Your Input on Network Insight for Cisco ASA

As you may have seen, we're working on providing additional monitoring for Cisco ASAs.  If you run ASAs in production, we'd love to hear your input on what you'd like covered and how you would like that coverage to work.  For example:

  1. What problems occur on your ASAs that are not detected by your monitoring today?
  2. Are there any customizations you've done for monitoring your ASAs, for example UNDPs?  How do they work and why do you find them useful?
  3. What would you like to alert on in relation to your ASAs?
  4. What are the most important things to know about your ASAs when you're troubleshooting a problem?

There are a couple of ways you can get involved.  The easiest way is to comment here, in this thread.  Our User Experience research team will also be doing phone calls to walk through early prototypes and use cases, as well as general feedback sessions.  If you'd like to be involved in that, please note you're interested in participating in UX research here.  We'd also like to know:

Another easy way to get involved is to upload an SNMP walk of your ASA.  We use these during development to make sure our code works against many different versions and implementation scenarios, and that our visualizations scale both up and down.  It's a great chance to make sure this feature fits your environment specifically.  You can use the SolarWinds SNMP walk tool to grab the walk, and upload it here.

Looking forward to your feedback!

-Chris

89 Replies

MIB Walk is uploaded

Hardware Health is important

Failover status

VPN status graphs, AnyConnect, Clientless, IPSec, Site to Site sub groups.

ACL details with hits

Object details, including groups

NAT information such as number outstanding (Xlate graph for example)

AnyConnect license data, making sure we don't overrun

CPU details showing top 5 processes

Thanks!!!

What are "site to site sub groups"?


I uploaded a new set of walks....  Let me know if I can do anything...

(I'm back from a long vacation)


sub groups is bad wording.  I was thinking about statistics such as hash, GF Group, IKE Mode, Auth mode....  stuff like that.

It helps the help desk see what the connections are so they can talk to the owners intelligently.


FYi:  happy to work with UX, but I'm on vacation from the 5th to the 15th...


Hey familyofcrowes!

We're actually thinking of having a couple of UX sessions from Aug 15-18th. Would you mind if I send you an email with more details?


sounds great


I've got about 60 ASAs, from standalone 5505's in VIPs' homes to HA 5555's in multiple data centers.  Some features I'd love Orion modules to cover include:

  • Vulnerability Reports
    • They'd have to compare existing versions with recommended versions of Cisco code.
    • They'd also need to analyze and alert on poor logic in ACL construction
    • The cat's pajamas would be if they did the above AND also gave alerts on what "poorly designed" rule sets are in place
  • NAT analysis
    • What's being done where
    • Alert on overlaps
    • Alert on missing configuration items for NAT and ACLs
  • Provide a general idiot-proofing of configuration before clicking Apply

I realize a lot of this should be on Cisco's back, but I bet SW can do it better and faster.  I'm waiting on Cisco and not holding my breath.

  • Amazingly intuitive logging of ACL hits.  I miss this on ASA's, since I'm accustomed to it on Sidewinders for the last 20 years.
    • Should include the ability to track allows and denies both in real-time and historically
  • VPN build analysis and troubleshooting

Can you elaborate on "Amazingly intuitive logging of ACL hits"?


Our Sidewinders log information onboard for every ping, hit, deny, attack, flow, etc.  The onboard logging enables me to capture audits and tcpdumps in real time, AND ALSO analyze historic problems.

It's amazing to be able to get a ticket from a customer saying "Two weeks ago last Friday, I needed to get to a web site and I couldn't get there.  I remember it was right at 3 p.m.  The web site is www.whateverthenameis.com:82.  I need to access it again this afternoon, but I'm afraid it will fail again.  Can you fix it in the next hour so it works for me?"

In this case I can SSH to the Sidewinder and show the audit for 3 p.m. two Fridays ago and see why the traffic failed.  Further, if the client isn't exactly sure, I can search multiple gzipped files for their source address or the destination site's address or port 82.  From the results of that analysis I can understand what firewall rules were missing or were misconfigured, adjust them, and satisfy the customer's needs quickly.

Although I can build a packet capture on the ASA, ASA's can't do this--they have no local logging.  It all has to be sent to a SIEM, and our Splunk is not something I can access--nor do I wish it.  The ASA's syslogs are forwarded to NPM, and digging what I need out of there is challenging.

When I request "Amazingly intuitive logging of ACL hits", I'm looking for something that lets me easily search for, and quickly find, the audit records of traffic failures or allowances, to help me understand what's denied or allowed traffic.  At present, the only solution outside of Splunk is just watching ACL counters increment--or not increment.  That's not much help, and it's where Orion could really fill a gap.


How I've seen something similar done with ASAs is adding "log" to the end of an ACL line that is a deny, then aggregating all of your firewalls to a central syslog server.  When someone calls in, you grep for their IP and/or destination IP in those logs.  Not all environments are set up that way and some people would argue it's dangerous to log that way, but I've seen it be fantastically useful.

It sounds like the Sidewinders do something similar by default, and also add info from the inspection engines (not just ACL blocks), maybe other sources, plus some just in time packet captures or something.  Am I getting that right?

Here's an example of a Sidewinder captured audit of me trying to ping yahoo, which is denied by corporate policy:

Admn {1} % showaudit -kH x.x.x.x

2016-08-01 10:49:46 -0500 f_kernel_ipfilter a_general_area t_attack p_major
hostname: firewall category: policy_violation event: ACL deny
attackip: x.x.x.x attackzone: Internal application: ICMP srcip: x.x.x.x
srczone: Internal protocol: 1 dst_geo: US dstip: y.y.y.y
rule_name: DiscardPingIntrnlToExternal reason: Traffic denied by policy.

2016-08-01 10:49:49 -0500 f_http_proxy a_libproxycommon t_nettraffic p_major
pid: 5256 logid: 0 cmd: 'httpp' hostname: firewall
event: session end application: http app_risk: low
app_categories: infrastructure netsessid: b8846579f6f5c srcip: x.x.x.x
srcport: 57248 srczone: Internal protocol: 6 dst_geo: US dstip: y.y.y.y
dstport: 80 dstzone: Internet bytes_written_to_client: 1357
bytes_written_to_server: 1608 rule_name: http_out_exception_sites cache_hit: 0
start_time: 2016-08-01 10:48:44 -0500

This locally-logged format enables me to troubleshoot emergent issues in real time, and also lets me grep for them historically, or run a historic or real-time "showaudit" report.  Since our ASA's can't display this kind of detail locally or historically, we had them forwarding to Splunk via NPM.  Eventually it turned out that NPM isn't built for the massive amounts of syslogs ASA's (and other devices) can flood it with, so we adjusted the ASA's to send this kind of syslog directly to Splunk.

If NPM could be part of my troubleshooting and analysis tools for this kind of work, effectively providing Sidewinder functionality for ASA logs, that would be excellent!

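The "add `log` to the deny ACE, ship everything to a central syslog box, grep for the caller's IP" workflow discussed above, as an added example (not code from the thread, from SolarWinds or from Cisco). The script parses the two ACL messages an ASA emits: %ASA-6-106100 for ACEs that carry the `log` keyword and %ASA-4-106023 for denies that do not, then filters by host, port and time window, which is the "two Fridays ago at 3 p.m., port 82" question from the Sidewinder post. It assumes `logging timestamp` is enabled so each line starts with the ASA's own timestamp; the log lines, hostnames, addresses and ACL name are constructed for the example.

```python
"""Search ASA ACL hit/deny syslog for a host, port and time window.

Added example, not from the thread. Assumes "logging timestamp" on the ASA and
ACEs ending in "log" (-> %ASA-6-106100); unlogged denies arrive as %ASA-4-106023.
Only the TCP/UDP shape of each message is handled; ICMP lines differ.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

TS = r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})"

# ACE with the "log" keyword: per-ACE hit message.
RE_106100 = re.compile(
    TS + r".*%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<sif>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)
# Default deny (matching ACE has no "log" keyword).
RE_106023 = re.compile(
    TS + r'.*%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


@dataclass
class AclHit:
    when: datetime
    action: str   # "permitted" or "denied"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    acl: str


def parse_line(line: str) -> Optional[AclHit]:
    """Return an AclHit for a 106100/106023 line, None for anything else."""
    m = RE_106100.match(line)
    if m:
        action = m.group("action")
    else:
        m = RE_106023.match(line)
        if not m:
            return None
        action = "denied"
    return AclHit(
        when=datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        action=action,
        proto=m.group("proto").lower(),
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        acl=m.group("acl"),
    )


def search(lines: Iterable[str], host: Optional[str] = None, port: Optional[int] = None,
           start: Optional[datetime] = None, end: Optional[datetime] = None,
           action: Optional[str] = None) -> List[AclHit]:
    """Filter parsed hits; host and port match either end of the flow."""
    hits = []
    for line in lines:
        h = parse_line(line)
        if h is None:
            continue
        if host and host not in (h.src, h.dst):
            continue
        if port and port not in (h.sport, h.dport):
            continue
        if start and h.when < start:
            continue
        if end and h.when > end:
            continue
        if action and h.action != action:
            continue
        hits.append(h)
    return hits


# Constructed sample: one permitted hit, two logged denies, one unlogged deny, one
# unrelated connection-built message that must be ignored.
SAMPLE_LOG = """\
Aug 05 2016 14:58:01: %ASA-6-106100: access-list inside_access_in permitted tcp inside/10.1.2.3(51022) -> outside/198.51.100.20(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Aug 05 2016 15:00:12: %ASA-6-106100: access-list inside_access_in denied tcp inside/10.1.2.3(57248) -> outside/198.51.100.20(82) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
Aug 05 2016 15:00:14: %ASA-4-106023: Deny tcp src inside:10.1.2.9/40112 dst outside:198.51.100.20/82 by access-group "inside_access_in" [0x0, 0x0]
Aug 05 2016 15:00:20: %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:10.1.2.3/51023 (203.0.113.7/51023)
Aug 05 2016 16:30:00: %ASA-6-106100: access-list inside_access_in denied tcp inside/10.1.2.3(57300) -> outside/198.51.100.20(82) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
""".splitlines()

if __name__ == "__main__":
    # "Two Fridays ago at 3 p.m., port 82": which ACL dropped it?
    for h in search(SAMPLE_LOG, host="10.1.2.3", port=82,
                    start=datetime(2016, 8, 5, 14, 55), end=datetime(2016, 8, 5, 15, 5)):
        print(f"{h.when} {h.action} {h.proto} {h.src}:{h.sport} -> {h.dst}:{h.dport} by {h.acl}")
```

On the "some people would argue it's dangerous" point in the post: logging every deny turns an attacker's port sweep into a syslog flood from the firewall itself, so in practice the ACE's `log` keyword is given an interval and the ASA's `logging rate-limit` is set before turning this on.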

Got it.  Thanks.

Yes, you've got the concept.


We ran into a problem where we were maxing out the "ConnectionsInUse" on an ASA we had a while back and causing LOTS of problems, so we monitor it now on the ones we have left.   We're moving towards Fortinet where we have ASA's, so their importance is becoming less.  Not a fan of that decision, but...

Pretty sure the OID we're using is

1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6

Having problems with the UnDP app right now, and can't get into it.


Got it.  Thanks!


I'd echo most of the above, particularly the HA aspects. On checking with those in our organisation who know much more about ASA's than I do, they came to the same conclusion as I did about our own environment and views of our ASA use - which is pretty much limited to VPN termination. In our case this is a desire for improved visibility of Site to Site VPN's, their status, VPN configuration/connection information, throughput - following on from that, it'd be really good to have some easier to implement alerting than we've managed so far in this area.


1. We've struggled with monitoring the HA failover status between units.  We're currently using some UnDP's to monitor this and alert, but this would be a nice out of the box feature for ASA's in HA mode.

2. We typically add UnDP's for total connection counts and Anyconnect session counts

3. Related to #1, I'd like to see alerting whenever a unit is not operating in its designated mode -- i.e. Primary unit is not Active, Standby unit not standby.

4. Firewall troubleshooting is typically more than just is a port up/down, or is the CPU high -- it's more about NAT and ACL's.  So it would be really cool if NPM had some intelligence around the NAT and ACL configuration to see if traffic would be allowed/or NAT'd correctly.  ASDM already has this built in with the packet-tracer tool, so it would be great if there was a way to interface with packet-tracer from the NPM GUI without having to go to ASDM.  As everyone knows, ASDM is terrible.

branfarm - I had the same struggle.  One thing I found helpful in the CLI is to put in, "prompt hostname priority state"

As soon as I log in, I know if I'm on the primary or secondary, and what state it's in - active|standby.

ie.:  asa01p/pri/act#
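The "alert when a unit is not in its designated mode" check from point 3 above, and the priority/state prompt suggested in the reply, as an added example (not code from the thread, from SolarWinds or from Cisco). It reads the "This host:" / "Other host:" lines of `show failover` and returns one alert per unit that is not where it should be (Primary should be Active, Secondary should be Standby Ready), plus a small decoder for a prompt configured with `prompt hostname priority state`, e.g. `asa01p/pri/act#`. The `show failover` text and the hostnames are constructed for the example; how the text is collected (SSH, a UnDP, a poller) is left to the environment.

```python
"""Check that an ASA HA pair is in its designated roles.

Added example, not from the thread. Parses the unit/state lines of
`show failover` and the state suffix of a prompt set with
`prompt hostname priority state` (e.g. asa01p/pri/act#).
"""
import re
from typing import Dict, List, Optional, Tuple

# Designated roles: Primary should be Active, Secondary should be Standby Ready.
EXPECTED = {"Primary": "Active", "Secondary": "Standby Ready"}

RE_FAILOVER = re.compile(r"^Failover (On|Off)\s*$", re.M)
RE_HOST = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$", re.M)
RE_PROMPT = re.compile(r"^(?P<host>[^/\s]+)/(?P<prio>pri|sec)/(?P<state>act|stby)[#>]$")


def parse_show_failover(text: str) -> Tuple[bool, Dict[str, str]]:
    """Return (failover_enabled, {unit: state}) from `show failover` output."""
    m = RE_FAILOVER.search(text)
    enabled = bool(m and m.group(1) == "On")
    states = {unit: state for _, unit, state in RE_HOST.findall(text)}
    return enabled, states


def failover_alerts(text: str) -> List[str]:
    """One alert string per problem; an empty list means the pair is healthy."""
    enabled, states = parse_show_failover(text)
    alerts = []
    if not enabled:
        alerts.append("Failover is Off")
    for unit, expected in EXPECTED.items():
        state = states.get(unit)
        if state is None:
            alerts.append(f"{unit} unit not reported")
        elif state != expected:
            alerts.append(f"{unit} is {state} (expected {expected})")
    return alerts


def prompt_role(prompt: str) -> Optional[Tuple[str, str, bool]]:
    """Decode asa01p/pri/act# -> (host, priority, in_designated_role); None if not that shape."""
    m = RE_PROMPT.match(prompt.strip())
    if not m:
        return None
    designated = (m["prio"], m["state"]) in (("pri", "act"), ("sec", "stby"))
    return m["host"], m["prio"], designated


# Constructed `show failover` excerpts (abridged to the lines that matter).
HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Last Failover at: 12:03:49 UTC Aug 3 2016
        This host: Primary - Active
                Active time: 175000 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""

FAILED_OVER = """\
Failover On
Failover unit Primary
Last Failover at: 09:41:02 UTC Aug 5 2016
        This host: Primary - Standby Ready
                Active time: 175000 (sec)
        Other host: Secondary - Active
                Active time: 3600 (sec)
"""

if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY), ("failed over", FAILED_OVER)):
        print(name, "->", failover_alerts(text) or "OK")
    print(prompt_role("asa01p/pri/act#"))
```

A pair that has failed over is still passing traffic, so the point of the second alert list is exactly the case the post describes: nothing is down, but the Primary is no longer Active and nobody gets told until someone logs in and sees `pri/stby` in the prompt.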

This!


You and I are on the same wavelength!  Thanks for the feedback.
