ASA Smart Call Home common uses and periodic monitoring


Purpose of this document

Smart Call Home is a feature introduced into the ASA firewalls in version 8.2 that allows for periodic monitoring of the firewall device. This document describes how to leverage this feature to monitor and troubleshoot network issues.

Configuring Smart Call Home

To configure Smart Call Home, use the following document:
https://supportforums.cisco.com/docs/DOC-12801

Common Uses

Configuration Backups

Gathering configuration backups periodically is useful in case of device replacement or change control. It helps to identify the last working configuration and archives changes made to the firewall.

hostname (config)# service call-home
hostname (config)# call-home
hostname (cfg-call-home)# contact-email-addr [email protected]
hostname (cfg-call-home)# mail-server 192.168.1.100 priority 1
hostname (cfg-call-home)# profile ConfigBackup-1
hostname (cfg-call-home-profile)# destination address email [email protected]
hostname (cfg-call-home-profile)# destination transport-method email
hostname (cfg-call-home-profile)# subscribe-to-alert-group configuration export full periodic monthly

The configuration alert-group (as configured above with the export full, non-default option) includes the commands:
- show call-home registered-module status | exclude disabled
- show running-config
- show startup-config
- show access-list | include elements

In the above example, the firewall will send these outputs to the email address [email protected] monthly.

Network Profiling using Snapshots

Network profiling is an important process that allows a network administrator to understand current utilization levels of their network. This is important for monitoring current load and feature usage, as well as anomalous behaviour. Having good archived historical network profile data helps to troubleshoot the most complex networking problems such as oversubscription and load issues. Additionally, it provides an early warning system to help net admins understand when their network is reaching capacity.

Snapshots are a Smart Call Home feature that allows the user to customize which commands are sent by the ASA.

In the below example, the network administrator is interested in understanding the network utilization of their ASA. As a result, the snapshot profile is built to gather outputs relevant to network utilization:
hostname (config)# service call-home
hostname (config)# call-home
hostname (cfg-call-home)# contact-email-addr [email protected]
hostname (cfg-call-home)# mail-server 192.168.1.100 priority 1
hostname (cfg-call-home)# alert-group-config snapshot
hostname (cfg-call-home-snapshot)# add-command "show traffic"
hostname (cfg-call-home-snapshot)# add-command "show interface detail"
hostname (cfg-call-home-snapshot)# add-command "show perfmon"
hostname (cfg-call-home-snapshot)# add-command "show conn count"
hostname (cfg-call-home-snapshot)# add-command "show xlate count"
hostname (cfg-call-home-snapshot)# add-command "show service-policy"
hostname (cfg-call-home)# profile NetworkProfiling-1
hostname (cfg-call-home-profile)# destination address email [email protected]
hostname (cfg-call-home-profile)# destination transport-method email
hostname (cfg-call-home-profile)# subscribe-to-alert-group snapshot periodic interval 120

These outputs will be gathered periodically every 120 minutes as emails, which the network administrator can then parse and format into graphs or charts. In the above example, the network administrator will be able to graph the current traffic rate through all the interfaces, the current rate of connection as well as the current connection and xlate counts. Additionally, the net admin was interested in knowing how much traffic through the firewall was being sent through the service-policy, which is the last output included in the snapshot.

Device Oversubscription Issues

Network profiling is very useful for monitoring the current status of a network. When there is a network load related issue, however, snapshots can be used to isolate the problem more efficiently.

When a network administrator suspects that the firewall is reaching a load limit, they can leverage Smart Call Home and the snapshot feature to provide very specific data that helps to isolate the oversubscription related issues. For more information regarding this specific issue, please refer to the following document:
https://supportforums.cisco.com/docs/DOC-12439

Specific to Smart Call Home, the following snapshot profile will help to gather the necessary data:
hostname (config)# service call-home
hostname (config)# call-home
hostname (cfg-call-home)# contact-email-addr [email protected]
hostname (cfg-call-home)# mail-server 192.168.1.100 priority 1
hostname (cfg-call-home)# alert-group-config snapshot
hostname (cfg-call-home-snapshot)# add-command "show cpu detailed"
hostname (cfg-call-home-snapshot)# add-command "show processes cpu-usage"
hostname (cfg-call-home-snapshot)# add-command "show processes cpu-hog"
hostname (cfg-call-home-snapshot)# add-command "show interface detail | i line|overrun|no buffer"
hostname (cfg-call-home-snapshot)# add-command "show memory detail"
hostname (cfg-call-home)# profile Oversubscription-1
hostname (cfg-call-home-profile)# destination address email [email protected]
hostname (cfg-call-home-profile)# destination transport-method email
hostname (cfg-call-home-profile)# subscribe-to-alert-group snapshot periodic interval 120

By using the document linked above, the net admin understands that oversubscription can be primarily caused by CPU utilization and network load. Since the net admin is already gathering network profile information, the only additional information required is with regard to device level utilization. The snapshot profile above gathers information regarding CPU utilization, interface oversubscription and memory levels.

The Smart Call Home information gathered in both the network profiling and device oversubscription can be graphed to better understand whether the oversubscription behaviour is periodic or consistent. A consistent problem may indicate a network attack or infected host, while a periodic behaviour tends to be caused by network load.
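The parsing step mentioned for the network profiling snapshots and the periodic-versus-consistent distinction above can be combined as follows. This is an added example, not part of the original document or of any Cisco tooling. It assumes that each command's output in the email body follows a line containing the command text, and the `classify` heuristic, its 0.8 ratio, the 10000 limit and the sample bodies are all constructed for illustration.

```python
import re

# "N in use, M most used" is the line printed by both
# "show conn count" and "show xlate count".
COUNT_RE = re.compile(r"(\d+) in use, (\d+) most used")


def parse_snapshot(body):
    """Return {"conn": (in_use, most_used), "xlate": (...)} for one email body.

    Assumption: each command's output follows a line containing the command
    text; adjust the section matching to the layout of your own emails.
    """
    result, current = {}, None
    for line in body.splitlines():
        m = re.search(r"show (conn|xlate) count", line)
        if m:
            current = m.group(1)
            continue
        m = COUNT_RE.search(line)
        if m and current:
            result[current] = (int(m.group(1)), int(m.group(2)))
            current = None
    return result


def classify(in_use_series, limit, ratio=0.8):
    """Label a series of in-use counts against a capacity limit.

    Hypothetical heuristic: a sample is "high" at >= ratio * limit.
    All samples high -> "consistent", some -> "periodic", none -> "normal".
    """
    high = [v >= ratio * limit for v in in_use_series]
    if not any(high):
        return "normal"
    return "consistent" if all(high) else "periodic"


def make_body(conn, xlate):
    # Constructed sample body, not captured from a real device.
    return (f"show conn count\n{conn} in use, 9500 most used\n"
            f"show xlate count\n{xlate} in use, 4000 most used\n")


# Five constructed snapshots, one per 120-minute interval.
SAMPLES = [make_body(c, c // 3) for c in (1200, 8700, 1500, 9100, 1300)]


def conn_series(bodies):
    """Connection in-use count from each snapshot, in arrival order."""
    return [parse_snapshot(b)["conn"][0] for b in bodies]


if __name__ == "__main__":
    series = conn_series(SAMPLES)
    print(series, classify(series, limit=10000))  # limit is an assumed value
```

Replace the limit with the connection capacity of the platform being monitored, and feed `conn_series` the archived email bodies in the order they were received.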

VPN Utilization

Since VPN features are licensed on the ASA platforms, it is important for a network administrator to understand utilization levels of the VPN deployment. This will help to forecast VPN expansion requirements to accommodate network growth.

Below is a profile that provides the necessary VPN information:
hostname (config)# service call-home
hostname (config)# call-home
hostname (cfg-call-home)# contact-email-addr [email protected]
hostname (cfg-call-home)# mail-server 192.168.1.100 priority 1
hostname (cfg-call-home)# alert-group-config snapshot
hostname (cfg-call-home-snapshot)# add-command "show vpn-sessiondb"
hostname (cfg-call-home-snapshot)# add-command "show crypto ipsec sa"
hostname (cfg-call-home-snapshot)# add-command "show crypto isakmp sa"
hostname (cfg-call-home-snapshot)# add-command "show webvpn statistics"
hostname (cfg-call-home-snapshot)# add-command "show crypto protocol statistics all"
hostname (cfg-call-home)# profile VPNUtilization-1
hostname (cfg-call-home-profile)# destination address email [email protected]
hostname (cfg-call-home-profile)# destination transport-method email
hostname (cfg-call-home-profile)# subscribe-to-alert-group snapshot periodic interval 120

found at: https://supportforums.cisco.com/docs/DOC-14958
