The Smart Call Home feature provides personalized, e-mail-based and web-based notification to you about critical events involving your individual systems, often before you know that a critical event has occurred.
The Anonymous Reporting feature is a subfeature of the Smart Call Home feature and allows Cisco to anonymously receive minimal error and health information from the device.
This chapter describes how to use and configure Anonymous Reporting and Smart Call Home, and it includes the following sections:
You can help to improve the ASA platform by enabling Anonymous Reporting, which allows Cisco to securely receive minimal error and health information from the device. If you enable the feature, your customer identity will remain anonymous, and no identifying information will be sent.
Enabling Anonymous Reporting creates a trust point and installs a certificate. A CA certificate is required for your ASA to validate the server certificate present on the Smart Call Home web server and to form the HTTPS session so that your ASA can send messages securely. Cisco imports a certificate that is predefined in the software. If you decide to enable Anonymous Reporting, a certificate is installed on the ASA with a hardcoded trust point name: _SmartCallHome_ServerCA. When you enable Anonymous Reporting, this trust point is created, the appropriate certificate is installed, and you receive a message about this action. The certificate then appears in your configuration.
If the appropriate certificate already exists in your configuration when you enable Anonymous Reporting, no trust point is created, and no certificate is installed.
Note: When you enable Anonymous Reporting, you acknowledge your consent to transfer the specified data to Cisco or to vendors operating on Cisco’s behalf (including countries outside of the U.S.).
Cisco maintains the privacy of all customers. For information about Cisco’s treatment of personal information, see the Cisco Privacy Statement at the following URL:
http://www.cisco.com/web/siteassets/legal/privacy.html
A DNS server must be configured correctly for your ASA to reach the Cisco Smart Call Home server and send messages to Cisco. Because it is possible that your ASA resides in a private network and does not have access to the public network, Cisco verifies your DNS configuration and then configures it for you, if necessary, by doing the following:
1. Performing a DNS lookup for all DNS servers configured.
2. Getting the DNS server from the DHCP server by sending DHCPINFORM messages on the highest security-level interface.
3. Using the Cisco DNS servers for lookup.
4. Randomly using a static IP address for tools.cisco.com.
These tasks are performed without changing the current configuration. (For example, the DNS server that was learned from DHCP will not be added to the configuration.)
If there is no DNS server configured, and your ASA cannot reach the Cisco Smart Call Home Server, Cisco generates a syslog message with the warning severity level for each Smart Call Home message that is sent to remind you to configure DNS correctly.
For information about syslog messages, see the syslog messages guide.
When you enter configuration mode, you receive a prompt that requests you to enable the Anonymous Reporting and Smart Call Home features according to the following guidelines:
At the prompt, you may choose [Y]es, [N]o, [A]sk later. If you choose [A]sk later, then you are reminded again in seven days or when the ASA reloads. If you continue to choose [A]sk later, the ASA prompts two more times at seven-day intervals before it assumes a [N]o response and does not ask again.
At the ASDM prompt, you can select from the following options:
If you did not receive the prompt, you may enable Anonymous Reporting or Smart Call Home by performing the steps in the “Configuring Anonymous Reporting” or the “Configuring Smart Call Home” section.
When fully configured, Smart Call Home detects issues at your site and reports them back to Cisco or through other user-defined channels (such as e-mail or directly to you), often before you know that these issues exist. Depending upon the seriousness of these problems, Cisco responds to you regarding your system configuration issues, product end-of-life announcements, security advisory issues, and so on.
In this manner, Smart Call Home offers proactive diagnostics and real-time alerts on the ASA and provides high network availability and increased operational efficiency through proactive and quick issue resolution by doing the following:
Smart Call Home offers increased operational efficiency by providing you with the ability to do the following:
The Smart Call Home Portal offers quick, web-based access to required information that provides you with the ability to do the following:
Smart Call Home and Anonymous Reporting have the following prerequisite:
Supported in routed and transparent firewall modes.
Supported in single mode and multiple context mode.
Additional Guidelines for Anonymous Reporting
Additional Guidelines for Smart Call Home
– When a unit joins the cluster
– When a unit leaves the cluster
– When a cluster unit becomes the cluster master
– When a secondary unit fails in the cluster
Each message that is sent includes the following information:
– The active cluster member count
– The output of the show cluster info command and the show cluster history command on the cluster master
While Anonymous Reporting is a subfeature of the Smart Call Home feature and allows Cisco to anonymously receive minimal error and health information from the device, the Smart Call Home feature provides customized support of your system health, enabling Cisco TAC to monitor your devices and open a case when there is an issue, often before you know the issue has occurred.
Generally speaking, you can have both features configured on your system at the same time, yet configuring the Smart Call Home feature provides the same functionality as Anonymous Reporting, plus customized services.
To configure Anonymous Reporting and securely provide minimal error and health information to Cisco, perform the following steps:
To enable Smart Call Home and activate your call-home profile, perform the following steps:
hostname(cfg-call-home)# contact-email-addr username@example.com
Configures the mandatory contact address. The address should be the Cisco.com ID account associated with the device. This account is the e-mail address that you used to register the ASA with Cisco on Cisco.com.
hostname(cfg-call-home-profile)# destination transport-method http
Configures the destination transport method for the smart call-home message receiver. The default destination transport method is e-mail. To configure e-mail, see Enabling Smart Call Home.
If Smart Call Home is configured to send messages to a web server through HTTPS, you need to configure the ASA to trust the certificate of the web server or the certificate of the Certificate Authority (CA) that issued the certificate. The Cisco Smart Call Home Production server certificate is issued by Verisign. The Cisco Smart Call Home Staging server certificate is issued by the Digital Signature Trust Co.
Note: You should set the trust point for no client-types/no validation-usage to prevent it from being used for VPN validation.
To declare and authenticate the Cisco server security certificate and establish communication with the Cisco HTTPS server for Smart Call Home service, perform the following steps:
1. (Multiple Context Mode only) Installs the certificate in the admin context.
2. Configures a trust point and prepares for certificate enrollment. Note: If you use HTTP as the transport method, you must install a security certificate through a trust point, which is required for HTTPS. Find the specific certificate to install at the following URL: http://www.cisco.com/en/US/docs/switches/lan/smart_call_home/SCH31_Ch6.html#wp1035380
3. Specifies a manual cut-and-paste method of certificate enrollment.
4. Authenticates the named CA. The CA name should match the trust point name specified in the crypto ca trustpoint command. At the prompt, paste the security certificate text.
5. Specifies the end of the security certificate text and confirms acceptance of the entered security certificate.
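The note before this procedure (no client-types/no validation-usage) can be checked against a saved configuration. The following Python script is an added example, not Cisco code: it scans a running-config excerpt and reports Smart Call Home trust points that carry neither setting. The excerpt and the trust point names `SCH_CA` and `VPN_CA` are constructed for illustration and the function names are hypothetical; `_SmartCallHome_ServerCA` is the hardcoded name this chapter gives.

```python
import re

# Constructed running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint SCH_CA
 enrollment terminal
 crl configure
crypto ca trustpoint VPN_CA
 enrollment terminal
 validation-usage ipsec-client ssl-client
"""

# Either form of the setting named in the note counts as "validation disabled".
DISABLED = {"no client-types", "no validation-usage"}


def parse_trustpoints(config):
    """Return {trust point name: [sub-commands]} from indented config text."""
    trustpoints, current = {}, None
    for line in config.splitlines():
        header = re.match(r"^crypto ca trustpoint (\S+)\s*$", line)
        if header:
            current = trustpoints.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return trustpoints


def audit_sch_trustpoints(config, sch_names):
    """List Smart Call Home trust points that can still validate VPN peers."""
    findings = []
    trustpoints = parse_trustpoints(config)
    for name in sch_names:
        if name not in trustpoints:
            findings.append((name, "trust point not found"))
        elif not DISABLED & set(trustpoints[name]):
            findings.append((name, "validation usage not disabled"))
    return findings


if __name__ == "__main__":
    # sch_names: the trust points you created for Smart Call Home (assumed here).
    for name, issue in audit_sch_trustpoints(
            SAMPLE_CONFIG, ["_SmartCallHome_ServerCA", "SCH_CA"]):
        print(f"{name}: {issue}")
```

Pass the names of the trust points that you created for Smart Call Home; trust points used for VPN, such as the constructed `VPN_CA`, are deliberately left out of the check.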
An alert group is a predefined subset of the Smart Call Home alerts that are supported on the ASA. Different types of Smart Call Home alerts are grouped into different alert groups, depending on their type. Each alert group reports the output of certain CLI commands. The supported Smart Call Home alert groups are the following:
Alert groups have the following attributes:
Messages are sent to Cisco periodically and whenever the ASA reloads. These messages are categorized by alert groups.
Inventory alerts consist of output from the following commands:
Configuration alerts consist of output from the following commands:
Diagnostic alerts consist of output from the following commands:
Environment alerts consist of output from the following command:
Threat alerts consist of output from the following commands:
Snapshot alerts may consist of output from the following commands (for example):
Telemetry alerts consist of output from the following commands:
When you subscribe a destination profile to certain alert groups, you can set a threshold for sending alert group messages based on the message severity level. Any message with a value lower than the destination profile’s specified threshold is not sent to the destination.
Table 49-1 shows the mapping between message severity levels and syslog severity levels.
A subscription profile allows you to associate the destination recipients with interested groups. When an event registered with a subscribed group in a profile is triggered, the message associated with the event is sent to the configured recipients. Subscription profiles have the following attributes:
A default profile, “Cisco TAC,” has been provided. The default profile has a predefined set of groups (diagnostic, environment, inventory, configuration, and telemetry) to monitor and predefined destination e-mail and HTTPS URLs. The default profile is created automatically when you initially configure Smart Call Home. The destination e-mail is callhome@cisco.com and the destination URL is https://tools.cisco.com/its/service/oddce/services/DDCEService.
Note: You cannot change the destination e-mail or the destination URL of the default profile.
When you subscribe a destination profile to the configuration, inventory, telemetry, or snapshot alert groups, you can choose to receive the alert group messages asynchronously or periodically at a specified time.
Table 49-2 maps the default alert group to its severity level subscription and period (if applicable):
To configure the environment and snapshot alert groups, enter the following command:
To subscribe a destination profile to an alert group, perform the following steps:
alert-group { all | configuration | diagnostic | environment | inventory | syslog }
Enables the specified Smart Call Home alert group. Use the all keyword to enable all alert groups. By default, all alert groups are enabled.
Enters the profile configuration submode for the specified destination profile. Note: This is the same profile that you used in the “Enabling Smart Call Home” section.
ciscoasa(cfg-call-home-profile)# subscribe-to-alert-group all
subscribe-to-alert-group configuration periodic { daily hh:mm | monthly date hh:mm | weekly day hh:mm }
ciscoasa(cfg-call-home-profile)# subscribe-to-alert-group configuration periodic weekly Wednesday 23:30
Subscribes this destination profile to the configuration alert group. The periodic keyword configures the configuration alert group for periodic notification. The default period is daily. The daily keyword specifies the time of the day to send, in the hh:mm format, with a 24-hour clock (for example, 14:30). The weekly keyword specifies the day of the week and time of day in the day hh:mm format, where the day of the week is spelled out (for example, Monday). The monthly keyword specifies the numeric date, from 1 to 31, and the time of day, in the date hh:mm format.
subscribe-to-alert-group environment [ severity ] { catastrophic | disaster | emergencies | alert | critical | errors | warnings | notifications | informational | debugging }
ciscoasa(cfg-call-home-profile)# subscribe-to-alert-group environment severity critical
Subscribes to environment events with the specified optional severity level. The severity keyword filters messages based on the severity level, as described in Table 49-1. The default severity level is 6 (informational).
subscribe-to-alert-group syslog [ severity { catastrophic | disaster | fatal | critical | major | minor | warning | notification | normal | debugging } [ pattern string ]]
ciscoasa(cfg-call-home-profile)# subscribe-to-alert-group syslog severity notification pattern UPDOWN
Subscribes to syslog events with an optional severity level or message ID. The severity keyword filters messages based on the severity level, as described in Table 49-1. The default severity level is 6 (informational). The pattern string keyword argument pair is available only if you specify the optional syslog severity level or message ID.
subscribe-to-alert-group inventory periodic { daily hh:mm | monthly date hh:mm | weekly day hh:mm }
ciscoasa(cfg-call-home-profile)# subscribe-to-alert-group inventory periodic daily 06:30
Subscribes to inventory periodic events. The default period is daily. The daily keyword specifies the time of the day to send, in the hh:mm format, with a 24-hour clock (for example, 14:30). The weekly keyword specifies the day of the week and time of day in the day hh:mm format, where the day of the week is spelled out (for example, Monday). The monthly keyword specifies the numeric date, from 1 to 31, and the time of day, in the date hh:mm format.
subscribe-to-alert-group telemetry periodic { hourly | daily | monthly day | weekly day [ hh:mm ]}
Subscribes to telemetry periodic events. The default period is daily. The daily keyword specifies the time of the day to send, in the hh:mm format, with a 24-hour clock (for example, 14:30). The weekly keyword specifies the day of the week and time of day in the day hh:mm format, where the day of the week is spelled out (for example, Monday). The monthly keyword specifies the numeric date, from 1 to 31, and the time of day, in the date hh:mm format.
ciscoasa(cfg-call-home-profile)# subscribe-to-alert-group snapshot periodic interval weekly wednesday 23:15
Subscribes to snapshot periodic events. The default period is daily. The interval keyword specifies the notification interval. The daily keyword specifies the time of the day to send, in the hh:mm format, with a 24-hour clock (for example, 14:30). The weekly keyword specifies the day of the week and time of day in the day hh:mm format, where the day of the week is spelled out (for example, Monday). The monthly keyword specifies the numeric date, from 1 to 31, and the time of day, in the date hh:mm format.
You have already configured the customer e-mail address as part of the “Enabling Smart Call Home” section. This section describes how to configure additional optional customer contact information. You can specify one or more of the following:
To configure customer contact information, perform the following steps:
The following example shows how to configure contact information:
ciscoasa(cfg-call-home)# contact-name contactname1234
We recommend that you use HTTPS for message transport because it is the most secure. However, you can configure an e-mail destination for Smart Call Home and then configure the mail server to use the e-mail message transport.
The following example shows how to configure a primary mail server (named “smtp.example.com”) and a secondary mail server at IP address 10.10.1.1:
You can configure this optional setting to specify the number of messages that Smart Call Home sends per minute.
To configure Smart Call Home traffic rate limiting, perform the following steps:
Specifies the number of messages that Smart Call Home can send per minute. The default value is 10 messages per minute.
The following example shows how to configure Smart Call Home traffic rate limiting:
You can optionally test Smart Call Home communications by sending messages manually using two command types.
To manually send a Smart Call Home test message, enter the following command:
To manually trigger a Call Home alert group message, enter the following command:
To execute a CLI command and e-mail the command output to Cisco TAC or to an e-mail address that you specify, enter the following command:
Configuring a Destination Profile
To configure a destination profile for e-mail or for HTTP, perform the following steps:
Enters the profile configuration mode for the specified destination profile. If the specified destination profile does not exist, it is created. You can create a maximum of 10 active profiles. The default profile is to report back to Cisco TAC. If you want to send call home information to a different location (for example, your own server), you can configure a separate profile.
ciscoasa(cfg-call-home-profile)# destination address email username@example.com
ciscoasa(cfg-call-home-profile)# destination preferred-msg-format long-text
Configures the destination, message size, message format, and transport method for the smart call-home message receiver. The default message format is XML, and the default enabled transport method is e-mail. The e-mail-address is the e-mail address of the smart call-home message receiver, which can be up to 100 characters long. By default, the maximum URL size is 5 MB. Use the short-text format to send and read a message on a mobile device, and use the long text format to send and read a message on a computer. If the message receiver is the Smart Call Home back-end server, ensure that the preferred-msg-format value is XML because the back-end server can accept messages in XML format only. The “Enabling Smart Call Home” section specifies how to set the transport method to HTTP. You can use this command to change the transport method back to e-mail.
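The defaults and recommendations above (e-mail as the default transport, HTTPS as the recommended one, XML only for the Cisco back end) can be audited across all destination profiles. The following Python script is an added example, not Cisco code, and it runs on a constructed `call-home` configuration section. The profile names, `collector.example.com` and the function names are assumptions, as is the rule that the last `destination transport-method` line in a profile wins; the Cisco URL is the default profile's destination URL given in this chapter.

```python
from urllib.parse import urlparse

# Constructed `call-home` section of a running config (not from a real device).
SAMPLE_CONFIG = """\
call-home
 profile to-cisco
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
 profile ops-mail
  destination address email username@example.com
  destination preferred-msg-format long-text
 profile lab-collector
  destination address http http://collector.example.com/sch
  destination transport-method http
 profile tac-text
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination preferred-msg-format long-text
  destination transport-method http
"""

CISCO_BACKEND_HOST = "tools.cisco.com"  # host of the default profile's URL


def parse_profiles(config):
    """Return {profile: settings}; defaults are e-mail transport and XML."""
    profiles, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "profile":
            current = profiles.setdefault(
                words[1], {"transport": "email", "format": "xml", "urls": []})
        elif current is None or len(words) < 3 or words[0] != "destination":
            continue
        elif words[1] == "transport-method":
            current["transport"] = words[2]  # assumption: last line wins
        elif words[1] == "preferred-msg-format":
            current["format"] = words[2]
        elif words[1:3] == ["address", "http"] and len(words) == 4:
            current["urls"].append(words[3])
    return profiles


def audit_profiles(config):
    """Return (profile, issue) pairs for transport and format problems."""
    findings = []
    for name, settings in parse_profiles(config).items():
        if settings["transport"] != "http":
            findings.append((name, "e-mail transport; HTTPS is recommended"))
        for url in settings["urls"]:
            parsed = urlparse(url)
            if parsed.scheme.lower() != "https":
                findings.append((name, "destination URL is not HTTPS"))
            if parsed.hostname == CISCO_BACKEND_HOST and settings["format"] != "xml":
                findings.append((name, "Cisco back end accepts XML only"))
    return findings


if __name__ == "__main__":
    print(*(f"{n}: {i}" for n, i in audit_profiles(SAMPLE_CONFIG)), sep="\n")
```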
To create a new destination profile by copying an existing profile, perform the following steps:
The following example shows how to copy an existing profile:
Renaming a Destination Profile
To change the name of an existing profile, perform the following steps:
The following example shows how to rename an existing profile:
To monitor the Anonymous Reporting and Smart Call Home features, enter one of the following commands:
The following example shows how to configure the Smart Call Home feature:
Table 49-3 lists each feature change and the platform release in which it was implemented.