Anonymous Reporting and Smart Call Home

This chapter describes how to configure the Anonymous Reporting and Smart Call Home services.

About Anonymous Reporting

You can help to improve the ASA platform by enabling Anonymous Reporting, which allows Cisco to securely receive minimal error and health information from the device. If you enable the feature, your customer identity will remain anonymous, and no identifying information will be sent.

Enabling Anonymous Reporting creates a trust point and installs a certificate. A CA certificate is required for your ASA to validate the server certificate present on the Smart Call Home web server and to form the HTTPS session so that your ASA can send messages securely. Cisco imports a certificate that is predefined in the software. If you decide to enable Anonymous Reporting, a certificate is installed on the ASA with a hardcoded trust point name: _SmartCallHome_ServerCA. When you enable Anonymous Reporting, this trust point is created, the appropriate certificate is installed, and you receive a message about this action. The certificate then appears in your configuration.

If the appropriate certificate already exists in your configuration when you enable Anonymous Reporting, no trust point is created, and no certificate is installed.


Note


When you enable Anonymous Reporting, you acknowledge your consent to transfer the specified data to Cisco or to vendors operating on Cisco’s behalf (including countries outside of the U.S.). 
Cisco maintains the privacy of all customers. For information about Cisco’s treatment of personal information, see the Cisco Privacy Statement at the following URL:
http://www.cisco.com/web/siteassets/legal/privacy.html

When the ASA configures Smart Call Home anonymous reporting in the background, the ASA automatically creates a trustpoint containing the certificate of the CA that issues the Call Home server certificate. The ASA now supports validation of the certificate if the issuing hierarchy of the server certificate changes, without the need for customer involvement to make certificate hierarchy changes. You can also automatically import the trustpool certificates so that ASA renews the certificate hierarchy without any manual intervention.

When you upgrade ASA 9.14(2.14), the trust point configuration automatically changes from CallHome_ServerCA to CallHome_ServerCA2.


DNS Requirement

A DNS server must be configured correctly for the ASA to reach the Cisco Smart Call Home server and send messages to Cisco. Because it is possible that the ASA resides in a private network and does not have access to the public network, Cisco verifies your DNS configuration and then configures it for you, if necessary, by doing the following:

  1. Performing a DNS lookup for all DNS servers configured.

  2. Getting the DNS server from the DHCP server by sending DHCPINFORM messages on the highest security-level interface.

  3. Using the Cisco DNS servers for lookup.

  4. Randomly using a static IP addresses for tools.cisco.com.

These tasks are performed without changing the current configuration. (For example, the DNS server that was learned from DHCP will not be added to the configuration.)

If there is no DNS server configured, and the ASA cannot reach the Cisco Smart Call Home Server, Cisco generates a syslog message with the warning severity level for each Smart Call Home message that is sent to remind you to configure DNS correctly.

See the syslog messages guide for information about syslog messages.

About Smart Call Home

When fully configured, Smart Call Home detects issues at your site and reports them back to Cisco or through other user-defined channels (such as e-mail or directly to you), often before you know that these issues exist. Depending on the seriousness of these problems, Cisco responds to your system configuration issues, product end-of-life announcements, security advisory issues, and so on by providing the following services:

  • Identifying issues quickly with continuous monitoring, real-time proactive alerts, and detailed diagnostics.

  • Making you aware of potential problems through Smart Call Home notifications, in which a service request has been opened, with all diagnostic data attached.

  • Resolving critical problems faster with direct, automatic access to experts in Cisco TAC.

  • Using staff resources more efficiently by reducing troubleshooting time.

  • Generating service requests to Cisco TAC automatically (if you have a service contract), routed to the appropriate support team, which provides detailed diagnostic information that speeds problem resolution.

The Smart Call Home Portal offers quick access to required information that enables you to do the following:

  • Review all Smart Call Home messages, diagnostics, and recommendations in one place.

  • Check service request status.

  • View the most up-to-date inventory and configuration information for all Smart Call Home-enabled devices.

Guidelines for Anonymous Reporting and Smart Call Home

This section includes the guidelines and limitation that you should review before configuring Anonymous reporting and Smart Call Home.

Anonymous Reporting Guidelines

  • DNS must be configured.

  • If an Anonymous Reporting message cannot be sent on the first try, the ASA retries two more times before dropping the message.

