nv-l
[Top] [All Lists]

RE: [NV-L] Pix/ASA Firewall status monitoring problem

To: Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
Subject: RE: [NV-L] Pix/ASA Firewall status monitoring problem
From: Mike Pearson <pearsom@us.ibm.com>
Date: Wed, 30 Apr 2008 18:04:50 -0400
Delivery-date: Wed, 30 Apr 2008 23:05:17 +0100
Envelope-to: nv-l-archive@lists.skills-1st.co.uk
In-reply-to: <1CD97387AD5B5949B8C5A1A13197C6FD6161AD@HQGTNEVS-02.doe.local>
List-help: <mailto:nv-l-request@lists.ca.ibm.com?subject=help>
List-id: Tivoli NetView Discussions <nv-l.lists.ca.ibm.com>
List-post: <mailto:nv-l@lists.ca.ibm.com>
List-subscribe: <http://lists.ca.ibm.com/mailman/listinfo/nv-l>, <mailto:nv-l-request@lists.ca.ibm.com?subject=subscribe>
List-unsubscribe: <http://lists.ca.ibm.com/mailman/listinfo/nv-l>, <mailto:nv-l-request@lists.ca.ibm.com?subject=unsubscribe>
References: <1CD97387AD5B5949B8C5A1A13197C6FD6161AB@HQGTNEVS-02.doe.local> <OFAB6DE6BB.2097BB86-ON8525743B.006D86B6-8525743B.006E380B@us.ibm.com> <1CD97387AD5B5949B8C5A1A13197C6FD6161AD@HQGTNEVS-02.doe.local>
Reply-to: Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
Sender: nv-l-bounces@lists.ca.ibm.com
Bill:
      I would love to see what a Wireshark trace would show.  Is the demand
poll actually sending out what we think and if so, what is actually coming
back.
                                                                                
   
 Thank you,                                                                     
   
 
.................................................................................
 
 Mike Pearson                                                                   
   
 SWG Client Support - Tivoli Software                                           
   
 NetView & Precision Support                                                    
   
 o/l 1-919-254-2270 t/l 444-2270                                                
   
 pearsom@us.ibm.com                                                             
   
                                                                                
   
 (Embedded image moved to file: pic31392.jpg)                                   
   
 http://www-306.ibm.com/software/support/toolbar/index.html?ibmsst=ibmTbMenu    
   
                                                                                
   





                                                                           
             "Evans, Bill"                                                 
             <Bill.Evans@hq.do                                             
             e.gov>                                                     To 
             Sent by:                  "Tivoli NetView Discussions"        
             nv-l-bounces@list         <nv-l@lists.ca.ibm.com>             
             s.ca.ibm.com                                               cc 
                                                                           
                                                                   Subject 
             04/30/2008 04:29          RE: [NV-L] Pix/ASA Firewall status  
             PM                        monitoring problem                  
                                                                           
                                                                           
             Please respond to                                             
              Tivoli NetView                                               
                Discussions                                                
             <nv-l@lists.ca.ib                                             
                  m.com>                                                   
                                                                           
                                                                           




Yes, I'm doing that for the paired ones.  Some of the ASA appliances are
not paired.  This particular one is appropriately marked in the seed file.
We have eleven boxes with four pairs and three loners.  We have this
problem with nine of the boxes and DNS lookup problems with the other two.
I have yet to get any of the PIX or ASA systems functioning as advertised.

I don't know if it's hardware, configuration or bugs on my end.  Since a
normal SNMPWALK for the INTERFACES table works perfectly well but the
demand poll doesn't I figured I'd query the community for input then open a
PMR on this part of the problem if necessary.  Demand poll should work if
SNMPWALK does.  Once I'm sure my side is clean I can start beating on the
PIX/ASA side.


