SNMP

This chapter describes how to configure Simple Network Management Protocol (SNMP) to monitor the ASA.

Information About SNMP

SNMP is an application-layer protocol that facilitates the exchange of management information between network devices and is part of the TCP/IP protocol suite.

The ASA, ASAv, and ASASM provide support for network monitoring using SNMP Versions 1, 2c, and 3, and supports the use of all three versions simultaneously. The SNMP agent running on the ASA interface lets you monitor the ASA and ASASM through network management systems (NMSs), such as HP OpenView. The ASA, ASAv, and ASASM support SNMP read-only access through issuance of a GET request. SNMP write access is not allowed, so you cannot make changes with SNMP. In addition, the SNMP SET request is not supported.

You can configure the ASA, ASAv, and ASASM to send traps, which are unsolicited messages from the managed device to the management station for certain events (event notifications) to an NMS, or you can use the NMS to browse the MIBs on the ASA. MIBs are a collection of definitions, and the ASA, ASAv, and ASASM maintain a database of values for each definition. Browsing a MIB means issuing a series of GET-NEXT or GET-BULK requests of the MIB tree from the NMS to determine values.

The ASA, ASAv, and ASASM have an SNMP agent that notifies designated management stations if events occur that are predefined to require a notification, for example, when a link in the network goes up or down. The notification it sends includes an SNMP OID, which identifies itself to the management stations. The ASA, ASAv, or ASASM SNMP agent also replies when a management station asks for information.

Information About SNMP Terminology

Table 47-1 lists the terms that are commonly used when working with SNMP:

 

Table 47-1 SNMP Terminology
Term
Description

Agent

The SNMP server running on the ASA. The SNMP agent has the following features:

  • Responds to requests for information and actions from the network management station.
  • Controls access to its Management Information Base, the collection of objects that the SNMP manager can view or change.
  • Does not allow set operations.

Browsing

Monitoring the health of a device from the network management station by polling required information from the SNMP agent on the device. This activity may include issuing a series of GET-NEXT or GET-BULK requests of the MIB tree from the network management station to determine values.

Management Information Bases (MIBs)

Standardized data structures for collecting information about packets, connections, buffers, failovers, and so on. MIBs are defined by the product, protocols, and hardware standards used by most network devices. SNMP network management stations can browse MIBs and request specific data or events be sent as they occur.

Network management stations (NMSs)

The PCs or workstations set up to monitor SNMP events and manage devices, such as the ASA, ASAv, and ASASM.

Object identifier (OID)

The system that identifies a device to its NMS and indicates to users the source of information monitored and displayed.

Trap

Predefined events that generate a message from the SNMP agent to the NMS. Events include alarm conditions such as linkup, linkdown, coldstart, warmstart, authentication, or syslog messages.

Information About MIBs and Traps

MIBs are either standard or enterprise-specific. Standard MIBs are created by the IETF and documented in various RFCs. A trap reports significant events occurring on a network device, most often errors or failures. SNMP traps are defined in either standard or enterprise-specific MIBs. Standard traps are created by the IETF and documented in various RFCs. SNMP traps are compiled into the ASA, ASAvor ASASM software.

If needed, you can also download RFCs, standard MIBs, and standard traps from the following locations:

http://www.ietf.org/

ftp://ftp-sj.cisco.com/pub/mibs

Download a complete list of Cisco MIBs, traps, and OIDs from the following location:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

In addition, download Cisco OIDs by FTP from the following location:

ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz

Note In software versions 7.2(1), 8.0(2), and later, the interface information accessed through SNMP refreshes about every 5 seconds. As a result, we recommend that you wait for at least 5 seconds between consecutive polls.

SNMP Object Identifiers

Each Cisco system-level product has an SNMP object identifier (OID) for use as a MIB-II sysObjectID. The CISCO-PRODUCTS-MIB includes the OIDs that can be reported in the sysObjectID object in the SNMPv2-MIB. You can use this value to identify the model type. Table 47-2 lists the sysObjectID OIDs for ASA models.

 

Table 47-2 SNMP Object Identifiers

Product Identifier
sysObjectID
Model Number

ASA 5505

ciscoASA5505 (ciscoProducts 745)

Cisco ASA 5505

ASA5585-SSP10

ciscoASA5585Ssp10 (ciscoProducts 1194)

ASA 5585-X SSP-10

ASA5585-SSP20

ciscoASA5585Ssp20 (ciscoProducts 1195)

ASA 5585-X SSP-20

ASA5585-SSP40

ciscoASA5585Ssp40 (ciscoProducts 1196)

ASA 5585-X SSP-40

ASA5585-SSP60

ciscoASA5585Ssp60 (ciscoProducts 1197)

ASA 5585-X SSP-60

ASA5585-SSP10

ciscoASA5585Ssp10sc (ciscoProducts 1198)

ASA 5585-X SSP-10 security context

ASA5585-SSP20

ciscoASA5585Ssp20sc (ciscoProducts 1199)

ASA 5585-X SSP-20 security context

ASA5585-SSP40

ciscoASA5585Ssp40sc (ciscoProducts 1200)

ASA 5585-X SSP-40 security context

ASA5585-SSP60

ciscoASA5585Ssp60sc (ciscoProducts 1201)

ASA 5585-X SSP-60 security context

ASA5585-SSP10

ciscoASA5585Ssp10sy (ciscoProducts 1202)

ASA 5585-X SSP-10 system context

ASA5585-SSP20

ciscoASA5585Ssp20sy (ciscoProducts 1203)

ASA 5585-X SSP-20 system context

ASA5585-SSP40

ciscoASA5585Ssp40sy (ciscoProducts 1204)

ASA 5585-X SSP-40 system context

ASA5585-SSP60

ciscoASA5585Ssp60sy (ciscoProducts 1205)

ASA 5585-X SSP-60 system context

ASA Services Module for Catalyst switches/7600 routers

ciscoAsaSm1 (ciscoProducts 1277)

Adaptive Security Appliance (ASA) Services Module for Catalyst switches/7600 routers

ASA Services Module for Catalyst switches/7600 routers security context

ciscoAsaSm1sc (ciscoProducts 1275)

Adaptive Security Appliance (ASA) Services Module for Catalyst switches/7600 routers security context

ASA Services Module for Catalyst switches/7600 routers security context with No Payload Encryption

ciscoAsaSm1K7sc (ciscoProducts 1334)

Adaptive Security Appliance (ASA) Services Module for Catalyst switches/7600 routers security context with No Payload Encryption

ASA Services Module for Catalyst switches/7600 routers system context

ciscoAsaSm1sy (ciscoProducts 1276)

Adaptive Security Appliance (ASA) Services Module for Catalyst switches/7600 routers system context

ASA Services Module for Catalyst switches system context/7600 routers with No Payload Encryption

ciscoAsaSm1K7sy (ciscoProducts 1335)

Adaptive Security Appliance (ASA) Services Module for Catalyst switches/7600 routers system context with No Payload Encryption

ASA Services Module for Catalyst switches/7600 routers system context with No Payload Encryption

ciscoAsaSm1K7 (ciscoProducts 1336)

Adaptive Security Appliance (ASA) Services Module for Catalyst switches/7600 routers with No Payload Encryption

ASA 5512

ciscoASA5512 (ciscoProducts 1407)

ASA 5512 Adaptive Security Appliance

ASA 5525

ciscoASA5525 (ciscoProducts 1408)

ASA 5525 Adaptive Security Appliance

ASA 5545

ciscoASA5545 (ciscoProducts 1409)

ASA 5545 Adaptive Security Appliance

ASA 5555

ciscoASA5555 (ciscoProducts 1410)

ASA 5555 Adaptive Security Appliance

ASA 5512 Security Context

ciscoASA5512sc (ciscoProducts 1411)

ASA 5512 Adaptive Security Appliance Security Context

ASA 5525 Security Context

ciscoASA5525sc (ciscoProducts 1412)

ASA 5525 Adaptive Security Appliance Security Context

ASA 5545 Security Context

ciscoASA5545sc (ciscoProducts 1413)

ASA 5545 Adaptive Security Appliance Security Context

ASA 5555 Security Context

ciscoASA5555sc (ciscoProducts 1414)

ASA 5555 Adaptive Security Appliance Security Context

ASA 5512 System Context

ciscoASA5512sy (ciscoProducts 1415)

ASA 5512 Adaptive Security Appliance System Context

ASA 5515 System Context

ciscoASA5515sy (ciscoProducts 1416)

ASA 5515 Adaptive Security Appliance System Context

ASA 5525 System Context

ciscoASA5525sy (ciscoProducts1417)

ASA 5525 Adaptive Security Appliance System Context

ASA 5545 System Context

ciscoASA5545sy (ciscoProducts 1418)

ASA 5545 Adaptive Security Appliance System Context

ASA 5555 System Context

ciscoASA5555sy (ciscoProducts 1419)

ASA 5555 Adaptive Security Appliance System Context

ASA 5515 Security Context

ciscoASA5515sc (ciscoProducts 1420)

ASA 5515 Adaptive Security Appliance System Context

ASA 5515

ciscoASA5515 (ciscoProducts 1421)

ASA 5515 Adaptive Security Appliance

ASAv

ciscoASAv (ciscoProducts 1902)

Cisco Adaptive Security Virtual Appliance (ASAv)

ASAv System Context

ciscoASAvsy (ciscoProducts 1903)

Cisco Adaptive Security Virtual Appliance (ASAv) System Context

ASAv Security Context

ciscoASAvsc (ciscoProducts 1904)

Cisco Adaptive Security Virtual Appliance (ASAv) Security Contex

SNMP Physical Vendor Type Values

Each Cisco chassis or standalone system has a unique type number for SNMP use. The entPhysicalVendorType OIDs are defined in the CISCO-ENTITY-VENDORTYPE-OID-MIB. This value is returned in the entPhysicalVendorType object from the ASA, ASAv,or ASASM SNMP agent. You can use this value to identify the type of component (module, power supply, fan, sensors, CPU, and so on). Table 47-3 lists the physical vendor type values for the ASA and ASASM models.

