Monitoring a Cisco ASA 5510 (snmp?)

[NightHawk]

Nagios Xi noob here. I've worked with it enough to know how to navigate around pretty well, add new servers, modify notifications, etc... I've never setup monitoring for a firewall though. I would like to monitor our Cisco ASA 5510's cpu and connections. From what I've read online this is done through SNMP. I've setup SNMP on the firewall with a basic community string, SNMP version 1, with the default port 161. When I try to do an SNMP Walk in Nagios Xi I use the IP of my firewall, port 161, the same community string, version 1, I leave OID blank, default values for timeout, max results, and force scan. I get a no results were returned message.

Leaving the OID blank should return everything I can monitor from the firewall correct?

Now if I do an auto discovery from within Nagios Xi it only shows me SSH, Telnet, and https. Does that mean SNMP isn't running correctly on my firewall?

[cdienger]

SNMP uses UDP so it wouldn't be too unusual for a scan not to pick up on port 161. Since it is able to find the other services it's likely the snmp service isn't configured properly or, less likely, the snmp requests are not making it to asa. https://www.cisco.com/c/en/us/td/docs/s ... r_snmp.pdf covers enabling snmp as well as some troubleshooting steps.

Also try running the snmpwalk command from the XI machine and other machines:

snmpwalk -mAll -v1 -cpublic <asa_ip> system

[NightHawk]

Thank you for the response and doc!

If I run snmpwalk -mAll -v1 -cpublic <asa_ip> system it times out with no reponse. If I run snmpwalk -v1 -c public 10.0.0.0 where "public" is the community string set on the asa I get a slew of IF-MIB, SNMPv2-MIB, and SNMPv2-SMI responses containing info on the asa. Is it a version difference on the asa that causes one command to timeout and the other to return information?

That document has a section for configuring a cpu usage threshold on the asa snmp cpu threshold rising. Do I understand this correctly? Forgive me if I use these terms incorrectly. You can set the CPU threshold and when that threshold is hit a trap is initiated that Nagios Xi can be listening for at which point will send out a notification?

Something I've updated: I setup a management access rule on the asa allowing snmp/udp from the network our Nagios Xi box sits in.

[cdienger]

Correct, Nagios can also listen for traps being sent by devices. This is different from the snmp walk which pulls data, but is covered in https://assets.nagios.com/downloads/nag ... ios_XI.pdf if this is something you'd like to set up.

The fact that it is able to pull via the command line is promising. The command that the wizard runs would essentially be this:

/usr/bin/snmpwalk -v 1 -c public 10.0.0.0:161

Does this work? When the wizard run this it will write the output to a file like:

/usr/local/nagiosxi/tmp/snmpwalk--10.0.0.0

The permissions on the tmp directory shoud look something like:

drwsrwsr-x 2 nagios nagios 4096 Sep 13 12:08 tmp

[NightHawk]

We ended up using these plugins to monitor the firewall.

Sessions
https://exchange.nagios.org/directory/P ... ns/details

CPU
https://exchange.nagios.org/directory/P ... ks/details

[cdienger]

Glad to hear a solution was found!