Bill Evans
Senior Tivoli NetView Support Analyst
Energy Enterprise Solutions (EES)
Support to OCIO HQ DOE IM-651
e-mail: bill.evans@hq.doe.gov
301-903-0057 office
570-852-9549 cell
570-639-5691 home




From: nv-l-bounces@lists.ca.ibm.com [mailto:nv-l-bounces@lists.ca.ibm.com]
On Behalf Of Leslie Clark
Sent: Wednesday, April 30, 2008 4:04 PM
To: Tivoli NetView Discussions
Subject: Re: [NV-L] Pix/ASA Firewall status monitoring problem


Isn't this the kind of device you can identify to Netview as  a pix
failover pair, and have it poll the proprietary MIB?  Are you doing that in
the seedfile with the > sighn?

Cordially,

Leslie A. Clark
IT Services Specialist, Network Mgmt
Information Technology Services Americas
IBM Global Services
(248) 552-4968 Voicemail, Fax, Pager


                                                                           
 "Evans, Bill"                                                             
 <Bill.Evans@hq.doe.gov>                                                   
 Sent by:                                                                  
 nv-l-bounces@lists.ca.ibm.com                                          To 
                                                 NV-L@lists.ca.ibm.com     
                                                                        cc 
 04/30/2008 03:28 PM                                                       
                                                                   Subject 
                                                 [NV-L] Pix/ASA Firewall   
          Please respond to                      status monitoring problem 
     Tivoli NetView Discussions                                            
       <nv-l@lists.ca.ibm.com>                                             
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           





Down below my signature is an extract from the netmon.trace -M12 output
from a demand poll issued to the inside address of a PIX/ASA firewall.
I've removed what I could to make it esier to see the data returned.
Names and addresses have been altered.

Part way down the listing I see "ifIndex = 2, ifPhysAddress =
0x000000010011, iftype = 135, adminStatus = 1, operStatus = 1" for each
of the interfaces. Later I get "Interface 10.10.100.11(index 2): No
Admin/Oper Status in ifTable" for the same interface and this is true
for all the interfaces present.  This makes it very difficult to monitor
the device with SNMP.

The text returned by the nmdemandpoll is:

                15:09:49 SNMP error: noSuchName
                15:09:49   Interface 10.10.100.11(index 2): No Admin/Oper
Status
in ifTable

There was a discussion of similar problems with PIX firewalls over a
year ago and this resembles some of those issues but it's been a long
time since including the installation of NetView 7.1.5.2 for Red Hat 4
on my side of the wire.  The firewall device claims to be a "Cisco
Adaptive Security Appliance Version 7.2(3)12".

Does anyone have any ideas why I get to see this?

Bill Evans
Senior Tivoli NetView Support Analyst
Energy Enterprise Solutions (EES)
Support to OCIO HQ DOE IM-651
e-mail: bill.evans@hq.doe.gov
301-903-0057 office
570-852-9549 cell
570-639-5691 home