 

Table 47-3 SNMP Physical Vendor Type Values

Item
entPhysicalVendorType OID Description

ASA Services Module for Catalyst switches/7600 routers

cevCat6kWsSvcAsaSm1 (cevModuleCat6000Type 169)

ASA Services Module for Catalyst switches/7600 routers with No Payload Encryption

cevCat6kWsSvcAsaSm1K7 (cevModuleCat6000Type 186)

ASA 5505 chassis

cevChassisASA5505 (cevChassis 560)

Cisco Adaptive Security Appliance (ASA) 5512 Adaptive Security Appliance

cevChassisASA5512 (cevChassis 1113)

Cisco Adaptive Security Appliance (ASA) 5512 Adaptive Security Appliance with No Payload Encryption

cevChassisASA5512K7 (cevChassis 1108)

Cisco Adaptive Security Appliance (ASA) 5515 Adaptive Security Appliance

cevChassisASA5515 (cevChassis 1114)

Cisco Adaptive Security Appliance (ASA) 5515 Adaptive Security Appliance with No Payload Encryption

cevChassisASA5515K7 (cevChassis 1109)

Cisco Adaptive Security Appliance (ASA) 5525 Adaptive Security Appliance

cevChassisASA5525 (cevChassis 1115)

Cisco Adaptive Security Appliance (ASA) 5525 Adaptive Security Appliance with No Payload Encryption

cevChassisASA5525K7 (cevChassis 1110)

Cisco Adaptive Security Appliance (ASA) 5545 Adaptive Security Appliance

cevChassisASA5545 (cevChassis 1116)

Cisco Adaptive Security Appliance (ASA) 5545 Adaptive Security Appliance with No Payload Encryption

cevChassisASA5545K7 (cevChassis 1111)

Cisco Adaptive Security Appliance (ASA) 5555 Adaptive Security Appliance

cevChassisASA5555 (cevChassis 1117)

Cisco Adaptive Security Appliance (ASA) 5555 Adaptive Security Appliance with No Payload Encryption

cevChassisASA5555K7 (cevChassis 1112)

Central Processing Unit for Cisco Adaptive Security Appliance 5512

cevCpuAsa5512 (cevModuleCpuType 229)

Central Processing Unit for Cisco Adaptive Security Appliance 5512 with no Payload Encryption

cevCpuAsa5512K7 (cevModuleCpuType 224)

Central Processing Unit for Cisco Adaptive Security Appliance 5515

cevCpuAsa5515 (cevModuleCpuType 230)

Central Processing Unit for Cisco Adaptive Security Appliance 5515 with no Payload Encryption

cevCpuAsa5515K7 (cevModuleCpuType 225)

Central Processing Unit for Cisco Adaptive Security Appliance 5525

cevCpuAsa5525 (cevModuleCpuType 231)

Central Processing Unit for Cisco Adaptive Security Appliance 5525 with no Payload Encryption

cevCpuAsa5525K7 (cevModuleCpuType 226)

Central Processing Unit for Cisco Adaptive Security Appliance 5545

cevCpuAsa5545 (cevModuleCpuType 232)

Central Processing Unit for Cisco Adaptive Security Appliance 5545 with no Payload Encryption

cevCpuAsa5545K7 (cevModuleCpuType 227)

Central Processing Unit for Cisco Adaptive Security Appliance 5555

cevCpuAsa5555 (cevModuleCpuType 233)

Central Processing Unit for Cisco Adaptive Security Appliance 5555 with no Payload Encryption

cevCpuAsa5555K7 (cevModuleCpuType 228)

CPU for ASA 5585 SSP-10

cevCpuAsa5585Ssp10 (cevModuleCpuType 204)

CPU for ASA 5585 SSP-10 No Payload Encryption

cevCpuAsa5585Ssp10K7 ( cevModuleCpuType 205)

CPU for ASA 5585 SSP-20

cevCpuAsa5585Ssp20 (cevModuleCpuType 206)

CPU for ASA 5585 SSP-20 No Payload Encryption

cevCpuAsa5585Ssp20K7 (cevModuleCpuType 207)

CPU for ASA 5585 SSP-40

cevCpuAsa5585Ssp40 (cevModuleCpuType 208)

CPU for ASA 5585 SSP-40 No Payload Encryption

cevCpuAsa5585Ssp40K7 (cevModuleCpuType 209)

CPU for ASA 5585 SSP-60

cevCpuAsa5585Ssp60 (cevModuleCpuType 210)

CPU for ASA 5585 SSP-60 No Payload Encryption

cevCpuAsa5585Ssp60K (cevModuleCpuType 211)

CPU for Cisco ASA Services Module for Catalyst switches/7600 routers

cevCpuAsaSm1 (cevModuleCpuType 222)

CPU for Cisco ASA Services Module with No Payload Encryption for Catalyst switches/7600 routers

cevCpuAsaSm1K7 (cevModuleCpuType 223)

Chassis Cooling Fan in Adaptive Security Appliance 5512

cevFanASA5512ChassisFan (cevFan 163)

Chassis Cooling Fan in Adaptive Security Appliance 5512 with No Payload Encryption

cevFanASA5512K7ChassisFan (cevFan 172)

Chassis Cooling Fan in Adaptive Security Appliance 5515

cevFanASA5515ChassisFan (cevFan 164)

Chassis Cooling Fan in Adaptive Security Appliance 5515 with No Payload Encryption

cevFanASA5515K7ChassisFan (cevFan 171)

Chassis Cooling Fan in Adaptive Security Appliance 5525

cevFanASA5525ChassisFan (cevFan 165)

Chassis Cooling Fan in Adaptive Security Appliance 5525 with No Payload Encryption

cevFanASA5525K7ChassisFan (cevFan 170)

Chassis Cooling Fan in Adaptive Security Appliance 5545

cevFanASA5545ChassisFan (cevFan 166)

Chassis Cooling Fan in Adaptive Security Appliance 5545 with No Payload Encryption

cevFanASA5545K7ChassisFan (cevFan 169)

Power Supply Fan in Adaptive Security Appliance 5545 with No Payload Encryption

cevFanASA5545K7PSFan (cevFan 161)

Power Supply Fan in Adapative Security Appliance 5545

cevFanASA5545PSFan (cevFan 159)

Chassis Cooling Fan in Adaptive Security Appliance 5555

cevFanASA5555ChassisFan (cevFan 167)

Chassis Cooling Fan in Adaptive Security Appliance 5555 with No Payload Encryption

cevFanASA5555K7ChassisFan (cevFan 168)

Power Supply Fan in Adaptive Security Appliance 5555

cevFanASA5555PSFan (cevFan 160)

Power Supply Fan in Adaptive Security Appliance 5555 with No Payload Encryption

cevFanASA5555PSFanK7 (cevFan 162)

Power supply fan for ASA 5585-X

cevFanASA5585PSFan (cevFan 146)

10-Gigabit Ethernet interface

cevPort10GigEthernet (cevPort 315)

Gigabit Ethernet port

cevPortGe (cevPort 109)

Power Supply unit in Adaptive Security Appliance 5545

cevPowerSupplyASA5545PSInput (cevPowerSupply 323)

Presence Sensor for Power Supply input in Adaptive Security Appliance 5545

cevPowerSupplyASA5545PSPresence (cevPowerSupply 321)

Power Supply unit in Adaptive Security Appliance 5555

cevPowerSupplyASA5555PSInput (cevPowerSupply 324)

Presence Sensor for Power Supply input in Adaptive Security Appliance 5555

cevPowerSupplyASA5555PSPresence (cevPowerSupply 322)

Power supply input for ASA 5585

cevPowerSupplyASA5585PSInput (cevPowerSupply 304)

Cisco Adaptive Security Appliance (ASA) 5512 Chassis Fan sensor

cevSensorASA5512ChassisFanSensor (cevSensor 120)

Chassis Ambient Temperature Sensor for Cisco Adaptive Security Appliance 5512

cevSensorASA5512ChassisTemp (cevSensor 107)

Central Processing Unit Temperature Sensor for Cisco Adaptive Security Appliance 5512

cevSensorASA5512CPUTemp (cevSensor 96)

Cisco Adaptive Security Appliance (ASA) 5512 with No Payload Encryption Chassis Fan sensor

cevSensorASA5512K7ChassisFanSensor (cevSensor 125)

Central Processing Unit Temperature Sensor for Cisco Adaptive Security Appliance 5512 with No Payload Encryption

cevSensorASA5512K7CPUTemp (cevSensor 102)

Sensor for Chassis Cooling Fan in Adaptive Security Appliance 5512 with No Payload Encryption

cevSensorASA5512K7PSFanSensor (cevSensor 116)

Sensor for Chassis Cooling Fan in Adaptive Security Appliance 5512

cevSensorASA5512PSFanSensor (cevSensor 119)

Cisco Adaptive Security Appliance (ASA) 5515 Chassis Fan sensor

cevSensorASA5515ChassisFanSensor (cevSensor 121)

Chassis Ambient Temperature Sensor for Cisco Adaptive Security Appliance 5515

cevSensorASA5515ChassisTemp (cevSensor 98)

Central Processing Unit Temperature Sensor for Cisco Adaptive Security Appliance 5515

cevSensorASA5515CPUTemp (cevSensor 97)

