ASA-X route table monitoring through SNMP

Started by Dieselboy, August 08, 2016, 10:38:36 PM


Dieselboy

I've done an SNMP walk on the ASA and a GET on the ipRouteTable MIB and can't see that this is available on the ASA. The GET on the route table gives back "No Such Object".

So - how do I monitor the default route on the ASA with SNMP? I need to make sure the ASA is sending the traffic to the correct place. Usually the OID ends with the route you want to monitor, in my case it would end with .0.0.0.0 which would then give me the next hop IP as the returned result.

Anyone done this?

The OID should be: ipRouteNextHop.0.0.0.0 which is .1.3.6.1.2.1.4.21.1.7.0.0.0.0

icecream-guy

how often does your default route change?

I could see this in some sort of DR scenario.

but it'd be more of a point and forget type of thing for me.
:professorcat:

My Moral Fibers have been cut.

deanwebb

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

The default route is never supposed to change, hence the SNMP check / alert mechanism I need to set up.

The ASA only has static routes, but the default static route is a tracked route in case our primary ISP goes down. Then outbound internet traffic fails over.

My site to site VPNs are done by a different device using VTI tunnels, with one tunnel pointing across each of my internet lines in front of the ASAs. These IPsec VPN tunnels are not reliant upon the default route of the ASA and will fail over independently.

I might need to raise a case on this one - I'm not sure how I can monitor this at present.

Dieselboy

Enhancement request has been filed by someone... Feature missing since 8.4 according to the bug. No planned release to fix... Seems a bit odd to me, I wonder what this snmp oid breaks or creates risk against.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCty94557/

wintermute000

at worst, python expect script to login, show ip route 0.0.0.0 and compare the expected output / next hop (regex is prob easiest).
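As an added example of the scripted check suggested above (not code from the thread or from Cisco), here is the "compare the next hop with a regex" part written as a Nagios-style plugin: it takes ASA `show route` output on stdin, finds the candidate-default static route (`S* 0.0.0.0 0.0.0.0 [AD/metric] via NEXT_HOP, IFACE`), and exits 0 (OK) when the next hop matches the expected address, 2 (CRITICAL) when the route has moved to the backup ISP or is missing. The route table text embedded below is constructed sample output in the ASA 9.x format and assumes the `show route` line layout shown in the comments; the addresses and interface names are placeholders. Fetching the output over SSH (netmiko, paramiko, an expect script) is left to the caller so the check itself runs offline.

```python
#!/usr/bin/env python3
"""Check that an ASA's default route still points at the expected next hop.

Reads 'show route' output on stdin and returns Nagios plugin exit codes, so it
can be wrapped by check_by_ssh / NRPE or any other scheduler.
"""
import re
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Candidate-default static route line in ASA 'show route' output (assumed format), e.g.
#   S*       0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
DEFAULT_ROUTE_RE = re.compile(
    r"^S\*\s+0\.0\.0\.0\s+0\.0\.0\.0\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]"
    r"\s+via\s+(?P<next_hop>\d{1,3}(?:\.\d{1,3}){3}),\s*(?P<iface>\S+)",
    re.MULTILINE,
)

# Constructed sample: primary ISP up, tracked default route active (placeholder addresses).
SAMPLE_PRIMARY = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
C        203.0.113.0 255.255.255.248 is directly connected, outside
C        10.0.0.0 255.255.255.0 is directly connected, inside
"""

# Constructed sample: tracked route withdrawn, floating static via the backup ISP took over.
SAMPLE_FAILOVER = """\
Gateway of last resort is 198.51.100.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [254/0] via 198.51.100.1, backup
C        198.51.100.0 255.255.255.248 is directly connected, backup
C        10.0.0.0 255.255.255.0 is directly connected, inside
"""

# Constructed sample: no default route installed at all.
SAMPLE_NO_DEFAULT = """\
Gateway of last resort is not set

C        10.0.0.0 255.255.255.0 is directly connected, inside
"""


def parse_default_route(show_route_output):
    """Return {'next_hop', 'interface', 'ad', 'metric'} for the S* default, or None."""
    m = DEFAULT_ROUTE_RE.search(show_route_output)
    if not m:
        return None
    return {
        "next_hop": m.group("next_hop"),
        "interface": m.group("iface"),
        "ad": int(m.group("ad")),
        "metric": int(m.group("metric")),
    }


def check_default_route(show_route_output, expected_next_hop, expected_interface=None):
    """Compare the installed default route against expectations; returns (exit_code, message)."""
    route = parse_default_route(show_route_output)
    if route is None:
        return CRITICAL, "CRITICAL: no S* 0.0.0.0/0 route installed (default route missing)"
    if route["next_hop"] != expected_next_hop:
        return CRITICAL, (
            f"CRITICAL: default route via {route['next_hop']} on {route['interface']} "
            f"(AD {route['ad']}), expected {expected_next_hop}"
        )
    if expected_interface and route["interface"] != expected_interface:
        return CRITICAL, (
            f"CRITICAL: default route exits {route['interface']}, expected {expected_interface}"
        )
    return OK, f"OK: default route via {route['next_hop']} on {route['interface']}"


def main(argv):
    # Usage: ssh_wrapper 'show route' | check_asa_default.py EXPECTED_NEXT_HOP [EXPECTED_IFACE]
    if len(argv) < 2:
        print("UNKNOWN: usage: check_asa_default.py EXPECTED_NEXT_HOP [EXPECTED_IFACE]")
        return UNKNOWN
    iface = argv[2] if len(argv) > 2 else None
    code, msg = check_default_route(sys.stdin.read(), argv[1], iface)
    print(msg)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the ASA's default route here is a tracked static with a floating backup, a change of next hop is exactly the event to alert on, so the plugin treats the failover case as CRITICAL rather than WARNING; the administrative distance in the message (1 for the tracked primary, 254 for the floating backup in the sample) tells the on-call engineer which of the two routes is active without logging in.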

Dieselboy

Can't monitor IP SLA either : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCui53368

I'm going to look at something like Ansible or Py as you suggest. Can Nagios do monitoring with Ansible? Would be pretty flexible if so.