Hi,
I'm trying to add the standby Cisco ASA firewalls we have in our active/standby failover pairs. I am able to add our ASA-SM (ASA service modules), but not the "normal" ASA's or PIX firewalls.
Unfortunately, a Cisco ASA failover pair shares the same "sysName" and "snmpEngineID". This is not configurable on the ASA firewalls.
When I try to add a standby ASA (with a different hostname / IP address) I get the following error: Already got device with SNMP-read sysName (xxxxxxxxxxx) and 'snmpEngineID' = xxxxxxxxxxx (xxxxxxxxxxx). I see that this is because of a check in "functions.php".
Is there any workaround you can think of to allow us to add the standby devices? It is essential for us to monitor them, and we were also hoping to use Observium as our hardware inventory database (which is now missing all standby ASA's).
Regards, Erik
Ask your vendor to fix this. snmpEngineID essentially only unique ID should be configurable so you can actually ID them with same config.
On 18/02/14 17:46, Erik INGEBERG wrote:
Unfortunately, a Cisco ASA failover pair shares the same "sysName" and "snmpEngineID". This is not configurable on the ASA firewalls.
ha! That's a good one. ;o)
-Chris
On 2/18/14 10:01 AM, Nikolay Shopik wrote:
Ask your vendor to fix this. snmpEngineID essentially only unique ID should be configurable so you can actually ID them with same config.
On 18/02/14 17:46, Erik INGEBERG wrote:
Unfortunately, a Cisco ASA failover pair shares the same "sysName" and "snmpEngineID". This is not configurable on the ASA firewalls.
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
No I'm deadly serious about that, We reported lots SNMP issues to Cisco, most of them fixed, but not fast as you may expect though.
Just recent one with incorrect report of IPv6 neighbors as example.
On 18.02.2014 22:11, Chris Moody wrote:
ha! That's a good one. ;o)
-Chris
On 2/18/14 10:01 AM, Nikolay Shopik wrote:
Ask your vendor to fix this. snmpEngineID essentially only unique ID should be configurable so you can actually ID them with same config.
On 18/02/14 17:46, Erik INGEBERG wrote:
Unfortunately, a Cisco ASA failover pair shares the same "sysName" and "snmpEngineID". This is not configurable on the ASA firewalls.
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
Hi,
Not in the mood to start a crusade against Cisco to make them change their snmp stuff. But I did find a workaround I wanted to share.
Just log on to the standby ASA and change the domain name to something else, add / discover the device (which now has a different snmp sysName), and then change the domain name back.
Regards, Erik
-----Original Message----- From: observium [mailto:observium-bounces@observium.org] On Behalf Of Nikolay Shopik Sent: 18. februar 2014 20:16 To: Observium Network Observation System Subject: Re: [Observium] Unable to add standby Cisco ASA
No I'm deadly serious about that, We reported lots SNMP issues to Cisco, most of them fixed, but not fast as you may expect though.
Just recent one with incorrect report of IPv6 neighbors as example.
On 18.02.2014 22:11, Chris Moody wrote:
ha! That's a good one. ;o)
-Chris
On 2/18/14 10:01 AM, Nikolay Shopik wrote:
Ask your vendor to fix this. snmpEngineID essentially only unique ID should be configurable so you can actually ID them with same config.
On 18/02/14 17:46, Erik INGEBERG wrote:
Unfortunately, a Cisco ASA failover pair shares the same "sysName" and "snmpEngineID". This is not configurable on the ASA firewalls.
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
_______________________________________________ observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
Sure, workarounds are nice. But since you already paid top dollar, why not open tac case for it. As it clearly business case you need to solve.
Will save others time in future not doing any workarounds :)
On 19 февр. 2014 г., at 12:04, Erik INGEBERG eri@steria.no wrote:
Hi,
Not in the mood to start a crusade against Cisco to make them change their snmp stuff. But I did find a workaround I wanted to share.
Just log on to the standby ASA and change the domain name to something else, add / discover the device (which now has a different snmp sysName), and then change the domain name back.
Regards, Erik
-----Original Message----- From: observium [mailto:observium-bounces@observium.org] On Behalf Of Nikolay Shopik Sent: 18. februar 2014 20:16 To: Observium Network Observation System Subject: Re: [Observium] Unable to add standby Cisco ASA
No I'm deadly serious about that, We reported lots SNMP issues to Cisco, most of them fixed, but not fast as you may expect though.
Just recent one with incorrect report of IPv6 neighbors as example.
On 18.02.2014 22:11, Chris Moody wrote: ha! That's a good one. ;o)
-Chris
On 2/18/14 10:01 AM, Nikolay Shopik wrote: Ask your vendor to fix this. snmpEngineID essentially only unique ID should be configurable so you can actually ID them with same config.
On 18/02/14 17:46, Erik INGEBERG wrote: Unfortunately, a Cisco ASA failover pair shares the same "sysName" and "snmpEngineID". This is not configurable on the ASA firewalls.
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium _______________________________________________ observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
The ASA's use UDP 162 for SNMP, for whatever brilliant reason.
Just flip that when you are adding the device and all should be well.
We have a pair of 5520's that get monitored just fine.
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Erik INGEBERG Sent: Tuesday, February 18, 2014 8:47 AM To: observium@observium.org Subject: [Observium] Unable to add standby Cisco ASA
Hi,
I'm trying to add the standby Cisco ASA firewalls we have in our active/standby failover pairs. I am able to add our ASA-SM (ASA service modules), but not the "normal" ASA's or PIX firewalls.
Unfortunately, a Cisco ASA failover pair shares the same "sysName" and "snmpEngineID". This is not configurable on the ASA firewalls.
When I try to add a standby ASA (with a different hostname / IP address) I get the following error: Already got device with SNMP-read sysName (xxxxxxxxxxx) and 'snmpEngineID' = xxxxxxxxxxx (xxxxxxxxxxx). I see that this is because of a check in "functions.php".
Is there any workaround you can think of to allow us to add the standby devices? It is essential for us to monitor them, and we were also hoping to use Observium as our hardware inventory database (which is now missing all standby ASA's).
Regards, Erik
_______________________________________________________________
NOTICE TO PERSONS SUBJECT TO UNITED STATES TAXATION (MCPS)
DISCLOSURE UNDER TREASURY CIRCULAR 230: The United States Federal tax advice, if any, contained in this document and its attachments may not be used or referred to in the promoting, marketing or recommending of any entity, investment plan or arrangement, nor is such advice intended or written to be used, and may not be used, by a taxpayer for the purpose of avoiding Federal tax penalties. _______________________________________________________________
participants (4)
-
Chris Moody -
Erik INGEBERG -
Nikolay Shopik -
Ryan, Spencer J.