Cisco ASA IP SLA Reporting & HA Failover Alerting

IP SLA status is correctly reported from our core VSS switch but does not appear from ASA devices. Does anyone else see IP SLA reported from Cisco ASA firewalls? (Tried 9.7 and 9.8(2) software versions).
On the subject of Cisco ASA, does anyone have HA failover correctly alerting? I've tried to implement an alert but not quite mastered the technique.
Thanks in advance for any advice
Darren

ASAs wouldn't make it through a functional quality assurance process. I think that's probably the issue. :D
Alternatively, find out if these devices actually expose IP SLA / RTT in SNMP, perhaps we don't have the MIB assigned to the ASA.
adam.

After diagnostic assistance from Adam it's sad to report that the Cisco ASA platform does not expose IP SLA details.
Any assistance or ideas for ASA HA failover alerting would be gratefully received - here's what I have so far:
[image: Inline images 1]
Many thanks
Darren

Do they generate useful syslog messages?
Adam.

Hi Adam,
Thanks for the syslog suggestion - I'll try that.
Regards
Darren

This is the alert checker I use to monitor and alert on ASA redundancy. It may not be what you are looking for as it does not alert on a failover event itself - the alert triggers when the cluster is no longer redundant and is cleared when both are up and in a normal HA state. I find this acceptable in my environment since it is more likely one is hard down (hardware failure, power outage, etc.) rather than down due to a soft outage (software crash or interface link down). Basically I don't care if they failed over, I care if they *can't* fail over!
If you want to alert on the HA event, a syslog alert would be an easy way to go. The ASA definitely throws a log you can match on.
[image: Inline image 1]

Hi Andrew,
Thanks very much for the ASA HA alert; I've created a clone on the production network - hopefully it won't trigger too often.
Also, thanks for the recommendation about syslog, it's time for me to finish off the syslog integration, which I haven't got working yet.
Thanks again
Darren

Howdy guys,
On ASA syslogging, what format do you have exporting from the ASA, and did you do anything special to the syslog processing file on your observium host? I’m obviously not doing something right, witness the following:
Yeah, all those [[EMPTY]] fields.
Advice, please?
Thx,
Ron

As said below, this way you can get an alert when the Primary ASA is changed. If the secondary is active you will have an active alert and get notified once a week.
[image: Inline image 1]
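
Added example, not part of the thread or of Observium: a sketch of the syslog matching suggested earlier in the thread, separating a failover event (a unit switching role) from loss of redundancy (mate unreachable), and flagging when the secondary unit is the one left active. The message IDs 104001, 104002 and 103001 are assumed from Cisco's ASA syslog reference and should be checked against your release; the sample lines and hostnames are constructed.

```python
import re

# Assumed ASA failover message IDs (verify against Cisco's syslog reference):
ROLE_CHANGE = {"104001": "active", "104002": "standby"}  # unit switched role
PEER_LOST = {"103001"}  # no response from the other firewall

# "<host> %ASA-<sev>-<id>: (Primary|Secondary) <text>", with an optional " : " after the host.
ASA_RE = re.compile(
    r"(?P<host>\S+)\s+(?::\s*)?%ASA-\d-(?P<id>\d{6}):\s+"
    r"\((?P<unit>Primary|Secondary)\)\s+(?P<text>.*)"
)

def analyse(lines):
    """Split failover syslog into role-change events and hosts that lost their mate."""
    events, no_mate = [], set()
    for line in lines:
        m = ASA_RE.search(line)
        if m is None:
            continue  # unrelated message, or an ASA message without a unit tag
        if m["id"] in ROLE_CHANGE:
            events.append((m["host"], m["unit"], ROLE_CHANGE[m["id"]]))
        elif m["id"] in PEER_LOST:
            no_mate.add(m["host"])
    return events, no_mate

def secondary_active(events):
    """Hosts whose most recent role change left the Secondary unit active."""
    last = {}
    for host, unit, role in events:
        last[host] = (unit, role)
    return sorted(h for h, state in last.items() if state == ("Secondary", "active"))

# Constructed sample lines (hostnames, timestamps and reason text are made up).
SAMPLE = [
    "Feb  3 13:12:01 fw-b %ASA-1-103001: (Secondary) No response from other firewall (reason code = 4).",
    "Feb  3 13:12:09 fw-b %ASA-1-104001: (Secondary) Switching to ACTIVE - HELLO not heard from mate.",
    "Feb  3 13:12:10 fw-b %ASA-6-302013: Built outbound TCP connection 1 for outside:192.0.2.1/443",
    "Feb  3 13:20:44 fw-a : %ASA-1-104002: (Primary) Switching to STANDBY - Other unit wants me Standby",
    "Feb  3 13:21:30 fw-c %ASA-1-104001: (Primary) Switching to ACTIVE - Set by the config command",
]

if __name__ == "__main__":
    events, no_mate = analyse(SAMPLE)
    for host, unit, role in events:
        print(f"failover event: {host} ({unit}) is now {role}")
    print("mate unreachable reported by:", sorted(no_mate))
    print("secondary unit active on:", secondary_active(events))
```

Syslog only reports the transition; whether the pair is redundant again is better read from the polled HA status, as the alert checker described earlier in the thread does.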

Hi Andrew,
As you can see below the alert (and recovery) messages are working well.
Alert: HA event on Cisco ASA firewall cluster!
Entity: Failover primary unit (this device)
Condition: status_event equals alert (alert)
Metrics: status_event = alert
Duration: 4m 34s (2018-02-03 13:16:43)
Device: *************
Hardware: ASA5525
Operating System: Cisco ASA 9.8(2)
Location: *********
Uptime: 165 days, 1h 13m 34s
Thanks again
Darren

participants (6)
- Adam Armstrong
- Adam Armstrong
- Andrew Plas
- Ron Marosko
- Storer, Darren
- Svensson Fredrik A