SolarWinds NCM “Device Template” for Cisco ACS 5.6. [TESTED]

By default, NCM doesn’t have a special “Device Template” for Cisco ACS 5.X; it chooses the closest template by SysObjectID, which differs depending on the particular ACS version. For example, ACS 5.6 has 1.3.6.1.4.1.9.1.1117. The default template for Cisco IOS works fine, but ADE-OS on ACS 5.X (at least on 5.5 and 5.6) requires the SSH session to be closed properly (by using exit).

You can find a template for ACS on thwack; it’s OK, but it needs to be modified. Here are some important changes:

... Device="Cisco ACS 5.6" SystemOID="1.3.6.1.4.1.9.1.1117" ...
... Name="DownloadConfig" Value="show ${ConfigType}${CRLF}exit" ...

SolarWinds - “Last Boot” OID - False positive ACS server restart.

This morning I noticed an event in SolarWinds:

ACS-01.example.com rebooted at 2/28/2015 03:20:00 PM

Then I checked it from ADE-OS CLI:

ACS-01/admin# show uptime
97 day(s), 05:14:30
ACS-01/admin#

This output looks like an Uptime OID (HOST-RESOURCES-MIB::hrSystemUptime.0):

snmpwalk -c 'COMMUNITY' -v 2c 192.168.1.1 1.3.6.1.2.1.25.1.1.0
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (840434124) 97 days, 5:21:21.24

But SolarWinds uses a different OID to get the “Last Boot” info: “DISMAN-EVENT-MIB::sysUpTimeInstance.0”. SolarWinds gets this info every “Polling Interval” (120 sec by default):

snmpwalk -c 'COMMUNITY' -v 2c 192.168.1.1 1.3.6.1.2.1.1.3.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (17154318) 1 day, 23:39:03.18

I checked the log messages and found that snmpd had been rebooted, but nothing related to the real cause of this reboot…

ACS-01/admin# show logging system | i snmp
         23 Feb 28 2015 09:40:01  snmpd.log
ACS-01/admin#
ACS-01/admin# show logging system snmpd.log
NET-SNMP version 5.7.1
ACS-01/admin#

That’s why I opened a TAC case and got an explanation - https://tools.cisco.com/bugsearch/bug/CSCte39351:

Symptom: ACS SNMP daemon stopping

Workaround:
- reboot ACS appliance
- restart ACS SNMP daemon

Per Cisco TAC reply, the fix for the bug will be released in ACS 5.7, which is planned for May of this year.
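
The two counters above measure different things: sysUpTime restarts whenever the SNMP agent re-initializes, while hrSystemUptime follows the host itself. As an added example (not part of the original post and not SolarWinds code), this Python parses the two snmpwalk replies and classifies a drop in sysUpTime between polls as an agent restart, a host reboot or a 32-bit counter wrap; the function names and the 30-second slack are assumptions.

```python
import re

TICKS_PER_SEC = 100      # TimeTicks are hundredths of a second
WRAP = 2 ** 32           # 32-bit TimeTicks roll over after ~497 days

# Constructed sample: the two snmpwalk replies quoted in the post.
SAMPLE = (
    "HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (840434124) 97 days, 5:21:21.24\n"
    "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (17154318) 1 day, 23:39:03.18\n"
)

_TICKS = re.compile(r"::(\w+)(?:\.\d+)?\s*=\s*Timeticks:\s*\((\d+)\)")


def parse_timeticks(text):
    """Map object name -> raw tick count for every Timeticks line."""
    return {name: int(raw) for name, raw in _TICKS.findall(text)}


def counter_event(prev, cur, elapsed_s, slack_s=30):
    """Classify one counter between two polls: 'ok', 'wrap' or 'reset'."""
    if cur >= prev:
        return "ok"
    expected = (prev + elapsed_s * TICKS_PER_SEC) % WRAP
    if abs(cur - expected) <= slack_s * TICKS_PER_SEC:
        return "wrap"        # rolled over 2**32, nothing restarted
    return "reset"           # counter started again from zero


def classify_reboot(sys_prev, sys_cur, hr_prev, hr_cur, elapsed_s):
    """Decide what a drop in sysUpTime between two polls means."""
    sys_ev = counter_event(sys_prev, sys_cur, elapsed_s)
    hr_ev = counter_event(hr_prev, hr_cur, elapsed_s)
    if sys_ev != "reset":
        return "no-reboot"
    return "host-reboot" if hr_ev == "reset" else "snmp-agent-restart"


def agent_lag_seconds(ticks):
    """Seconds by which the SNMP agent is younger than the host."""
    return (ticks["hrSystemUptime"] - ticks["sysUpTimeInstance"]) / TICKS_PER_SEC
```

For the values in the post the agent is roughly 95 days younger than the host, which is the signature of a daemon restart rather than an appliance reboot.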

Some other links (not really useful):
A false alert, indicating that a monitored object has rebooted, is firing, when the monitored object is actually up and functioning as normal. - It recommends creating a custom poller, but that will not replace the existing one, so this is useless.
Polling and reporting real uptime - Good thing, but it’s too complicated.

SolarWinds - How to create a chart for active WebVPN sessions. [TESTED]

Real quick. The same as I did before for AnyConnect sessions, but for another OID - CISCO-REMOTE-ACCESS-MONITOR-MIB::crasWebvpnNumSessions.0 - 1.3.6.1.4.1.9.9.392.1.3.38.0 - The number of currently active Webvpn sessions.

The same as you can get from CLI:

ASA# show vpn-sessiondb webvpn

Session Type: WebVPN

Username     : username               Index        : 4
Public IP    : 172.16.1.2
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
Bytes Tx     : 2686857                Bytes Rx     : 162442
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 18:02:49 UTC Fri Feb 6 2015
Duration     : 0h:06m:33s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

ASA#

SolarWinds - NCM - Basic steps. [TESTED]

Initial Installation

• Extract SolarWinds-NCM-v7.3.2-Eval.zip file.
• Run SolarWinds-Orion-NCM-v7.3.2-Eval.exe as Administrator.
• Enter your email > Next > Accept EULA > Express Install > Next. Note that during the installation process, SolarWinds’ processes will be stopped without any notice (you can see the actual status of the processes using “Orion Service Manager”).
• A new window, “SolarWinds Configuration Wizard”, will be opened automatically > Next > Next > wait until it’s finished > Finish. Note that the processes will be enabled automatically without any notice.
• Log in to “SolarWinds Web Console”; a new tab “CONFIGS” should be there.

Adding Cisco device

• Go to “Node Details” of a node > “Edit Node” > Switch “Manage node(s) with NCM” to “Yes”, configure “Connection Profile” > Test > SUBMIT.

Tips

How to enable NCM debug

• “SolarWinds Web Console” > “CONFIGS” > “NCM Settings” > “Advanced Settings” > “Enable Session Tracing” > SUBMIT.
• Test it again, then go to the “C:\Program Files (x86)\SolarWinds\Orion\NCM\Session-Trace” folder, where you will find “X.X.X.X-trace”. In my case it was like this:

-->StateChange: Connecting to server<--

[2/4/2015 11:20:52 PM] Got HostFingerPrint: 60:e3:d5:ce:10:d6:03:0e:0e:af:96:6c:31:8d:b4:aa
[2/4/2015 11:20:52 PM] SWTelnet9 Crypto Information Begin
[2/4/2015 11:20:52 PM] Protocol = SSH2
[2/4/2015 11:20:52 PM] RemoteName = SSH-1.99-Cisco-1.25
[2/4/2015 11:20:52 PM] SCcipher = aes128-cbc
[2/4/2015 11:20:52 PM] CSCipher = aes128-cbc
[2/4/2015 11:20:52 PM] Keys = ssh-rsa
[2/4/2015 11:20:52 PM] SWTelnet9 Crypto Information End
[2/4/2015 11:20:52 PM] Solarwinds.Net SWTelnet9 Version 9.0.27
[2/4/2015 11:20:52 PM] Connected! Invalid username or password reported by server, or bad private key.
[2/4/2015 11:20:52 PM]
-->StateChange: Disconnected from server<--

[2/4/2015 11:20:52 PM] Disconnected - From: 192.168.1.1

You will also find SWTelnetDebug, which contains the error ID:

*** OnConnect received, err = 30016

Here is a normal trace:

-->StateChange: Connecting to server<--

[2/4/2015 11:51:16 PM] Got HostFingerPrint: 60:e3:d5:ce:10:d6:03:0e:0e:af:96:6c:31:8d:b4:aa
[2/4/2015 11:51:16 PM] SWTelnet9 Crypto Information Begin
[2/4/2015 11:51:16 PM] Protocol = SSH2
[2/4/2015 11:51:16 PM] RemoteName = SSH-1.99-Cisco-1.25
[2/4/2015 11:51:16 PM] SCcipher = aes128-cbc
[2/4/2015 11:51:16 PM] CSCipher = aes128-cbc
[2/4/2015 11:51:16 PM] Keys = ssh-rsa
[2/4/2015 11:51:16 PM] SWTelnet9 Crypto Information End
[2/4/2015 11:51:16 PM]
-->StateChange: Connected to server - idle<--

[2/4/2015 11:51:16 PM] Solarwinds.Net SWTelnet9 Version 9.0.27
[2/4/2015 11:51:16 PM] Connected!
[2/4/2015 11:51:16 PM] --> Type help or '?' for a list of available commands.
[2/4/2015 11:51:16 PM] -->
[2/4/2015 11:51:16 PM] --> ASA1>
[2/4/2015 11:51:16 PM] ProcessLogin State: 0
[2/4/2015 11:51:18 PM] TimerTick: mstrData= > State=3 - Connected to server - idle
[2/4/2015 11:51:18 PM] Pending Disconnect = False
[2/4/2015 11:51:18 PM] Sending to get a banner!
[2/4/2015 11:51:18 PM] <-- 

[2/4/2015 11:51:18 PM] -->
[2/4/2015 11:51:18 PM] -->
[2/4/2015 11:51:18 PM] ProcessLogin State: 0
[2/4/2015 11:51:18 PM] -->
[2/4/2015 11:51:18 PM] --> ASA1>
...

SWTelnetDebug will contain the full log of the session, unfortunately with "echo":

*** OnConnect received, err = 0
Type help or '?' for a list of available commands.
ASA1>
ASA1> 

ASA1> enable
enable
Password:
ASA1# 

ASA1# terminal pager 0
terminal pager 0

ASA1# show version
show version

Cisco Adaptive Security Appliance Software Version 8.2(5)55
...
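
As an added example (not SolarWinds code and not part of the original post), the following Python parses a session trace in the format shown above and lists review findings. The policy it applies (SSH-2 only, no CBC ciphers, a pinned host key fingerprint) and all function names are assumptions.

```python
import re

# Constructed sample: abridged from the failed-login trace quoted above.
FAILED_TRACE = """\
-->StateChange: Connecting to server<--
[2/4/2015 11:20:52 PM] Got HostFingerPrint: 60:e3:d5:ce:10:d6:03:0e:0e:af:96:6c:31:8d:b4:aa
[2/4/2015 11:20:52 PM] Protocol = SSH2
[2/4/2015 11:20:52 PM] RemoteName = SSH-1.99-Cisco-1.25
[2/4/2015 11:20:52 PM] SCcipher = aes128-cbc
[2/4/2015 11:20:52 PM] CSCipher = aes128-cbc
[2/4/2015 11:20:52 PM] Keys = ssh-rsa
[2/4/2015 11:20:52 PM] Connected! Invalid username or password reported by server, or bad private key.
-->StateChange: Disconnected from server<--
"""

_STAMP = re.compile(r"^\[[^\]]*\]\s*")
_FIELD = re.compile(r"^(Protocol|RemoteName|SCcipher|CSCipher|Keys)\s*=\s*(\S+)")

def parse_trace(text):
    """Summarise one NCM session trace: crypto fields, fingerprint, outcome."""
    info = {"outcome": "unknown"}
    for line in text.splitlines():
        body = _STAMP.sub("", line).strip()
        m = _FIELD.match(body)
        if m:
            info[m.group(1)] = m.group(2)
        elif body.startswith("Got HostFingerPrint:"):
            info["fingerprint"] = body.split(":", 1)[1].strip().lower()
        elif "Invalid username or password" in body:
            info["outcome"] = "auth-failed"
        elif body == "Connected!":
            info["outcome"] = "connected"
    return info

def review(info, pinned_fingerprint):
    """Return findings under an assumed policy: SSH-2 only, no CBC, pinned key."""
    findings = []
    if info.get("fingerprint") != pinned_fingerprint:
        findings.append("host key fingerprint differs from pinned value")
    if info.get("RemoteName", "").startswith("SSH-1.99"):
        findings.append("server banner SSH-1.99: SSH protocol 1 also offered")
    for key in ("SCcipher", "CSCipher"):
        if info.get(key, "").endswith("-cbc"):
            findings.append(f"{key} negotiated CBC-mode cipher {info[key]}")
    if info["outcome"] == "auth-failed":
        findings.append("authentication failed: check the connection profile")
    return findings
```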

SolarWinds - How to create a chart for active AnyConnect sessions. [TESTED]

I wanted to know how many active sessions we have throughout the day. Here is an example of how to solve it using SolarWinds.

We are going to use the following SNMP OID: CISCO-REMOTE-ACCESS-MONITOR-MIB::crasSVCNumSessions.0 which has a description “The number of currently active SVC sessions”.

Procedure

• Start > “Universal Device Poller” > “New Universal Device Poller”
– OID: 1.3.6.1.4.1.9.9.392.1.3.35.0
– Name: CiscoASA_AnyConnect_Active_Sessions
– Description: The number of currently active SVC (AnyConnect) sessions.
– MIB Value Type: Raw Value
– Format: None
– SNMP Get Type: GET
– Polling Type: Node
– Polling Interval: 1 minute.
– Keep Historical Data: Yes
– Status: Enabled
– Group: Cisco
• Then “Next”.
• After that select test node and click “Test” > Next.
– Do you want to display results on your Orion website?: Yes
– Select “Chart” for “Node Details - Summary”.
– Do not show this poller if it is not assigned
• Finish
• Then go to the Node Details, find the created chart and, by clicking “Edit”, modify the description, zoom properties, etc.
