Cisco Firewall :: ASA5505 SNMP Polling Fails?
May 31, 2012
I am having issues with monitoring our Cisco ASA5505 devices with "SolarWinds Orion NPM 10.2" through the use of SNMPv2. On some devices we see that SNMP polling stops and that the ASA's interfaces would show up as unknown - usually when the link to the device goes down/up or after a random ammount of time. At that point SNMP polling data is no longer updated and all we can rely on is ICMP for device status. I can resolve the issue by restarting the remote ASA OR restarting the SolarWinds server after which polling resumes. We are only seeing this behaviour with our remote ASA's.
Our setup is as follows:
Head End: Cisco ASA 5520 [ASA 8.3(2)]
Remote: Cisco ASA 5505 [ASA 8.3(2)]
I have found a SolarWinds article listed below that possibly identifies the issue that we are having but am not sure where to start.
[URL]
View 8 Replies
ADVERTISEMENT
Sep 28, 2011
I have an LMS 4.0.1 server (on Windows 2008 R2) with all the LMS and device updates applied that fails when trying to do an Inventory Collection on a Cisco 3925E router. The router is running IOS Version 15.1(1)T2. This device is apparently supported according to:
[URL]
Some 'show ver' info:
Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.1(1)T2, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 15.1(1r)T2, RELEASE SOFTWARE (fc1)
System image file is "flash0:c3900e-universalk9-mz.SPA.151-1.T2.bin"
Cisco CISCO3925-CHASSIS (revision 1.0) with C3900-SPE200/K9 with 689152K/293888K bytes of memory.
'show inv':
NAME: "CISCO3925-CHASSIS", DESCR: "CISCO3925-CHASSIS"
PID: CISCO3925-CHASSIS , VID: V02, SN: FGL152610R8
[Code]....
View 2 Replies
View Related
Apr 29, 2013
How to get the Snmp OID for polling the in and out utilization for the CIsco 1900 Series Router interfaces.
View 1 Replies
View Related
Sep 1, 2011
I have a customer with an ASA5505 where it will not reply to SNMP polls from any source, i have followed the configuration guide [URL].at and tested another ASA in our internal network and i have that working fine on our LAN, here is the snmp and logging sections of the show-run on the ASA, it there anything obvious im missing to make the SNMP work on this device?
snmp-server host outside 203.XX.75.122 community XXXX
snmp-server host outside 203.XX.84.196 community XXXX
snmp-server host outside 203.XX.86.82 community XXXX
snmp-server host outside 82.XX.244.3 community XXX
[Code] .....
View 3 Replies
View Related
Feb 13, 2013
I have a ASA5505 with version 8.4(3) that it's working as a DHCP server and I would like to get information about IPs availables (or assignated) on theirs pools via SNMP but I can't find the MIB or OID that I need.
What MIB that I need?
View 1 Replies
View Related
Apr 3, 2012
We currently have a few 5505s installed at client sites which are connected via s2s ipsec VPN to our datacenter's 5510. We are using Nagios to monitor the local data center and remote client infrastructure (over the VPNs) which has been working well.
We would like to also monitor the remote 5505s using SNMP over the s2s tunnels but it doesn't seem to be working, the connection is timing out. We've configured the remote 5505s with the same snmp statement we used on the 5510 (snmp-server host inside <remote datacenter IP> poll community ***** version 2c) yet the Nagios SNMP check cannot connect to the remote 5505s. We've also tried the command using 'outside' without any luck, not sure how to get SNMP to route over the VPN.
View 15 Replies
View Related
Dec 8, 2011
I am in vain trying to transfer image to my asa5505, but fails in last step copying the file to flash:
Boots to rommon
tftpdnld image -> asa5505 boots on tftp file in en mode, i try to copy command but this fails, always getting No such device error. I have tried all different solutions found on google for this step, but it simply does not work, as i am never able to ping anything from the ASA.
rommon #6> tftpdnld
ROMMON Variable Settings:
ADDRESS=192.168.1.115
SERVER=192.168.1.113
GATEWAY=192.168.1.254
PORT=Ethernet0/0
VLAN=untagged
IMAGE=asa805-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
tftp asa805-k8.bin@192.168.1.113 via 192.168.1.254
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ciscoasa# copy tftp disk0:
Address or name of remote host []? 192.168.1.113
Source filename []? asa805-k8.bin
Destination filename [asa805-k8.bin]?
Accessing tftp://192.168.1.113/asa805-k8.bin...
%Error opening tftp://192.168.1.113/asa805-k8.bin (No such device)
Apparently it dont work with Eth, nor with vlan 1. Any way to shut down all functions in router so i can access everything?
View 2 Replies
View Related
May 1, 2012
We use LMS 3.2 with the latest patches. In IPM we have a couple of collectors (availabilty latency etc) and reports for our customers.
The polling interval for all collectors are working hour 7:30 - 18:00 Mo - Fr.
Unfortunately the polling detail is not included in the PDF report. Is there a way to include this information in the report.
View 1 Replies
View Related
Oct 27, 2012
Just purchased a Cisco SG200-26 (non-PoE version).
