ASA failover monitoring and alert setup

  I have this problem too, but I never did anything about it.

  The problem is the IP address switched and you are always polling the active node with the IP you are using.

  I was thinking about finding a way to poll the serial number through some OID and alert when it's not the primary serial number.

To give you an idea of how to do this, I have a similar situation with alerting on HSRP states. The way I did this is with two custom properties on nodes, which specifies what the active & standby IPs are, and then use a "Custom Node Poller Custom SQL Alert" for the alert criteria. The query looks up the labels so that it knows which value relates to which row.

In your instance, with a very slight query change, you could probably do it without the need for a custom property. Something like...

INNER JOIN
    CustomPollerLabels ON CustomPollerStatus.CustomPollerAssignmentID = CustomPollerLabels.CustomPollerAssignmentID
  AND
    CustomPollerStatus.RowID = CustomPollerLabels.RowID
WHERE ( (CustomPollerLabels.Label = 'Primary unit')
    AND (CustomPollerStatus.Status = 'Standby unit')
)

Note that I have NOT tested the above criteria, and I'm not very good with SQL - it might need another condition so that blank or error rows aren't matched.

This is the HSRP query which I use:

INNER JOIN
    CustomPollerLabels ON CustomPollerStatus.CustomPollerAssignmentID = CustomPollerLabels.CustomPollerAssignmentID
  AND
    CustomPollerStatus.RowID = CustomPollerLabels.RowID
WHERE (
    (CustomPollers.UniqueName = 'cHsrpGrpStandbyState')
AND (CustomPollerLabels.Label = Nodes.HSRP_Active_IP)
AND NOT (CustomPollerStatus.Status = 'active')
)

See attached image for what the web page poller looks like for my HSRP state.

Please note that everything after WHERE must be enclosed with parentheses, because otherwise the reset condition won't work - Orion just puts a "NOT" after the WHERE for the reset trigger, so if you don't enclose everything in brackets it will just make the first condition negative, rather than every condition.

Ok I think I got it working. What I did was setup the alert to send me an email when the status changes on the UnDP.

Then for the reset I just set it to reset when the status is not empty (which is always true) and reset after 2 hours.

This way the alert will always reset after 2 hours regardless, but we will still get alerts when the status changes and when it changes back.

Hopefully this works, I haven't been able to test it yet as I don't really want to failover a firewall just to test this alert, but it seems like it will work.

For the trigger definition, did you do [status] [has changed] ? That won't work - "has changed", as far as I'm aware, is for uptime only.

This is what the TriggerQuery SQL will be in your AlertDefinitions table for this alert:

SELECT DISTINCT CustomPollerAssignment.CustomPollerAssignmentID AS NetObjectID,
  CustomPollerAssignment.AssignmentName AS Name
FROM CustomPollerStatus INNER JOIN
     CustomPollerAssignment ON CustomPollerStatus.CustomPollerAssignmentID = CustomPollerAssignment.CustomPollerAssignmentID
     LEFT OUTER JOIN
     CustomPollers ON CustomPollerAssignment.CustomPollerID = CustomPollers.CustomPollerID
WHERE (CustomPollers.UniqueName = 'cHsrpGrpStandbyState')
AND (CustomPollerStatus.Status = CustomPollerStatus.Status)
AND ((SELECT     COUNT(*) AS Expr1
          FROM    AlertValueChanges
          WHERE  (TableName = 'Nodes') AND (FieldName = 'LastBoot')) > 0)
AND (NodeID IN  (SELECT     NodeID
                   FROM      AlertValueChanges
                   WHERE    (TableName = 'Nodes')
                   AND (FieldName = 'LastBoot')
                   AND (DATEDIFF(s, Changed, GETDATE()) < 60 * 1.2)))

Yes I have it setup as a Custom Node Poller alert and set to trigger when the status has changed.

Looking at the CustomPollerStatus table in my Netperfmon database the status column for this custom node poller actually reflects the values of "active unit" and "standby unit".

Given that I believe the alert will trigger as setup, since the failover will cause those statuses to change.

I did something very similar to that when i setup an alert to monitor BGP status on my routers and that worked.

Another possible way is to monitor the MAC address of the failover interface.  If the address changes than you know the firewall failed over.

how do you monitor the mac address?  is it native to NPM or a custom poller.... 

thanks

Did you ever find this out? Whenever I go into alert manager and try to build an alert for this event the only status's available are Unknown, Up, Down, Warning, Shutdown, Testing, Unmanage, Unplugged, Unreachable.  Where is the status for changed?

Hi jrich,

The status "changed" can be found by modifying the logic condition "is equal to". I don't have anything available to test the actual alert itself with at the moment but this is where you can configure the alert.

Hi Shuth,

Thanks for the reply.  We went a little different way with the logic and did Vendor Icon Contains Cisco ASA and then, under the Interface property monitor did Physical Address has changed.  This way we didn't have to deal with custom pollers.  Solarwinds detects that the interface's physical address has changed when the ASA fails over if the interface is monitored (before we implemented this) now I think this might work when that event occurs.  It is too bad Solarwinds doesn't tell us what is actually generating that event so we can just tell it to alert off of that event.  It would have been way more intuitive.