Cisco ASA 5585-X clustering

Hello, thank you for your inquiry.

How exactly does this Cluster behave from an SNMP standpoint? Both nodes have the same Addresses? Can you define more than one SNMP Agent to monitor the invidual node?

What is it that you want to monitor exactly, the status of the Cluster or the hardware status of a specific node? If you're interested in monitoring the status of the cluster or cluster nodes it may be possible with the Cisco CISCO-FIREWALL-MIB:

The cfwHardwareStatusValue contains the "current status of the resource":

If that's available, a few Custom SNMP Sensors together with lookups would allow you to have an accurate overview of your cluster. For more info's about creating lookups please check:

• Value interpretation (aka Lookups)

Please download our latest SNMP Tester, run it on the PRTG Host (or host of the Remote Probe), and perform a "Walk" against the target device providing the "1.3.6.1.4.1.9.9.147.1.2.1.1" OID (without quotes) as parameter.

Which results do you get in the Tester? Please share the result of the walk test.

Hi Luciano!

Actually i only can connect to the master node of the cluster; its a cluster of 2 members using 5585-x units.

thats the output you asked for:

----------------------- New Test -----------------------
Paessler SNMP Tester 5.2.1
06/11/2015 15:51:33 (1 ms) : Device: 10.11.2.1
06/11/2015 15:51:33 (1 ms) : SNMP V1
06/11/2015 15:51:33 (1 ms) : Walk 1.3.6.1.4.1.9.9.147.1.2.1.1
06/11/2015 15:51:33 (3 ms) : 1.3.6.1.4.1.9.9.147.1.2.1.1.1.2.4 = "Failover LAN Interface" [ASN_OCTET_STR]
06/11/2015 15:51:33 (30 ms) : 1.3.6.1.4.1.9.9.147.1.2.1.1.1.2.6 = "Primary unit" [ASN_OCTET_STR]
06/11/2015 15:51:33 (32 ms) : 1.3.6.1.4.1.9.9.147.1.2.1.1.1.2.7 = "Secondary unit (this device)" [ASN_OCTET_STR]
06/11/2015 15:51:33 (34 ms) : 1.3.6.1.4.1.9.9.147.1.2.1.1.1.3.4 = "3" [ASN_INTEGER]
06/11/2015 15:51:33 (47 ms) : 1.3.6.1.4.1.9.9.147.1.2.1.1.1.3.6 = "3" [ASN_INTEGER]
06/11/2015 15:51:33 (49 ms) : 1.3.6.1.4.1.9.9.147.1.2.1.1.1.3.7 = "3" [ASN_INTEGER]
06/11/2015 15:51:33 (50 ms) : 1.3.6.1.4.1.9.9.147.1.2.1.1.1.4.4 = "not Configured" [ASN_OCTET_STR]
06/11/2015 15:51:33 (52 ms) : 1.3.6.1.4.1.9.9.147.1.2.1.1.1.4.6 = "Failover Off" [ASN_OCTET_STR]
06/11/2015 15:51:33 (54 ms) : 1.3.6.1.4.1.9.9.147.1.2.1.1.1.4.7 = "Failover Off" [ASN_OCTET_STR]

Hello xveral,
thank you for your reply.

Based on the results of the walk file, it doesn't look very good:

Based on this result, from an SNMP Standpoint the device is reporting that both units have "Failover Off" and are in status 3 (Down). We're unable to confirm whenever this are normal values/readings.

You should be able to monitor the status using the Custom Sensors or Library Sensors(importing the MIB), but only Cisco will be able to confirm the meaning of those values, as we rely on their documentation.

Best Regards,

sure, this is a normal behaviour because we dont have a failover; we have a cluster. Some info:

Cisco ASA Clustering: Changing the shape of network security

thanks!

Hello xveral,
thank you for your reply.

I'm afraid that we don't yet have much expertise in this scenario. I was able to located the following from Cisco's Documentation Configuring a Cluster of ASAs.

SNMP

An SNMP agent polls each individual ASA by its Local IP address. You cannot poll consolidated data for the cluster.

You should always use the Local address, and not the Main cluster IP address for SNMP polling. If the SNMP agent polls the Main cluster IP address, if a new master is elected, the poll to the new master unit will fail.

Source: Cisco ASA Cluster - SNMP

This leads me to believe that the nodes in the cluster will still have independent SNMP configurations and agents and you should be able to pool them individually for things like CPU utilization and hardware status using the standard sensors.

Cisco's Table 1.1 also indicates that the SNMP Engine ID is not Replicated Across the ASA Cluster.

Best Regards,