I noticed that a pair of firewalls I had failed over about a month ago but the only thing showing in the logs of the device was that the mac addresses all changed. Is there a way to get better alerting on failover? I know the stateful failover are almost sub second but logs are generated.
Not sure if you can monitor that with SNMP but figured I would throw that out there.
Carlos
If only mac address would become metric attribute it would be possible to track failovers and alert whenever mac changes. I'm not sure if thats possible but hope to see it. Lukasz 5 lis 2014 16:09 "Carlos Martinez" cmartinez@datapipe.com napisał(a):
I noticed that a pair of firewalls I had failed over about a month ago but the only thing showing in the logs of the device was that the mac addresses all changed. Is there a way to get better alerting on failover? I know the stateful failover are almost sub second but logs are generated.
Not sure if you can monitor that with SNMP but figured I would throw that out there.
Carlos _______________________________________________ observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
Do keep in mind that in true “high-availability” scenarios, the MAC address can be manually configured as part of the ASA failover, thus making it where the device MAC address does NOT change in case of a failover situation, the standby device even assumes the configured MAC address.
Just having a cursory glance at the CISCO-FIREWALL-MIB, the only thing I find is as follows:
Hardware ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION "This textual convention is used to describe various hardware
resouces that can be monitored by the firewall.
memory - identifies memory.
disk - identifies disk.
power - identifies power.
netInterface - identifies a network interface.
tape - identifies a tape drive.
controller - identifies hardware controller.
cpu - identifies CPU.
primaryUnit - identifies the primary unit of the two
identical firewalls configured redundancy.
secondaryUnit - identifies the secondary unit of the two
identical firewalls configured redundancy.
other - identifies other hardware.
That might be one OID that can be polled to determine which device is active…. that primaryUnit vs secondaryUnit.
…Ron
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Lukasz Sztukowski Sent: Wednesday, November 05, 2014 9:13 AM To: Observium Network Observation System Subject: Re: [Observium] Cisco ASA failover
If only mac address would become metric attribute it would be possible to track failovers and alert whenever mac changes. I'm not sure if thats possible but hope to see it. Lukasz
5 lis 2014 16:09 "Carlos Martinez" cmartinez@datapipe.com napisał(a):
I noticed that a pair of firewalls I had failed over about a month ago but the only thing showing in the logs of the device was that the mac addresses all changed. Is there a way to get better alerting on failover? I know the stateful failover are almost sub second but logs are generated.
Not sure if you can monitor that with SNMP but figured I would throw that out there.
Carlos _______________________________________________ observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
On 11/5/2014 7:08 AM, Carlos Martinez wrote:
I noticed that a pair of firewalls I had failed over about a month ago but the only thing showing in the logs of the device was that the mac addresses all changed. Is there a way to get better alerting on failover? I know the stateful failover are almost sub second but logs are generated.
Not sure if you can monitor that with SNMP but figured I would throw that out there.
Yes, the status can be checked via SNMP -- here is a subset of code from a Perl Nagios plugin we use that shows the different modes. Not pretty, but does the job.
# load failover hash based on this table my $snmpCfwHardwareStatusValue = '1.3.6.1.4.1.9.9.147.1.2.1.1.1.3';
if ($failover{6} == 0) { $state = 'WARNING'; print "$state: $hostname failover disabled\n"; } elsif ($failover{6} == 9 and $failover{7} == 10) { $state = 'OK'; print "$state: $hostname pri active, sec standby\n"; } elsif ($failover{6} == 9 and $failover{7} == 9) { $state = 'CRITICAL'; print "$state: $hostname pri and sec are BOTH active\n"; } elsif ($failover{6} == 9 and $failover{7} == 4) { $state = 'WARNING'; print "$state: $hostname pri active, sec error\n"; } elsif ($failover{6} == 9) { $state = 'WARNING'; print "$state: $hostname pri active, sec unknown\n"; } elsif ($failover{6} == 10 and $failover{7} == 9) { $state = 'WARNING'; print "$state: $hostname pri standby, sec is active\n"; } elsif ($failover{6} == 10 and $failover{7} == 4) { $state = 'WARNING'; print "$state: $hostname pri standby, sec error\n"; } elsif ($failover{7} == 9) { $state = 'WARNING'; print "$state: $hostname pri unknown, sec active\n"; } else { $state = 'UNKNOWN'; print "$state: $hostname failover status is unknown\n"; }
Regards, Mark
participants (4)
-
Carlos Martinez -
Mark D. Nagel -
Ron Marosko -
Łukasz Sztukowski