  • Anonymous Reporting may coexist with other Smart Call Home configurations without changing the existing configuration. For example, if Smart Call Home is disabled before enabling Anonymous Reporting, it remains disabled, even after Anonymous Reporting has been enabled.

  • If Anonymous Reporting is enabled, you cannot remove the trust point, and when Anonymous Reporting is disabled, the trust point remains. If Anonymous Reporting is disabled, you can remove the trust point, but disabling Anonymous Reporting does not cause the trust point to be removed.

  • If you are using a multiple context mode configuration, the dns, interface, and trustpoint commands are in the admin context, and the call-home commands are in the system context.

  • You can automate the update of the trustpool bundle at periodic intervals so that Smart Call Home can remain active if the self-signed certificate of the CA server changes. This trustpool auto renewal feature is not supported under multi-context deployments.

Smart Call Home Guidelines

  • In multiple context mode, the subscribe-to-alert-group snapshot periodic command is divided into two commands: one to obtain information from the system configuration and one to obtain information from the user context.

  • The Smart Call Home back-end server can accept messages in XML format only.

  • A Smart Call Home message is sent to Cisco to report important cluster events if you have enabled clustering and configured Smart Call Home to subscribe to the diagnostic alert group with a critical severity level. A Smart Call Home clustering message is sent for only the following events:

    • When a unit joins the cluster

    • When a unit leaves the cluster

    • When a cluster unit becomes the cluster control unit

    • When a secondary unit fails in the cluster

    Each message that is sent includes the following information:

    • The active cluster member count

    • The output of the show cluster info command and the show cluster history command on the cluster control unit

Configure Anonymous Reporting and Smart Call Home

While Anonymous Reporting is part of the Smart Call Home service and allows Cisco to anonymously receive minimal error and health information from your device, the Smart Call Home service provides customized support of your system health, enabling Cisco TAC to monitor your devices and open a case when there is an issue, often before you know the issue has occurred.

You can have both services configured on your system at the same time, although configuring the Smart Call Home service provides the same functionality as Anonymous Reporting, plus customized services.

Configure Anonymous Reporting

To configure Anonymous Reporting, perform the following steps:

Procedure


Step 1

Choose Configuration > Device Management > Smart Call Home.

Step 2

Check the Enable Anonymous Reporting check box.

Step 3

Click Test Connection to ensure that your system is able to send messages.

ASDM returns a success or error message to notify you of test results.

Step 4

Click Apply to save the configuration and enable Anonymous Reporting.


Configure Smart Call Home

To configure the Smart Call Home service, system setup, and alert subscription profiles, perform the following steps.

Procedure


Step 1

Choose Configuration > Device Management > Smart Call Home.

Step 2

Check the Enable Registered Smart Call Home check box to enable Smart Call Home and register your ASA with Cisco TAC.

Step 3

Double-click Advanced System Setup. This area consists of three panes. Each pane can be expanded or collapsed by double-clicking the title row.

  1. You can set up mail servers in the Mail Servers pane, through which Smart Call Home messages are delivered to e-mail subscribers.

  2. You can enter the information of the person to contact in the Contact Information pane for the ASA that appears in Smart Call Home messages. This pane includes the following information:

    • The name of the contact person.

    • The contact phone number.

    • The postal address of the contact person.

    • The e-mail address of the contact.

    • The “from” e-mail address in Smart Call Home e-mail.

    • The “reply-to” e-mail address in Smart Call Home e-mail.

    • The customer ID.

    • The site ID.

    • The contract ID.

  3. You can adjust alert control parameters in the Alert Control pane. This pane includes the Alert Group Status pane, which lists the status (enabled or disabled) of the following alert groups:

    • The diagnostics alert group.

    • The configuration alert group.

    • The environmental alert group.

    • The inventory alert group.

    • The snapshot alert group.

    • The syslog alert group.

    • The telemetry alert group.

    • The threat alert group.

    • The maximum number of Smart Call Home messages processed per minute.

    • The “from” e-mail address in Smart Call Home e-mail.

Step 4

Double-click Alert Subscription Profiles. Each named subscription profile identifies subscribers and alert groups of interest.

  1. Click Add or Edit to display the Subscription Profile Editor, in which you can create a new subscription profile or edit an existing subscription profile.

  2. Click Delete to remove the selected profile.

  3. Check the Active check box to send a Smart Call Home message of the selected subscription profile to subscribers.

Step 5

Click Add or Edit to display the Add or Edit Alert Subscription Profile dialog box.

