ASA Smart Call Home common uses and periodic monitoring
Purpose of this document
Smart Call Home is a feature introduced into the ASA firewalls in version 8.2 that allows for periodic monitoring of the firewall device. This document describes how to leverage this feature to monitor and troubleshoot network issues.
Configuring Smart Call Home
To configure Smart Call Home, use the following document: https://supportforums.cisco.com/docs/DOC-12801
Common Uses
Configuration Backups
Gathering configuration backups periodically is useful in case of device replacement or change control. It helps to identify the last working configuration and archives changes made to the firewall.
hostname (config)# service call-home
hostname (config)# call-home
hostname (cfg-call-home)# contact-email-addr [email protected]
hostname (cfg-call-home)# mail-server 192.168.1.100 priority 1
hostname (cfg-call-home)# profile ConfigBackup-1
hostname (cfg-call-home-profile)# destination address email [email protected]
hostname (cfg-call-home-profile)# destination transport-method email
hostname (cfg-call-home-profile)# subscribe-to-alert-group configuration export full periodic monthly
- show call-home registered-module status | exclude disabled
- show running-config
- show startup-config
- show access-list | include elements
Network Profiling using Snapshots
Network profiling is an important process that allows a network administrator to understand the current utilization levels of their network. This is important for monitoring current load and feature usage, as well as anomalous behaviour. Having good archived historical network profile data helps to troubleshoot the most complex networking problems, such as oversubscription and load issues. Additionally, it provides an early warning system to help net admins understand when their network is reaching capacity.
hostname (config)# service call-home
hostname (config)# call-home
hostname (cfg-call-home)# contact-email-addr [email protected]
hostname (cfg-call-home)# mail-server 192.168.1.100 priority 1
hostname (cfg-call-home)# alert-group-config snapshot
hostname (cfg-call-home-snapshot)# add-command "show traffic"
hostname (cfg-call-home-snapshot)# add-command "show interface detail"
hostname (cfg-call-home-snapshot)# add-command "show perfmon"
hostname (cfg-call-home-snapshot)# add-command "show conn count"
hostname (cfg-call-home-snapshot)# add-command "show xlate count"
hostname (cfg-call-home-snapshot)# add-command "show service-policy"
hostname (cfg-call-home)# profile NetworkProfiling-1
hostname (cfg-call-home-profile)# destination address email [email protected]
hostname (cfg-call-home-profile)# destination transport-method email
hostname (cfg-call-home-profile)# subscribe-to-alert-group snapshot periodic interval 120
These outputs will be gathered periodically every 120 minutes as emails, which the network administrator can then parse and format into graphs or charts. In the above example, the network administrator will be able to graph the current traffic rate through all the interfaces, the current rate of connections, as well as the current connection and xlate counts. Additionally, the net admin was interested in knowing how much traffic through the firewall was being sent through the service-policy, which is the last output included in the snapshot.
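The parsing step described above, as an added example that is not part of the original document: it reads the `show conn count` and `show xlate count` outputs out of each snapshot e-mail, orders the samples by time, and flags samples that approach a limit. The message layout (each output preceded by a line naming its command), the sample messages and the limit values are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Commands to chart, keyed by the line assumed to introduce each output.
COMMANDS = {"show conn count": "conn", "show xlate count": "xlate"}
COUNT_RE = re.compile(r"(\d+) in use, (\d+) most used")

def mail(clock, body):
    # Builds a constructed sample message; the body layout is an assumption.
    return f"Date: Mon, 03 Jun 2013 {clock} +0000\nSubject: snapshot\n\n{body}"

SAMPLE_EMAILS = [  # constructed data, deliberately out of order
    mail("10:00:00", "show conn count\n8200 in use, 8300 most used\n"
                     "show xlate count\n310 in use, 950 most used\n"),
    mail("08:00:00", "show conn count\n1200 in use, 4100 most used\n"
                     "show xlate count\n300 in use, 950 most used\n"),
    # Edge case: an uncharted section, and the xlate output is missing.
    mail("12:00:00", "show traffic\n(output not charted)\n"
                     "show conn count\n7900 in use, 8300 most used\n"),
]

def parse_snapshot(raw):
    """Return one sample: timestamp plus in-use/peak counts that were found."""
    msg = message_from_string(raw)
    sample = {"time": parsedate_to_datetime(msg["Date"])}
    current = None
    for line in msg.get_payload().splitlines():
        line = line.strip()
        if line.startswith("show "):
            current = COMMANDS.get(line)  # None for sections we do not chart
            continue
        m = COUNT_RE.fullmatch(line)
        if current and m:
            sample[current] = int(m.group(1))
            sample[current + "_peak"] = int(m.group(2))
    return sample

def build_series(raw_emails):
    """Time-ordered samples, ready to hand to a plotting tool."""
    return sorted((parse_snapshot(r) for r in raw_emails), key=lambda s: s["time"])

def capacity_warnings(series, limits, threshold=0.8):
    """Samples where a counter reached threshold * limit (limits are assumed)."""
    return [(s["time"], key, s[key])
            for s in series for key, limit in limits.items()
            if key in s and s[key] >= threshold * limit]
```

Take the values passed as `limits` from the platform's licensed or documented maximums rather than the placeholder figures used in testing.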
Device Oversubscription Issues
Network profiling is very useful for monitoring the current status of a network. But when there is a network load related issue, snapshots can be used to isolate the problem more efficiently.
https://supportforums.cisco.com/docs/DOC-12439
hostname (config)# service call-home
hostname (config)# call-home
hostname (cfg-call-home)# contact-email-addr [email protected]
hostname (cfg-call-home)# mail-server 192.168.1.100 priority 1
hostname (cfg-call-home)# alert-group-config snapshot
hostname (cfg-call-home-snapshot)# add-command "show cpu detailed"
hostname (cfg-call-home-snapshot)# add-command "show processes cpu-usage"
hostname (cfg-call-home-snapshot)# add-command "show processes cpu-hog"
hostname (cfg-call-home-snapshot)# add-command "show interface detail | i line|overrun|no buffer"
hostname (cfg-call-home-snapshot)# add-command "show memory detail"
hostname (cfg-call-home)# profile Oversubscription-1
hostname (cfg-call-home-profile)# destination address email [email protected]
hostname (cfg-call-home-profile)# destination transport-method email
hostname (cfg-call-home-profile)# subscribe-to-alert-group snapshot periodic interval 120
By using the document linked above, the net admin understands that oversubscription can be primarily caused by CPU utilization and network load. Since the net admin is already gathering network profile information, the only additional information required is with regard to device level utilization. The snapshot profile above gathers information regarding CPU utilization, interface oversubscription and memory levels.
VPN Utilization
Since VPN features are licensed on the ASA platforms, it is important for a network administrator to understand utilization levels of the VPN deployment. This will help to forecast VPN expansion requirements to accommodate network growth.
hostname (config)# service call-home
hostname (config)# call-home
hostname (cfg-call-home)# contact-email-addr [email protected]
hostname (cfg-call-home)# mail-server 192.168.1.100 priority 1
hostname (cfg-call-home)# alert-group-config snapshot
hostname (cfg-call-home-snapshot)# add-command "show vpn-sessiondb"
hostname (cfg-call-home-snapshot)# add-command "show crypto ipsec sa"
hostname (cfg-call-home-snapshot)# add-command "show crypto isakmp sa"
hostname (cfg-call-home-snapshot)# add-command "show webvpn statistics"
hostname (cfg-call-home-snapshot)# add-command "show crypto protocol statistics all"
hostname (cfg-call-home)# profile VPNUtilization-1
hostname (cfg-call-home-profile)# destination address email [email protected]
hostname (cfg-call-home-profile)# destination transport-method email
hostname (cfg-call-home-profile)# subscribe-to-alert-group snapshot periodic interval 120
found at: https://supportforums.cisco.com/docs/DOC-14958