemetry periodic daily

Alert Groups

All information that can be transmitted to Cisco via Smart Call Home is configured through alert groups. Above, we looked at the information that is sent in under the default alert group configuration. You may customize that configuration to send the information at a different frequency, or to disable or enable alert groups. Additionally, some alert groups allow you to choose what type of data, and how much of it, is sent in.

The following alert groups can be configured on the ASA.

configuration Configuration Group
diagnostic Diagnostic Group
environment Environmental Group
inventory Inventory Group
snapshot Snapshot Group
syslog System Log Group
telemetry Telemetry Group
threat Threat Group

For each alert group, the frequency and the amount of data sent are as follows.

configuration
  Frequency: configurable periodicity: daily, weekly, monthly
  Amount of data: full sends a sanitized version of the full config; minimum sends only the list of features enabled

diagnostic
  Frequency: automatically triggered based on event
  Amount of data: configurable severity: alert, catastrophic, critical, debugging, disaster, emergencies, errors, informational, notifications, warnings. Default is informational.

environment
  Frequency: automatically triggered based on event
  Amount of data: configurable severity: alert, catastrophic, critical, debugging, disaster, emergencies, errors, informational, notifications, warnings. Default is informational. The following data is sent: show environment

inventory
  Frequency: configurable periodicity: daily, weekly, monthly
  Amount of data: the following data is sent: show inventory, show version, show module, show failover state, and show environment

threat
  Frequency: automatically triggered based on event
  Amount of data: for shun, the following data is sent: show threat-detection rate, show threat-detection scanning-threat, show threat-detection statistics, show shun. For dynamic-filter drops, the following data is sent: show dynamic-filter statistics, show dynamic-filter reports top

syslog
  Frequency: automatically triggered based on event
  Amount of data: the syslog message itself

telemetry
  Frequency: configurable periodicity: daily, weekly, monthly
  Amount of data: the following data is sent: show perfmon detail, show traffic, show conn count, show vpn-sessiondb summary, show vpn load-balancing, show local-host, show memory, show access-list | include elements, show interface, show phone-proxy media-sessions count, show phone-proxy secure-phones count, show threat-detection statistics protocol, show xlate count, show perfmon detail, show route

snapshot
  Frequency: configurable periodicity: hourly, daily, weekly, monthly, or a user-defined interval
  Amount of data: the output of any command the user has requested in the snapshot

How is the Information Transmitted?

The ASA can communicate with Cisco's Smart Call Home servers via either HTTPS or SMTP. Customers should use HTTPS so that data from the ASA to Cisco is transferred securely. This document focuses exclusively on configuring the ASA for HTTPS transport.

Also note that a Transport Gateway option is available, which allows SCH-capable devices (like the ASA) to send data via HTTP to a Transport Gateway application on the customer premises. The Transport Gateway then forwards the data on to Cisco via HTTPS. This allows all SCH data to be aggregated on a central customer-premises device, so that only that device communicates with Cisco. For more information on the Transport Gateway, please see the Transport Gateway Q&A. You may also download the Transport Gateway directly from here.

Enabling Smart Call Home on the ASA

Configuring the ASA for Call Home is pretty simple, but it contains three parts:

  1. Configuring a DNS Server on the ASA
  2. Installing and trusting the CA certificate
  3. Configuring the call-home feature on the ASA

Configuring a DNS Server on the ASA

In order for the ASA to contact Cisco's Smart Call Home server via HTTPS, it must be able to resolve the web site https://tools.cisco.com. Therefore, a DNS server must be configured on the ASA so that it can resolve the name to an IP address. Follow the steps below to configure a DNS server on the ASA.

  1. Enable the ASA to perform DNS lookups by adding the dns domain-lookup <interface> command.
  2. Specify the DNS server for the ASA to use when performing name lookups using the dns name-server <ip> command.

Example

ciscoasa(config)# dns domain-lookup Outside
ciscoasa(config)# dns name-server 203.0.113.43

Installing and Trusting the CA Certificate

Since the ASA will be contacting the Cisco Call Home server over Secure HTTP (HTTPS), the ASA must be able to validate and trust the certificate presented by the Call Home server. For this to work, you must install on the ASA the CA certificate that signed the certificate issued to the Call Home server. Please follow the steps below to accomplish this task.

For simplicity, you can just copy and paste all of the below from enable or config mode:

configure terminal
crypto ca trustpoint Call-Home-CA
enrollment terminal
exit
crypto ca authenticate Call-Home-CA
[base64-encoded CA certificate omitted from this copy of the document]
quit

Example

Create Trustpoint

ciscoasa(config)# crypto ca trustpoint Call-Home-CA
ciscoasa(config-ca-trustpoint)# enrollment terminal
ciscoasa(config-ca-trustpoint)# exit
ciscoasa(config)#

Install Certificate

ciscoasa(config)# crypto ca authenticate Call-Home-CA
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
[base64-encoded CA certificate omitted from this copy of the document]
quit

INFO: Certificate has the following attributes:
Fingerprint: 3c48420d ff581a38 86bcfd41 d48a41de
Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

% Certificate successfully imported
ciscoasa(config)#

Configuring the call-home Feature on the ASA

The simplest way to configure the call-home feature on the ASA is to:

  1. Enable the service
  2. Define your contact e-mail address, which is used to send you an e-mail to complete the registration process
  3. Activate the default CiscoTAC-1 profile

The following commands accomplish these tasks:

service call-home
call-home
contact-email-addr <email-address>
profile CiscoTAC-1
active

After configuring the above, the ASA will send a call-home message to Cisco, which will trigger the registration process and you will receive an e-mail to the contact-email-addr within a few minutes. You must click on the link in the e-mail to complete the registration process and to then view your device on the Smart Call Home portal.

Example Configuration

Below is an example configuration, mainly using the defaults:

service call-home
call-home
contact-email-addr customer@mail.server
profile CiscoTAC-1
active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration export full periodic weekly
subscribe-to-alert-group environment
subscribe-to-alert-group diagnostic
subscribe-to-alert-group telemetry periodic daily

What has been changed is that the command subscribe-to-alert-group configuration export full periodic weekly was added. By default, the configuration export method is 'minimum', in which case the configuration itself is not sent in; only the list of enabled features is. By changing this option to export full, a scrubbed configuration of the ASA (passwords and IP addresses removed) is sent to the Cisco Call Home server, which allows the network administrator to view the configuration of the ASA from the Smart Call Home portal.
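Because the alert group subscriptions decide what leaves the device and how often, it is worth being able to check a saved running-config for them before (or after) enabling the profile. The following Python script is an added example and is not Cisco's code or part of the original document: it parses the text of show running-config, reports for each call-home profile which alert groups are subscribed (as in the Alert Groups section above), their periodicity, and whether the full sanitized configuration export is on, and checks for the three prerequisites this document describes (DNS, a CA trustpoint, and the http transport to an https:// destination). It assumes the ASA's running-config layout shown in the example configuration above (one-space indent under call-home, two spaces under profile); SAMPLE_CONFIG is constructed for illustration, and its hostname and DNS server address are made up.

```python
"""Audit an ASA running-config for its Smart Call Home settings.
Added example, not Cisco's code. Parses 'show running-config' text and
reports what each call-home profile sends to Cisco and whether the
prerequisites (DNS, CA trustpoint, HTTPS transport) are in place."""

import re

# Constructed sample, modelled on the example configuration in this
# document (hostname and DNS server address are made up).
SAMPLE_CONFIG = """\
hostname ciscoasa
dns domain-lookup Outside
dns name-server 203.0.113.43
crypto ca trustpoint Call-Home-CA
 enrollment terminal
service call-home
call-home
 contact-email-addr customer@mail.server
 profile CiscoTAC-1
  active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration export full periodic weekly
  subscribe-to-alert-group environment
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group telemetry periodic daily
"""

SUBSCRIBE_RE = re.compile(
    r"subscribe-to-alert-group\s+(?P<group>\S+)"
    r"(?:\s+export\s+(?P<export>full|minimum))?"
    r"(?:\s+periodic\s+(?P<period>daily|weekly|monthly|hourly|interval\s+\S+))?$"
)


def parse_profiles(config):
    """Return {profile_name: {active, transport, http_destination, groups}}."""
    profiles, current, in_call_home = {}, None, False
    for raw in config.splitlines():
        line = raw.rstrip()
        if line == "call-home":            # start of the call-home block
            in_call_home = True
            continue
        if in_call_home and line and not line.startswith(" "):
            in_call_home = False           # an unindented line ends the block
        if not in_call_home:
            continue
        stripped = line.strip()
        m = re.match(r"profile\s+(\S+)$", stripped)
        if m:
            current = profiles.setdefault(m.group(1), {
                "active": False, "transport": None,
                "http_destination": None, "groups": {}})
            continue
        if current is None:
            continue
        if stripped == "active":
            current["active"] = True
        elif stripped.startswith("destination transport-method "):
            current["transport"] = stripped.split()[-1]
        elif stripped.startswith("destination address http "):
            current["http_destination"] = stripped.split()[-1]
        else:
            m = SUBSCRIBE_RE.match(stripped)
            if m:
                group = m.group("group")
                # The configuration group defaults to 'minimum' (feature list only).
                export = m.group("export") or ("minimum" if group == "configuration" else None)
                current["groups"][group] = {"export": export,
                                            "period": m.group("period") or "event-triggered"}
    return profiles


def audit(config):
    """Return a list of findings; an empty list means the setup matches this document."""
    findings = []
    if not re.search(r"^dns domain-lookup \S+", config, re.M):
        findings.append("DNS lookups are not enabled (dns domain-lookup missing)")
    if not re.search(r"^dns name-server \S+", config, re.M):
        findings.append("No DNS server configured; tools.cisco.com cannot be resolved")
    if not re.search(r"^crypto ca trustpoint \S+", config, re.M):
        findings.append("No CA trustpoint; the Call Home server certificate cannot be validated")
    if not re.search(r"^service call-home$", config, re.M):
        findings.append("service call-home is not enabled")
    for name, p in parse_profiles(config).items():
        if not p["active"]:
            findings.append(f"profile {name} is not active")
        if p["transport"] != "http":
            findings.append(f"profile {name} uses transport '{p['transport']}', not http (HTTPS)")
        elif not (p["http_destination"] or "").startswith("https://"):
            findings.append(f"profile {name} http destination is not an https:// URL")
        cfg = p["groups"].get("configuration")
        if cfg and cfg["export"] == "full":
            # Not a fault, but worth knowing: the sanitized config leaves the device.
            findings.append(f"profile {name} exports the full sanitized configuration {cfg['period']}")
    return findings


if __name__ == "__main__":
    for name, p in parse_profiles(SAMPLE_CONFIG).items():
        print(name, "active" if p["active"] else "inactive", p["groups"])
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a saved copy of show running-config (read the file into a string in place of SAMPLE_CONFIG). Against the sample, the only finding is the full configuration export, which is reported deliberately: it is the one subscription that changes what data leaves the device, so it belongs in a change review even when it is intentional.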

Troubleshooting

If you are having problems with the ASA communicating with the Cisco Call Home server, enable debug call-home all and then send a test message using call-home test profile <profile_name>.

Example

ciscoasa# debug call-home all
call-home all event trace on
Success

What you should see is the following output:


ciscoasa# call-home test profile CiscoTAC-1
INFO: Destination callhome@cisco.com skipped. Transport method email is not enabled.
INFO: Sending test message to https://tools.cisco.com/its/service/oddce/services/DDCEService...
ci/console: processing test(Test) SCH Configuration Test
ci/console: [0] dispatching test message to https://tools.cisco.com/its/service/oddce/services/DDCEService
ci/console: upload 2759 bytes
INFO: Succeeded

ci/console: throttle channel input 2759 bytes, output 2759 bytes
ci/console: [0] Successfully dispatch test message(2) to https://tools.cisco.com/its/service/oddce/services/DDCEService

Additionally, within a few minutes, you should receive an e-mail, indicating that your test message was received. If you have not completed the registration process for this ASA, then the e-mail will provide a link to confirm the registration process. By clicking on the link, you tie your CCO user ID to the ASA, so that the ASA appears when you log into the Smart Call Home portal.

[Image: Email_Notify_Device_Registration.png - the device registration notification e-mail]

No DNS Server Configured

If you have configured call-home but the ASA is unable to resolve the IP of tools.cisco.com (because the DNS server is not configured or is unreachable), then you will see the following messages in the debugs:

ciscoasa# call-home test profile CiscoTAC-1


INFO: Destination callhome@cisco.com skipped. Transport method email is not enabled.
INFO: Sending test message to https://tools.cisco.com/its/service/oddce/services/DDCEService...
ERROR: Failed: INVALID_ADDRESS(16)
ci/console: processing test(Test) SCH Configuration Test
ci/console: [0] dispatching test message to https://tools.cisco.com/its/service/oddce/services/DDCEService
ci/console: [0] Dispatch message(1) test to https://tools.cisco.com/its/service/oddce/services/DDCEService failed: INVALID_ADDRESS(16)
ci/console: Local error for https://tools.cisco.com/its/service/oddce/services/DDCEService, discarded (error INVALID_ADDRESS(16))

Verifying the DNS Server

To validate that DNS is resolving correctly, just attempt to ping tools.cisco.com. The name should be resolved to an IP address and the pings should succeed. (Note that tools.cisco.com is load-balanced, so the IP may differ from what is shown below.)

ciscoasa# ping tools.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 128.107.242.16, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 70/76/80 ms
