SNMP on ASA

Started by icecream-guy, October 22, 2019, 07:59:17 AM


icecream-guy


Say I want to enable snmp-server traps, but want to limit what the ASA sends to the snmp-server.

For example, I want to send these to a specific server A:

snmp-server enable traps interface-threshold
snmp-server enable traps cpu threshold rising


But I don't want to send these to that server A; I do want to send them to other servers B & C:

snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached

I've looked at filtering, but that's only for routers and switches.
I can set up views, but that appears to be for polling, not trapping.

Any ideas?

This would include both versions v2c and v3.

Or would this need to be done on the receiver side?

Maybe it's time to give TAC a call.

:professorcat:

My Moral Fibers have been cut.

deanwebb

I know the SNMP-server host on switches can be set to specify the traps that go to a particular host... is that command available on the ASA?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Quote from: deanwebb on October 22, 2019, 08:49:41 AM
I know the SNMP-server host on switches can be set to specify the traps that go to a particular host... is that command available on the ASA?

What command is that?

deanwebb


icecream-guy


deanwebb

Aw, nuts. Well, you may not have that option on the ASA. Maybe send all the traps to an SNMP forwarder that sorts them all out?

Dieselboy

I'm sure the older ASAs allowed this but I cannot check to confirm.

On the 5515 I have, you can turn SNMP traps on and off globally. And you can configure SNMP servers to receive polls and/or traps. But it looks like if you enable traps to a server, then they get what is configured globally. Although you can separate an SNMP poll server and an SNMP trap server.

icecream-guy

TAC said it was not possible for traps.  I am confirming that something needs to be done on the receiver end to filter out unwanted traps.

icecream-guy

Quote from: ristau5741 on October 29, 2019, 05:43:27 AM
TAC said it was not possible for traps.  I am confirming that something needs to be done on the receiver end to filter out unwanted traps.

Yep.
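
The receiver-side filtering the thread settles on, as an added example that is not from any poster or from Cisco: a forwarder chooses receivers per trap by matching snmpTrapOID.0 against a per-server policy, comparing OIDs arc by arc so an unlisted trap cannot match a shorter prefix by text. The server names and every OID under 1.3.6.1.4.1.99999 are constructed placeholders, and sending the first two trap types to all three servers is an assumption.

```python
# Added example. Hostnames and every OID under 1.3.6.1.4.1.99999 are
# constructed placeholders; substitute the OIDs your ASA actually emits.
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0, carried in v2c/v3 traps
ALL, B_AND_C = ("server-a", "server-b", "server-c"), ("server-b", "server-c")
POLICY = {  # trap OID prefix -> receivers (assumed mapping)
    "1.3.6.1.4.1.99999.1": ALL,       # interface-threshold (placeholder OID)
    "1.3.6.1.4.1.99999.2": ALL,       # cpu threshold rising (placeholder OID)
    "1.3.6.1.4.1.99999.10": B_AND_C,  # session-threshold-exceeded (placeholder)
    "1.3.6.1.4.1.99999.11": B_AND_C,  # connection-limit-reached (placeholder)
}

def oid_tuple(oid):
    """Parse a dotted OID into integers so prefixes compare per arc, not per character."""
    return tuple(int(arc) for arc in oid.strip(".").split("."))

def trap_oid(varbinds):
    """Return the value of snmpTrapOID.0 from (name, value) varbinds, or None."""
    wanted = oid_tuple(SNMP_TRAP_OID)
    for name, value in varbinds:
        if oid_tuple(name) == wanted:
            return value
    return None

def destinations(varbinds):
    """Longest-prefix match of the trap OID against POLICY; unknown traps go nowhere."""
    oid = trap_oid(varbinds)
    if oid is None:
        return ()
    arcs, best_len, best = oid_tuple(oid), 0, ()
    for prefix, receivers in POLICY.items():
        p = oid_tuple(prefix)
        if arcs[:len(p)] == p and len(p) > best_len:
            best_len, best = len(p), receivers
    return best

# Constructed sample traps: sysUpTime.0 followed by snmpTrapOID.0.
CPU_TRAP = [("1.3.6.1.2.1.1.3.0", "12345"), (SNMP_TRAP_OID, "1.3.6.1.4.1.99999.2.0.1")]
SESSION_TRAP = [("1.3.6.1.2.1.1.3.0", "12399"), (SNMP_TRAP_OID, ".1.3.6.1.4.1.99999.10.0.1")]
# Unlisted trap whose text starts with the ".1" prefix: must not leak to server-a.
UNLISTED_TRAP = [("1.3.6.1.2.1.1.3.0", "12400"), (SNMP_TRAP_OID, "1.3.6.1.4.1.99999.12.0.1")]

if __name__ == "__main__":
    for trap in (CPU_TRAP, SESSION_TRAP, UNLISTED_TRAP):
        print(trap_oid(trap), "->", destinations(trap))
```

The ASA keeps sending every enabled trap to the forwarder only; the forwarder relays each trap to whatever `destinations()` returns and drops the rest.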