Cisco Support Community

Smart Call Home - Anonymous Reporting on the ASA

What information is sent in to Cisco?

The following configuration lines are added when Smart Call Home Anonymous Reporting is enabled:

profile _anonymous
  destination address http
  destination transport-method http
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group diagnostic severity disaster

This configuration can be seen by issuing show running-config all call-home. The first two lines under profile _anonymous indicate that the ASA will contact Cisco's Smart Call Home server using HTTPS (secure HTTP). The following three lines indicate which categories of information are sent in, and how frequently that data is sent. In the next few subsections, we will look at each of the alert-group categories in detail to explain what information is sent in to Cisco.

Inventory Alert-Group

The config line:

subscribe-to-alert-group inventory periodic monthly

causes the ASA to send in the output of the following commands, on a monthly basis:

  • show inventory
  • show version
  • show module
  • show failover state
  • show environment (if applicable)

Configuration Alert-Group

The config line:

subscribe-to-alert-group configuration periodic monthly

is a little misleading. Reading that line literally, one would believe that the ASA is sending its configuration to Cisco. This is NOT the case. Instead, this line sends in the output of the following commands:

  • show context (if applicable)
  • show call-home registered-module status | exclude disabled

The show call-home registered-module status command just lists which modules (i.e., features) are on the device, and whether they are enabled or disabled. By piping that output to exclude disabled, the ASA sends in only a list of the modules (features) which are enabled on the device.

Note: When configuring registered Smart Call Home, one does have the ability to send in a sanitized configuration (minus passwords, IP addresses, etc.) from the ASA to Cisco, but this is also not enabled by default. To have the ASA send in a configuration to Cisco, the configuration alert-group line would have to include the keywords export full. For example, the following line would send in a sanitized configuration from the ASA to Cisco:

subscribe-to-alert-group configuration export full periodic monthly

Diagnostic Alert-Group

The config line:

subscribe-to-alert-group diagnostic severity disaster

indicates that the ASA will send diagnostic events which reach the severity level of 'disaster'. There is only one event which reaches this level, and it is generated when the ASA crashes.

When a crash occurs, the ASA records a crashinfo file on flash, which contains the traceback, a partial memory dump, as well as the output from a 'show tech' command, minus the configuration. When the ASA reboots, it checks for the presence of a new crashinfo file. If one exists, the ASA will send just the top portion of the crashinfo file - which is the traceback, but not the partial memory dump or any other information that follows in the crashinfo file. The reason for doing this is that we do not want to send in information which may be considered sensitive or personally identifiable. The traceback information which is sent in contains only the names of the functions which were executing on the processor at the time of the crash.
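To review what a given device actually reports, the alert-group mapping described in the sections above can be applied to saved output of show running-config all call-home. The following is an added example, not Cisco's code or part of the original article; the function names and the profile name registered_example are hypothetical, and the sample configuration is constructed.

```python
import re

# What each alert-group subscription sends to Cisco, as listed in the article.
SENT_BY_GROUP = {
    "inventory": ["show inventory", "show version", "show module",
                  "show failover state", "show environment (if applicable)"],
    "configuration": ["show context (if applicable)",
                      "show call-home registered-module status | exclude disabled"],
    "diagnostic": ["crashinfo traceback (at severity disaster)"],
}
SUBSCRIBE = re.compile(r"^subscribe-to-alert-group\s+(\S+)\s*(.*)$")

def audit_call_home(config_text):
    """Map each call-home profile to what its subscriptions send."""
    report, profile = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("profile "):
            profile = line.split()[1]
            report.setdefault(profile, [])
        match = SUBSCRIBE.match(line)
        if profile is None or not match:
            continue
        group, options = match.group(1), match.group(2).split()
        # "export full" on the configuration group sends a sanitized config.
        exports = group == "configuration" and "export full" in " ".join(options)
        sends = list(SENT_BY_GROUP.get(group, ["not described in the article"]))
        if exports:
            sends.append("sanitized running configuration")
        report[profile].append({"group": group, "sends": sends,
                                "exports_config": exports})
    return report

def profiles_exporting_config(config_text):
    """Names of profiles that send a sanitized configuration to Cisco."""
    return sorted(name for name, subs in audit_call_home(config_text).items()
                  if any(sub["exports_config"] for sub in subs))

# Constructed sample; "registered_example" is a hypothetical profile name.
SAMPLE = """\
profile _anonymous
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group diagnostic severity disaster
profile registered_example
  subscribe-to-alert-group configuration export full periodic monthly
"""

if __name__ == "__main__":
    print("profiles exporting config:", profiles_exporting_config(SAMPLE))
```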