Cisco Adaptive Security Appliance (ASA) 5515 with No Payload Encryption Chassis Fan sensor

cevSensorASA5515K7ChassisFanSensor (cevSensor 126)

Central Processing Unit Temperature Sensor for Cisco Adaptive Security Appliance 5515 with No Payload Encryption

cevSensorASA5515K7CPUTemp (cevSensor 103)

Sensor for Chassis Cooling Fan in Adaptive Security Appliance 5515 with No Payload Encryption

cevSensorASA5515K7PSFanSensor (cevSensor 115)

Sensor for Chassis Cooling Fan in Adaptive Security Appliance 5515

cevSensorASA5515PSFanSensor (cevSensor 118)

Cisco Adaptive Security Appliance (ASA) 5525 Chassis Fan sensor

cevSensorASA5525ChassisFanSensor (cevSensor 122)

Chassis Ambient Temperature Sensor for Cisco Adaptive Security Appliance 5525

cevSensorASA5525ChassisTemp (cevSensor 108)

Central Processing Unit Temperature Sensor for Cisco Adaptive Security Appliance 5525

cevSensorASA5525CPUTemp (cevSensor 99)

Cisco Adaptive Security Appliance (ASA) 5525 with No Payload Encryption Chassis Fan sensor

cevSensorASA5525K7ChassisFanSensor (cevSensor 127)

Central Processing Unit Temperature Sensor for Cisco Adaptive Security Appliance 5525 with No Payload Encryption

cevSensorASA5525K7CPUTemp (cevSensor 104)

Sensor for Chassis Cooling Fan in Adaptive Security Appliance 5525 with No Payload Encryption

cevSensorASA5525K7PSFanSensor (cevSensor 114)

Sensor for Chassis Cooling Fan in Adaptive Security Appliance 5525

cevSensorASA5525PSFanSensor (cevSensor 117)

Cisco Adaptive Security Appliance (ASA) 5545 Chassis Fan sensor

cevSensorASA5545ChassisFanSensor (cevSensor 123)

Chassis Ambient Temperature Sensor for Cisco Adaptive Security Appliance 5545

cevSensorASA5545ChassisTemp (cevSensor 109)

Central Processing Unit Temperature Sensor for Cisco Adaptive Security Appliance 5545

cevSensorASA5545CPUTemp (cevSensor 100)

Cisco Adaptive Security Appliance (ASA) 5545 with No Payload Encryption Chassis Fan sensor

cevSensorASA5545K7ChassisFanSensor (cevSensor 128)

Chassis Ambient Temperature Sensor for Cisco Adaptive Security Appliance 5545 with No Payload Encryption

cevSensorASA5545K7ChassisTemp (cevSensor 90)

Central Processing Unit Temperature Sensor for Cisco Adaptive Security Appliance 5545 with No Payload Encryption

cevSensorASA5545K7CPUTemp (cevSensor 105)

Sensor for Chassis Cooling Fan in Adaptive Security Appliance 5545 with No Payload Encryption

cevSensorASA5545K7PSFanSensor (cevSensor 113)

Presence Sensor for Power Supply input in Adaptive Security Appliance 5545 with No Payload Encryption

cevSensorASA5545K7PSPresence (cevSensor 87)

Temperature Sensor for Power Supply Fan in Adaptive Security Appliance 5545 with No Payload Encryption

cevSensorASA5545K7PSTempSensor (cevSensor 94)

Sensor for Power Supply Fan in Adaptive Security Appliance 5545 with No Payload Encryption

cevSensorASA5545PSFanSensor (cevSensor 89)

Presence Sensor for Power Supply input in Adaptive Security Appliancce 5545

cevSensorASA5545PSPresence (cevSensor 130)

Presence Sensor for Power Supply input in Adaptive Security Appliancce 5555

cevSensorASA5545PSPresence (cevSensor 131)

Temperature Sensor for Power Supply Fan in Adaptive Security Appliance 5545

cevSensorASA5545PSTempSensor (cevSensor 92)

Cisco Adaptive Security Appliance (ASA) 5555 Chassis Fan sensor

cevSensorASA5555ChassisFanSensor (cevSensor 124)

Chassis Ambient Temperature Sensor for Cisco Adaptive Security Appliance 5555

cevSensorASA5555ChassisTemp (cevSensor 110)

Central Processing Unit Temperature Sensor for Cisco Adaptive Security Appliance 5555

cevSensorASA5555CPUTemp (cevSensor 101)

Cisco Adaptive Security Appliance (ASA) 5555 with No Payload Encryption Chassis Fan sensor

cevSensorASA5555K7ChassisFanSensor (cevSensor 129)

Chassis Ambient Temperature Sensor for Cisco Adaptive Security Appliance 5555 with No Payload Encryption

cevSensorASA5555K7ChassisTemp (cevSensor 111)

Central Processing Unit Temperature Sensor for Cisco Adaptive Security Appliance 5555 with No Payload Encryption

cevSensorASA5555K7CPUTemp (cevSensor 106)

Sensor for Chassis Cooling Fan in Adaptive Security Appliance 5555 with No Payload Encryption

cevSensorASA5555K7PSFanSensor (cevSensor 112)

Presence Sensor for Power Supply input in Adaptive Security Appliance 5555 with No Payload Encryption

cevSensorASA5555K7PSPresence (cevSensor 88)

Temperature Sensor for Power Supply Fan in Adaptive Security Appliance 5555 with No Payload Encryption

cevSensorASA5555K7PSTempSensor (cevSensor 95)

Sensor for Power Supply Fan in Adaptive Security Appliance 5555

cevSensorASA5555PSFanSensor (cevSensor 91)

Temperature Sensor for Power Supply Fan in Adaptive Security Appliance 5555

cevSensorASA5555PSTempSensor (cevSensor 93)

Sensor for power supply fan for ASA 5585-X

cevSensorASA5585PSFanSensor (cevSensor 86)

Sensor for power supply input for ASA 5585-X

cevSensorASA5585PSInput (cevSensor 85)

CPU temperature sensor for ASA 5585 SSP-10

cevSensorASA5585SSp10CPUTemp (cevSensor 77)

CPU temperature sensor for ASA 5585 SSP-10 No Payload Encryption

cevSensorASA5585SSp10K7CPUTemp (cevSensor 78)

CPU temperature sensor for ASA 5585 SSP-20

cevSensorASA5585SSp20CPUTemp (cevSensor 79)

CPU temperature sensor for ASA 5585 SSP-20 No Payload Encryption

cevSensorASA5585SSp20K7CPUTemp (cevSensor 80)

CPU temperature sensor for ASA 5585 SSP-40

cevSensorASA5585SSp40CPUTemp (cevSensor 81)

CPU temperature sensor for ASA 5585 SSP-40 No Payload Encryption

cevSensorASA5585SSp40K7CPUTemp (cevSensor 82)

CPU temperature sensor for ASA 5585 SSP-60

cevSensorASA5585SSp60CPUTemp (cevSensor 83)

CPU temperature sensor for ASA 5585 SSP-60 No Payload Encryption

cevSensorASA5585SSp60K7CPUTemp (cevSensor 84)

Adaptive Security Appliance 5555-X Field-Replaceable Solid State Drive

cevModuleASA5555XFRSSD (cevModuleCommonCards 396)

Adaptive Security Appliance 5545-X Field-Replaceable Solid State Drive

cevModuleASA5545XFRSSD (cevModuleCommonCards 397)

Adaptive Security Appliance 5525-X Field-Replaceable Solid State Drive

cevModuleASA5525XFRSSD (cevModuleCommonCards 398)

Adaptive Security Appliance 5515-X Field-Replaceable Solid State Drive

cevModuleASA5515XFRSSD (cevModuleCommonCards 399)

Adaptive Security Appliance 5512-X Field-Replaceable Solid State Drive

cevModuleASA5512XFRSSD (cevModuleCommonCards 400)

Cisco Adaptive Security Virtual Appliance

cevChassisASAv (cevChassis 1451)

Supported Tables in (MIBs

Table 47-4 lists the supported tables and objects for the specified MIBs.

 

Table 47-4 Supported Tables and Objects in MIBs

MIB Name
Supported Tables and Objects

CISCO-ENHANCED-MEMPOOL-MIB

cempMemPoolTable, cempMemPoolIndex, cempMemPoolType, cempMemPoolName, cempMemPoolAlternate, cempMemPoolValid, cempMemPoolUsed, cempMemPoolFree, cempMemPoolUsedOvrflw, cempMemPoolHCUsed, cempMemPoolFreeOvrflw, cempMemPoolHCFree

CISCO-ENTITY-SENSOR-EXT-MIB

Note Not supported on the ASA Services Module for Catalyst 6500 switches/7600 routers.

ceSensorExtThresholdTable

CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB

ciscoL4L7ResourceLimitTable

CISCO-TRUSTSEC-SXP-MIB

Note Not supported on the Cisco Adaptive Security Virtual Appliance (ASAv).

ctsxSxpGlobalObjects, ctsxSxpConnectionObjects, ctsxSxpSgtObjects

DISMAN-EVENT-MIB

mteTriggerTable, mteTriggerThresholdTable, mteObjectsTable, mteEventTable, mteEventNotificationTable

DISMAN-EXPRESSION-MIB

Note Not supported on the ASA Services Module for Catalyst 6500 switches/7600 routers.

expExpressionTable, expObjectTable, expValueTable

ENTITY-SENSOR-MIB

Note Not supported on the ASA Services Module for Catalyst 6500 switches/7600 routers.

entPhySensorTable

NAT-MIB

natAddrMapTable, natAddrMapIndex, natAddrMapName, natAddrMapGlobalAddrType, natAddrMapGlobalAddrFrom, natAddrMapGlobalAddrTo, natAddrMapGlobalPortFrom, natAddrMapGlobalPortTo, natAddrMapProtocol, natAddrMapAddrUsed, natAddrMapRowStatus

Supported Traps (Notifications)

Table 47-5 lists the supported traps (notifications) and their associated MIBs.