It works great, but since hooking it up to my network, my Synology NAS won't hibernate.
So I went and checked if the switch was polling, and indeed it is. Every 1-2 seconds, the activity LED on all connected ports, flashes simoultaneously.
When the LED on the switch flashes, the network LED on my NAS also flash. So I'm prone to think the switch is polling the entire network every couple seconds.
I've tried disabling Spanning Tree, and other other options that could relate to the issue, but without any luck.
View 19 Replies
View Related
Jun 23, 2011
I have 3560-24PS-S (ios version 12.2(35)SE1) that have high CPU (almost 100%) use at every inventory collection (each sunday) or polling (each day 6 a.m) during 2 or 3 minutes.
I read on the forum, that this could be due to some mib object polling failure, and could, perhaps, be solved by upgrading the ios version or configuring view preventing the poll of the problematic object.
But what view to configure ?Is there well known MIB objects to filter ? Which ones ? I did not see any bug related to my IOS version and this behavior in the bug toolkit ... I join some sh commands (unfortunately done when no problem). I will try to obtain the output of the sh command when the pb occurs.
View 1 Replies
View Related
Sep 7, 2011
How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?
View 1 Replies
View Related
Jun 13, 2012
I have an Pix 515E firewall with Pix724-33.bin IOS. I just want to know that does this IOS support SNMPV3 or I will have to upgarde it with some other version.
View 1 Replies
View Related
Feb 24, 2011
I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.
When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.
The ASA5505 configuration is shown below.
hostname Firewall
interface Ethernet0/0
description Connected To Internet Router
switchport access vlan 10
[Code].....
View 2 Replies
View Related
May 17, 2011
i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.
View 2 Replies
View Related
Jul 14, 2011
I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
View 32 Replies
View Related
Jan 9, 2013
Internet ISP -> Juniper SRX 210 Ge-0/0/0
Juniper fe0/0/2 -> Cisco ASA 5505
Cisco ASA 5505 - >Inernal LAN switch.
1. Internet is connected to Juniper Ge0/0/0 via /30 IP.
2. Juniper fe0/0/2 port is configured as inet port and configured the Internal public LAN pool provided by the ISP. And this port is directly connected to Cisco ASA 5505 E0/0. Its a /28 pool IP address. This interface is configured as outside and security level set to 0.
From Juniper SRX, am able to ping public Internet IPs (8.8.8.8).
Issue:
1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30)
2. From ASA no other Public internet IP is pinging.
Troubleshooting Done so far.
1, Configured icmp inspection on ASA.
2. Used the packet tracer in ASA, it shows the packet is flowing outside without a drop.
3. Allowed all services in untrust zone in bound traffic in Juniper SRX.
4. Viewed the logs when I was trying the ping 8.8.8.8 in ASA. It says "Tear down ICMP connection for faddrr **** gaddr **
View 2 Replies
View Related
Sep 4, 2011
I have a simple query for the issues I m facing currently.I have @ remote site remote site PIX firewall which is configurd to get the Snmp poll on the server locate outside via site to site VPN.There is another snmp server located also in inside which I’m not managing it .
========================================================================
below are the command for the snmp configured on PIX.
snmp-server host inside x.x.x.x community XXXXX ---This is not managed by us
snmp-server host inside x.x.x.x community XXXXX
snmp-server host outside y.y.y.y (private IP tunneled though VPN) poll community YYYYY ---Managed by us
snmp-server host outside y.y.y.y poll community YYYYY
[code]....
there are 2 snmp community & server defined in snmp-server host command for 2 different IP address belongs to snmp server and we can only define one global snmp-server community for any one of them .Question is how the snmp community take a precedence currently I am able to ping from my snmp server from outside to the PIX firewall outside interface over L2L VPN but somehow the snmp server is not listening when i do port query on 161 por!.
View 3 Replies
View Related
Nov 13, 2012
Seems like something simple, but can't find on Cisco.com. What are the max SNMP hosts allowed on an ASA 8.2 code? That would be Polls and Traps?
View 1 Replies
View Related
Oct 13, 2011
Does 8.4(2) support snmp v3?
View 1 Replies
View Related
Apr 1, 2013
I'm trying to troubleshoot an ASA5505.
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic. I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did. That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below. However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
show ver
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"
[Code].....
View 4 Replies
View Related
Mar 28, 2011
The FTP server log shows no hits, from 192.168.1.4 I can telnet to 5505 no problem.
Doing everything on inside interface eth0/1, ftp server shows up and arp table of 5505 has correct mac for 192.168.1.4
ciscoasa# copy ftp://bob@192.168.1.4/asa841-k8.bin disk0:
Address or name of remote host [192.168.1.4]?
Source username [bob]?
[Code]...
View 2 Replies
View Related
Aug 27, 2008
Is there a way to trigger stateful (or stateless) failover on ASA 55xx (8.0.3) when there's a failure on the IPS unit? I understand the fail open/fail close and its application on a single firewall, but the better solution for an IPS failure in a redundant pair would seem to be a stateful failover to the other ASA, and I don't see that as a documented feature.
