
New Member

SNMP - Accepted Dropped Connections per Interface

I need to be able to report on a count of Accepted and Dropped connections due to policy on the Outside interface on a monthly basis.

The outside interface is ifIndex.3.

Support gave me the OID below, but I'm not convinced it's correct. I also can't see how to change it per interface.

Any help would be greatly appreciated.

Object     cfwBasicConnectionEventType

OID        1.3.6.1.4.1.9.9.147.1.1.1.2.1.5

Type       ConnectionEvent
           1:other
           2:accept
           3:error
           4:drop
           5:close
           6:timeout
           7:refused
           8:reset
           9:noResp

"The type of connection-related event that this row contains.
If the event is not connection-related this object will not
be instantiated."

5 REPLIES
Gold

SNMP - Accepted Dropped Connections per Interface

Hi Justin,

When you say you want to see accepted and dropped connections due to a policy on the outside interface, what exactly do you mean? Connections can be built and torn down for many reasons, so defining which policy you're referring to will help. Is there a particular counter or 'show' output on the CLI that you're looking to poll via SNMP?

cfwBasicConnectionEventType will probably be your best bet, though it's global for the ASA so you'll need to do some filtering after the data is received.

-Mike

New Member

SNMP - Accepted Dropped Connections per Interface

Thanks for the response.

I guess counters on the outside_acl would make the most sense.

Gold

SNMP - Accepted Dropped Connections per Interface

Hi Justin,

Unfortunately, the ASA doesn't have an OID that can poll ACL hits. You can log the ACL hits to a syslog and then redirect the syslog via SNMP to a server, but this would be a trap rather than a poll.

If you want an automated way to query the hits every month, you might want to look into Smart Call Home which is more suited for this type of monitoring. You can configure a profile to check the ACL hits and have it email them to you or HTTPS POST it to a web server once a month. You can find some config examples here:

https://supportforums.cisco.com/docs/DOC-14958

-Mike

New Member

SNMP - Accepted Dropped Connections per Interface

Thanks again.

"Log the ACL Hits to syslog"

Would that show each hit in detail or just a counter like object?

Could I just clear the counters on the ACL monthly I wonder ?

Justin

Gold

SNMP - Accepted Dropped Connections per Interface

Hi Justin,

The logs will look like this:

Permitted:

%ASA-6-106100: access-list outside_in permitted tcp outside/192.168.1.100(60270) -> inside/10.1.1.10(443) hit-cnt 1 first hit [0x8545f26e, 0x0]

Denied:

%ASA-6-106100: access-list outside_in denied tcp outside/192.168.1.100(60290) -> inside/10.1.1.10(80) hit-cnt 1 first hit [0x6c9e7133, 0x0]

That will be a lot more information than you probably want. If you just want to see the aggregate hits each month, my suggestion would be to use Smart Call Home (or maybe an Expect script via SSH) to pull the ACL hits (something like 'show access-list | ex hitcnt=0') once a month and then immediately clear them ('clear access-list ' counters).

-Mike
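Added example (not from the thread, Cisco, or the ASA itself): a small Python parser that reads ASA 106100 syslog lines in the format Mike shows above and sums `hit-cnt` per ACL and action, optionally keeping only hits whose source interface is `outside`. The sample log lines are constructed for the example; the regex assumes the field layout of the two lines quoted above (both the `first hit` and `300-second interval` suffixes are accepted because the pattern stops after the hit count).

```python
import re
from collections import Counter

# Fields of ASA message 106100 as shown in the reply: ACL name, action,
# protocol, src_if/src_ip(port) -> dst_if/dst_ip(port) hit-cnt N ...
ASA_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>[^/]+)/(?P<src_ip>[^(]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst_ip>[^(]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hits>\d+)"
)

def parse_106100(line):
    """Return the fields of a 106100 line as a dict, or None for any other message."""
    m = ASA_106100.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("src_port", "dst_port", "hits"):
        ev[key] = int(ev[key])
    return ev

def count_acl_hits(lines, interface=None):
    """Sum hit-cnt per (acl, action). With interface set, keep only entries whose
    source interface matches it (e.g. 'outside' for the poster's outside_acl)."""
    totals = Counter()
    for line in lines:
        ev = parse_106100(line)
        if ev is None or (interface and ev["src_if"] != interface):
            continue
        totals[(ev["acl"], ev["action"])] += ev["hits"]
    return totals

# Constructed sample: the two lines from the reply, a repeat-interval line,
# an inside-to-outside hit, and an unrelated 302013 connection message.
SAMPLE_LOG = [
    "%ASA-6-106100: access-list outside_in permitted tcp outside/192.168.1.100(60270) -> inside/10.1.1.10(443) hit-cnt 1 first hit [0x8545f26e, 0x0]",
    "%ASA-6-106100: access-list outside_in denied tcp outside/192.168.1.100(60290) -> inside/10.1.1.10(80) hit-cnt 1 first hit [0x6c9e7133, 0x0]",
    "%ASA-6-106100: access-list outside_in denied tcp outside/192.168.1.101(41022) -> inside/10.1.1.10(22) hit-cnt 4 300-second interval [0x6c9e7133, 0x0]",
    "%ASA-6-106100: access-list inside_out permitted udp inside/10.1.1.20(53211) -> outside/198.51.100.53(53) hit-cnt 2 first hit [0x12ab34cd, 0x0]",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:192.168.1.100/60270 (192.168.1.100/60270) to inside:10.1.1.10/443 (10.1.1.10/443)",
]

if __name__ == "__main__":
    for (acl, action), hits in sorted(count_acl_hits(SAMPLE_LOG, "outside").items()):
        print(f"{acl:<12} {action:<10} {hits}")
```

Feed it a month of collected syslog and it gives the aggregate the poster asked for without touching the ACL counters on the box.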