 

Table 47-5 Supported Traps (Notifications)

Trap and MIB Name
Varbind List
Description

authenticationFailure

(SNMPv2-MIB)

For SNMP Version 1 or 2, the community string provided in the SNMP request is incorrect. For SNMP Version 3, a report PDU is generated instead of a trap if the auth or priv passwords or usernames are incorrect.

The snmp-server enable traps snmp authentication command is used to enable and disable transmission of these traps.

cefcFRUInserted

(CISCO-ENTITY-FRU-CONTROL-MIB)

The snmp-server enable traps entity fru-insert command is used to enable this notification.

cefcFRURemoved

(CISCO-ENTITY-FRU-CONTROL-MIB)

The snmp-server enable traps entity fru-remove command is used to enable this notification.

ceSensorExtThresholdNotification

(CISCO-ENTITY-SENSOR-EXT-MIB)

Note Not supported on the ASA Services Module for Catalyst 6500 switches/7600 routers.

ceSensorExtThresholdValue, entPhySensorValue, entPhySensorType, entPhysicalName

The snmp-server enable traps entity [ power-supply-failure | fan-failure | cpu-temperature ] command is used to enable transmission of the entity threshold notifications. This notification is sent for a power supply failure. The objects sent identify the fan and CPU temperature.

The snmp-server enable traps entity fan-failure command is used to enable transmission of the fan failure trap.

The snmp-server enable traps entity power-supply-failure command is used to enable transmission of the power supply failure trap.

The snmp-server enable traps entity chassis-fan-failure command is used to enable transmission of the chassis fan failure trap.

The snmp-server enable traps entity cpu-temperature command is used to enable transmission of the high CPU temperature trap.

The snmp-server enable traps entity power-supply-presence command is used to enable transmission of the power supply presence failure trap.

The snmp-server enable traps entity power-supply-temperature command is used to enable transmission of the power supply temperature threshold trap.

The snmp-server enable traps entity chassis-temperature command is used to enable transmission of the chassis ambient temperature trap.

cipSecTunnelStart

(CISCO-IPSEC-FLOW-MONITOR-MIB)

cipSecTunLifeTime, cipSecTunLifeSize

The snmp-server enable traps ipsec start command is used to enable transmission of this trap.

cipSecTunnelStop

(CISCO-IPSEC-FLOW-MONITOR-MIB)

cipSecTunActiveTime

The snmp-server enable traps ipsec stop command is used to enable transmission of this trap.

ciscoRasTooManySessions

(CISCO-REMOTE-ACCESS-MONITOR
-MIB)

crasNumSessions, crasNumUsers, crasMaxSessionsSupportable, crasMaxUsersSupportable, crasThrMaxSessions

The snmp-server enable traps remote-access session-threshold-exceeded command is used to enable transmission of these traps.

clogMessageGenerated

(CISCO-SYSLOG-MIB)

clogHistFacility, clogHistSeverity, clogHistMsgName, clogHistMsgText, clogHistTimestamp

Syslog messages are generated.

The value of the clogMaxSeverity object is used to decide which syslog messages are sent as traps.

The snmp-server enable traps syslog command is used to enable and disable transmission of these traps.

clrResourceLimitReached

(CISCO-L4L7MODULE-RESOURCE
-LIMIT-MIB)

crlResourceLimitValueType, crlResourceLimitMax, clogOriginIDType, clogOriginID

The snmp-server enable traps connection-limit-reached command is used to enable transmission of the connection-limit-reached notification. The clogOriginID object includes the context name from which the trap originated.

coldStart

(SNMPv2-MIB)

The SNMP agent has started.

The snmp-server enable traps snmp coldstart command is used to enable and disable transmission of these traps.

cpmCPURisingThreshold

(CISCO-PROCESS-MIB)

cpmCPURisingThresholdValue, cpmCPUTotalMonIntervalValue, cpmCPUInterruptMonIntervalValue,cpmCPURisingThresholdPeriod, cpmProcessTimeCreated, cpmProcExtUtil5SecRev

The snmp-server enable traps cpu threshold rising command is used to enable transmission of the cpu threshold rising notification. The cpmCPURisingThresholdPeriod object is sent with the other objects.

entConfigChange

(ENTITY-MIB)

The snmp-server enable traps entity config-change fru-insert fru-remove command is used to enable this notification.

Note This notification is only sent in multimode when a security context is created or removed.

linkDown

(IF-MIB)

ifIndex, ifAdminStatus, ifOperStatus

The linkdown trap for interfaces.

The snmp-server enable traps snmp linkdown command is used to enable and disable transmission of these traps.

linkUp

(IF-MIB)

ifIndex, ifAdminStatus, ifOperStatus

The linkup trap for interfaces.

The snmp-server enable traps snmp linkup command is used to enable and disable transmission of these traps.

mteTriggerFired

(DISMAN-EVENT-MIB)

mteHotTrigger, mteHotTargetName, mteHotContextName, mteHotOID, mteHotValue, cempMemPoolName, cempMemPoolHCUsed

The snmp-server enable traps memory-threshold command is used to enable the memory threshold notification. The mteHotOID is set to cempMemPoolHCUsed. The cempMemPoolName and cempMemPoolHCUsed objects are sent with the other objects.

mteTriggerFired

(DISMAN-EVENT-MIB)

Note Not supported on the ASA Services Module for Catalyst 6500 switches/7600 routers.

mteHotTrigger, mteHotTargetName, mteHotContextName, mteHotOID, mteHotValue, ifHCInOctets, ifHCOutOctets, ifHighSpeed, entPhysicalName

The snmp-server enable traps interface-threshold command is used to enable the interface threshold notification. The entPhysicalName objects are sent with the other objects.

natPacketDiscard

(NAT-MIB)

ifIndex

The snmp-server enable traps nat packet-discard command is used to enable the NAT packet discard notification. This notification is rate limited for 5 minutes and is generated when IP packets are discarded by NAT because mapping space is not available. The ifIndex gives the ID of the mapped interface.

warmStart

(SNMPv2-MIB)

The snmp-server enable traps snmp warmstart command is used to enable and disable transmission of these traps.

SNMP Version 3

This section describes SNMP Version 3.

SNMP Version 3 Overview

SNMP Version 3 provides security enhancements that are not available in SNMP Version 1 or SNMP Version 2c. SNMP Versions 1 and 2c transmit data between the SNMP server and SNMP agent in clear text. SNMP Version 3 adds authentication and privacy options to secure protocol operations. In addition, this version controls access to the SNMP agent and MIB objects through the User-based Security Model (USM) and View-based Access Control Model (VACM). The ASA and ASASM also support the creation of SNMP groups and users, as well as hosts, which is required to enable transport authentication and encryption for secure SNMP communications.

Security Models

For configuration purposes, the authentication and privacy options are grouped together into security models. Security models apply to users and groups, which are divided into the following three types:

  • NoAuthPriv—No Authentication and No Privacy, which means that no security is applied to messages.
  • AuthNoPriv—Authentication but No Privacy, which means that messages are authenticated.
  • AuthPriv—Authentication and Privacy, which means that messages are authenticated and encrypted.

SNMP Groups

An SNMP group is an access control policy to which users can be added. Each SNMP group is configured with a security model, and is associated with an SNMP view. A user within an SNMP group must match the security model of the SNMP group. These parameters specify what type of authentication and privacy a user within an SNMP group uses. Each SNMP group name and security model pair must be unique.

SNMP Users

SNMP users have a specified username, a group to which the user belongs, authentication password, encryption password, and authentication and encryption algorithms to use. The authentication algorithm options are MD5 and SHA. The encryption algorithm options are DES, 3DES, and AES (which is available in 128, 192, and 256 versions). When you create a user, you must associate it with an SNMP group. The user then inherits the security model of the group.

SNMP Hosts

An SNMP host is an IP address to which SNMP notifications and traps are sent. To configure SNMP Version 3 hosts, along with the target IP address, you must configure a username, because traps are only sent to a configured user. SNMP target IP addresses and target parameter names must be unique on the ASA and ASA Services Module. Each SNMP host can have only one username associated with it. To receive SNMP traps, after you have added the snmp-server host command, make sure that you configure the user credentials on the NMS to match the credentials for the ASA and ASASM.

Implementation Differences Between the ASA, ASA Services Module, and the Cisco IOS Software

The SNMP Version 3 implementation in the ASA and ASASM differs from the SNMP Version 3 implementation in the Cisco IOS software in the following ways:

  • The local-engine and remote-engine IDs are not configurable. The local engine ID is generated when the ASA or ASASM starts or when a context is created.
  • No support exists for view-based access control, which results in unrestricted MIB browsing.
  • Support is restricted to the following MIBs: USM, VACM, FRAMEWORK, and TARGET.
  • You must create users and groups with the correct security model.
  • You must remove users, groups, and hosts in the correct sequence.
  • Use of the snmp-server host command creates an ASA, ASAv, or ASASM rule to allow incoming SNMP traffic.

Licensing Requirements for SNMP

 

Model
License Requirement

ASAv

Standard or Premium License.

All other models

Base License.

Prerequisites for SNMP

SNMP has the following prerequisite:

You must have Cisco Works for Windows or another SNMP MIB-II compliant browser to receive SNMP traps or browse a MIB.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single and multiple context mode.

