SNMP - Accepted Dropped Connections per Interface

jickfoo
Level 1

I need to be able to report on a count of Accepted and Dropped connections due to policy on the Outside interface on a monthly basis.

The outside interface is ifIndex.3.

Support gave me the below OID, but I'm not convinced it's correct. I also can't see how to change it per interface.

Any help would be greatly appreciated.

Object     cfwBasicConnectionEventType

OID        1.3.6.1.4.1.9.9.147.1.1.1.2.1.5

Type       ConnectionEvent
               1:other
               2:accept
               3:error
               4:drop
               5:close
               6:timeout
               7:refused
               8:reset
               9:noResp

"The type of connection-related event that this row contains.
If the event is not connection-related this object will not
be instantiated."

5 Replies

mirober2
Cisco Employee

Hi Justin,

When you say you want to see accepted and dropped connections due to a policy on the outside interface, what exactly do you mean? Connections can be built and torn down for many reasons, so defining which policy you're referring to will help. Is there a particular counter or 'show' output on the CLI that you're looking to poll via SNMP?

cfwBasicConnectionEventType will probably be your best bet, though it's global for the ASA so you'll need to do some filtering after the data is received.

-Mike

Thanks for the response.

I guess counters on the outside_acl would make the most sense.

Hi Justin,

Unfortunately, the ASA doesn't have an OID that can poll ACL hits. You can log the ACL hits to a syslog and then redirect the syslog via SNMP to a server, but this would be a trap rather than a poll.

If you want an automated way to query the hits every month, you might want to look into Smart Call Home which is more suited for this type of monitoring. You can configure a profile to check the ACL hits and have it email them to you or HTTPS POST it to a web server once a month. You can find some config examples here:

https://supportforums.cisco.com/docs/DOC-14958

-Mike

Thanks again.

"Log the ACL Hits to syslog"

Would that show each hit in detail or just a counter like object?

Could I just clear the counters on the ACL monthly, I wonder?

Justin

Hi Justin,

The logs will look like this:

Permitted:

%ASA-6-106100: access-list outside_in permitted tcp outside/192.168.1.100(60270) -> inside/10.1.1.10(443) hit-cnt 1 first hit [0x8545f26e, 0x0]

Denied:

%ASA-6-106100: access-list outside_in denied tcp outside/192.168.1.100(60290) -> inside/10.1.1.10(80) hit-cnt 1 first hit [0x6c9e7133, 0x0]

That will be a lot more information than you probably want. If you just want to see the aggregate hits each month, my suggestion would be to use Smart Call Home (or maybe an Expect script via SSH) to pull the ACL hits (something like 'show access-list | ex hitcnt=0') once a month and then immediately clear them ('clear access-list ' counters).

-Mike
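One way to reduce the 106100 syslog stream Mike describes to the monthly per-interface totals Justin asked for, as an added example that is not part of the thread and not Cisco's tooling. It parses the permitted/denied message shape shown in the two log lines above, keys each hit on the ingress interface and calendar month, and sums the hit-cnt field. The ISO-8601 timestamp prefix is assumed to come from the syslog collector, and the sample log lines are constructed (the first two mirror the thread's examples).

```python
import re
from collections import Counter

# Message 106100 as it appears in the thread:
#   %ASA-6-106100: access-list <acl> permitted|denied <proto> <in_if>/<src>(<sport>)
#       -> <out_if>/<dst>(<dport>) hit-cnt <n> ...
# The regex only covers the TCP/UDP shape shown in the thread; ICMP variants
# carry type/code instead of a port and are deliberately left unmatched.
MSG_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<in_if>[^/\s]+)/(?P<src>\S+)\((?P<sport>\d+)\) -> "
    r"(?P<out_if>[^/\s]+)/(?P<dst>\S+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Assumed collector prefix: an ISO-8601 timestamp at the start of each line.
TS_MONTH = re.compile(r"^(?P<month>\d{4}-\d{2})-\d{2}T")


def parse_106100(line):
    """Return a dict of fields for a 106100 message, or None for any other line."""
    m = MSG_106100.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["hits"] = int(rec["hits"])
    ts = TS_MONTH.match(line)
    rec["month"] = ts.group("month") if ts else "unknown"
    return rec


def monthly_counts(lines, interface):
    """Sum hit-cnt per (month, action) for ACL decisions whose ingress interface matches."""
    counts = Counter()
    for line in lines:
        rec = parse_106100(line)
        if rec is None or rec["in_if"] != interface:
            continue
        counts[(rec["month"], rec["action"])] += rec["hits"]
    return counts


# Constructed sample log; the first two entries mirror the thread's examples.
SAMPLE_LOG = [
    "2024-05-03T10:15:22 asa1 %ASA-6-106100: access-list outside_in permitted tcp "
    "outside/192.168.1.100(60270) -> inside/10.1.1.10(443) hit-cnt 1 first hit [0x8545f26e, 0x0]",
    "2024-05-03T10:16:02 asa1 %ASA-6-106100: access-list outside_in denied tcp "
    "outside/192.168.1.100(60290) -> inside/10.1.1.10(80) hit-cnt 1 first hit [0x6c9e7133, 0x0]",
    "2024-05-09T08:00:00 asa1 %ASA-6-106100: access-list outside_in denied tcp "
    "outside/198.51.100.7(51000) -> inside/10.1.1.10(22) hit-cnt 4 300-second interval [0x6c9e7133, 0x0]",
    "2024-05-09T08:00:01 asa1 %ASA-6-106100: access-list inside_out permitted udp "
    "inside/10.1.1.20(5353) -> outside/203.0.113.5(53) hit-cnt 2 300-second interval [0x11111111, 0x0]",
    "2024-06-01T00:00:05 asa1 %ASA-6-106100: access-list outside_in permitted tcp "
    "outside/192.0.2.9(40000) -> inside/10.1.1.10(443) hit-cnt 3 300-second interval [0x8545f26e, 0x0]",
    # A connection-build message (not 106100) is skipped by the parser.
    "2024-06-01T00:00:06 asa1 %ASA-6-302013: Built inbound TCP connection 12345 for "
    "outside:192.0.2.9/40000 (192.0.2.9/40000) to inside:10.1.1.10/443 (10.1.1.10/443)",
]

if __name__ == "__main__":
    for (month, action), n in sorted(monthly_counts(SAMPLE_LOG, "outside").items()):
        print(f"{month} outside {action}: {n}")
```

Because the totals are keyed on the ingress interface taken from the message itself, this gives the per-interface split that the global cfwBasicConnectionEventType object cannot, and no monthly clearing of ACL counters is needed: the month boundary comes from the log timestamp.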
