Check Cisco ASA Failover Status

macranes · Post by **macranes** » Thu Oct 02, 2014 2:01 pm

Hi, I am trying to check the Cisco ASA failover status using the XI SNMP wizard. I would like to monitor the status of one of the ASA's to verify it is active so that traffic is being monitored with bluecoat and fireeye.

what I did:
ran the xi snmp wizard and the check command is: -o xxxxxxxxxxxxx -C ooooooooo -P 2c -r "`Primary Unit (this device)`"
I had to add the tilde ` because it was returning critical message: SNMP CRITICAL - *"Primary unit (this device)"*
I get this after adding the tilde: SNMP OK - "Primary unit (this device)"

It appears to be reading the status from the ASA because is the service alert stays ok/green when I fail over to the other node but the status changes to: "Primary unit" I was expecting this to be a Critical state.

Do I have something incorrect with the syntax, or am I using the incorrect method for what I am trying to do?

Thank you for your assistance.

Post by **Box293** » Thu Oct 02, 2014 2:48 pm

Instead of using the tilde use the single quote instead?

macranes · Post by **macranes** » Thu Oct 02, 2014 2:55 pm

Yes, I tried using the single quote instead of the tilde: -o xxxxxxxxxxxxx -C ooooooooo -P 2c -r "'Primary Unit (this device)'"
It returns the critical message: SNMP CRITICAL - *"Primary unit (this device)"*
the asterisk is back in the message

Post by **Box293** » Thu Oct 02, 2014 2:59 pm

What is the output when you snmpwalk this device at the particular OID?

I want to see exactly what is being returned.

macranes · Post by **macranes** » Fri Oct 03, 2014 10:02 am

snmpwalk.png

here are the results for that OID.

Post by **lmiltchev** » Fri Oct 03, 2014 2:57 pm

Run check_snmp against this OID to see if the output will match "Primary Unit (this device)" (text and case).

Code: Select all

/usr/local/nagios/libexec/check_snmp -H <ip> -C <community> -P 2c -o <OID>

Wrap the output in single quotes only and try your check again:

Code: Select all

/usr/local/nagios/libexec/check_snmp -H <ip> -C <community> -P 2c -o <OID> -r '<exact output>'

macranes · Post by **macranes** » Mon Oct 06, 2014 1:22 pm

i verified the output:

verify output.png

modified check command when the asa is primary: I got the expected results that it is ok

check status primary active.png

I failed over the firewall and then reran the check command but it is still showing ok with it not being primary. I was expecting it to be critical since the string didn't match.

check status primary failed over.png

am i incorrect to expect that I would get a Critical alert when the firewall is failed over and the check string no longer matches?

slansing · Post by **slansing** » Mon Oct 06, 2014 1:30 pm

Do you know what that OID is checking? Are you running it against the same firewall in both those above cases? It may be that it is checking the counter which tells you if it properly failed over or not, you may be able to find another OID which checks a metric that would always fail when a failover occurred.

macranes · Post by **macranes** » Mon Oct 06, 2014 1:57 pm

It is checking for the active/primary unit status. Yes, the commands are all on the same ASA.
When it is active the OID will read: "'Primary Unit (this device)'" |
When it is not active--failed over to the other ASA--the OID will read: "Primary Unit" |

tmcdonald · Post by **tmcdonald** » Mon Oct 06, 2014 5:19 pm

Try searching just for:

Code: Select all

this device

I think the regex might be off.

Nagios Support Forum

Check Cisco ASA Failover Status

Check Cisco ASA Failover Status

Re: Check Cisco ASA Failover Status

Re: Check Cisco ASA Failover Status

Re: Check Cisco ASA Failover Status

Re: Check Cisco ASA Failover Status

Re: Check Cisco ASA Failover Status

Re: Check Cisco ASA Failover Status

Re: Check Cisco ASA Failover Status

Re: Check Cisco ASA Failover Status

Re: Check Cisco ASA Failover Status