Firewall Mode Guidelines

Supported in routed and transparent firewall mode.

Failover Guidelines

  • Supported in SNMP Version 3.
  • The SNMP client in each ASA, ASAv, or ASASM shares engine data with its peer. Engine data includes the engineID, engineBoots, and engineTime objects of the SNMP-FRAMEWORK-MIB. Engine data is written as a binary file to flash:/snmp/ contextname.

IPv6 Guidelines

Does not support IPv6.

Additional Guidelines

  • Does not support view-based access control, but the VACM MIB is available for browsing to determine default view settings.
  • The ENTITY-MIB is not available in the non-admin context. Use the IF-MIB instead to perform queries in the non-admin context.
  • Does not support SNMP Version 3 for the AIP SSM or AIP SSC.
  • Does not support SNMP debugging.
  • Does not support retrieval of ARP information.
  • Does not support SNMP SET commands.
  • When using NET-SNMP Version 5.4.2.1, only supports the encryption algorithm version of AES128. Does not support the encryption algorithm versions of AES256 or AES192.
  • Changes to the existing configuration are rejected if the result places the SNMP feature in an inconsistent state.
  • For SNMP Version 3, configuration must occur in the following order: group, user, host.
  • Before a group is deleted, you must ensure that all users associated with that group are deleted.
  • Before a user is deleted, you must ensure that no hosts are configured that are associated with that username.
  • If users have been configured to belong to a particular group with a certain security model, and if the security level of that group is changed, you must do the following in this sequence:

Remove the users from that group.

Change the group security level.

Add users that belong to the new group.

  • The creation of custom views to restrict user access to a subset of MIB objects is not supported.
  • All requests and traps are available in the default Read/Notify View only.
  • The connection-limit-reached trap is generated in the admin context. To generate this trap. you must have at least one SNMP server host configured in the user context in which the connection limit has been reached.
  • You cannot query for the chassis temperature on the ASA 5585 SSP-40 (NPE).
  • You can add up to 4000 hosts. However, only 128 of this number can be for traps.
  • The total number of supported active polling destinations is 128.
  • You can specify a network object to indicate the individual hosts that you want to add as a host group.
  • You can associate more than one user with one host.
  • You can specify overlapping network objects in different host-group commands. The values that you specify for the last host group take effect for the common set of hosts in the different network objects.
  • If you delete a host group or hosts that overlap with other host groups, the hosts are set up again using the values that have been specified in the configured host groups.
  • The values that the hosts acquire depend on the specified sequence that you use to run the commands.
  • The limit on the message size that SNMP sends is 1472 bytes.
  • Members of a cluster do not synchronize their SNMPv3 engine IDs. Because of this, each unit in the cluster should have a unique SNMPv3 user configuration.

Configuring SNMP

This section describes how to configure SNMP.

Enabling SNMP

The SNMP agent that runs on the ASA performs two functions:

  • Replies to SNMP requests from NMSs.
  • Sends traps (event notifications) to NMSs.

To enable the SNMP agent and identify an NMS that can connect to the SNMP server, enter the following command:

 

Command
Purpose
snmp-server enable
 

ciscoasa(config)# snmp-server enable

Ensures that the SNMP server on the ASA, ASAv, or ASASM is enabled. By default, the SNMP server is enabled.

What to Do Next

See Configuring SNMP Traps.

Configuring SNMP Traps

To designate which traps that the SNMP agent generates and how they are collected and sent to NMSs, enter the following command:

 

Command
Purpose
snmp-server enable traps [ all | syslog | snmp [ authentication | linkup | linkdown | coldstart | warmstart ] | entity [ config-change | fru-insert | fru-remove | fan-failure | cpu-temperature | chassis-fan- failure | power-supply-failure ] | chassis-temperature | power-supply-presence | power-supply-temperature ] ikev2 [ start | stop ] | ipsec [ start | stop ] | remote-access [ session-threshold-exceeded ]| connection-limit-reached | cpu threshold rising | interface-threshold | memory-threshold | nat [ packet-discard ]
 

ciscoasa(config)# snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

Sends individual traps, sets of traps, or all traps to the NMS. Enables syslog messages to be sent as traps to the NMS. The default configuration has all SNMP standard traps enabled, as shown in the example. To disable these traps, use the no snmp-server enable traps snmp command. If you enter this command and do not specify a trap type, the default is the syslog trap. By default, the syslog trap is enabled. The default SNMP traps continue to be enabled with the syslog trap. You need to configure both the logging history command and the snmp-server enable traps syslog command to generate traps from the syslog MIB. To restore the default enabling of SNMP traps, use the clear configure snmp-server command. All other traps are disabled by default.

Keywords available in the admin context only:

  • connection-limit-reached
  • entity
  • memory-threshold

Traps generated through the admin context only for physically connected interfaces in the system context:

  • interface-threshold

Note The interface-threshold trap is not supported on the ASA Services Module for Catalyst 6500 switches/7600 routers.

All other traps are available in the admin and user contexts in single mode.

In multi-mode, the fan-failure trap, the power-supply-failure trap, and the cpu-temperature trap are generated only from the admin context, and not the user contexts (applies only to the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X). These traps do not apply to the ASA 5505.

If the CPU usage is greater than the configured threshold value for the configured monitoring period, the cpu threshold rising trap is generated.

When the used system context memory reaches 80 percent of the total system memory, the memory-threshold trap is generated from the admin context. For all other user contexts, this trap is generated when the used memory reaches 80 percent of the total system memory in that particular context.

Note SNMP does not monitor voltage sensors.

What to Do Next

See Configuring a CPU Usage Threshold.

Configuring a CPU Usage Threshold

To configure the CPU usage threshold, enter the following command:

 

Command
Purpose
snmp cpu threshold rising threshold_value monitoring_period
 

ciscoasa(config)# snmp cpu threshold rising 75% 30 minutes

Configures the threshold value for a high CPU threshold and the threshold monitoring period. To clear the threshold value and monitoring period of the CPU utilization, use the no form of this command. If the snmp cpu threshold rising command is not configured, the default for the high threshold level is over 70 percent, and the default for the critical threshold level is over 95 percent. The default monitoring period is set to 1 minute.

You cannot configure the critical CPU threshold level, which is maintained at a constant 95 percent. Valid threshold values for a high CPU threshold range from 10 to 94 percent. Valid values for the monitoring period range from 1 to 60 minutes.

What to Do Next

See Configuring a Physical Interface Threshold.

Configuring a Physical Interface Threshold

To configure the physical interface threshold, enter the following command:

 

Command
Purpose
snmp interface threshold threshold_value
 

ciscoasa(config)# snmp interface threshold 75%

 

Note Not supported on the ASA Services Module for Catalyst 6500 switches/7600 routers.

Configures the threshold value for an SNMP physical interface. To clear the threshold value for an SNMP physical interface, use the no form of this command. The threshold value is defined as a percentage of interface bandwidth utilization. Valid threshold values range from 30 to 99 percent. The default value is 70 percent.

The snmp interface threshold command is available only in the admin context.

Note Physical interface usage is monitored in single mode and multimode, and traps for physical interfaces in the system context are sent through the admin context. Only physical interfaces are used to compute threshold usage.

What to Do Next

Choose one of the following:

Using SNMP Version 1 or 2c

To configure parameters for SNMP Version 1 or 2c, perform the following steps:

Detailed Steps

 

Command
Purpose

Step 1
snmp-server host { interface hostname | ip_address } [ trap | poll ] [ community community-string ] [ version { 1 | 2c username }] [ udp-port port ]
 

ciscoasa(config)# snmp-server host mgmt 10.7.14.90 version 2

 

ciscoasa(config)# snmp-server host corp 172.18.154.159 community public

Specifies the recipient of an SNMP notification, indicates the interface from which traps are sent, and identifies the name and IP address of the NMS or SNMP manager that can connect to the ASA. The trap keyword limits the NMS to receiving traps only. The poll keyword limits the NMS to sending requests (polling) only. By default, SNMP traps are enabled. By default, the UDP port is 162. The community string is a shared secret key between the ASA, ASAv, or ASASM and the NMS. The key is a case-sensitive value up to 32 alphanumeric characters long. Spaces are not permitted. The default community string is public. The ASA uses this key to determine whether or not the incoming SNMP request is valid. For example, you could designate a site with a community string and then configure the ASA and the management station with the same string. The ASA, ASAv, and ASASM use the specified string and do not respond to requests with an invalid community string. After you have used an encrypted community string, only the encrypted form is visible to all systems (for example, CLI, ASDM, CSM, and so on). The clear text password is not visible. The encrypted community string is always generated by the ASA; you normally enter the clear text form.

Note If you downgrade from version 8.3(1) to a lower version of the ASA software and have configured encrypted passwords, you must first revert the encrypted passwords to clear text using the no key config-key password encryption command, then save the results.

To receive traps after you have added the snmp-server host command, make sure that you configure the user on the NMS with the same credentials as the credentials configured on the ASA, ASAv, and ASASM.

Step 2
snmp-server community community-string
 

ciscoasa(config)# snmp-server community onceuponatime

Sets the community string, which is for use only with SNMP Version 1 or 2c.

Step 3
snmp-server [ contact | location ] text
 

ciscoasa(config)# snmp-server location building 42

 

ciscoasa(config)# snmp-server contact EmployeeA

Sets the SNMP server location or contact information. The text argument specifies the name of the contact person or the ASA system administrator. The name is case sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.

Step 4
snmp-server listen-port lport
 

ciscoasa(config)# snmp-server lport 192

Sets the listening port for SNMP requests. The lport argument is the port on which incoming requests are accepted. The default listening port is 161. The snmp-server listen-port command is only available in admin context, and is not available in the system context. If you configure the snmp-server listen-port command on a port that is currently in use, the following message appears:

Warning The UDP port port is in use by another feature. SNMP requests to the device will fail until the snmp-server listen-port command is configured to use a different port.