./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = Objid reqid = 1591301
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = Descr reqid = 1591302
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = SysName reqid = 1591303
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = Forward reqid = 1591304
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IPaddr reqid = 1591305
./nl_snmpstate.c[6512] : ### ipAdEntAddr = 10.10.3.1, ipAdEntNetMask =
255.255.255.248, ipAdEntIfIndex = 1
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IPaddr reqid = 1591306
./nl_snmpstate.c[6512] : ### ipAdEntAddr = 10.10.100.3, ipAdEntNetMask =
255.255.255.248, ipAdEntIfIndex = 3
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IPaddr reqid = 1591307
./nl_snmpstate.c[6512] : ### ipAdEntAddr = 10.10.100.11, ipAdEntNetMask
= 255.255.255.248, ipAdEntIfIndex = 2
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IPaddr reqid = 1591308
./nl_snmpstate.c[6512] : ### ipAdEntAddr = 10.10.100.19, ipAdEntNetMask
= 255.255.255.248, ipAdEntIfIndex = 4
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IPaddr reqid = 1591309
./nl_snmpstate.c[6512] : ### ipAdEntAddr = 10.10.100.27, ipAdEntNetMask
= 255.255.255.248, ipAdEntIfIndex = 5
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IPaddr reqid = 1591310
./nl_snmpstate.c[6512] : ### ipAdEntAddr = 10.10.100.35, ipAdEntNetMask
= 255.255.255.248, ipAdEntIfIndex = 6
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IPaddr reqid = 1591311
./nl_snmpstate.c[6512] : ### ipAdEntAddr = 10.10.100.43, ipAdEntNetMask
= 255.255.255.248, ipAdEntIfIndex = 7
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IPaddr reqid = 1591312
./nl_snmpstate.c[6512] : ### ipAdEntAddr = 10.10.100.52, ipAdEntNetMask
= 255.255.255.248, ipAdEntIfIndex = 8
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IPaddr reqid = 1591313
./nl_snmpstate.c[6512] : ### ipAdEntAddr = 10.10.100.60, ipAdEntNetMask
= 255.255.255.248, ipAdEntIfIndex = 9
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IPaddr reqid = 1591314
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = cHsrpGrpTable reqid = 1591315
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IFnumber reqid = 1591316
./nl_snmpstate.c[5530] : ### ifNumber = 9
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IFtab reqid = 1591317
./nl_snmpstate.c[6254] : ### ifIndex = 1, ifPhysAddress =
0x000000010001, iftype = 6, adminStatus = 1, operStatus = 1
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IFtab reqid = 1591318
./nl_snmpstate.c[6254] : ### ifIndex = 2, ifPhysAddress =
0x000000010011, iftype = 135, adminStatus = 1, operStatus = 1
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IFtab reqid = 1591319
./nl_snmpstate.c[6254] : ### ifIndex = 3, ifPhysAddress =
0x000000010011, iftype = 135, adminStatus = 1, operStatus = 1
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IFtab reqid = 1591320
./nl_snmpstate.c[6254] : ### ifIndex = 4, ifPhysAddress =
0x000000010011, iftype = 135, adminStatus = 1, operStatus = 1
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IFtab reqid = 1591321
./nl_snmpstate.c[6254] : ### ifIndex = 5, ifPhysAddress =
0x000000010011, iftype = 135, adminStatus = 1, operStatus = 1
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IFtab reqid = 1591322
./nl_snmpstate.c[6254] : ### ifIndex = 6, ifPhysAddress =
0x000000010011, iftype = 135, adminStatus = 1, operStatus = 1
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IFtab reqid = 1591323
./nl_snmpstate.c[6254] : ### ifIndex = 7, ifPhysAddress =
0x000000010011, iftype = 135, adminStatus = 1, operStatus = 1
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IFtab reqid = 1591324
./nl_snmpstate.c[6254] : ### ifIndex = 8, ifPhysAddress =
0x000000010011, iftype = 135, adminStatus = 1, operStatus = 1
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IFtab reqid = 1591325
./nl_snmpstate.c[6254] : ### ifIndex = 9, ifPhysAddress =
0x000000010011, iftype = 135, adminStatus = 1, operStatus = 1
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = IFtab reqid = 1591326
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = GetSecIF reqid = 1591327
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = CDPCache reqid = 1591328
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = RouteD reqid = 1591329
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = XIFtable reqid = 1591330
./nl_snmpstate.c[6153] : ### ifIndex = 1, ifName = inside, ifAlias =
<none>
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = XIFtable reqid = 1591331
./nl_snmpstate.c[6153] : ### ifIndex = 2, ifName = cna, ifAlias = <none>
