SNMP Monitoring for Virtual Appliances

The Cisco Secure Access Virtual appliances (VAs) support the Simple Network Management Protocol (SNMP), including versions SNMPv2c and SNMPv3. You can configure and enable SNMP in a VA to monitor the health of the VA and provide connectivity statistics. SNMP monitoring on a VA is disabled by default.


Enable SNMP Monitoring

In the Secure Access VA, the SNMP configuration supports the SHA-1, DES-128, and AES-128 algorithms.

SNMPv2.x

Configure SNMPv2 with the config snmp command, for example:

config snmp configure -v2 <options> <args>

If your VA uses SNMP version 2.3 or earlier, configure SNMP with the support snmp command, for example:

support snmp <options> <args>

SNMPv3

When you configure SNMPv3 in your VA, provide a username and password. All other parameters are optional.

Configure SNMPv3 with the config snmp command, for example:

config snmp configure -v3 <options> <args>

Privacy Password

The SNMP privacy password is a string that can include 8–255 alphanumeric characters.

Note: The SNMP privacy password cannot include special characters.

Configure SNMP in Secure Access Virtual Appliance

  1. Enter the Configuration Mode on the VA. Use the configure option with the SNMP command. See the SNMP Command Syntax for the list of command-line arguments.
  2. Enable SNMP monitoring.
    config snmp enable
  3. Enter exit to return to the VA console.

SNMP Command Syntax

 Usage: config snmp <options> <args>
 
         The options parameter must be one of the following: configure | enable | disable | status 
 
         configure      -v2 [ -c '<community string>' ]
                            Enables SNMP v2.
                            * c - Community string; The default Community string is 'public'.
                        -v3 -u '<username>' -p '<password>' [-a [MD5|SHA] -x [AES|DES] -X [password]]
                            Enables SNMP v3 with username and password.
                            * u - Username can include at most 32 alphanumeric characters.
                            * p - Password can include 8-12 alphanumeric characters.
                            * a - Optional password hash algorithm; Default SHA.
                            * x - Optional encryption algorithm; Default AES.
                            * X - Privacy password is used with the AES algorithm.
                                  The privacy password can include 8-255 alphanumeric characters.
                                  Special characters are not supported.
 
         enable         Enable SNMP.
         disable        Disable SNMP.
         status         Show the SNMP service status and Version information.
         -h, --help     Display this usage information. 
 

About SNMP Monitoring

The Secure Access VA listens on port 161 for SNMP queries. The VA supports SNMP monitoring of:

  • Health statistics—CPU, load, memory, disk space, and status.
  • Connectivity statistics—Connectivity to Secure Access resolvers, connectivity to the local DNS servers, connectivity to the Active Directory (AD) connector, and connectivity to the Secure Access API.

Standard OIDs Supported by the Virtual Appliance

| Information | OID | Notes |
|---|---|---|
| Load | UCD-SNMP-MIB::laTable | If the five minute load is consistently greater than .75 of the number of processor cores, the VA is running short of processing power. |
| | Load-1 (1 minute load): .1.3.6.1.4.1.2021.10.1.3.1 | |
| | Load-5 (5 minute load): .1.3.6.1.4.1.2021.10.1.3.2 | |
| | Load-15 (15 minutes load): .1.3.6.1.4.1.2021.10.1.3.3 | |
| CPU | UCD-SNMP-MIB::systemStats | |
| | Percentage of user CPU time: .1.3.6.1.4.1.2021.11.9.0 | |
| | Percentages of system CPU time: .1.3.6.1.4.1.2021.11.10.0 | |
| | Percentages of idle CPU time: .1.3.6.1.4.1.2021.11.11.0 | |
| Memory Utilization | UCD-SNMP-MIB::memory | If the ratio of Available swap to Total swap is consistently lower than 0.5, the VA is running low on memory. |
| | Available swap: .1.3.6.1.4.1.2021.4.4.0 | |
| | Total swap: .1.3.6.1.4.1.2021.4.3.0 | |
| Disk Usage | Percentage of space used on data portion of disk: .1.3.6.1.4.1.8072.1.3.2.4.1.2.9.100.105.115.107.117.115.97.103.101.1 | If this value is consistently greater than 0.8, the VA may be running out of disk space. |

Note: Virtual Appliances support querying of the system OIDs 1.3.6.1.2.1.1.1 to 1.3.6.1.2.1.1.7.

Extended OIDs Supported by the Virtual Appliance

| Information | OID |
|---|---|
| VA status (dns) | .1.3.6.1.4.1.8072.1.3.2.4.1.2.7.116.104.105.115.100.110.115.1 |
| Connectivity to Secure Access resolvers (dns) | .1.3.6.1.4.1.8072.1.3.2.4.1.2.3.100.110.115.1 |
| Connectivity to local DNS servers (localdns) | .1.3.6.1.4.1.8072.1.3.2.4.1.2.8.108.111.99.97.108.100.110.115.1 |
| Connectivity to Secure Access (cloud) | .1.3.6.1.4.1.8072.1.3.2.4.1.2.5.99.108.111.117.100.1 |
| Connectivity to AD connectors (ad) | .1.3.6.1.4.1.8072.1.3.2.4.1.2.2.97.100.1 |
| Queries per second over last 5 minutes* | .1.3.6.1.4.1.8072.1.3.2.4.1.2.4.113.112.115.53 |
| Queries per second over last 15 minutes* | .1.3.6.1.4.1.8072.1.3.2.4.1.2.5.113.112.115.49.53 |

The asterisk (*) denotes an OID which returns the throughput of the VA—the number of queries handled per second.

For the first 5 OIDs in the table above, search for the following sub-strings in the output:

  • green—Indicates a status of Okay.
  • red—Indicates a status of Not Okay.
  • yellow—Indicates a status of Partially Okay.
  • white—Indicates a status of Not Configured.

Note: If an SNMP probe against any of these OIDs results in a timeout, we recommend that you increase the timeout value when issuing the probe.
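
The following Python is an added example, not part of the Cisco documentation or product. It applies the load and swap thresholds and the status words from the tables above to polled values, and decodes the ASCII name carried in each extended OID's suffix (for example `dns` or `cloud`). The `OID = TYPE: value` line format, the three-poll window used for "consistently", and the sample values are assumptions constructed for illustration.

```python
import re

STATUS = {"green": "Okay", "red": "Not Okay",        # status words from the page
          "yellow": "Partially Okay", "white": "Not Configured"}
EXT = ".1.3.6.1.4.1.8072.1.3.2.4.1.2."  # prefix common to the extended OIDs
LOAD5 = ".1.3.6.1.4.1.2021.10.1.3.2"
SWAP_AVAIL, SWAP_TOTAL = ".1.3.6.1.4.1.2021.4.4.0", ".1.3.6.1.4.1.2021.4.3.0"

def parse(lines):
    """Turn 'OID = TYPE: value' lines (assumed poller output format) into a dict."""
    hits = (re.match(r'\s*(\.[\d.]+) = \w+: "?(.*?)"?\s*$', l) for l in lines)
    return {m.group(1): m.group(2) for m in hits if m}

def extend_token(oid):
    """Decode the length-prefixed ASCII name carried in an extended OID's suffix."""
    arcs = [int(a) for a in oid[len(EXT):].split(".")]
    return "".join(chr(c) for c in arcs[1:1 + arcs[0]])

def status_of(text):
    """Find a status word; whole-word match so 'configured' is not read as 'red'."""
    m = re.search(r"\b(green|red|yellow|white)\b", text.lower())
    return STATUS[m.group(1)] if m else "Unknown"

def consistently(polls, breached, n=3):
    """True only when the last n polls all breach (n=3 is an assumed window)."""
    return len(polls) >= n and all(breached(p) for p in polls[-n:])

def evaluate(raw_polls, cores):
    """raw_polls: one list of output lines per poll, oldest first."""
    polls = [parse(p) for p in raw_polls]
    num = lambda p, oid: float(p[oid].split()[0])  # drops a unit suffix such as "kB"
    swap_low = lambda p: 0 < num(p, SWAP_TOTAL) and num(p, SWAP_AVAIL) / num(p, SWAP_TOTAL) < 0.5
    findings = []
    if consistently(polls, lambda p: num(p, LOAD5) > 0.75 * cores):
        findings.append("short of processing power")
    if consistently(polls, swap_low):
        findings.append("low on memory")
    for oid, text in polls[-1].items():  # status OIDs: report the latest poll only
        if oid.startswith(EXT) and status_of(text) not in ("Okay", "Unknown"):
            findings.append(f"{extend_token(oid)}: {status_of(text)}")
    return findings

def sample(load5, swap_avail, cloud):  # constructed poll output, not a real capture
    return [f'{LOAD5} = STRING: "{load5}"', f"{SWAP_AVAIL} = INTEGER: {swap_avail} kB",
            f"{SWAP_TOTAL} = INTEGER: 1000000 kB", f'{EXT}3.100.110.115.1 = STRING: "green"',
            f'{EXT}5.99.108.111.117.100.1 = STRING: "{cloud}"']

if __name__ == "__main__":
    print(evaluate([sample(1.9, 400000, "red")] * 3, cores=2))
```

A single spike does not raise a load or memory finding; only a breach in every poll of the window does, matching the page's "consistently" wording.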