The existing SNMP thread continues to poll every 60 seconds until the port is available, and issues syslog message %ASA-1-212001 if the port is still in use.

What to Do Next

See Monitoring SNMP.

Using SNMP Version 3

To configure parameters for SNMP Version 3, perform the following steps:

Detailed Steps

 

Command
Purpose

Step 1
snmp-server group group-name v3 [ auth | noauth | priv ]
 

ciscoasa(config)# snmp-server group testgroup1 v3 auth

Specifies a new SNMP group, which is for use only with SNMP Version 3. When a community string is configured, two additional groups with the name that matches the community string are autogenerated: one for the Version 1 security model and one for the Version 2 security model. For more information about security models, see Security Models. The auth keyword enables packet authentication. The noauth keyword indicates no packet authentication or encryption is being used. The priv keyword enables packet encryption and authentication. No default values exist for the auth or priv keywords.

Step 2
snmp-server user username group-name { v3 [ encrypted ]] [ auth { md5 | sha ]} auth-password [ priv [ des | 3des | aes ] [ 128 | 192 | 256 ] priv-password
 

ciscoasa(config)# snmp-server user testuser1 testgroup1 v3 auth md5 testpassword aes 128 mypassword

 

ciscoasa(config)# snmp-server user testuser1 public v3 encrypted auth md5 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF

Configures a new user for an SNMP group, which is for use only with SNMP Version 3. The username argument is the name of the user on the host that belongs to the SNMP agent. The group-name argument is the name of the group to which the user belongs. The v3 keyword specifies that the SNMP Version 3 security model should be used and enables the use of the encrypted, priv, and the auth keywords. The encrypted keyword specifies the password in encrypted format. Encrypted passwords must be in hexadecimal format. The auth keyword specifies which authentication level (md5 or sha) should be used. The priv keyword specifies the encryption level. No default values for the auth or priv keywords, or default passwords exist. For the encryption algorithm, you can specify either the des, 3des, or aes keyword. You can also specify which version of the AES encryption algorithm to use: 128, 192, or 256. The auth-password argument specifies the authentication user password. The priv-password argument specifies the encryption user password.

Note If you forget a password, you cannot recover it and you must reconfigure the user. You can specify a plain-text password or a localized digest. The localized digest must match the authentication algorithm selected for the user, which can be either MD5 or SHA. When the user configuration is displayed on the console or is written to a file (for example, the startup-configuration file), the localized authentication and privacy digests are always displayed instead of a plain-text password (see the second example). The minimum length for a password is 1 alphanumeric character; however, we recommend that you use at least 8 alphanumeric characters for security.

In clustering, you must manually update each clustered ASA with SNMPv3 users. You can do this by entering the snmp-server user username group-name v3 command on the master unit with the priv-password option and auth-password option in their non-localized forms.

An error message appears to inform you that the SNMPv3 user commands will not be replicated during clustering replication or configuration. You may then configure SNMPv3 user and group commands on slave ASAs independently. This also means that existing SNMPv3 user and group commands are not cleared during replication, and you may enter SNMPv3 user and group commands on all slaves in the cluster. For example:

On a master unit using commands entered with keys that have already been localized:

ciscoasa(config)# snmp-server user defe abc v3 encrypted auth sha c0:e7:08:50:47:eb:2e:e4:3f:a3:bc:45:f6:dd:c3:46:25:a0:22:9a priv aes 256 cf:ad:85:5b:e9:14:26:ae:8f:92:51:12:91:16:a3:ed:de:91:6b:f7:f6:86:cf:18:c0:f0:47:d6:94:e5:da:01

ERROR: This command cannot be replicated because it contains localized keys.

 

On a slave unit during cluster replication (appears only if an snmp-server user commands exist in the configuration):

ciscoasa(cfg-cluster)#

Detected Cluster Master.

Beginning configuration replication from Master.

WARNING: existing snmp-server user CLI will not be cleared.

Step 3
snmp-server host interface { hostname | ip_address } [ trap | poll ] [ community community-string ] [ version { 1 | 2c | 3 username }] [ udp-port port ]
 

ciscoasa(config)# snmp-server host mgmt 10.7.14.90 version 3 testuser1

 

ciscoasa(config)# snmp-server host mgmt 10.7.26.5 version 3 testuser2

Specifies the recipient of an SNMP notification. Indicates the interface from which traps are sent. Identifies the name and IP address of the NMS or SNMP manager that can connect to the ASA. The trap keyword limits the NMS to receiving traps only. The poll keyword limits the NMS to sending requests (polling) only. By default, SNMP traps are enabled. By default, the UDP port is 162. The community string is a shared secret key between the ASA and the NMS. The key is a case-sensitive value up to 32 alphanumeric characters. Spaces are not permitted. The default community-string is public. The ASA, ASAv, and ASASM use this key to determine whether the incoming SNMP request is valid. For example, you could designate a site with a community string and then configure the ASA, ASAv, or ASASM and the NMS with the same string. The ASA, ASAv, and ASASM use the specified string and do not respond to requests with an invalid community string. After you have used an encrypted community string, only the encrypted form is visible to all systems (for example, CLI, ASDM, CSM, and so on). The clear text password is not visible. The encrypted community string is always generated by the ASA; you normally enter the clear text form.

Note If you downgrade from version 8.3(1) to a lower version of the ASA software and have configured encrypted passwords, you must first revert the encrypted passwords to clear text using the no key config-key password encryption command, then save the results.

When SNMP Version 3 hosts are configured on the ASA, ASAv, and ASASM, a user must be associated with that host.

To receive traps after you have added the snmp-server host command, make sure that you configure the user on the NMS with the same credentials as the credentials configured on the ASA, ASAv, and ASASM. For more information about SNMP hosts, see SNMP Hosts.

Step 4
snmp-server [ contact | location ] text
 

ciscoasa(config)# snmp-server location building 42

 

ciscoasa(config)# snmp-server contact EmployeeA

Sets the SNMP server location or contact information. The text argument specifies the name of the contact person or the ASA system administrator. The name is case sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.

Step 5
snmp-server listen-port lport
 

ciscoasa(config)# snmp-server lport 192

Sets the listening port for SNMP requests. The lport argument is the port on which incoming requests are accepted. The default listening port is 161. The snmp-server listen-port command is only available in admin context, and is not available in the system context. If you configure the snmp-server listen-port command on a port that is currently in use, the following message appears:

Warning The UDP port port is in use by another feature. SNMP requests to the device will fail until the snmp-server listen-port command is configured to use a different port.

The existing SNMP thread continues to poll every 60 seconds until the port is available, and issues syslog message %ASA-1-212001 if the port is still in use.

What to Do Next

See Monitoring SNMP.

Configuring a Group of Users

To configure an SNMP user list with a group of specified users in it, enter the following command:

 

Command
Purpose
snmp-server user-list list_name username user_name
 

ciscoasa(config)# snmp-server user-list engineering username user1

The listname argument specifies the name of the user list, which may be up to 33 characters long. The username user_name keyword-argument pair specifies the users who may be configured in the user list. You configure the users in the user list with the snmp-server user username command, which is available only if you are using SNMP Version 3. The user list must have more than one user in it and can be associated with a hostname or a range of IP addresses.

What to Do Next

See Associating Users with a Network Object.

Associating Users with a Network Object

To associate a single user or a group of users in a user list with a network object, enter the following command:

 

Command
Purpose
snmp-server host-group net_obj_name [ trap | poll ] [ community community-string ] [ version { 1 | 2c | 3 { username | user-list list_name }] [ udp-port port ]
 

ciscoasa(config)# snmp-server host-group inside net1 trap community public version 1

 

ciscoasa(config)# snmp-server host-group inside net1 trap community public version 2c
 
ciscoasa(config)# snmp-server host-group inside net1 trap version 3 user1

 

ciscoasa(config)# snmp-server host-group inside net1 trap version 3 user-list engineering

The net_obj_name argument specifies the interface network object name with which a user or group of users is associated. The trap keyword specifies that only traps can be sent, and that this host is not allowed to browse (poll). The poll keyword specifies that the host is allowed to browse (poll), but no traps can be sent. The community keyword specifies that a non-default string is required for requests from the NMS, or when generating traps sent to the NMS. You can use this keyword only for SNMP Version 1 or 2c. The community-string argument specifies the password-like community string that is sent with the notification or in a request from the NMS. The community string can have a maximum of 32 characters. The version keyword sets the SNMP notification version to Version 1, 2c, or 3 to use for sending traps. The username argument specifies the name of the user if you are using SNMP Version 3. The user-list list_name keyword-argument pair specifies the name of the user list. The udp-port port keyword-argument pair specifies that SNMP traps must be sent to an NMS host on a non-default port and sets the UDP port number of the NMS host. The default UDP port is 162. The default version is 1. SNMP traps are enabled by default.

What to Do Next

See Monitoring SNMP.

Troubleshooting Tips

To ensure that the SNMP process that receives incoming packets from the NMS is running, enter the following command:

ciscoasa(config)# show process | grep snmp
 

To capture syslog messages from SNMP and have them appear on the ASA, ASAv, or ASASM console, enter the following commands:

ciscoasa(config)# logging list snmp message 212001-212015
ciscoasa(config)# logging console snmp
 

To make sure that the SNMP process is sending and receiving packets, enter the following commands:

ciscoasa(config)# clear snmp-server statistics
ciscoasa(config)# show snmp-server statistics
 

The output is based on the SNMP group of the SNMPv2-MIB.