View 8 Replies
View Related
Apr 10, 2013
I have a Cisco ASA 5510 with a strange issue. When I power it ON, the following is the status of the front panel LED:
Power is OFF
Status is Amber
Active is Amber
VPN is Green
Flash is OFF
Also nothing comes up on the console. I suspected a Power supply issue and replaced it, but still it doesn't seem to work.I cant open up a TAC as I do not have a Smart Net contract.
View 2 Replies
View Related
Aug 16, 2012
Does the pix-501 support multiple SNMP communities? Im trying to add a second one, but the original community string gets removed when I add the new one. If we can have multiple SNMP hosts, then I woud imagine you could have multiple strings. I thought it was like most switches and routers, which can have the following:
snmp-server community STRING1
snmp-server community STRING2
The Pix-501 is currently running on version 6.3(5).
View 2 Replies
View Related
Jun 14, 2011
i would like to get information from my ASA5520 using SNMP V2c such as :
-xtable entries
-ARP cache table
does it's possible or not ..
View 2 Replies
View Related
Mar 16, 2013
i have a Problem with SNMP on the ASA Outside Interface. I want to monitor the Interface via SNMP (linkup, link down). I have a Active/Passive Cluster running on 8.4.2 and configured SNMP (v1) for Test on the Outside Interface. It's not that hard but when i try to test my Configuration with (peerless) SNMP Tester the Interface doesn't respond. Did i forget to configure something? Searched the forum but didn't find anything useful.
View 4 Replies
View Related
Dec 12, 2011
We have ASA 5540 with 8.2 SW. We are trying to download a file (3 MB pdf) from https session which fails if done behind the firewall. In case, the client bypasses firewall, the file gets downloaded as usuall. Interesting thing here to note is that when client is behind the firewall, its takes a long time to download the file and the file size always 312 Bytes, of course its a corrupt file.
View 3 Replies
View Related
Jun 6, 2011
The client is only interested to have one-WAN(MPLS) and One internet circuit with Dual ASA5510 primary/failover configuration. In the event primary firewall fails, there is no direct WAN/internet connection to failover firewall. I beleived that to mitigate the issue, I needed to add a layer 3 switch , and have each circuit (MPLS/Internet) or (modems/routers) connect to a L3 switch. L3 switch will do the vlan based routing based on the state of firewall. ? am i correct? The client want automatic failover to secondary firewall in the event the actual firewall failed without impacting the day to day business.
View 3 Replies
View Related
Nov 6, 2012
I have CISCO pix, version 525, today while trying to save the config, I am getting below error
GPRS-PIX# wrBuilding configuration...no memory available
Error executing command
[FAILED]
Cisco PIX Security Appliance Software Version 8.0(4)Device Manager Version 6.1(5)51
Compiled on Thu 07-Aug-08 19:42 by buildersSystem image file is "flash:/pix804.bin"
[Code]....
View 4 Replies
View Related
Mar 27, 2008
I am trying to monitor my ASA 5505. This asa is connect via a ip-sec tunnel to our network. I have no problems with snmp monitoring devices behind the ASA, but when trying to monitor the asa itself I do not get a SNMP response.
View 2 Replies
View Related
Oct 23, 2012
i am wanting to open up snmp on a pix 501 6.3 version. I am planning on doing it with the following configuration: [code]
I noticed you cannot specify RO on the snmp-server command with the older pix. I don't want this configuration to open up any write access to the pix. Is there a way to specify only read only for snmp
View 1 Replies
View Related
Feb 6, 2013
I have an ASA-5505 which I have been managing using ASDM from a PC and a Mac.I just happens that the Mac has not been used in a little while and when I tried to use ASDM on it, it fails.I've had a trawl through various posts and release notes (after updating various components in the process, incl Java with all the diabling/security updates of late) but am still having the problem and this is where I'm at:
- the ASA runs v8.4(2) and ASDM 7.1(1)52
- release notes state that ASDM 7.1 should work on Java 7 on Windows 7 and MacOS 10.7
- ASDM starts fine on my Windows 7 PC running Java 1.7.0_13
- I am also running Java 1.7.0_13 on MacOS 10.7.5
- on MacOS, ASDM starts, asks for credentials, download/refreshes the cached app... and then crashes with the following exception message:
The root cause of the issue seems to be that a Java class called apple.laf.AquaTableHeaderUI is not found..Now, I don't know much about Java, but that seems to be an Apple UI related class - I presume that it would be good to use this to give ASDM a more native look and feel, but why on earth is there no fallback? or am I missing something?
View 4 Replies
View Related
Jul 8, 2012
I want to set-up a HA for ASA5510. I wanted to design the network to achieve HA. I am attaching the present set-up of the network. At present, I have 2 ISPs connections terminating in ASA5510. The configuration is done for failover in ASA5510.I have another ASA5510 and want to use it for HA. I needed to know the design for the set-up. I want a stateless failover since the amount of traffic is less. I don't have any ISP routers in the present network. I suppose I need 2 routers for HA and couple of switches. One more question is that, as there are SSL VPN users, is there any way for the users to not get disconnected when one device fails.
View 5 Replies
View Related