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = XIFtable reqid = 1591332
./nl_snmpstate.c[6153] : ### ifIndex = 3, ifName = intel, ifAlias =
<none>
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = XIFtable reqid = 1591333
./nl_snmpstate.c[6153] : ### ifIndex = 4, ifName = eia, ifAlias = <none>
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = XIFtable reqid = 1591334
./nl_snmpstate.c[6153] : ### ifIndex = 5, ifName = sca, ifAlias = <none>
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = XIFtable reqid = 1591335
./nl_snmpstate.c[6153] : ### ifIndex = 6, ifName = eea, ifAlias = <none>
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = XIFtable reqid = 1591336
./nl_snmpstate.c[6153] : ### ifIndex = 7, ifName = outbound, ifAlias =
<none>
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = XIFtable reqid = 1591337
./nl_snmpstate.c[6153] : ### ifIndex = 8, ifName = sipnet, ifAlias =
<none>
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = XIFtable reqid = 1591338
./nl_snmpstate.c[6153] : ### ifIndex = 9, ifName = diskless, ifAlias =
<none>
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = XIFtable reqid = 1591339
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = PIXFailover reqid = 1591340
./nl_snmpstate.c[6043] : ### cfwHardwareStatus.6 = 9,
cfwHardwareStatus.7 = 10, PIX Firewall currently in RECOVERED state.
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = SNMPStatus reqid = 1591341
./nl_snmpstate.c[2565] : Interface 10.10.3.1(index 1): No Admin/Oper
Status in ifTable
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = SNMPStatus reqid = 1591342
./nl_snmpstate.c[2565] : Interface 10.10.100.11(index 2): No Admin/Oper
Status in ifTable
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = SNMPStatus reqid = 1591343
./nl_snmpstate.c[2565] : Interface 10.10.100.3(index 3): No Admin/Oper
Status in ifTable
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = SNMPStatus reqid = 1591344
./nl_snmpstate.c[2565] : Interface 10.10.100.19(index 4): No Admin/Oper
Status in ifTable
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = SNMPStatus reqid = 1591345
./nl_snmpstate.c[2565] : Interface 10.10.100.27(index 5): No Admin/Oper
Status in ifTable
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = SNMPStatus reqid = 1591346
./nl_snmpstate.c[2565] : Interface 10.10.100.35(index 6): No Admin/Oper
Status in ifTable
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = SNMPStatus reqid = 1591347
./nl_snmpstate.c[2565] : Interface 10.10.100.43(index 7): No Admin/Oper
Status in ifTable
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = SNMPStatus reqid = 1591348
./nl_snmpstate.c[2565] : Interface 10.10.100.52(index 8): No Admin/Oper
Status in ifTable
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = SNMPStatus reqid = 1591349
./nl_snmpstate.c[2565] : Interface 10.10.100.60(index 9): No Admin/Oper
Status in ifTable
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = Loc reqid = 1591350
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = Contact reqid = 1591351
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = MPLS MIB reqid = 1591352
./nl_snmpstate.c[2045] : ### MPLS MIB not present
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = dot1dBridge MIB reqid = 1591353
./nl_snmpstate.c[2058] : ### xnet-fw1 does not support the dot1dBridge
MIB
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = GetIpNetToMedia reqid = 1591354
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = ARP reqid = 1591355
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = GetSGVers reqid = 1591356
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = GetSIAVers reqid = 1591357
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = Get Mgr reqid = 1591358
./nl_snmper.c[1355] : recv_snmp: from xnet-fw1 (10.10.3.1) op = FORCED
req = Get SIAOS2 reqid = 1591359


_______________________________________________
NV-L mailing list
NV-L@lists.ca.ibm.com
Unsubscribe:NV-L-leave@lists.ca.ibm.com
http://lists.ca.ibm.com/mailman/listinfo/nv-l (Browser access limited to
internal IBM'ers only)
_______________________________________________
NV-L mailing list
NV-L@lists.ca.ibm.com
Unsubscribe:NV-L-leave@lists.ca.ibm.com
http://lists.ca.ibm.com/mailman/listinfo/nv-l (Browser access limited to
internal IBM'ers only)

Attachment: pic31392.jpg
Description: JPEG image

_______________________________________________
NV-L mailing list
NV-L@lists.ca.ibm.com
Unsubscribe:NV-L-leave@lists.ca.ibm.com
http://lists.ca.ibm.com/mailman/listinfo/nv-l (Browser access limited to 
internal IBM'ers only)
<Prev in Thread] Current Thread [Next in Thread>

Archive operated by Skills 1st Ltd

See also: The NetView Web