To make sure that SNMP packets are going through the ASA, ASAv, or ASASM and to the SNMP process, enter the following commands:

ciscoasa(config)# clear asp drop
ciscoasa(config)# show asp drop
 

If the NMS cannot request objects successfully or is not handing incoming traps from the ASA, ASAv, or ASASM correctly, use a packet capture to isolate the problem, by entering the following commands:

hostname (config)# access-list snmp permit udp any eq snmptrap any
hostname (config)# access-list snmp permit udp any any eq snmp
hostname (config)# capture snmp type raw-data access-list snmp interface mgmt
hostname (config)# copy /pcap capture:snmp tftp://192.0.2.5/exampledir/snmp.pcap
 

If the ASA, ASAv, or ASASM is not performing as expected, obtain information about network topology and traffic by doing the following:

  • For the NMS configuration, obtain the following information:

Number of timeouts

Retry count

Engine ID caching

Username and password used

  • Run the following commands:

show block

show interface

show process

show cpu

show vm

If a fatal error occurs, to help in reproducing the error, send a traceback file and the output of the show tech-support command to Cisco TAC.

If SNMP traffic is not being allowed through the ASA, ASAv, or ASASM interfaces, you might also need to permit ICMP traffic from the remote SNMP server using the icmp permit command.

Interface Types and Examples

The interface types that produce SNMP traffic statistics include the following:

  • Logical—Statistics collected by the software driver, which are a subset of physical statistics.
  • Physical—Statistics collected by the hardware driver. Each physical named interface has a set of logical and physical statistics associated with it. Each physical interface may have more than one VLAN interface associated with it. VLAN interfaces only have logical statistics.

Note For a physical interface that has multiple VLAN interfaces associated with it, be aware that SNMP counters for ifInOctets and ifOutoctets OIDs match the aggregate traffic counters for that physical interface.

  • VLAN-only—SNMP uses logical statistics for ifInOctets and ifOutOctets.

The examples in Table 47-6 show the differences in SNMP traffic statistics. Example 1 shows the difference in physical and logical output statistics for the show interface command and the show traffic command. Example 2 shows output statistics for a VLAN-only interface for the show interface command and the show traffic command. The example shows that the statistics are close to the output that appears for the show traffic command.

 

Table 47-6 SNMP Traffic Statistics for Physical and VLAN Interfaces
Example 1
Example 2

ciscoasa# show interface GigabitEthernet3/2

interface GigabitEthernet3/2
description fullt-mgmt
nameif mgmt
security-level 10
ip address 10.7.14.201 255.255.255.0
management-only
 
ciscoasa# show traffic
(Condensed output)
 
Physical Statistics
GigabitEthernet3/2:
received (in 121.760 secs)
36 packets 3428 bytes
0 pkts/sec 28 bytes/sec
 
Logical Statistics
mgmt:
received (in 117.780 secs)
36 packets 2780 bytes
0 pkts/sec 23 bytes/sec
 

The following examples show the SNMP output statistics for the management interface and the physical interface. The ifInOctets value is close to the physical statistics output that appears in the show traffic command output but not to the logical statistics output.

ifIndex of the mgmt interface:

IF_MIB::ifDescr.6 = Adaptive Security Appliance ‘mgmt’ interface
 

ifInOctets that corresponds to the physical interface statistics:

IF-MIB::ifInOctets.6 = Counter32:3246
ciscoasa# show interface GigabitEthernet0/0.100
interface GigabitEthernet0/0.100
vlan 100
nameif inside
security-level 100
ip address 10.7.1.101 255.255.255.0 standby 10.7.1.102
 
ciscoasa# show traffic
inside
received (in 9921.450 secs)
1977 packets 126528 bytes
0 pkts/sec 12 bytes/sec
transmitted (in 9921.450 secs)
1978 packets 126556 bytes
0 pkts/sec 12 bytes/sec
 

ifIndex of VLAN inside:

IF-MIB::ifDescr.9 = Adaptive Security Appliance ‘inside’ interface
IF-MIB::ifInOctets.9 = Counter32: 126318

Monitoring SNMP

NMSs are the PCs or workstations that you set up to monitor SNMP events and manage devices, such as the ASA.You can monitor the health of a device from an NMS by polling required information from the SNMP agent that has been set up on the device. Predefined events from the SNMP agent to the NMS generate syslog messages.

SNMP Syslog Messaging

SNMP generates detailed syslog messages that are numbered 212 nnn. Syslog messages indicate the status of SNMP requests, SNMP traps, SNMP channels, and SNMP responses from the ASA or ASASM to a specified host on a specified interface.

For detailed information about syslog messages, see the syslog messages guide.

Note SNMP polling fails if SNMP syslog messages exceed a high rate (approximately 4000 per second).

SNMP Monitoring

To monitor SNMP, enter one of the following commands:

 

Command
Purpose

show running-config snmp-server [ default ]

 

Shows all SNMP server configuration information.

show running-config snmp-server group

 

Shows SNMP group configuration settings.

show running-config snmp-server host

 

Shows configuration settings used by SNMP to control messages and notifications sent to remote hosts.

show runing-config snmp-server host-group

 

Shows SNMP host group configurations.

show running-config snmp-server user

 

Shows SNMP user-based configuration settings.

show running-config snmp-server user-list

 

Shows SNMP user list configurations.

show snmp-server engineid

 

Shows the ID of the SNMP engine configured.

show snmp-server group

 

Shows the names of configured SNMP groups.

Note If the community string has already been configured, two extra groups appear by default in the output. This behavior is normal.

show snmp-server statistics

 

Shows the configured characteristics of the SNMP server.

To reset all SNMP counters to zero, use the clear snmp-server statistics command.

show snmp-server user

 

Shows the configured characteristics of users.

Examples

The following example shows how to display SNMP server statistics:

ciscoasa(config)# show snmp-server statistics
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Get-bulk PDUs
0 Set-request PDUs (Not supported)
0 SNMP packets output
0 Too big errors (Maximum packet size 512)
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs
 

The following example shows how to display the SNMP server running configuration:

ciscoasa(config)# show running-config snmp-server
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
 

Configuration Examples for SNMP

Configuration Example for SNMP Versions 1 and 2c

The following example shows how the ASA can receive SNMP requests from host 192.0.2.5 on the inside interface but does not send any SNMP syslog requests to any host:

ciscoasa(config)# snmp-server host 192.0.2.5
ciscoasa(config)# snmp-server location building 42
ciscoasa(config)# snmp-server contact EmployeeA
ciscoasa(config)# snmp-server community ohwhatakeyisthee
 

Configuration Example for SNMP Version 3

The following example shows how the ASA can receive SNMP requests using the SNMP Version 3 security model, which requires that the configuration follow this specific order: group, followed by user, followed by host:

ciscoasa(config)# snmp-server group v3 vpn-group priv
ciscoasa(config)# snmp-server user admin vpn group v3 auth sha letmein priv 3des cisco123
ciscoasa(config)# snmp-server host mgmt 10.0.0.1 version 3 priv admin
 

Where to Go Next

To configure the syslog server, see Chapter46, “Logging”

Additional References

For additional information related to implementing SNMP, see the following sections:

RFCs for SNMP Version 3

 

RFC
Title

3410

Introduction and Applicability Statements for Internet Standard Management Framework

3411

An Architecture for Describing SNMP Management Frameworks

3412

Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)

3413

Simple Network Management Protocol (SNMP) Applications

3414

User-based Security Model (USM) for Version 3 of the Simple Network Management Protocol (SNMP)

3826

The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model

MIBs

For a list of supported MIBs and traps for the ASA, ASAv, and ASASM by release, see the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Not all OIDs in MIBs are supported. To obtain a list of the supported SNMP MIBs and OIDs for a specific ASA or ASASM, enter the following command:

hostname(config)# show snmp-server oidlist
 

Note Although the oidlist keyword does not appear in the options list for the show snmp-server command help, it is available. However, this command is for Cisco TAC use only. Contact the Cisco TAC before using this command.

The following is sample output from the show snmp-server oidlist command:

