SNMP monitoring 4

[EchoAlertcom]

Hello,

We are using GFI's Server Monitor in our network. One of the devices we want it to watch is our PIX. The way to do this is SNMP, however, I am unable to find a document that is like a case study to show me what on the PIX I should monitor and what thresholds are recommended.

Can anybody shed some light on this for me please? I found an OID / Object Name translator on cisco.com

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en

and a way to browse the tree

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&substep=2&translate=Translate&tree=NO

but these don't tell me what I should be monitoring and what isn't important.

I was unable to search past threads on tek-tips because the Search page is down.

Thanks for any input and guidance.

Regards,
Steve

 

[lgarner]

Monitor whatever's important to you. I watch CPU and memory utilization, connection counts and traffic. There's relatively little information available from a Pix compared to other device types. 1.3.6.1.41.9 (Cisco specific) and 1.3.6.1.2 (interface and IP) as bases will yield some info.

 

[EchoAlertcom]

Could you give a few examples that I could see?

I am using GFI Server Monitor. One of the checks is for SNMP. I can put a OID, (<,>,=,=<.=>),type of data (Int, string etc) and value. I am struggling finding a test that will work.

When I do a "show snmp" on the firewall this is what I get:

pixfirewall# show snmp
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
pixfirewall#

Is this correct for being able to read? We're not using traps at this point.

I appreciate your help.

Regards,
Steve

 

[308win]

You also need to specify a server on a specific interface and allow polls from it.

snmp-server host inside 192.168.85.102 poll

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1191051

There is mention that the snmp-server host command behaves differently with older versions of the pix code.

 

[EchoAlertcom]

Hi,

I have added the entry but I'm not sure I did it correctly.

Here is what it looks like now:
pixfirewall# show snmp
snmp-server host inside 10.224.1.1 poll
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
pixfirewall#

10.224.1.1 is the inside ip address on our PIX. With that being the case is the line I entered correct?

I have tried to test it but I still get a timeout.
I am using NET-SNMP on the same Windows server that the GFI Server Monitor is running on. (On the LAN - inside of the firewall.)

I run:
C:\usr\bin>snmpget 10.224.1.1 public 1.3.6.1.41.9
snmpget: Timeout

I appreciate everyone's help.

Regards,
Steve

 

[lgarner]

snmp-server host inside <address>" needs the address of the SNMP poller, not the Pix's own address.

 

[EchoAlertcom]

Thanks that finally worked.

I am getting a new error.

Error:
C:\usr\bin>snmpget 10.224.1.1 public 1.3.6.1.41.9
snmpget: No securityName specified

Any ideas?

Thanks,
Steve

 

[mbilgrav]

woot!: OID shpuld be .1.3.6.1.4.1.9

plus verify that you dont have any ACL on inside interface that might prevent the SNMP host to reach the PIX ?

The PIX has very limited SNMP support - If you like I can post a running MRTG config that polls all the supported PIX objects.

 

[EchoAlertcom]

mbilgrav,

Thank you would be great if you could post that. I would like to see the config.

I will look for an ACL that may be stopping it.

Regards,
Steve