  1. The Name field is read-only and cannot be edited.

  2. Check the Enable this subscription profile check box to enable or disable this particular profile.

  3. Click either the HTTP or Email radio button in the Alert Delivery Method area.

  4. Enter the e-mail address or web address in the Subscribers field.

  5. Specify a Reference Identity object by name to enable RFC 6125 reference identity checks on the certificate received from the Syslog server.

    See Configure Reference Identities for details on the reference identity object.

Step 6

The Alert Dispatch area lets the administrator specify which type of Smart Call Home information to send to subscribers and under what conditions. There are two types of alerts, time-based and event-based, chosen according to how the alert is triggered. The following alert groups are time-based: Configuration, Inventory, Snapshot, and Telemetry. The following alert groups are event-based: Diagnostic, Environmental, Syslog, and Threat.

Step 7

The Message Parameters area lets you adjust parameters that control messages sent to the subscriber, including the preferred message format and the maximum message size.

Step 8

For time-based alerts, click Add or Edit in the Alert Dispatch area to display the Add or Edit Configuration Alert Dispatch Condition dialog box.

  1. Specify the frequency in the Alert Dispatch Frequency area in which to send the information to subscribers:

    • For a monthly subscription, specify the day of the month, as well as the time of the day to send the information. If they are not specified, the ASA chooses appropriate values for them.

    • For a weekly subscription, specify the day of the week, as well as the time of the day to send the information. If they are not specified, the ASA chooses appropriate values for them.

    • For a daily subscription, specify the time of the day to send the information. If it is not specified, the ASA chooses an appropriate value for it.

    • For an hourly subscription, specify the minute of the hour to send the information. If it is not specified, the ASA chooses an appropriate value for it. Hourly subscriptions are applicable to the snapshot and telemetry alert groups only.

  2. Click the Basic or Detailed radio button to provide the desired level of information to subscribers.

  3. Click OK to save the configuration.

Step 9

For diagnostic, environment, and threat event-based alerts, click Add or Edit in the Alert Dispatch area to display the Create or Edit Diagnostic Alert Dispatch Condition dialog box.

Step 10

Specify the event severity that triggers dispatch of the alert to subscribers in the Event Severity drop-down list, and then click OK.

Step 11

For inventory time-based alerts, click Add or Edit in the Alert Dispatch area to display the Create or Edit Inventory Alert Dispatch Condition dialog box.

Step 12

Specify how often to dispatch alerts to subscribers in the Alert Dispatch Frequency drop-down list, and then click OK.

Step 13

For snapshot time-based alerts, click Add or Edit in the Alert Dispatch area to display the Create or Edit Snapshot Alert Dispatch Condition dialog box.

  1. Specify the frequency in the Alert Dispatch Frequency area in which to send the information to subscribers:

    • For a monthly subscription, specify the day of the month, as well as the time of the day to send the information. If they are not specified, the ASA chooses appropriate values for them.

    • For a weekly subscription, specify the day of the week, as well as the time of the day to send the information. If they are not specified, the ASA chooses appropriate values for them.

    • For a daily subscription, specify the time of the day to send the information. If it is not specified, the ASA chooses an appropriate value for it.

    • For an hourly subscription, specify the minute of the hour to send the information. If it is not specified, the ASA chooses an appropriate value for it. Hourly subscriptions are applicable to the snapshot and telemetry alert groups only.

    • For an interval subscription, specify how often, in minutes, the formation is sent to the subscribers. This requirement is applicable to the snapshot alert group only.

  2. Click OK to save the configuration.

Step 14

For syslog event-based alerts, click Add or Edit in the Alert Dispatch area to display the Create or Edit Syslog Alert Dispatch Condition dialog box.

  1. Check the Specify the event severity which triggers the dispatch of alert to subscribers check box, and choose the event severity from the drop-down list.

  2. Check the Specify the message IDs of syslogs which trigger the dispatch of alert to subscribers check box.

  3. Specify the syslog message IDs that trigger dispatch of the alert to subscribers according to the on-screen instructions.

  4. Click OK to save the configuration.

Step 15

For telemetry event-based alerts, click Add or Edit in the Alert Dispatch area to display the Create or Edit Telemetry Alert Dispatch Condition dialog box.

  1. Specify the frequency in the Alert Dispatch Frequency area in which to send the information to subscribers:

    • For a monthly subscription, specify the day of the month, as well as the time of the day to send the information. If they are not specified, the ASA chooses appropriate values for them.