hostname(config)# show snmp-server oidlist
[0] 1.3.6.1.2.1.1.1. sysDescr
[1] 1.3.6.1.2.1.1.2. sysObjectID
[2] 1.3.6.1.2.1.1.3. sysUpTime
[3] 1.3.6.1.2.1.1.4. sysContact
[4] 1.3.6.1.2.1.1.5. sysName
[5] 1.3.6.1.2.1.1.6. sysLocation
[6] 1.3.6.1.2.1.1.7. sysServices
[7] 1.3.6.1.2.1.2.1. ifNumber
[8] 1.3.6.1.2.1.2.2.1.1. ifIndex
[9] 1.3.6.1.2.1.2.2.1.2. ifDescr
[10] 1.3.6.1.2.1.2.2.1.3. ifType
[11] 1.3.6.1.2.1.2.2.1.4. ifMtu
[12] 1.3.6.1.2.1.2.2.1.5. ifSpeed
[13] 1.3.6.1.2.1.2.2.1.6. ifPhysAddress
[14] 1.3.6.1.2.1.2.2.1.7. ifAdminStatus
[15] 1.3.6.1.2.1.2.2.1.8. ifOperStatus
[16] 1.3.6.1.2.1.2.2.1.9. ifLastChange
[17] 1.3.6.1.2.1.2.2.1.10. ifInOctets
[18] 1.3.6.1.2.1.2.2.1.11. ifInUcastPkts
[19] 1.3.6.1.2.1.2.2.1.12. ifInNUcastPkts
[20] 1.3.6.1.2.1.2.2.1.13. ifInDiscards
[21] 1.3.6.1.2.1.2.2.1.14. ifInErrors
[22] 1.3.6.1.2.1.2.2.1.16. ifOutOctets
[23] 1.3.6.1.2.1.2.2.1.17. ifOutUcastPkts
[24] 1.3.6.1.2.1.2.2.1.18. ifOutNUcastPkts
[25] 1.3.6.1.2.1.2.2.1.19. ifOutDiscards
[26] 1.3.6.1.2.1.2.2.1.20. ifOutErrors
[27] 1.3.6.1.2.1.2.2.1.21. ifOutQLen
[28] 1.3.6.1.2.1.2.2.1.22. ifSpecific
[29] 1.3.6.1.2.1.4.1. ipForwarding
[30] 1.3.6.1.2.1.4.20.1.1. ipAdEntAddr
[31] 1.3.6.1.2.1.4.20.1.2. ipAdEntIfIndex
[32] 1.3.6.1.2.1.4.20.1.3. ipAdEntNetMask
[33] 1.3.6.1.2.1.4.20.1.4. ipAdEntBcastAddr
[34] 1.3.6.1.2.1.4.20.1.5. ipAdEntReasmMaxSize
[35] 1.3.6.1.2.1.11.1. snmpInPkts
[36] 1.3.6.1.2.1.11.2. snmpOutPkts
[37] 1.3.6.1.2.1.11.3. snmpInBadVersions
[38] 1.3.6.1.2.1.11.4. snmpInBadCommunityNames
[39] 1.3.6.1.2.1.11.5. snmpInBadCommunityUses
[40] 1.3.6.1.2.1.11.6. snmpInASNParseErrs
[41] 1.3.6.1.2.1.11.8. snmpInTooBigs
[42] 1.3.6.1.2.1.11.9. snmpInNoSuchNames
[43] 1.3.6.1.2.1.11.10. snmpInBadValues
[44] 1.3.6.1.2.1.11.11. snmpInReadOnlys
[45] 1.3.6.1.2.1.11.12. snmpInGenErrs
[46] 1.3.6.1.2.1.11.13. snmpInTotalReqVars
[47] 1.3.6.1.2.1.11.14. snmpInTotalSetVars
[48] 1.3.6.1.2.1.11.15. snmpInGetRequests
[49] 1.3.6.1.2.1.11.16. snmpInGetNexts
[50] 1.3.6.1.2.1.11.17. snmpInSetRequests
[51] 1.3.6.1.2.1.11.18. snmpInGetResponses
[52] 1.3.6.1.2.1.11.19. snmpInTraps
[53] 1.3.6.1.2.1.11.20. snmpOutTooBigs
[54] 1.3.6.1.2.1.11.21. snmpOutNoSuchNames
[55] 1.3.6.1.2.1.11.22. snmpOutBadValues
[56] 1.3.6.1.2.1.11.24. snmpOutGenErrs
[57] 1.3.6.1.2.1.11.25. snmpOutGetRequests
[58] 1.3.6.1.2.1.11.26. snmpOutGetNexts
[59] 1.3.6.1.2.1.11.27. snmpOutSetRequests
[60] 1.3.6.1.2.1.11.28. snmpOutGetResponses
[61] 1.3.6.1.2.1.11.29. snmpOutTraps
[62] 1.3.6.1.2.1.11.30. snmpEnableAuthenTraps
[63] 1.3.6.1.2.1.11.31. snmpSilentDrops
[64] 1.3.6.1.2.1.11.32. snmpProxyDrops
[65] 1.3.6.1.2.1.31.1.1.1.1. ifName
[66] 1.3.6.1.2.1.31.1.1.1.2. ifInMulticastPkts
[67] 1.3.6.1.2.1.31.1.1.1.3. ifInBroadcastPkts
[68] 1.3.6.1.2.1.31.1.1.1.4. ifOutMulticastPkts
[69] 1.3.6.1.2.1.31.1.1.1.5. ifOutBroadcastPkts
[70] 1.3.6.1.2.1.31.1.1.1.6. ifHCInOctets
--More--
 

Application Services and Third-Party Tools

For information about SNMP support, see the following URL:

http://www.cisco.com/en/US/tech/tk648/tk362/tk605/tsd_technology_support_sub-protocol_home.html

For information about using third-party tools to walk SNMP Version 3 MIBs, see the following URL:

http://www.cisco.com/en/US/docs/security/asa/asa83/snmp/snmpv3_tools.html

Feature History for SNMP

Table 47-7 lists each feature change and the platform release in which it was implemented.

 

Table 47-7 Feature History for SNMP

Feature Name
Platform Releases
Feature Information

SNMP Versions 1 and 2c

7.0(1)

Provides ASA, ASAv, and ASASM network monitoring and event information by transmitting data between the SNMP server and SNMP agent through the clear text community string.

SNMP Version 3

8.2(1)

Provides 3DES or AES encryption and support for SNMP Version 3, the most secure form of the supported security models. This version allows you to configure users, groups, and hosts, as well as authentication characteristics by using the USM. In addition, this version allows access control to the agent and MIB objects and includes additional MIB support.

We introduced or modified the following commands: show snmp-server engineid, show snmp-server group, show snmp-server user, snmp-server group, snmp-server user, snmp-server host.

Password encryption

8.3(1)

Supports password encryption.

We modified the following commands: snmp-server community, snmp-server host.

SNMP traps and MIBs

8.4(1)

Supports the following additional keywords: connection-limit-reached, cpu threshold rising, entity cpu-temperature, entity fan-failure, entity power-supply, ikev2 stop | start, interface-threshold, memory-threshold, nat packet-discard, warmstart.

The entPhysicalTable reports entries for sensors, fans, power supplies, and related components.

Supports the following additional MIBs: CISCO-ENTITY-SENSOR-EXT-MIB, CISCO-ENTITY-FRU-CONTROL-MIB, CISCO-PROCESS-MIB, CISCO-ENHANCED-MEMPOOL-MIB, CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB, DISMAN-EVENT-MIB, DISMAN-EXPRESSION-MIB, ENTITY-SENSOR-MIB, NAT-MIB.

Supports the following additional traps: ceSensorExtThresholdNotification, clrResourceLimitReached, cpmCPURisingThreshold, mteTriggerFired, natPacketDiscard, warmStart.

We introduced or modified the following commands: snmp cpu threshold rising, snmp interface threshold, snmp-server enable traps.

IF-MIB ifAlias OID support

8.2(5)/8.4(2)

The ASA now supports the ifAlias OID. When you browse the IF-MIB, the ifAlias OID will be set to the value that has been set for the interface description.

ASA Services Module (ASASM)

8.5(1)

The ASASM supports all MIBs and traps that are present in 8.4(1), except for the following:

Unsupported MIBs in 8.5(1):

  • CISCO-ENTITY-SENSOR-EXT-MIB (Only objects under the entPhySensorTable group are supported).
  • ENTITY-SENSOR-MIB (Only objects in the entPhySensorTable group are supported).
  • DISMAN-EXPRESSION-MIB (Only objects in the expExpressionTable, expObjectTable, and expValueTable groups are supported).

Unsupported traps in 8.5(1):

  • ceSensorExtThresholdNotification (CISCO-ENTITY-SENSOR-EXT-MIB). This trap is only used for power supply failure, fan failure, and high CPU temperature events.
  • InterfacesBandwidthUtilization.

SNMP traps

8.6(1)

Supports the following additional keywords for the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X: entity power-supply-presence, entity power-supply-failure, entity chassis-temperature, entity chassis-fan-failure, entity power-supply-temperature.

We modified the following command: snmp-server enable traps.

VPN-related MIBs

9.0(1)

An updated version of the CISCO-IPSEC-FLOW-MONITOR-MIB.my MIB has been implemented to support the next generation encryption feature.

The following MIBs have been enabled for the ASASM:

  • ALTIGA-GLOBAL-REG.my
  • ALTIGA-LBSSF-STATS-MIB.my
  • ALTIGA-MIB.my
  • ALTIGA-SSL-STATS-MIB.my
  • CISCO-IPSEC-FLOW-MONITOR-MIB.my
  • CISCO-REMOTE-ACCESS-MONITOR-MIB.my

Cisco TrustSec MIB

9.0(1)

Support for the following MIB was added: CISCO-TRUSTSEC-SXP-MIB.

SNMP OIDs

9.1(1)

Five new SNMP Physical Vendor Type OIDs have been added to support the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X.

NAT MIB

9.1(2)

Added the cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to support the xlate_count and max_xlate_count entries, which are the equivalent to allowing polling using the show xlate count command.

SNMP hosts, host groups, and user lists

9.1(5)

You can now add up to 4000 hosts. The number of supported active polling destinations is 128. You can specify a network object to indicate the individual hosts that you want to add as a host group. You can associate more than one user with one host.

We introduced or modified the following commands: snmp-server host-group, snmp-server user-list, show running-config snmp-server, clear configure snmp-server.

SNMP message size

9.2(1)

The limit on the message size that SNMP sends has been increased to 1472 bytes.

SNMP MIB

The CISCO-VPN-LIC-USAGE-MONITOR-MIB, a new SNMP MIB for monitoring VPN shared license usage, has been added. The OID has the following index: 1.3.6.1.4.1.9.9.816.x.x. This new OID polls the number of active and max-session connections.

We did not introduce or modify any commands.

SNMP OIDs and MIBs

The ASA now supports the cpmCPUTotal5minRev OID.

The ASAv has been added as a new product to the SNMP sysObjectID OID and entPhysicalVendorType OID.

The CISCO-PRODUCTS-MIB and CISCO-ENTITY-VENDORTYPE-OID-MIB have been updated to support the new ASAv platform.