Check Cisco ASA Failover Status
Posted: Thu Oct 02, 2014 2:01 pm
by macranes
Hi, I am trying to check the Cisco ASA failover status using the XI SNMP wizard. I would like to monitor the status of one of the ASAs to verify it is active so that traffic is being monitored with Blue Coat and FireEye.
What I did:
Ran the XI SNMP wizard, and the check command is: -o xxxxxxxxxxxxx -C ooooooooo -P 2c -r "`Primary Unit (this device)`"
I had to add the tilde ` because it was returning the critical message: SNMP CRITICAL - *"Primary unit (this device)"*
I get this after adding the tilde: SNMP OK - "Primary unit (this device)"
It appears to be reading the status from the ASA, because the service alert stays OK/green when I fail over to the other node but the status changes to: "Primary unit". I was expecting this to be a Critical state.
Do I have something incorrect with the syntax, or am I using the incorrect method for what I am trying to do?
Thank you for your assistance.
Re: Check Cisco ASA Failover Status
Posted: Thu Oct 02, 2014 2:48 pm
by Box293
Instead of using the tilde use the single quote instead?
Re: Check Cisco ASA Failover Status
Posted: Thu Oct 02, 2014 2:55 pm
by macranes
Yes, I tried using the single quote instead of the tilde: -o xxxxxxxxxxxxx -C ooooooooo -P 2c -r "'Primary Unit (this device)'"
It returns the critical message: SNMP CRITICAL - *"Primary unit (this device)"*
The asterisk is back in the message.
Re: Check Cisco ASA Failover Status
Posted: Thu Oct 02, 2014 2:59 pm
by Box293
What is the output when you snmpwalk this device at the particular OID?
I want to see exactly what is being returned.
Re: Check Cisco ASA Failover Status
Posted: Fri Oct 03, 2014 10:02 am
by macranes
[Attachment: snmpwalk.png]
Here are the results for that OID.
Re: Check Cisco ASA Failover Status
Posted: Fri Oct 03, 2014 2:57 pm
by lmiltchev
Run check_snmp against this OID to see if the output will match "Primary Unit (this device)" (text and case).
/usr/local/nagios/libexec/check_snmp -H <ip> -C <community> -P 2c -o <OID>
Wrap the output in single quotes only and try your check again:
/usr/local/nagios/libexec/check_snmp -H <ip> -C <community> -P 2c -o <OID> -r '<exact output>'
Re: Check Cisco ASA Failover Status
Posted: Mon Oct 06, 2014 1:22 pm
by macranes
I verified the output:
[Attachment: verify output.png]
Modified the check command when the ASA is primary: I got the expected result that it is OK.
[Attachment: check status primary active.png]
I failed over the firewall and then reran the check command, but it is still showing OK with it not being primary. I was expecting it to be critical since the string didn't match.
[Attachment: check status primary failed over.png]
Am I incorrect to expect that I would get a Critical alert when the firewall is failed over and the check string no longer matches?
Re: Check Cisco ASA Failover Status
Posted: Mon Oct 06, 2014 1:30 pm
by slansing
Do you know what that OID is checking? Are you running it against the same firewall in both those above cases? It may be that it is checking the counter which tells you if it properly failed over or not; you may be able to find another OID which checks a metric that would always fail when a failover occurred.
Re: Check Cisco ASA Failover Status
Posted: Mon Oct 06, 2014 1:57 pm
by macranes
It is checking for the active/primary unit status. Yes, the commands are all on the same ASA.
When it is active the OID will read: "'Primary Unit (this device)'" |
When it is not active--failed over to the other ASA--the OID will read: "Primary Unit" |
Re: Check Cisco ASA Failover Status
Posted: Mon Oct 06, 2014 5:19 pm
by tmcdonald
Try searching just for:
I think the regex might be off.
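
How the candidate -r patterns from this thread behave against the two status strings, as an added example that is not part of any post above. grep -E stands in for check_snmp's extended-regex match (it does not call the plugin); the sample values and the helper names state_for and report are constructed here.

```shell
#!/bin/sh
# Added example. grep -E stands in for check_snmp's -r (extended regex,
# unanchored, case-sensitive); it does not call the plugin.

# Constructed sample values, copied from the two states quoted in the thread.
ACTIVE='"Primary unit (this device)"'
STANDBY='"Primary unit"'

# state_for PATTERN VALUE: print OK when PATTERN matches VALUE, else CRITICAL.
state_for() {
    if printf '%s\n' "$2" | grep -Eq -e "$1"; then
        echo OK
    else
        echo CRITICAL
    fi
}

# report PATTERN: show the result for both failover states side by side.
report() {
    printf '%-32s active=%-8s failed-over=%s\n' \
        "[$1]" "$(state_for "$1" "$ACTIVE")" "$(state_for "$1" "$STANDBY")"
}

# Unescaped parentheses are a regex group, so this looks for the text
# "Primary unit this device" and matches neither state.
report 'Primary unit (this device)'

# Escaped parentheses match the literal characters: only the active state is OK.
report 'Primary unit \(this device\)'

# A bare prefix is a substring of both values: always OK, failover is never seen.
report 'Primary unit'

# An empty pattern matches everything. Assumption: this is what is left when a
# shell expands a back-quoted pattern as a command substitution with no output.
report ''

# -r is case-sensitive: "Unit" does not match the device's "unit".
report 'Primary Unit \(this device\)'
```

Only the escaped, case-exact pattern distinguishes the two states; every pattern that reports OK for both would hide a failover from the service check.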