    • For a weekly subscription, specify the day of the week, as well as the time of the day to send the information. If they are not specified, the ASA chooses appropriate values for them.

    • For a daily subscription, specify the time of the day to send the information. If it is not specified, the ASA chooses an appropriate value for it.

    • For an hourly subscription, specify the minute of the hour to send the information. If it is not specified, the ASA chooses an appropriate value for it. Hourly subscriptions are applicable to the snapshot and telemetry alert groups only.

  2. Click OK to save the configuration.

Step 16

Click Test to determine if the configured alerts are operating correctly.


Configure Auto Import of Trustpool Certificates

Smart licensing uses the Smart Call Home infrastructure. When the ASA configures Smart Call Home anonymous reporting in the background, the ASA automatically creates a trustpoint containing the certificate of the CA that issued the Call Home server certificate. The ASA now supports validation of the certificate if the issuing hierarchy of the server certificate changes, without the need for customer involvement to adjust certificate hierarchy changes. You can automate the update of the trustpool bundle at periodic intervals so that Smart Call Home can remain active if the self-signed certificate of the CA server changes. This feature is not supported under multi-context deployments.

Automatic import of trustpool certificate bundles requires you to specify the URL that ASA uses to download and import the bundle. Use the following command so the import happens daily at a regular interval with the default Cisco URL and default time of 22 hours:

ciscoasa(config-ca-trustpool)# auto-import-url Default

You can also enable auto import with a custom URL with the following command:

ciscoasa(config-ca-trustpool)# auto-import url http://www.thawte.com

To give you more flexibility to set downloads during off peak hours or other convenient times, enter the following command which enables the import with a custom time:

ciscoasa(config-ca-trustpool)# auto-import time 23:23:23

Setting the automatic import with both a custom URL and custom time requires the following command:

ciscoasa(config-ca-trustpool)# auto-import time 23:23:23 url http://www.thawte.com

Monitoring Anonymous Reporting and Smart Call Home

See the following commands for monitoring Anonymous Reporting and Smart Call Home services. You can enter these commands using Tools > Command Line Interface.

  • show call-home detail

    This command shows the current Smart Call Home detail configuration.

  • show call-home mail-server status

    This command shows the current mail server status.

  • show call-home profile {profile name | all}

    This command shows the configuration of Smart Call Home profiles.

  • show call-home registered-module status [all]

    This command shows the registered module status.

  • show call-home statistics

    This command shows call-home detail status.

  • show call-home

    This command shows the current Smart Call Home configuration.

  • show running-config call-home

    This command shows the current Smart Call Home running configuration.

  • show smart-call-home alert-group

    This command shows the current status of Smart Call Home alert groups.

  • show running-config all

    This command shows details about the Anonymous Reporting user profile.

History for Anonymous Reporting and Smart Call Home

Table 1. History for Anonymous Reporting and Smart Call Home

Feature Name

Platform Releases

Description

Smart Call Home

8.2(2)

The Smart Call Home service offers proactive diagnostics and real-time alerts on the ASA, and provides higher network availability and increased operational efficiency.

We introduced the following screen:

Configuration > Device Management > Smart Call Home.

Anonymous Reporting

9.0(1)

You can help to improve the ASA platform by enabling Anonymous Reporting, which allows Cisco to securely receive minimal error and health information from a device.

We modified the following screen: Configuration > Device Management > Smart Call Home.

Smart Call Home

9.1(2)

The show local-host command was changed to the show local-host | include interface command for telemetry alert group reporting.

Smart Call Home

9.1(3)

A Smart Call Home message is sent to Cisco to report important cluster events if you have enabled clustering and configured Smart Call Home to subscribe to the Diagnostic alert group with a Critical severity level. A Smart Call Home clustering message is sent for only the following three events:

  • When a unit joins the cluster

  • When a unit leaves the cluster

  • When a cluster unit becomes the cluster control unit

Each message that is sent includes the following information:

  • The active cluster member count

  • The output of the show cluster info command and the show cluster history command on the cluster control unit

Reference Identities for Secure Smart Call Home Server connections

9.6(2)

TLS client processing now supports rules for verification of a server identity defined in RFC 6125, Section 6. Identity verification will be done during PKI validation for TLS connections to the Smart Call Home Server. If the presented identity cannot be matched against the configured reference identity, the connection is not established.

We modifed the following page: Configuration > Device Management > Smart Call Home.