David White
Cisco Employee

 

General Information

The following information is provided as a supplement to the information found in the ASA Configuration Guide and the SNMP MIB browser.

 

 

Syslogs

The following syslogs messages are generated by SNMP:

   212001: Unable to open SNMP channel (UDP port %d) on interface "%s", error code = %d
       'error code' descriptions:
       -1 ::= Unable to establish a listener on the configured port.
              Communication with hosts in the snmp-server config is not possible.  The
              thread will automatically attempt to re-establish a listener on the default
              SNMP port (UDP 161).
   212002: Unable to open SNMP trap channel (UDP port %d) on interface "%s", error code = %d
       'error code' descriptions:
       -1 ::= Unable to open a UDP channel on the trap port.
       -2 ::= Unable to bind to the UDP channel.
       -3 ::= Unable to set the trap channel as write-only.
   212003: Unable to receive an SNMP request on interface "%s", error code = %d, will try again.
       'error code' descriptions:
       -1 ::= Unsupported transport type.
       -5 ::= Received 0 bytes from UDP channel.
       -7 ::= Incoming request exceeds supported buffer size.
       -14 ::= Unable to determine source address from UDP.
       -22 ::= Invalid parameter.
   212004: Unable to send an SNMP response to %s, error code = %d
       'error code' descriptions:
       -1 ::= Unsupported transport type
       -2 ::= Invalid parameter.
       -3 ::= Unable to set destination address in UDP.
       -4 ::= PDU length exceeds supported UDP segment size.
       -5 ::= Unable to allocate system block to construct PDU.
   212005: incoming SNMP request (%d bytes) from %s exceeds data buffer size, discarding this SNMP request.
   212006: Dropping SNMP request from %I/%d to %s:%I/%s because: %s
       'because' descriptions:
       "SNMPv3 not supported"
       "snmp-server is disabled"
   211001: Memory allocation Error
   710005: %s request discarded from %A/%d to %s:%A/%d
   710002: %s access permitted from %A/%d to %s:%A/%s
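The following is an added example, not part of the original page: a small Python triage script for the message formats listed above. It assumes the standard "%ASA-<severity>-<id>:" syslog prefix in front of each message text, and the sample lines it runs on are constructed (addresses, ports and severities are illustrative). Its security-relevant output is the list of sources that probed UDP/161 and were discarded (710005), sources the ASA accepted that are not on your own list of management stations, and agent-side channel errors decoded with the error-code tables above.

```python
"""Triage of the SNMP-related ASA syslog messages listed above.

Added example, not from the original page. The message texts follow the
format strings above (212001-212006, 710002, 710005) with the standard
"%ASA-<severity>-<id>:" prefix; the sample lines are constructed, not
captured from a device.
"""
import re
from collections import Counter

# Error-code meanings transcribed from the message descriptions above.
ERROR_CODES = {
    "212001": {-1: "unable to establish a listener on the configured port"},
    "212002": {-1: "unable to open a UDP channel on the trap port",
               -2: "unable to bind to the UDP channel",
               -3: "unable to set the trap channel as write-only"},
    "212003": {-1: "unsupported transport type", -5: "received 0 bytes from UDP channel",
               -7: "incoming request exceeds supported buffer size",
               -14: "unable to determine source address from UDP", -22: "invalid parameter"},
    "212004": {-1: "unsupported transport type", -2: "invalid parameter",
               -3: "unable to set destination address in UDP",
               -4: "PDU length exceeds supported UDP segment size",
               -5: "unable to allocate system block to construct PDU"},
}
HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
ERRCODE = re.compile(r"error code = (?P<code>-?\d+)")
# 710002 / 710005: "<proto> access permitted|request discarded from A/p to ifc:B/p"
ACCESS = re.compile(r"^(?P<proto>\S+) (?:access permitted|request discarded) from "
                    r"(?P<src>[\d.]+)/\d+ to (?P<ifc>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)$")
# 212006: "Dropping SNMP request from A/p to ifc:B/p because: <reason>"
DROP = re.compile(r"^Dropping SNMP request from (?P<src>[\d.]+)/\d+ to "
                  r"(?P<ifc>[^:\s]+):(?P<dst>[\d.]+)/\S+ because: (?P<reason>.*)$")


def parse_line(line):
    """Return an event dict for an SNMP-related message, else None."""
    m = HEADER.search(line)
    if not m:
        return None
    msg_id, text = m.group("id"), m.group("text")
    event = {"id": msg_id}
    if msg_id in ERROR_CODES:                   # channel / PDU problems on the agent side
        c = ERRCODE.search(text)
        event["code"] = int(c.group("code")) if c else None
        event["reason"] = ERROR_CODES[msg_id].get(event["code"], "unknown error code")
        return event
    if msg_id in ("710002", "710005"):          # who is talking to the agent
        a = ACCESS.match(text)
        if a and int(a.group("dport")) in (161, 162):
            event.update(src=a.group("src"), ifc=a.group("ifc"), discarded=(msg_id == "710005"))
            return event
        return None                             # 710002/710005 for some other service
    if msg_id == "212006":                      # request reached the agent but was refused
        d = DROP.match(text)
        if d:
            event.update(src=d.group("src"), reason=d.group("reason"))
        return event
    return None


def triage(lines, allowed_nms):
    """allowed_nms: the hosts configured with snmp-server host. Returns
    sources probing UDP/161 that the ASA discarded, sources the ASA accepted
    that are not on our list (config drift), agent-side errors, and drops."""
    out = {"probes": Counter(), "unexpected_permitted": Counter(),
           "channel_errors": [], "drops": []}
    for ev in filter(None, map(parse_line, lines)):
        if ev["id"] == "710005":
            out["probes"][ev["src"]] += 1
        elif ev["id"] == "710002" and ev["src"] not in allowed_nms:
            out["unexpected_permitted"][ev["src"]] += 1
        elif ev["id"] in ERROR_CODES:
            out["channel_errors"].append((ev["id"], ev["code"], ev["reason"]))
        elif ev["id"] == "212006":
            out["drops"].append((ev.get("src"), ev.get("reason")))
    return out


# Constructed sample; severities and addresses are illustrative.
SAMPLE_LOG = """\
%ASA-3-212001: Unable to open SNMP channel (UDP port 161) on interface "inside", error code = -1
%ASA-7-710005: UDP request discarded from 10.20.0.9/51234 to inside:10.10.0.1/161
%ASA-7-710005: UDP request discarded from 10.20.0.9/51235 to inside:10.10.0.1/161
%ASA-7-710002: UDP access permitted from 10.10.0.50/40000 to inside:10.10.0.1/161
%ASA-7-710002: UDP access permitted from 10.10.0.77/40001 to inside:10.10.0.1/161
%ASA-7-710005: UDP request discarded from 10.20.0.9/51236 to inside:10.10.0.1/500
%ASA-3-212006: Dropping SNMP request from 10.10.0.50/40002 to inside:10.10.0.1/161 because: SNMPv3 not supported
%ASA-6-302013: Built inbound TCP connection 7 for outside:203.0.113.5/4431 (203.0.113.5/4431) to inside:10.10.0.8/443 (10.10.0.8/443)
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, allowed_nms={"10.10.0.50"}).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run against the sample, the script attributes two discarded probes to 10.20.0.9, reports 10.10.0.77 as a station the ASA accepted that is not in the operator's list, decodes the 212001 error code -1, and records the 212006 drop with its reason. Only requests to UDP/161 or 162 are counted; the 710005 line for port 500 is ignored.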

 

Statistics

SNMP server statistics are obtained by executing "show snmp-server statistics"

   sw8-5520(config)# sh snmp-server statistics
   0 SNMP packets input
       0 Bad SNMP version errors
       0 Unknown community name
       0 Illegal operation for community name supplied
       0 Encoding errors
       0 Number of requested variables
       0 Number of altered variables
       0 Get-request PDUs
       0 Get-next PDUs
       0 Get-bulk PDUs
       0 Set-request PDUs (Not supported)
   66 SNMP packets output
       0 Too big errors (Maximum packet size 512)
       0 No such name errors
       0 Bad values errors
       0 General errors
       0 Response PDUs
       66 Trap PDUs
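Added example (not from the original page): parsing two captures of this output and comparing the counters between polls. Both captures below are constructed; the first matches the output above, the second is what a run of community-string guessing against the agent leaves behind. The check also answers the question from the Q&A further down, whether requests are reaching the SNMP thread at all.

```python
"""Poll-to-poll comparison of "show snmp-server statistics" counters.

Added example, not from the original page. It parses two captures of the
command output in the format shown above (the samples are constructed) and
reports counter growth that points at a misbehaving or hostile poller, plus
the basic check of whether requests are reaching the agent at all.
"""
import re

COUNTER = re.compile(r"^\s*(?P<value>\d+)\s+(?P<name>\S.*?)\s*$")

# Counters that should not grow on a healthy, properly configured ASA.
SUSPICIOUS = {
    "Unknown community name": "wrong community string: misconfigured NMS or community guessing",
    "Bad SNMP version errors": "requests in an SNMP version this ASA does not accept",
    "Illegal operation for community name supplied": "operation not allowed for that community",
    "Number of altered variables": "SET is not supported on the ASA, so this must stay at 0",
    "Too big errors (Maximum packet size 512)": "responses did not fit in 512 bytes; reduce varbinds per request",
}


def parse_stats(text):
    """Map each counter label in the command output to its integer value."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            stats[m.group("name")] = int(m.group("value"))
    return stats


def delta(before, after):
    """Per-counter growth between two captures (missing counters count as 0)."""
    return {k: after[k] - before.get(k, 0) for k in after}


def alerts(before, after, threshold=1):
    """Suspicious counters that grew by at least `threshold` since the last poll."""
    d = delta(before, after)
    return [(name, d[name], why) for name, why in SUSPICIOUS.items() if d.get(name, 0) >= threshold]


def requests_reaching_agent(before, after):
    """False means the SNMP thread saw no input packets between the captures:
    look at the path to the ASA (snmp-server host, interface, filtering)
    rather than at the MIB."""
    return delta(before, after).get("SNMP packets input", 0) > 0


BEFORE = """\
0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    0 Get-next PDUs
    0 Get-bulk PDUs
    0 Set-request PDUs (Not supported)
66 SNMP packets output
    0 Too big errors (Maximum packet size 512)
    0 No such name errors
    0 Bad values errors
    0 General errors
    0 Response PDUs
    66 Trap PDUs
"""

AFTER = """\
157 SNMP packets input
    2 Bad SNMP version errors
    37 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    118 Number of requested variables
    0 Number of altered variables
    40 Get-request PDUs
    78 Get-next PDUs
    0 Get-bulk PDUs
    0 Set-request PDUs (Not supported)
190 SNMP packets output
    0 Too big errors (Maximum packet size 512)
    3 No such name errors
    0 Bad values errors
    0 General errors
    118 Response PDUs
    72 Trap PDUs
"""

if __name__ == "__main__":
    b, a = parse_stats(BEFORE), parse_stats(AFTER)
    print("requests reaching agent:", requests_reaching_agent(b, a))
    for name, growth, why in alerts(b, a, threshold=5):
        print("%-45s +%d  %s" % (name, growth, why))
```

With a threshold of 5 only the "Unknown community name" growth (+37) is reported; the two bad-version requests are below the threshold. The threshold is a tuning knob, not a value from the page.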

 

 

SNMP Core Traps

The adaptive security appliance sends the following SNMP core traps:

 •     authentication: An SNMP request fails because the NMS did not authenticate with the correct community string.
 •     linkup        : An interface has transitioned to the “up” state.
 •     linkdown      : An interface is down, for example, if you removed the nameif command.
 •     coldstart     : The ASA is running after a reload.

 

SNMP Link state traps for ASA 5505

 •     At bootup, the ASA sends link state traps only on interfaces that were configured with a nameif command (that is, VLAN interfaces). 
      Traps for physical interfaces (that is, Ethernet 0/0 and Ethernet 0/1) are also displayed.
 •     When the Ethernet 0/1 interface is down, the  ASA sends traps about the two logical interfaces that are assigned to this physical 
      interface. Traps for the logical and physical interfaces are displayed.
 •     When the Ethernet 0/1 interface is up, the  ASA sends traps about the two logical interfaces that are assigned to this physical interface. 
      Traps for the logical and physical interfaces are displayed.

 

SNMP MIB Support

 

MIB-II

The adaptive security appliance supports browsing of the following groups:

•     Systems
•     Interfaces, which includes the following objects:
–     ifOutQLen 
–     ifInUnknownProtos

Note     If the interface is up, the ifEntry.ifAdminStatus object returns a 1. If the interface is administratively down, the ifEntry.ifAdminStatus object returns a 2.

 

IF-MIB

The adaptive security appliance supports browsing of the following tables:

•     ifTable
•     ifXTable

For the ASA 5505 only:

•     All interfaces, including the internal interfaces, are assigned an ifIndex and are displayed together with their descriptions.
•     Only interfaces that have an MTU assigned report a value greater than zero. Use the show interface detail command to validate the output.
•     The administrative status for all interfaces is displayed.
•     The operational status for all interfaces is displayed.

 

IP-MIB

For the ASA 5505 only: The output displays IP addresses that are assigned to the interfaces that were configured using the nameif command.

 

RFC1213-MIB

The adaptive security appliance supports browsing of the following table:

•     ip.ipAddrTable

Use of the ip.ipAddrTable entry requires that all interfaces have unique addresses.


If interfaces have not been assigned IP addresses, by default, their IP addresses are all set to 127.0.0.1. Having duplicate IP addresses causes the SNMP management station to loop indefinitely. The workaround is to assign each interface a different address.

For example, you can set one address to 127.0.0.1, another to 127.0.0.2, and so on. SNMP uses a sequence of GetNext operations to traverse the MIB tree. Each GetNext request is based on the result of the previous request. Therefore, if two consecutive interfaces have the same IP address 127.0.0.1 (table index), the GetNext function returns 127.0.0.1, which is correct; however, when SNMP generates the next GetNext request using the same result (127.0.0.1), the request is identical to the previous one, which causes the management station to loop infinitely.

For example:

GetNext(ip.ipAddrTable.ipAddrEntry.ipAdEntAddr.127.0.0.1)

The MIB table index should be unique for the agent to identify a row from the MIB table. The table index for ip.ipAddrTable is the interface IP address, so the IP address should be unique; otherwise, the SNMP agent becomes confused and may return information of another interface (row), which has the same IP address (index).
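To make the looping behaviour concrete, here is an added example that is not part of the original page: a toy agent whose ipAddrTable rows are indexed by interface address, and a walker that issues GetNext requests the way snmpwalk does. The agent reproduces the behaviour described above (with two rows indexed 127.0.0.1, GetNext(ipAdEntAddr.127.0.0.1) returns ipAdEntAddr.127.0.0.1 again); the walker adds the guard real tools apply, aborting when the returned OID does not increase instead of looping forever. The row data is constructed.

```python
"""Simulation of the GetNext loop caused by duplicate ipAddrTable indices.

Added example, not from the original page: a toy agent and an snmpwalk-style
walker. With two rows sharing the index 127.0.0.1 the agent answers
GetNext(ipAdEntAddr.127.0.0.1) with ipAdEntAddr.127.0.0.1 again; the walker
stops on that non-increasing OID rather than looping indefinitely.
"""

IP_ADDR_ENTRY = (1, 3, 6, 1, 2, 1, 4, 20, 1)     # ip.ipAddrTable.ipAddrEntry
IP_AD_ENT_ADDR = IP_ADDR_ENTRY + (1,)            # column 1: ipAdEntAddr
IP_AD_ENT_IFINDEX = IP_ADDR_ENTRY + (2,)         # column 2: ipAdEntIfIndex


def ip_index(addr):
    """Table index of an ipAddrEntry row: the four address octets as sub-identifiers."""
    return tuple(int(o) for o in addr.split("."))


def oid_str(oid):
    return ".".join(str(n) for n in oid)


class ToyAgent:
    """ipAddrTable held as (ifIndex, address) rows sorted by index, duplicates kept."""

    def __init__(self, rows):
        self.rows = sorted(((ifidx, ip_index(a)) for ifidx, a in rows), key=lambda r: r[1])

    def get_next(self, oid):
        """GetNext within the ipAdEntAddr column. The agent finds the first row
        whose index equals the requested one and returns the row after it; when
        two rows carry the same index, that 'next' row has the same OID."""
        if oid == IP_AD_ENT_ADDR:                       # request for the column itself
            pos = 0
        else:
            idx = oid[len(IP_AD_ENT_ADDR):]
            pos = next((i + 1 for i, (_, a) in enumerate(self.rows) if a == idx), None)
            if pos is None:                             # no exact match: first larger index
                pos = next((i for i, (_, a) in enumerate(self.rows) if a > idx), len(self.rows))
        if pos >= len(self.rows):                       # past the column: first ipAdEntIfIndex
            ifidx, addr = self.rows[0]
            return IP_AD_ENT_IFINDEX + addr, ifidx
        _, addr = self.rows[pos]
        return IP_AD_ENT_ADDR + addr, oid_str(addr)


def walk(agent, column, max_requests=50):
    """snmpwalk-style traversal of one column. Returns (rows, error); error is
    None on a clean end, otherwise the reason the walk was aborted."""
    results, oid = [], column
    for _ in range(max_requests):
        next_oid, value = agent.get_next(oid)
        if next_oid[:len(column)] != column:            # agent moved on to the next column
            return results, None
        if next_oid <= oid:                             # the guard: the table index repeated
            return results, "OID not increasing: %s" % oid_str(next_oid)
        results.append((next_oid, value))
        oid = next_oid
    return results, "gave up after %d requests" % max_requests


if __name__ == "__main__":
    # Two interfaces without addresses both default to 127.0.0.1 (constructed rows).
    looping = ToyAgent([(1, "127.0.0.1"), (2, "127.0.0.1"), (3, "10.1.1.1")])
    print(walk(looping, IP_AD_ENT_ADDR))
    # The workaround from the text: give every interface a distinct address.
    fixed = ToyAgent([(1, "127.0.0.1"), (2, "127.0.0.2"), (3, "10.1.1.1")])
    print(walk(fixed, IP_AD_ENT_ADDR))
```

Without the `next_oid <= oid` check the first walk would run until `max_requests`, which is the infinite loop the text describes; with distinct addresses the same walker returns all three rows and ends cleanly when the agent hands back the first ipAdEntIfIndex OID.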

 

SNMPv2-MIB

The adaptive security appliance supports browsing of the following:

•     snmp

 

ENTITY-MIB

The adaptive security appliance supports browsing of the following tables:

•     entPhysicalTable
•     entLogicalTable

The adaptive security appliance supports browsing of the following traps:

•     config-change:  The trigger for an SNMP configuration change trap is the creation or deletion of a context, or the insertion or removal of an SSM.
•     fru-insert
•     fru-remove

 

CISCO-IPSEC-FLOW-MONITOR-MIB

The adaptive security appliance supports browsing of the MIB. The adaptive security appliance supports browsing of the following traps:

•     start
•     stop

 

CISCO-REMOTE-ACCESS-MONITOR-MIB

The adaptive security appliance supports browsing of the MIB. The adaptive security appliance supports browsing of the following trap:

•     ciscoRasTooManySessions

 

CISCO-CRYPTO-ACCELERATOR-MIB

The adaptive security appliance supports browsing of the MIB.

 

ALTIGA-GLOBAL-REG

The adaptive security appliance supports browsing of the MIB.

 

CISCO-FIREWALL-MIB

The adaptive security appliance supports browsing of the following group:

 

•     cfwSystem—The information in cfwSystem.cfwStatus, which relates to failover status, applies to the entire device and not just a single context.

 

The cfwHardwareStatusTable indicates whether failover is enabled and which unit is active.

Two rows in the cfwHardwareStatusTable object provide failover status. You can access the object table from the following path:

.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.
ciscoFirewallMIBObjects.cfwSystem.cfwStatus.cfwHardwareStatusTable

The objects that provide failover status include the following:

•     cfwHardwareType (table index)
       –     The object type is Hardware.
       –     If failover is enabled or disabled, Row 1 returns 6 for the primary unit.
       –     If failover is enabled, Row 2 returns 7 for the secondary unit.
•     cfwHardwareInformation
       –     The object type is SnmpAdminString.
       –     If failover is enabled or disabled, Row 1 returns a blank value.
       –     If failover is enabled, Row 2 returns a blank value.
•     cfwHardwareStatusValue
       –     The object type is HardwareStatus.
       –     If failover is disabled, Row 1 returns 0 (not used).
       –     If failover is enabled: For the active unit, Row 1 and Row 2 return active or 9. For the standby unit, Row 1 and Row 2 return standby or 10.
•     cfwHardwareStatusDetail
       –     The object type is SnmpAdminString.
       –     If failover is disabled, Row 1 returns Failover Off.
       –     If failover is enabled, Row 1 and Row 2 return a blank value.

 

In the MIB values window of the HP OpenView Browse MIB application, if failover is disabled, a sample MIB query provides the following information:

cfwHardwareInformation.6 :
cfwHardwareInformation.7 :
cfwHardwareStatusValue.6 : 0 
cfwHardwareStatusValue.7 : 0
cfwHardwareStatusDetail.6 :Failover Off
cfwHardwareStatusDetail.7 :Failover Off

From this list, the table index, cfwHardwareType, appears as either .6 or .7 appended to the end of each of the subsequent objects. The cfwHardwareInformation field is blank, the cfwHardwareStatusValue is 0, and the cfwHardwareStatusDetail field includes Failover Off, which indicates the failover status. When failover is enabled, a sample MIB query yields the following information:

CISCO-FIREWALL-MIB::cfwHardwareInformation.netInterface = Failover LAN Interface
CISCO-FIREWALL-MIB::cfwHardwareInformation.primaryUnit = Primary unit (this device)
CISCO-FIREWALL-MIB::cfwHardwareInformation.secondaryUnit = Secondary unit
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.netInterface = up(2)
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.primaryUnit = active(9)
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.secondaryUnit = standby(10)
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.netInterface = failif Ethernet0/3
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.primaryUnit = Active unit
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.secondaryUnit = Standby unit

In this list, only the cfwHardwareStatusValue field includes values, either active or standby, to indicate the status of each unit.


This MIB extends the number of traps that you can use to discover additional information about the state of the adaptive security appliance, including the following events:

•     Buffer usage from the show blocks command
•     Connection count from the show conn command
•     Failover status from the show failover command
•     Memory usage from the show memory command

The adaptive security appliance does not support the following notification types:

•     cfwSecurityNotification
•     cfwContentInspectNotification
•     cfwConnNotification
•     cfwAccessNotification
•     cfwAuthNotification
•     cfwGenericNotification

You can view the number of connections in use from the cfwConnectionStatTable or from the CLI with the show conn command. You can access the cfwConnectionStatTable object table from the following path:

.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.
ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwConnectionStatTable

The objects that provide connection count status include the following:

•     cfwConnectionStatService (table index)
       –     The object type is Services.
       –     The returned value for Row 1 and Row 2 is 40 (protocol).
•     cfwConnectionStatType (table index)
       –     The object type is ConnectionStat.
       –     The returned value for Row 1 is 6 (the number of current connection in  use).
       –     The returned value for Row 2 is 7 (the highest number of connections in use).
•     cfwConnectionStatDescription
       –     The object type is SnmpAdminString.
       –     The returned value for Row 1 is the number of connections currently in use by the entire firewall.
       –     The returned value for Row 2 is the highest number of connections in use at any one time since device startup.
•     cfwConnectionStatCount
       –     The object type is Counter32.
       –     The returned value for Row 1 and Row 2 is 0 (not used).
•     cfwConnectionStatValue
       –     The object type is Gauge32.
       –     The returned value for Row 1 is integer (the number in use).
       –     The returned value for Row 2 is integer (the number most used).


In the MIB values window of the HP OpenView Browse MIB application, a sample MIB query provides the following information:

cfwConnectionStatDescription.40.6 :number of connections currently in use by the entire firewall
cfwConnectionStatDescription.40.7 :highest number of connections in use at any one time since system startup
cfwConnectionStatCount.40.6 
cfwConnectionStatCount.40.7 
cfwConnectionStatValue.40.6 :15
cfwConnectionStatValue.40.7 :88

From this list, the table index, cfwConnectionStatService, appears as the .40 appended to each subsequent object and the table index, cfwConnectionStatType, appears as either .6 to indicate the number of connections in use or .7 to indicate the most used number of connections.

The cfwConnectionStatValue object then lists the connection count. The cfwConnectionStatCount object always returns 0.

The cfwBufferStatsTable indicates the system buffer usage, which provides an early warning of the adaptive security appliance approaching its capacity limits. You can view this information from the CLI with the show blocks command.


You can view cfwBufferStatsTable at the following path:

iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.
ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwBufferStatsTable

The objects that provide system block usage include the following:

•     cfwBufferStatSize (table index)
        –     The object type is Unsigned32.
        –     The returned value of the first row and the next two rows is an integer; a SIZE value, for example, a 4-byte block.
•     cfwBufferStatType (table index)
        –     The object type is ResourceStatistics.
        –     The returned value of the first row is 3 (MAX).
        –     The returned value of the next row is 5 (LOW).
        –     The returned value of the next row is 8 (CNT).
•     cfwBufferStatInformation
       –     The object type is SnmpAdminString.
       –     The returned value for the first row is the maximum number of allocated integer byte blocks (integer is the number of bytes in a block).
       –     The returned value for the next row is the fewest integer byte blocks available since system startup (integer is the number of bytes in a block).
       –     The returned value for the next row is the current number of available integer byte blocks (integer is the number of bytes in a block).
•     cfwBufferStatValue
       –     The object type is Gauge32.
       –     The returned value for the first row is integer (MAX number).
       –     The returned value for the next row is integer (LOW number).
       –     The returned value for the next row is integer (CNT number).

 

In the MIB values window of the HP OpenView Browse MIB application, a sample MIB query provides the following information:

cfwBufferStatInformation.4.3 :maximum number of allocated 4 byte blocks
cfwBufferStatInformation.4.5 :fewest 4 byte blocks available since system startup
cfwBufferStatInformation.4.8 :current number of available 4 byte blocks
cfwBufferStatInformation.80.3 :maximum number of allocated 80 byte blocks
cfwBufferStatInformation.80.5 :fewest 80 byte blocks available since system startup
cfwBufferStatInformation.80.8 :current number of available 80 byte blocks
cfwBufferStatInformation.256.3 :maximum number of allocated 256 byte blocks
cfwBufferStatInformation.256.5 :fewest 256 byte blocks available since system startup
cfwBufferStatInformation.256.8 :current number of available 256 byte blocks
cfwBufferStatInformation.1550.3 :maximum number of allocated 1550 byte blocks
cfwBufferStatInformation.1550.5 :fewest 1550 byte blocks available since system startup
cfwBufferStatInformation.1550.8 :current number of available 1550 byte blocks
cfwBufferStatValue.4.3: 1600
cfwBufferStatValue.4.5: 1600
cfwBufferStatValue.4.8: 1600
cfwBufferStatValue.80.3: 400
cfwBufferStatValue.80.5: 396
cfwBufferStatValue.80.8: 400
cfwBufferStatValue.256.3: 1000
cfwBufferStatValue.256.5: 997
cfwBufferStatValue.256.8: 999
cfwBufferStatValue.1550.3: 1444
cfwBufferStatValue.1550.5: 928
cfwBufferStatValue.1550.8: 932

 

From this list, the first table index, cfwBufferStatSize, appears as the first number appended to the end of each object, such as .4 or .256. The other table index, cfwBufferStatType, appears as .3, .5, or .8 after the first index. For each block size, the cfwBufferStatInformation object identifies the type of value, and the cfwBufferStatValue object gives the number of blocks for that value (the block size in bytes is the first index, not the value).

 

CISCO-SYSLOG-MIB

The adaptive security appliance supports the following trap:

•     clogMessageGenerated

The adaptive security appliance supports transmission of the following security-related events:

•     Global access denied
•     Syslog messages, including failover syslog messages

You cannot browse this MIB.

 

 

CISCO-UNIFIED-FIREWALL-MIB

The adaptive security appliance supports browsing of the MIB.

 

SNMP-FRAMEWORK-MIB

The adaptive security appliance supports browsing of the following group:

•     snmpEngine, which includes the following objects:
       –     snmpEngineID. Use the show snmp engineid command to validate output.
       –     snmpEngineBoots
       –     snmpEngineTime
       –     snmpEngineMaxMessageSize

 

SNMP-USM-MIB

The adaptive security appliance supports browsing of the following table:

•     usmUserTable under the usmUser group, which includes the following objects:
       –     usmUserEngineID        : Use the show snmp server command to validate output.
       –     usmUserName            : Use the show snmp server command to validate output.
       –     usmUserSecurityName    : Use the show snmp server command to validate output.
       –     usmCloneFrom
       –     usmUserAuthProtocol    : Use the show snmp server command to validate output.
       –     usmUserAuthKeyChange
       –     usmUserOwnAuthKeyChange
       –     usmUserPrivProtocol    : Use the show snmp server command to validate output.
       –     usmUserPrivKeyChange
       –     usmUserOwnPrivKeyChange
       –     usmUserPublic
       –     usmUserStorageType     : Use the show snmp server command to validate output.
       –     usmUserStatus          : Use the show snmp server command to validate output.

 

 

SNMP-VACM-MIB

The adaptive security appliance supports browsing of the following table:

•     vacmSecurityToGroupTable under the vacmMIBObjects group, which includes the following objects:
        –     vacmSecurityModel           : Use the show snmp group command to validate output.
        –     vacmSecurityName            : Use the show snmp group command to validate output. 
        –     vacmGroupName               : Use the show snmp group command to validate output.
        –     vacmSecurityToGroupStorageType
        –     vacmSecurityToGroupStatus   : Use the show snmp group command to validate output.

 

 

SNMP-TARGET-MIB

The adaptive security appliance supports browsing of the following tables under the snmpTargetObjects group:

•     snmpTargetAddrTable, which includes the following objects:
       –     snmpTargetAddrName
       –     snmpTargetAddrTDomain
       –     snmpTargetAddrTAddress   : Use the show run snmp-server host command to validate output.
       –     snmpTargetAddrTimeout
       –     snmpTargetAddrRetryCount
       –     snmpTargetAddrTagList
       –     snmpTargetAddrParams
       –     snmpTargetAddrRowStatus
•     snmpTargetParamsTable, which includes the following objects:
       –     snmpTargetParamsName
       –     snmpTargetParamsMPModel       : Use the show run snmp-server host command to validate output.
       –     snmpTargetParamsSecurityModel : Use the show run snmp-server host command to validate output.
       –     snmpTargetParamsSecurityName
       –     snmpTargetParamsSecurityLevel : Use the show run snmp-server host command to validate output.
       –     snmpTargetParamsStorageType
       –     snmpTargetParamsRowStatus

 

Q & A

 

How do I use statistics?

If you suspect the SNMP module is doing something it shouldn't or not doing something it should, it is always recommended to look at the output of "show snmp-server statistics" to confirm your device is the culprit. In a failover pair, both devices can become active and generate SNMP traffic. The snmp-server statistics can confirm which device is responsible. If SNMP is not responding to queries and your config is correct, you can use SNMP statistics and the output of "show counters" to confirm that your request is really making it to the SNMP thread (snmp in the output of "show process").

 

 

SNMP SET Support?

ASA currently does not support SNMP SET commands.

 

 

Can I get ARP table info using SNMP?

No. This feature is not available.

 

 

What is the MIB support for interfaces?

The only MIB that is supported which gives information about the configured ASA interfaces is ifTable. Note that the interface must be configured with the nameif command, or it does not show up.

 

 

Is there support for entityPhysical sub-chassis-element at port level ?

The entityPhysical MIB is supported but at the device level. It does not have the level of detail for the sub-chassis-element.

 

Does SNMP send traps for all interfaces?

SNMP only sends traps on interfaces it knows about. Currently, it sends traps on interfaces that have a nameif associated with it.

 

 

Connection Statistic in SNMP?

 

Remote Access Sessions

The ASA can give information via SNMP about remote access sessions.

Firewall connections are in CISCO-FIREWALL-MIB
snmpwalk -c <community> -v <version> <asa> -OS .1.3.6.1.4.1.9.9.147.1.2.2.2

RAS connections ("sessions") are in CISCO-REMOTE-ACCESS-MONITOR-MIB
snmpwalk -c <community> -v <version> <asa> -OS .1.3.6.1.4.1.9.9.392.1.3

IKE connections ("phase 1 tunnels") are in CISCO-IPSEC-FLOW-MONITOR-MIB
snmpwalk -c <community> -v <version> <asa> -OS .1.3.6.1.4.1.9.9.171.1.2.1

IPSec connections ("phase 2 tunnels") are in CISCO-IPSEC-FLOW-MONITOR-MIB
snmpwalk -c <community> -v <version> <asa> -OS .1.3.6.1.4.1.9.9.171.1.3.1

The ALTIGA-SSL-STATS-MIB will also display information about connections/sessions.

The statistics reported by "show perfmon" are also available via SNMP through the unified firewall MIB (CISCO-UNIFIED-FIREWALL-MIB), a feature introduced in 7.2; see the Performance section of the 7.2 release notes: http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn72.html#wp185335

 

 

Connection Information

CISCO-FIREWALL-MIB gives the "show conn" information (connections currently in use and most used). Some of the information from "show perfmon detail" can be obtained by querying the ciscoUnifiedFirewallMIB, as shown below.

MT-UUT/admin(config-pmap-c)# show conn count
12951 in use, 14533 most used

MT-UUT/admin(config-pmap-c)#
 
[root@linux-host tools]# snmpwalk -Os -c public -v 2c 172.23.32.180 ConnectionStat
cfwConnectionStatDescription.protoIp.currentInUse = STRING: number of connections currently in use by the entire firewall
cfwConnectionStatDescription.protoIp.high = STRING: highest number of connections in use at any one time since system startup
cfwConnectionStatCount.protoIp.currentInUse = Counter32: 0
cfwConnectionStatCount.protoIp.high = Counter32: 0
cfwConnectionStatValue.protoIp.currentInUse = Gauge32: 12955
cfwConnectionStatValue.protoIp.high = Gauge32: 14533
[root@linux-host tools]#


[root@linux-host tools]# snmpwalk -Os -c public -v 2c 10.0.0.5 ciscoUnifiedFirewallMIB

cufwConnGlobalNumResDeclined.0 = Counter64: 0 Connections
cufwConnGlobalNumActive.0 = Gauge32: 12853 Connections <--- connections currently active; the same as the "in use" figure from "show conn"
cufwConnGlobalConnSetupRate1.0 = Gauge32: 65 Connections per second <--- number of connections the firewall is establishing per second, averaged over the last 60 seconds
cufwConnGlobalConnSetupRate5.0 = Gauge32: 33 Connections per second <--- number of connections the firewall is establishing per second, averaged over the last 300 seconds
cufwConnSetupRate1.udp = Gauge32: 0 Connections Per Second <--- UDP connections established per second, averaged over the last 60 seconds
cufwConnSetupRate1.tcp = Gauge32: 65 Connections Per Second <--- TCP connections established per second, averaged over the last 60 seconds
cufwConnSetupRate5.udp = Gauge32: 0 Connections Per Second <--- UDP connections established per second, averaged over the last 300 seconds
cufwConnSetupRate5.tcp = Gauge32: 33 Connections Per Second <--- TCP connections established per second, averaged over the last 300 seconds
 
cufwUrlfRequestsNumProcessed.0 = Counter64: 0 Requests
cufwUrlfRequestsProcRate1.0 = Gauge32: 0 Requests per second <------ The number of URL access requests processed per second by this firewall averaged over the last 60 seconds
cufwUrlfRequestsProcRate5.0 = Gauge32: 0 Requests per second <----- The number of URL access requests processed per second by this firewall averaged over the last 300 seconds
cufwUrlfRequestsNumAllowed.0 = Counter64: 0 Requests
cufwUrlfRequestsNumDenied.0 = Counter64: 0 Requests
cufwUrlfRequestsDeniedRate1.0 = Gauge32: 0 Requests per second
cufwUrlfRequestsDeniedRate5.0 = Gauge32: 0 Requests Per Second
cufwUrlfRequestsNumCacheAllowed.0 = Counter64: 0 Requests
cufwUrlfRequestsNumCacheDenied.0 = Counter64: 0 Requests
cufwUrlfRequestsNumResDropped.0 = Counter64: 0 Requests
cufwUrlfRequestsResDropRate1.0 = Gauge32: 0 Requests Per Second
cufwUrlfRequestsResDropRate5.0 = Gauge32: 0 Requests Per Second
cufwUrlfNumServerTimeouts.0 = Counter64: 0
cufwUrlfNumServerRetries.0 = Counter64: 0

 

 

Multi-Context and SNMP?

SNMP can't be configured in the system context.

To get information about the interfaces in either the admin or a user context, you can use the IF-MIB:

snmpwalk -v 2c -c public <context(user/admin) ip> ifDescr
IF-MIB::ifDescr.1 = STRING: Adaptive Security Appliance 'inside' interface
IF-MIB::ifDescr.2 = STRING: Adaptive Security Appliance 'outside' interface
IF-MIB::ifDescr.3 = STRING: Adaptive Security Appliance 'mgmt' interface

IP-MIB gives you the IP addresses of all the interfaces when you query a context.

snmpwalk -v 2c -c public <context(user/admin) ip> ipAddr
IP-MIB::ipAdEntAddr.10.7.14.32 = IpAddress: 10.7.14.32
IP-MIB::ipAdEntAddr.10.8.1.92 = IpAddress: 10.8.1.92
IP-MIB::ipAdEntAddr.10.7.1.92 = IpAddress: 10.7.1.92
IP-MIB::ipAdEntIfIndex.10.7.14.32 = INTEGER: 3
IP-MIB::ipAdEntIfIndex.46.7.1.92 = INTEGER: 2
IP-MIB::ipAdEntIfIndex.47.7.1.92 = INTEGER: 1
IP-MIB::ipAdEntNetMask.10.7.14.32 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntNetMask.10.8.1.92 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntNetMask.10.7.1.92 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntBcastAddr.10.7.14.32 = INTEGER: 0
IP-MIB::ipAdEntBcastAddr.10.8.1.92 = INTEGER: 0
IP-MIB::ipAdEntBcastAddr.10.7.1.92 = INTEGER: 0
IP-MIB::ipAdEntReasmMaxSize.10.7.14.32 = INTEGER: 65535
IP-MIB::ipAdEntReasmMaxSize.10.8.1.92 = INTEGER: 65535
IP-MIB::ipAdEntReasmMaxSize.10.7.1.92 = INTEGER: 65535

The system name or hostname of any context corresponds to the context name in multiple mode. System names can be retrieved using the SNMPv2-MIB object sysName:

snmpwalk -v 2c -c public <context(user/admin) ip> sysName

SNMPv2-MIB::sysName.0 = STRING: c1 <------ "c1" is the context name

 

 

SNMP v3 support?

SNMP v3 support was added to ASA version 8.2(1).

 

 

What MIBs are supported in the ASA?

All of the MIBs listed on the Supported MIBs page are supported.

 

 

Polling for VPN Users and tunnel stats

Starting in Version 7.0(1), several MIBs were added to reflect VPN stats. When walking the VPN MIBs there are no "down" tunnels. If the tunnel is up there's an entry present on the MIB tables, otherwise the entry is removed. The traps cipSecTunnelStart and cipSecTunnelStop can be enabled if one wants to receive traps when the tunnel is built up and torn down.

Note that the traps come from CISCO-IPSEC-FLOW-MONITOR-MIB, which will also include L2L tunnels, not just remote-access. The cras MIB objects are populated from the vpn-session manager, which correspond to "show vpn-sessiondb ..." on the CLI.

 

 

How do I perform SNMP walk?

Configure the ASA to allow an SNMP server to connect to it:

snmp-server host inside 10.44.112.157 community public

"10.44.112.157" is the address of the client PC on which your SNMP walk tool is installed, and "public" is the community string you define. Note that "public" is the well-known default community string and that SNMPv1/v2c send it in cleartext in every request, so choose a string that cannot be guessed, configure only the hosts that actually need access with snmp-server host, and on 8.2(1) and later prefer SNMPv3 with authentication and privacy.

On the SNMP server with IP "10.44.112.157", issue:

snmpwalk -v2c -c public <IP_of_ASA_interface> 1.3.6.1.4.1.3076.2.1.2.26.1.2 

The above command should output the following:

SNMPv2-SMI::enterprises.3076.2.1.2.26.1.2.0 = Gauge32: 1

 

 

Support for CISCO-CONFIG-COPY MIB ?

Currently, this MIB is not supported.

 

 

SNMP walk of the ciscoMemPool MIB ?

How do I read the output of the ciscoMemPool MIB in multi-mode and co-relate it with the output of show mem ?

The ciscoMemoryPoolUsed OID value represents the used memory on the ASA. In case of single mode, it will be the used memory of the system, and in case of multi-mode, it is the used memory of the context.

The ciscoMemoryPoolFree OID value will be the free memory that is available to the system regardless of the mode - i.e. single or multi-mode. In multi-mode, ASA does not have an upper bound on the amount of memory that is assigned to a particular context, so the total free memory in the system is available to each context.

The following example should make this clear.

System context:

asa-5520(config)# show mem
Free memory:       292792568 bytes (55%)
Used memory:       236816008 bytes (45%)
-------------     ----------------
Total memory:      529608576 bytes (100%)


Admin context:

asa-5520(config)# show mem
Free memory:       292792568 bytes (55%)
Used memory:       236816008 bytes (45%)
-------------     ----------------
Total memory:      529608576 bytes (100%)

SNMP walk output:

[root@myinsidelnx root]# snmpwalk -OS -v 2c -c public 10.7.14.12 ciscoMemoryPool
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolName.1 = System memory
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolAlternate.1 = 0
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolValid.1 = true(1)
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolUsed.1 = Gauge32: 1537500 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolFree.1 = Gauge32: 292791392 bytes
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolLargestFree.1 = Gauge32: 292791392 bytes

 

 

Deep Packet Inspection with inspect snmp

The 'inspect snmp' engine examines only the SNMP version field of the packet; that is the sole criterion on which it filters. Use the inspect snmp command to enable SNMP inspection with the settings configured in an SNMP map, which you create using the snmp-map command. Use the deny version command in SNMP map configuration mode to restrict SNMP traffic to specific versions of SNMP.

One reason to use inspect snmp is to block a particular SNMP version, for example v1, which is less secure. To deny a specific version of SNMP, use the deny version command within an SNMP map, which you create using the snmp-map command. After configuring the SNMP map, enable it with the inspect snmp command and then apply it to one or more interfaces using the service-policy command.
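The procedure above written out as an ASA configuration. This is an added example, not configuration from the original document; it assumes the map name deny-v1 and the default global_policy policy-map and inspection_default class that ship on the ASA.

```text
! Added example; the map name deny-v1 is an assumption.
! Step 1: create the SNMP map and deny the weak version.
snmp-map deny-v1
  deny version 1
!
! Step 2: enable SNMP inspection with that map inside the
! default global policy (policy-map and class are the ASA defaults).
policy-map global_policy
  class inspection_default
    inspect snmp deny-v1
!
! Step 3: apply the policy; "global" covers all interfaces,
! or name one interface instead of "global" to scope it.
service-policy global_policy global
```

Verify with "show service-policy inspect snmp", which reports the map in use and the drop counters.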

Failover pair information on the ASA?

To get detailed information about the units in the failover pair, use the OID cfwHardwareStatusTable.

Here is an example with the information that this OID returns:

[root@sw8-ilinux root]# snmpwalk -v2c -c public -OS 10.7.14.55 cfwHardwareStatusTable
CISCO-FIREWALL-MIB::cfwHardwareInformation.netInterface = Failover LAN Interface
CISCO-FIREWALL-MIB::cfwHardwareInformation.primaryUnit = Primary unit (this device)
CISCO-FIREWALL-MIB::cfwHardwareInformation.secondaryUnit = Secondary unit
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.netInterface = up(2)
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.primaryUnit = active(9)
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.secondaryUnit = error(4)
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.netInterface = failif Ethernet0/3 (system)
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.primaryUnit = Active unit
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.secondaryUnit = Unit has failed
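A small monitoring check over the walk above, added here as an example (not from the original document): it parses snmpwalk lines of the cfwHardwareStatusTable and returns every row whose status is not healthy. The sample text is constructed from the output shown on this page; treating "standby" as a healthy status is an assumption.

```python
import re

# Constructed sample, modelled on the snmpwalk output above.
FAILOVER_WALK = """\
CISCO-FIREWALL-MIB::cfwHardwareInformation.netInterface = Failover LAN Interface
CISCO-FIREWALL-MIB::cfwHardwareInformation.primaryUnit = Primary unit (this device)
CISCO-FIREWALL-MIB::cfwHardwareInformation.secondaryUnit = Secondary unit
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.netInterface = up(2)
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.primaryUnit = active(9)
CISCO-FIREWALL-MIB::cfwHardwareStatusValue.secondaryUnit = error(4)
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.netInterface = failif Ethernet0/3 (system)
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.primaryUnit = Active unit
CISCO-FIREWALL-MIB::cfwHardwareStatusDetail.secondaryUnit = Unit has failed
"""

# "MIB::column.row = value" as printed by snmpwalk -OS
LINE_RE = re.compile(r"^CISCO-FIREWALL-MIB::(\w+)\.(\w+) = (.*)$")
# enumerated values print as name(number), e.g. error(4)
ENUM_RE = re.compile(r"^(\w+)\((\d+)\)$")

# up and active appear in the walk above; standby is an assumed healthy peer state.
HEALTHY = {"up", "active", "standby"}


def parse_walk(text):
    """Return {row: {column: value}}, e.g. rows['secondaryUnit']['cfwHardwareStatusValue']."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            column, row, value = m.groups()
            rows.setdefault(row, {})[column] = value
    return rows


def status_of(value):
    """Split 'error(4)' into ('error', 4); non-enumerated values get code None."""
    m = ENUM_RE.match(value)
    return (m.group(1), int(m.group(2))) if m else (value, None)


def unhealthy_units(text):
    """Return [(row, status_name, detail)] for every row not in a healthy state."""
    problems = []
    for row, cols in parse_walk(text).items():
        name, _code = status_of(cols.get("cfwHardwareStatusValue", ""))
        if name not in HEALTHY:
            problems.append((row, name, cols.get("cfwHardwareStatusDetail", "")))
    return problems


if __name__ == "__main__":
    for row, name, detail in unhealthy_units(FAILOVER_WALK):
        print(f"ALERT: {row} status={name} detail={detail!r}")
```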

Differences between FWSM and ASA

The ASA does not support the following MIBs that the FWSM supports:

CISCO-ENTITY-ALARM-MIB.my
CISCO-ENTITY-REDUNDANCY-MIB.my
CISCO-ENTITY-REDUNDANCY-TC-MIB.my
CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB.my
CISCO-NAT-EXT-MIB.my
NAT-MIB.my
TCP-MIB.my
UDP-MIB.my

Traps that the FWSM supports but the ASA does not:

ceAlarmAsserted: CISCO-ENTITY-ALARM-MIB.my
ceRedunEventSwitchover: CISCO-ENTITY-REDUNDANCY-MIB.my
clrResourceLimitReached: CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB.my
clrResourceRateLimitReached: CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB.my

The ASA supports the ENTITY-MIB, which can generate an "entConfigChange" trap. Currently the entConfigChange trap is generated only when a security context is added or removed (multi-mode) or an SSM is inserted or removed (though this OID is not officially supported).

The authentication trap is sent when an attempt is made to poll the ASA with a wrong SNMP community. It is NOT generated when a user enters a wrong password while logging into the device (telnet, SSH, etc.).


Example of configChange trap:

2009-03-10 12:22:38 host-14-12.f1boulder.lab [10.7.14.12] TRAP, SNMP v1, community public
        ENTITY-MIB::entityMIBTraps Enterprise Specific Trap (ENTITY-MIB::entConfigChange) Uptime: 0:13:40.00


Example of authentication Failure trap:

2009-03-09 09:14:47 host-14-55.f1boulder.lab [10.7.14.55] TRAP, SNMP v1, community public
        CISCO-PRODUCTS-MIB::ciscoASA5510 Authentication Failure Trap (0) Uptime: 2 days, 15:56:06.00

The image is currently designed to emit the FRU traps only when an SSM/SSC ("card") is inserted or removed. It will not generate a trap if a PSU is removed. Note that the coldStart trap is generated when the device reaches the 'up' state, e.g. after a reboot. No SNMP trap is generated prior to a power loss.

Which MIB is supported for the authenticationFailure trap?

The ASA supports the SNMPv2-MIB authenticationFailure trap instead of the CISCO-GENERAL-TRAPS MIB. As a result, the ASA does not report which host was responsible for the authenticationFailure trap, only that the trap occurred.


ifInDiscard OID doesn't match packets dropped

The ifInDiscard OID reports different information depending on the interface type. For a physical interface, ifInDiscard is the number of packets discarded because of insufficient buffer space; this is the 'no buffer' counter in the output of 'show interface'. For a logical interface, ifInDiscard corresponds to the 'packets dropped' traffic statistic in the output of 'show interface'.

  • Value of ifInDiscard for physical interface: show interface <interface-name> | grep "no buffer"
  • Value of ifInDiscard for logical interface: show interface <interface-name> | grep "packets dropped"


Comments
Jing Ren
Level 1

May I ask, has anyone tried to retrieve stats from a multi-context ASA or FWSM using the above-mentioned method?

snmpwalk -v 2c -c public <context(user/admin) ip> ifDescr

This command doesn't seem to work at all. Could anyone drop a hint please?

pkupisie
Cisco Employee

An additional point regarding multiple contexts: the SNMP ENTITY-MIB is not working for non-admin contexts.

It is logical, but I couldn't find any official reference to it (maybe good to add it to this great DOC):

iso.3.6.1.2.1.47.1.1.1.1.11 = No Such Instance currently exists at this OID

keyur.desai
Level 1

Guys, I am trying to monitor the AnyConnect connection profile. I have 4-5 different tunnel profiles; does anyone know what the SNMP OID will be?

If I go into ASDM I can monitor this number by doing this:

Monitor --> VPN --> All Remote Access --> Connection Profile --> tunnel name (e.g. abc)

andrew.fedyszak
Level 1

Hi,

Can someone clarify if there is any definite list of supported MIBs and OIDs for Cisco security devices like ASAs and FWSM?

For example, if you look at the Cisco list of supported MIBs for both FWSM and ASA for most "fairly current" versions (see below), the CISCO-PROCESS-MIB.my MIB is listed as supported, albeit just for a particular sub-branch called cpmCPU.

This should have about 29 OIDs in it including CPU and Memory info.

However this MIB is NOT listed at the top of this document under "SNMP MIB support".

Moreover, if you log on to an ASA or FWSM (I tried this for various ASA models including 55800-40 on different OS versions, and for FWSM on different OS versions) and run the "show snmp-server oidlist" command, or do an SNMP walk from some MIB browser tool, you do NOT even get the full list of OIDs allegedly supported.

Usually you get just the first five (regardless of whether you are on FWSM or ASA and regardless of OS version):

show snmp-server oidlist | inc 109

[128]   1.3.6.1.4.1.9.9.109.1.1.1.1.2.  cpmCPUTotalPhysicalIndex
[129]   1.3.6.1.4.1.9.9.109.1.1.1.1.3.  cpmCPUTotal5sec
[130]   1.3.6.1.4.1.9.9.109.1.1.1.1.4.  cpmCPUTotal1min
[131]   1.3.6.1.4.1.9.9.109.1.1.1.1.5.  cpmCPUTotal5min

but on one FWSM running the 3.1 OS it listed OIDs up to 1.3.6.1.4.1.9.9.109.1.1.1.1.9 inclusive.

The missing OID values include memory usage (i.e. free/available), which I would like to monitor.

Does anyone know whether the full set of OIDs for the cpmCPU sub-branch of CPU-PROCESS-MIB is available at all and, if so, whether it is only available for particular hardware, firmware or OS versions?

regards,

Andrew

This is from Cisco MIB support/download web page:

Version 8.2 and higher

CISCO-PROCESS-MIB.my          Only objects defined under cpmCPU are supported.

David White
Cisco Employee

Hi Andrew,

This page is accurate:

ftp://ftp.cisco.com/pub/mibs/supportlists/asa/asa-supportlist.html

As listed in the Note section:

   CISCO-PROCESS-MIB.my    Only objects defined under cpmCPU are supported.

Only the cpmCPU OIDs are supported in the CISCO-PROCESS-MIB. If you want to query memory usage, please use the CISCO-MEMORY-POOL-MIB.

Please see Table 39-1 in http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/monitor.html for which MIBs and OIDs are supported.

Hope it helps.


David.

seymourbrown
Level 1

David -

Sorry to re-animate this dead thread, but the lack of ARP via SNMP is a glaring fault that I had hoped would be fixed by now.

Is there any particular reason why the ARP cache and its IPv6 cousin, the IPv6 Neighbor table, are not available on the ASA? It's a huge hole in our ability to monitor what's happening, or even what exists, in our DMZs.

If it's a philosophy thing, is there any hope the philosopher might retire or move on to some other company soon? Maybe we can make them an offer ;^)

thanks,

=seymour=
