IPS SNMP alarms

Hi,
My question concerns the way to send SNMP traps as an alert format.
I am totally aware that the AIP-SSM/IPS 4200 does not support syslog as an alert format.
The default method is through SDEE but I really don't want to use MARS to get my security events (I have more than 10 devices so don't think about IME).
I've read that I have to configure individual signatures in order to generate an SNMP trap as an action to take when they are triggered.
So is this correct?:
Is it possible to enable it "globally"? For example for all signatures with a level higher than informational? Is it done with this option?:
What is the first action "deny packet inline"? Is it really done, given that I am using the AIP-SSM in promiscuous mode...
Thanks a lot!

Hello,
You can use Event Action Overrides to add an action (SNMP trap) to all alarms that reach a specific risk rating (high risk, medium risk, low risk, or a user-defined risk rating, as you need).
When you're talking about the "Event Action Overrides", are you referring to the second screenshot I've posted? In this configuration, all enabled signatures should trigger a SNMP trap, right? (even if I didn't set the "request SNMP trap" option in all signatures?)
Deny packet inline is usable only in inline mode. This action drops the packet that triggered the specific signature. In promiscuous mode you can only use the TCP reset action to stop some kinds of attack.
Yes, that's what I thought. But this action (Deny packet inline) is not removable from the HIGHRISK override. So it is not taken into account when using the IPS in promiscuous mode?
Thanks,
Regards.

Similar Messages

  • 3560 Switch false SNMP alarms

    Hi 
Multiple SNMP platforms report power supply failure. However, CLI show command output does not report any fault.
    SNMP alarm
    Event Time: Wed 07 Aug 2011 14:46:24
    Event ID: E060344
    Khi_switch - Fault with Power Supply
    Switch
    Khi_switch  #show env all
    FAN 1 is OK
    FAN 2 is OK
    FAN PS-1 is OK
    FAN PS-2 is OK
    SYSTEM TEMPERATURE is OK
    System Temperature Value: 31 Degree Celsius
    System Temperature State: GREEN
    Yellow Threshold : 46 Degree Celsius
    Red Threshold : 60 Degree Celsius
Please help, how can this be troubleshot?
    Thanks
    Nomi

    Hi Joseph,
Thanks for your reply. I saw that MIB but as the mid- to low-end switches do not support MPLS it's definitely not the MIB to look at. VRF Lite must be hidden somewhere else or might have been forgotten.
    Regards,
    Mat

  • Issuing snmp alarms in weblogic

    Hi,
    I think there is a way for WebLogic (or EM FMC Control) to be configured to generate an SNMP alarm when there are app or managed server problems ?
    Regards,
    Harsha

    To communicate with the WebLogic SNMP agent, you need to load the WebLogic Server management information base (MIB)
    data into the MIB Browser. Using the MIB Browser application's File menu, select the Load MIB menu item, browse to the
    ${WL_HOME}/server/lib directory, and select the BEA-WEBLOGIC-MIB.asn1 file. After expanding the BEA-WEBLOGIC-MIB folder
    on the left, you should see a list of WebLogic SNMP MIB tables.
    This is interesting, but the main reason to use SNMP is to send unsolicited messages to the SNMP manager whenever something
    happens. These unsolicited messages are called SNMP traps. WebLogic SNMP can generate traps to notify the SNMP manager
    of certain types of events. WebLogic Server comes with a set of predefined traps for server startup, server shutdown, cold start
    (admin server startup), and authentication failure. You can also set up three other types of traps: attribute change traps,
    log message traps, and monitor traps.
    The first step is to configure the Trap Viewer to listen for traps. Using the MIB Browser's View menu, select the Trap Viewer
    menu item. Use the Trap Viewer's Start button to tell it to start listening for traps on its default port, port 162, with a Community
    of public. Now, you need to configure the WebLogic Server side. For each SNMP agent, use the agent's Trap Destinations Configuration
    tab to create a new trap destination. Set the Name to WebNMSTrapViewer, the Community to public, the Host to the IP address or
    hostname of the machine where Trap Viewer is running (for example, localhost), and the Port to 162. If you are using SNMP v1.0
    style traps, you do not need to specify the Security Name or Security Level attributes, which only apply to SNMP v3 style traps.
    Do not forget to target the SNMP agent to the admin server.
    Monitor traps are used to monitor an attribute value of an MBean; they come in three types: counter, string, and gauge.
    A counter trap simply generates a trap when a particular attribute value meets or exceeds the threshold value. For example,
    you might want to define a counter monitor trap to let you know when a server is using all of the connections in the
    connection pool. To do this, you need to use the ActiveConnectionsHighCount attribute of the JDBCConnectionPoolRuntimeMBean
    with the Monitored MBean Name of MyDataSourceName on ServerName.
    A string monitor trap compares the attribute value against a string and can raise a trap when the string matches or when it differs.
    A gauge monitor trap will alert you whenever the attribute value meets or exceeds the Threshold High value and when it reaches
    or falls below the Threshold Low. If you have a JDBC connection pool where the Initial Capacity and Maximum Capacity attributes
    are different, you might want to create a gauge monitor to monitor the maximum and minimum number of connections. By setting
    the Threshold Low value to be one less than the Initial Capacity, your gauge monitor trap could monitor the
    ActiveConnectionsCurrentCount attribute of the JDBCDataSourceRuntime MBean and alert you whenever the number of active
    connections are less than the Initial Capacity (which might indicate database connectivity problems).

  • SNMP alarm regarding transceivers

    Hello Community!
    Have this client and one of the 6509s is reporting alarms on the SNMP tool, and we are seeing the following output:
    SW101#sh interfaces transceiver detail
    Transceiver monitoring is disabled for all interfaces.
    mA: milliamperes, dBm: decibels (milliwatts), NA or N/A: not applicable.
    ++ : high alarm, +  : high warning, -  : low warning, -- : low alarm.
    A2D readouts (if they differ), are reported in parentheses.
    The threshold values are calibrated.
                                High Alarm  High Warn  Low Warn   Low Alarm
               Temperature         Threshold   Threshold  Threshold  Threshold
    Port       (Celsius)          (Celsius)   (Celsius)  (Celsius)  (Celsius)
    Gi1/1/17     23.7               109.0       103.0       -13.0      -29.0
    Gi1/1/18     24.5               109.0       103.0       -13.0      -29.0
    Gi2/1/17     30.5          ++     0.0         0.0         0.0        0.0
    Gi2/1/18     23.7          ++     0.0         0.0         0.0        0.0
                                High Alarm  High Warn  Low Warn   Low Alarm
                Voltage            Threshold   Threshold  Threshold  Threshold
    Port        (Volts)            (Volts)     (Volts)    (Volts)    (Volts)
    Gi1/1/17    3.31                  3.90        3.70        2.90       2.70
    Gi1/1/18    3.32                  3.90        3.70        2.90       2.70
    Gi2/1/17    3.31        ++        0.00        0.00        0.00       0.00
    Gi2/1/18    3.25        ++        0.00        0.00        0.00       0.00
                                High Alarm  High Warn  Low Warn   Low Alarm
                Current            Threshold   Threshold  Threshold  Threshold
    Port        (milliamperes)     (mA)        (mA)       (mA)       (mA)
    Gi1/1/17      8.0                15.0        12.0         2.0        1.0
    Gi1/1/18      7.2                15.0        12.0         2.0        1.0
    Gi2/1/17      7.6         ++      0.0         0.0         0.0        0.0
    Gi2/1/18      5.3         ++      0.0         0.0         0.0        0.0
                Optical            High Alarm  High Warn  Low Warn   Low Alarm
                Transmit Power     Threshold   Threshold  Threshold  Threshold
    Port        (dBm)              (dBm)       (dBm)      (dBm)      (dBm)
    Gi1/1/17     -4.5                -2.0        -2.0       -11.0      -11.7
    Gi1/1/18     -4.5                -2.0        -2.0       -11.0      -11.7
    Gi2/1/17     -4.5         ++    -40.0       -40.0       -40.0      -40.0
    Gi2/1/18     -5.5         ++    -40.0       -40.0       -40.0      -40.0
                Optical            High Alarm  High Warn  Low Warn   Low Alarm
                Receive Power      Threshold   Threshold  Threshold  Threshold
    Port        (dBm)              (dBm)       (dBm)      (dBm)      (dBm)
    Gi1/1/17     -4.2                 1.0        -1.0       -18.0      -20.0
    Gi1/1/18     -5.1                 1.0        -1.0       -18.0      -20.0
    Gi2/1/17     -5.1         ++    -40.0       -40.0       -40.0      -40.0
    Gi2/1/18     -4.7         ++    -40.0       -40.0       -40.0      -40.0
    Is this something we should be concerned about?
    The interfaces are functional, what more information could we get to see if there's a potential problem?
    Thank you in advance!
    Federico.
    Just got more info.. the SFPs are Cisco, attached the ''sh idprom'' for those interfaces....
    Message was edited by: Federico Coto Fajardo
Is there any threshold to adjust the values? There's another 6509 that is not reporting the alarm; the thresholds are configured on that one, not on this one (which is the one generating the alarms).
    These are two 6509s in VSS mode.
    As you can see only one chassis is reporting the alarms (where the thresholds are not configured), here's the output:
    TAR0139SW101#sh interfaces transceiver
    Transceiver monitoring is disabled for all interfaces.
    If device is externally calibrated, only calibrated values are printed.
    ++ : high alarm, +  : high warning, -  : low warning, -- : low alarm.
    NA or N/A: not applicable, Tx: transmit, Rx: receive.
    mA: milliamperes, dBm: decibels (milliwatts).
                                             Optical   Optical
                Temperature  Voltage  Current   Tx Power  Rx Power
    Port        (Celsius)    (Volts)  (mA)      (dBm)     (dBm)
    Gi1/1/17      24.7       3.31       7.9      -4.5      -4.2
    Gi1/1/18      25.1       3.32       7.2      -4.5      -5.1
    Gi2/1/17      31.0 ++    3.31 ++    7.6 ++   -4.5 ++   -5.2 ++
    Gi2/1/18      23.8 ++    3.25 ++    5.3 ++   -5.5 ++   -4.7 ++
    I just keep adding info :-)
    Here's the ''show run int'' and ''show int'' for those interfaces.
    Why are only the GBICs in one chassis of the VSS pair presenting the ++ high alarms?
    Thanks!

    Thanks Leo, but my question is with this output:
    SW101#sh interfaces transceiver detail
    Transceiver monitoring is disabled for all interfaces.
    mA: milliamperes, dBm: decibels (milliwatts), NA or N/A: not applicable.
    ++ : high alarm, +  : high warning, -  : low warning, -- : low alarm.
    A2D readouts (if they differ), are reported in parentheses.
    The threshold values are calibrated.
                                High Alarm  High Warn  Low Warn   Low Alarm
               Temperature         Threshold   Threshold  Threshold  Threshold
    Port       (Celsius)          (Celsius)   (Celsius)  (Celsius)  (Celsius)
    Gi1/1/17     23.7               109.0       103.0       -13.0      -29.0
    Gi1/1/18     24.5               109.0       103.0       -13.0      -29.0
    Gi2/1/17     30.5          ++     0.0         0.0         0.0        0.0
    Gi2/1/18     23.7          ++     0.0         0.0         0.0        0.0
                                High Alarm  High Warn  Low Warn   Low Alarm
                Voltage            Threshold   Threshold  Threshold  Threshold
    Port        (Volts)            (Volts)     (Volts)    (Volts)    (Volts)
    Gi1/1/17    3.31                  3.90        3.70        2.90       2.70
    Gi1/1/18    3.32                  3.90        3.70        2.90       2.70
    Gi2/1/17    3.31        ++        0.00        0.00        0.00       0.00
    Gi2/1/18    3.25        ++        0.00        0.00        0.00       0.00
    Why is that the thresholds are 0.00 for the Gi2/1/17 and Gi2/1/18 (the ones presenting the high alarm alerts on the SNMP manager)?
I just want to make sure that they are not going to die a horrible death!  :-)
    Federico.

  • Need more info in snmp alerts

    Hello all: Here is a typical snmp message I receive:
    ================================================== =========
    The following alarm has occurred:
    Alarm generator : SNMP
    Alarm Category : CPQHLTH-MIB
    Alarm type : Fan Degraded ( 6035 )
    Alarm time : Tue Jul 24 10:29:44 EDT 2007
    Summary : The Fan Degraded on Chassis 0 ,
    Fan 2 .
    ================================================== =========
    A SNMP alarm has been generated by a device on the GR
    subnet.
As you can see, there is not much information. I really need to
know the server which generated the error. How can I set up
ZfS7 to do this??
    Thanks a bunch for the help, Chris.

    Yes, that is what I am looking for. THANKS VERY MUCH.
    >>> On 7/30/2007 at 8:07 PM, in message <[email protected]>, Steven Lim <s.lim_nospam@4me_curtin.edu.au> wrote:
    > Have a look in the autoexec.ncf and see if you can see sys:\system\nma\nma5.ncf
    >
    > It loads
    > LOAD FLEXTRAP
    > LOAD NDPSMIB
    > LOAD NTREND
    > LOAD HOSTMIB
    > LOAD NWTRAP
    > LOAD SERVINST
    > LOAD NDSINST
    > LOAD NDSTRAP
    > LOAD MPKAGENT
    > LOAD MONDATA
    > LOAD NSSMIB
    > LOAD NWTRPAGT
    > LOAD DSTRPAGT
    >
    > but you must be loading them otherwise you wouldn't be getting anything anyway.
    >
    > How do you receive the SNMP alert..via email? If so then it's probably just your rules for your site. Get properties of your site server in the ZFS namespace of ConsoleOne. This will open the ZFS MMS snapins. Go to the Rules page tab. Edit the rule\s that send you the email.
    >
    > I use the following in the body of the message to show me the information that I want
    >
    > %-h [%n]%s
    >
    > Have a look in the help to see what other options are there, but the one that you want is %n which is the affected object\server.
    >
    > For the subject I use
    >
    > [%n] %t
    >
    > The square braces don't mean anything....I just use those to encase the server name.
    >
    > I've also renamed all my server objects in the atlas to be just the common name. It makes it all nice and short.
    >
    > Hope that helps
    > "Chris Mosentine" <cmosentine@N0_$pam.vrapc.com> wrote in message news:46ADB66E.08CB.0032.0@N0_$pam.vrapc.com...
    >> How can I tell if I am running the NMA's? I am not all that familiar with zfs.
    >>
    >> The servers are listed in the atlas.
    >>
    >> Thanks for the help, Chris.
    >>
    >>>>> On 7/26/2007 at 1:49 AM, in message <[email protected]>, Steven Lim <s.lim_nospam@4me_curtin.edu.au> wrote:
    >>> Is the server running ZFS NMAs?
    >>> Can you find it in the Atlas? That's where ZFS monitoring gets the name from
    >>>
    >>> "Chris Mosentine" <cmosentine@N0_$pam.vrapc.com> wrote in message news:46A5DB58.08CB.0032.0@N0_$pam.vrapc.com...
    >>>> Hello all: Here is a typical snmp message I receive:
    >>>>
    >>>> ===========================================================
    >>>> The following alarm has occurred:
    >>>>
    >>>> Alarm generator : SNMP
    >>>> Alarm Category : CPQHLTH-MIB
    >>>> Alarm type : Fan Degraded ( 6035 )
    >>>> Alarm time : Tue Jul 24 10:29:44 EDT 2007
    >>>> Summary : The Fan Degraded on Chassis 0 ,
    >>>> Fan 2 .
    >>>> ===========================================================
    >>>>
    >>>> A SNMP alarm has been generated by a device on the GR subnet.
    >>>>
    >>>> As you can see, there is not much information. I really need to know the server which generated the error. How can I set up ZfS7 to do this??
    >>>>
    >>>> Thanks a bunch for the help, Chris.

  • IPS Impossible IP Packet

    I have an IDSM-2 version 6.1.1 E2 sig 353. The IPS is running in promiscuous mode. The IPS is alarming on impossible IP packets. To trace down the culprit, I decided to log the packet pair with the hopes that the layer 2 information would help guide the way. When I examined the packets with Wireshark, the IP address information showed different source and destination IP addresses. The packet appeared to be normal.
    Any ideas why the IPS reports data differently from Wireshark?
    I have several Cisco IPS sensors on this same version (6.1.1 E2 S353). This device is the only one reporting this type of error.

    There is a known bug CSCsr49100.
    There is a bug in the Fragmentation Reassemble/Normalizer code that can result in a false positive for the 1102 Impossible IP Packet signature.
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsr49100
    Cisco is aware of the issue, and is in the process of fixing the issue. (Fix is not yet released)
    Using the above link you can periodically check the status of the issue. When a version is released with the fixes a "Fixed-in" field will appear on the right side of the screen just beneath the "1st Found-in" versions. You will then need to upgrade to that version once it is released.

  • SNMP for ACE Failover.

    Hi Experts,
    Could someone please let me know the SNMP settings for my ACE failover.
    Query:-
When my active 4710 ACE load balancer fails for any reason (due to s/w or h/w) and the second 4710 ACE load balancer takes over (becoming active), will there be an SNMP alarm sent from the ACE?
    If so, which SNMP alarm will that be and which SNMP settings need to be applied for this?
Thanks in advance. Appreciate your comment on this.
    Regards
    Fari

    Hi Christopher,
I configured the SNMP but nothing is being seen on the SYSLOG server. But I am able to ping the syslog server from the ACE as it is in the same subnet.
But the messages are not getting recorded on the syslog server. I reloaded the ACE and saw OIDs getting generated for link up/down and restart, but nothing was recorded on the syslog server.
    Is this a bug?
    Generating configuration....
    Logging part config:
    logging trap 3
    logging history 4
    logging host 10.10.10.5 udp/514
    SNMP part config:
    snmp-server host 10.10.10.5 traps version 2c private
    snmp-server trap-source vlan 32
    snmp-server enable traps snmp coldstart
    snmp-server enable traps virtual-context
    snmp-server enable traps license
    snmp-server enable traps slb vserver
    snmp-server enable traps slb real
    snmp-server enable traps syslog
    snmp-server enable traps snmp authentication
    snmp-server enable traps snmp linkup
    snmp-server enable traps snmp linkdown
However, I don't see the OIDs you mentioned. Also, there is no incoming syslog message from any of the ACE load balancer IP addresses shown.
Any help would be appreciated. Thanks in advance.
    Regards,
    Fari

  • Migration from Forefront TMG to Ironport c680

    Hello,
We're planning to replace Microsoft Forefront TMG with Cisco Ironport c680.
I am here to get ideas for an easy and smooth migration (change over).
Need experts' advice to list down the tasks before migration / change over & important things to remember.
    Best Regards,
    Juned

    Standard it would be.
    Port 25 SMTP -> Inbound and Outbound for mail delivery
    Port 53 (TCP/UDP) DNS 
    Port 80 HTTP - GUI Access (for internal) and Updates/upgrades to download from internet
    Port 443 HTTPS  - (As above)
    Port 22 SSH - CLI access  (And possible for tunnel)
    Port 23 Telnet - CLI access 
    A long list would be depending on required services:
    Port   Protocol  In/Out     Hostname                        Description
    20/21  TCP       In or Out  AsyncOS IPs, FTP Server         FTP for aggregation of log files.
    22     TCP       In         AsyncOS IPs                     SSH access to the CLI, aggregation of log files.
    22     TCP       Out        SSH Server                      SSH aggregation of log files.
    22     TCP       Out        SCP Server                      SCP Push to log server.
    23     Telnet    In         AsyncOS IPs                     Telnet access to the CLI, aggregation of log files.
    23     Telnet    Out        Telnet Server                   Telnet upgrades, aggregation of log files (not recommended).
    25     TCP       Out        Any                             SMTP to send email.
    25     TCP       In         AsyncOS IPs                     SMTP to receive bounced email or if injecting email from outside firewall.
    80     HTTP      In         AsyncOS IPs                     HTTP access to the GUI for system monitoring.
    80     HTTP      Out        downloads.ironport.com          Service updates, except for AsyncOS upgrades and McAfee definitions.
    80     HTTP      Out        updates.ironport.com            AsyncOS upgrades and McAfee Anti-Virus definitions.
    80     HTTP      Out        cdn-microupdates.cloudmark.com  Used for updates to third-party spam component in Intelligent MultiScan. Appliance must also connect to CIDR range 208.83.136.0/22 for third-party phone home updates.
    82     HTTP      In         AsyncOS IPs                     Used for viewing the Cisco IronPort Anti-Spam quarantine.
    83     HTTPS     In         AsyncOS IPs                     Used for viewing the Cisco IronPort Anti-Spam quarantine.
    53     UDP/TCP   In & Out   DNS Servers                     DNS if configured to use Internet root servers or other DNS servers outside the firewall. Also for SenderBase queries.
    110    TCP       Out        POP Server                      POP authentication for end users for Cisco IronPort Spam Quarantine.
    123    UDP       In & Out   NTP Server                      NTP if time servers are outside firewall.
    143    TCP       Out        IMAP Server                     IMAP authentication for end users for Cisco IronPort Spam Quarantine.
    161    UDP       In         AsyncOS IPs                     SNMP Queries.
    162    UDP       Out        Management Station              SNMP Traps.
    389    LDAP      Out        LDAP Servers                    LDAP if LDAP directory servers are outside firewall. LDAP authentication for Cisco IronPort Spam Quarantine.
    3268   LDAP      Out        LDAP Servers                    LDAP if LDAP directory servers are outside firewall. LDAP authentication for Cisco IronPort Spam Quarantine.
    636    LDAPS     Out        LDAPS                           LDAPS ActiveDirectory Global Catalog Server.
    3269   LDAPS     Out        LDAPS                           LDAPS ActiveDirectory Global Catalog Server.
    443    TCP       In         AsyncOS IPs                     Secure HTTP (https) access to the GUI for system monitoring.
    443    TCP       Out        res.cisco.com                   Cisco Registered Envelope Service.
    443    TCP       Out        updates-static.ironport.com     Verify the latest files for the update server.
    443    TCP       Out        phonehome.senderbase.org        Receive/Send Outbreak Filters.
    514    UDP/TCP   Out        Syslog Server                   Syslog logging.
    628    TCP       In         AsyncOS IPs                     QMQP if injecting email from outside firewall.
    2222   CCS       In & Out   AsyncOS IPs                     Cluster Communication Service (for Centralized Management).
    6025   TCP       Out        AsyncOS IPs                     Cisco IronPort Spam Quarantine.
    7025   TCP       Out        AsyncOS IPs                     Cisco Policy Virus Outbreak Quarantine.

  • LMS 4.1 user tracking does not pull ip address from hosts on switches

    New install discovered router and switches at same location with no issues. However when running an acquisition on those switches most fields are populated except the ip address of end host associated with port. Mac address, port speed, etc. but no ip address info on per port basis. Any ideas, using snmp v3 if that makes a difference.
    Sent from Cisco Technical Support iPad App

    Thanks for this.  This really clarified things in my head.  I didn't realize that you were not seeing MACs in UT.  This is a new feature of LMS 4.1.  UT will show those ports that are up/up even if the MAC address cannot be determined.  The reason the MAC address cannot be determined is that your switch code is too old.  You need 12.2(25)SEE or higher to support SNMPv3 contexts necessary to poll MAC addresses.  If you upgrade, then configure the following for each VLAN context (seen in "show snmp context") then you should see those MACs (then IPs):
    snmp-server group v3group v3 context vlan-10

  • Upgrade failure

    Hi experts,
    I am deploying a new WSA, but seem unable to upgrade AsyncOS - when I check for available upgrades, I receive the following error:
    Error
    Failure downloading upgrade list.
    Everything else seems to be OK - I have time via the default NTP servers, checks for new feature keys return a success, policy trace returns what I would expect.
    I have noticed that the feature keys the client purchased are listed as Active with 30 days remaining and an expiration date of Dormant.
    Does the appliance license need to be activated? I can't seem to locate a Claim Certificate to find the PAK...
    Thanks.

    Hi,
The status Dormant means that the feature is currently not being used by the device, e.g. if the HTTPS Proxy status shows Dormant, this generally means that the device is currently not using this feature.
    Regarding the Upgrade issue, I would request you to make sure the following ports are not being blocked by the firewall:
    Firewall Ports:
    Port         Protocol  In/Out     Hostname                               Description
    ===============================================
    20/21        TCP       In or out  AsyncOS IPs, FTP server                FTP for aggregation of log files.
    22           TCP       In         AsyncOS IPs                            SSH access to the CLI, aggregation of log files.
    22           TCP       Out        SCP server                             SCP push to log server.
    23           Telnet    In         AsyncOS IPs                            Telnet access to the CLI.
    23           Telnet    Out        Telnet server                          Telnet upgrades.
    25           TCP       Out        Any                                    SMTP to send email.
    25           TCP       In         AsyncOS IPs                            SMTP to receive bounced email or if injecting email from outside firewall.
    80           TCP       In or out  AsyncOS IPs, downloads.ironport.com    HTTP access to the GUI for system monitoring. AsyncOS and Sophos upgrades are retrieved via HTTP from port 80.
    82           HTTP      In         AsyncOS IPs                            Used for viewing the IronPort Spam Quarantine.
    83           HTTPS     In         AsyncOS IPs                            Used for viewing the IronPort Spam Quarantine.
    53           UDP/TCP   Out        DNS servers                            DNS if configured to use Internet root servers or other DNS servers outside the firewall. Also for SenderBase.
    110          TCP       Out        POP server                             POP authentication for end users for IronPort Spam Quarantine.
    123          UDP       Out        NTP server                             NTP if time servers are outside firewall.
    143          TCP       Out        IMAP server                            IMAP authentication for end users for IronPort Spam Quarantine.
    161          UDP       In         AsyncOS IPs                            SNMP queries.
    162          UDP       Out        Management station                     SNMP traps.
    389 or 3268  LDAP      Out        LDAP servers                           LDAP if LDAP directory servers are outside firewall. LDAP authentication for IronPort Spam Quarantine.
    636 or 3269  LDAPS     Out        LDAPS                                  LDAPS ActiveDirectory's global catalog server.
    443          TCP       In         AsyncOS IPs                            Secure HTTP (https) access to the GUI for system monitoring.
    443          TCP       Out        update manifests, ironport.com         Verify the latest files for the update server.
    443          TCP       Out        phonehome.senderbase.org               Receive/send Virus Outbreak Filters.
    514          UDP/TCP   Out        Syslog server                          Syslog logging.
    2222         CCS       In/Out     AsyncOS IPs                            Cluster Communication Service (for centralized management).
    6025         TCP       In/Out     AsyncOS IPs                            Send IronPort Spam Quarantine data to the Security Management appliance if the external IronPort Spam Quarantine is enabled.
    If it still fails, please try to use the recommended P1 interface and then try to do the upgrade.
    Regards,
    Kush

  • CSCtg72652

    CISCO2911/K9
    Router was running c2900-universalk9-mz.SPA.151-4.M2.bin
    Upgraded IOS to c2900-universalk9-mz.SPA.151-4.M5.bin
    There is no RPS installed, and we are getting SNMP alarms that the RPS has failed.
    The power system is working fine. An incorrect alarm is being sent, but not sure why it is an alarm for a redundant power supply failure since there is not one installed.

Had the same issue: a Cisco 2901 upgraded to c2900-universalk9-mz.SPA.151-4.M5.bin, configured CME, and after a restart it didn't come back. I tried everything possible and was finally able to get it back, but again after completing the configuration I restarted and nothing came back. Finally I raised an RMA.
There is no way to even get to ROMMON.

  • IPS Interface using SNMP

    Hi there,
I am encountering a problem with a number of Cisco IPS 4200 series devices. When we perform a walk using the MIB-II (RFC 1213) OIDs, the information that is returned is incorrect (interface status, speed, ...)...
After some searching, I found the following on the Cisco site for these devices:
    The following private MIBs are supported on the sensor:
    • CISCO-CIDS-MIB
    • CISCO-PROCESS-MIB
    • CISCO-ENHANCED-MEMPOOL-MIB
    • CISCO-ENTITY-ALARM-MIB
    Note MIB II is available on the sensor, but we do not support it. We know that some elements are not correct (for example, the packet counts from the IF MIB on the sensing interfaces). While you can use elements from MIB II, we do not guarantee that they all provide correct information. We fully support the other listed MIBs and their output is correct.
Is there any way that we can correctly read the interface status, speed, etc.? I cannot find similar OIDs in the supported MIBs.
    IPS4240 ver 7.0(4)E4
    Thanks

    Hi,
    Unfortunately, there is currently no way to get the correct interface statistics through SNMP.
    An enhancement request has been opened to have parts of MIB-II supported:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk41177
    If this feature is important for you, you can contact your account team so that they can work with the IPS folks to have this feature prioritized for the next software release.
    Regards,
    Nicolas

  • CSM Alarming for IPS Events

    Hi Community,
I'm new to Cisco Security Manager. Is it possible to trigger an Email Alarm when a High Risk IPS Event comes in? How can I configure this task?
    Thank you,
    Florian

    Hi Miguel,
Sadly I haven't found Email Alarming directly in CSM. I solved it this way:
I configured a Trap Receiver directly in the Cisco IPS Module. Every high risk event triggers an SNMP Trap. On the Trap Receiver itself I configured Email Alarming when this Trap comes in. Now the Administrator is informed and can log in to CSM and do deeper analysis of the event with the CSM Software.
    Best Regards,
    Florian

  • Check alarm status using SNMP

    Hi,
    Is there a way to check if there is an active alarm on a cisco switch/router (M4900/4948 series and 2960 series) using SNMP ?
    I'm looking for a simple quick way to verify if an alarm is active (any alarm)
Is there some sort of general OID that gives me a '1' or '0'?
    thanks !
    grtz
    Thijs

Like a table that holds all alarms? No, there is no such thing.
    There are so many reasons there could be an alarm. Hardware state, error rates, utilisation, etc
There are hardware state OIDs that can give you a hardware component status.
    Usually you will find that you have an OID for a component, like a fan.
    1.3.6.1.4.1.9.9.13.1.4.1.3
    You can then walk this OID to find the instances of that OID.
    E.g, a fan for the device and another fan for the power supply, or a fan for each stack member.
When you know these instances, let's say the walk returns .1001 and .2004, you can query
    1.3.6.1.4.1.9.9.13.1.4.1.3.1001 and 1.3.6.1.4.1.9.9.13.1.4.1.3.2004.
The values returned can be:
Object: ciscoEnvMonFanState
OID: 1.3.6.1.4.1.9.9.13.1.4.1.3
Type: CiscoEnvMonState
  1: normal
  2: warning
  3: critical
  4: shutdown
  5: notPresent
  6: notFunctioning
Permission: read-only
Status: current
MIB: CISCO-ENVMON-MIB
Description: The current state of the fan being instrumented.
So then you have an alarm for the fans.
    It is similar for other components like a power supply or temperature sensors, etc.
    http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2&mibName=CISCO-ENVMON-MIB
    And then there are operational alarms not related to hardware.
    For this you need to monitor values like CPU utilization and define a threshold.
    Good luck,
    Michel
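The walk-then-decode procedure Michel describes, as an added example that is not part of the thread: it takes net-snmp style numeric output (as printed by `snmpwalk -On`, assumed) and turns it into the single alarm flag the question asked for. The fan state OID is the one quoted above; the power supply and temperature state column OIDs are taken from the same CISCO-ENVMON-MIB and are not quoted in the thread.

```python
"""Decode CISCO-ENVMON-MIB state rows from snmpwalk output.

Added example (not from the thread). Input is the text that
`snmpwalk -v2c -c <community> -On <device> 1.3.6.1.4.1.9.9.13.1`
would print; output is the list of components in a non-healthy state
and a 1/0 "is any environmental alarm active" flag.
"""
import re
from typing import List, NamedTuple

# Value enumeration of CiscoEnvMonState, as quoted in the answer above.
ENVMON_STATE = {
    1: "normal", 2: "warning", 3: "critical",
    4: "shutdown", 5: "notPresent", 6: "notFunctioning",
}

# Table columns holding a CiscoEnvMonState. The fan column is the OID the
# answer gives; the supply and temperature columns come from the same
# CISCO-ENVMON-MIB (assumed here, not quoted in the thread).
STATE_COLUMNS = {
    "1.3.6.1.4.1.9.9.13.1.4.1.3": "fan",
    "1.3.6.1.4.1.9.9.13.1.5.1.3": "powerSupply",
    "1.3.6.1.4.1.9.9.13.1.3.1.6": "temperature",
}

# States that are not alarms: healthy, or the slot is simply empty
# (an unpopulated redundant supply reports notPresent, not a failure).
BENIGN = {"normal", "notPresent"}

# net-snmp numeric output line: ".<column oid>.<instance> = INTEGER: <n>"
LINE_RE = re.compile(
    r"^\.?(?P<oid>[\d.]+)\.(?P<inst>\d+)\s*=\s*INTEGER:\s*(?P<val>\d+)\s*$"
)


class EnvRow(NamedTuple):
    component: str
    instance: int
    state: str


def parse_walk(text: str) -> List[EnvRow]:
    """Return one record per state row found, with the state name decoded."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # descriptions, counters, other MIBs: not a state column
        component = STATE_COLUMNS.get(m.group("oid"))
        if component is None:
            continue
        code = int(m.group("val"))
        # Codes outside 1..6 are not valid CiscoEnvMonState values; keep them
        # visible instead of silently treating them as healthy.
        state = ENVMON_STATE.get(code, f"unknown({code})")
        rows.append(EnvRow(component, int(m.group("inst")), state))
    return rows


def active_alarms(text: str) -> List[EnvRow]:
    """Rows whose state is neither normal nor notPresent."""
    return [r for r in parse_walk(text) if r.state not in BENIGN]


def alarm_flag(text: str) -> int:
    """The '1 or 0' the question asks for: 1 if any environmental alarm is active."""
    return 1 if active_alarms(text) else 0


# Constructed sample walk (not captured from a real device): two fan
# instances, one of them in warning, a healthy supply, an empty second
# supply slot and one temperature sensor.
SAMPLE_WALK = """\
.1.3.6.1.4.1.9.9.13.1.4.1.2.1001 = STRING: "Chassis Fan Tray 1"
.1.3.6.1.4.1.9.9.13.1.4.1.3.1001 = INTEGER: 1
.1.3.6.1.4.1.9.9.13.1.4.1.3.2004 = INTEGER: 2
.1.3.6.1.4.1.9.9.13.1.5.1.3.1 = INTEGER: 1
.1.3.6.1.4.1.9.9.13.1.5.1.3.2 = INTEGER: 5
.1.3.6.1.4.1.9.9.13.1.3.1.6.1 = INTEGER: 1
"""

if __name__ == "__main__":
    for row in active_alarms(SAMPLE_WALK):
        print(f"{row.component} instance {row.instance}: {row.state}")
    print("alarm active:", alarm_flag(SAMPLE_WALK))
```

Comparing this decoded view with the CLI (`show env all`) is also the quickest way to spot a manager that raises power supply alarms the device itself does not report, as in the 3560 thread above.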

  • ISE Alarm : Critical : Profiler SNMP Request Failure : Server

Ok, so this alarm is coming in repeatedly and is now on my projects list.  I get email alerts from the server that list the NAD IP as the endpoint device and the Endpoint IP address is correct.  I've checked the settings and the endpoint is not listed as a NAD in ISE (ver 1.2).
    Profiler SNMP Request Failure
    Details :
    Profiler SNMP Request Failure : Server=xxx-xxx-xxx; NAD Address=10.253.124.194; Endpoint IP Address=10.253.124.194
    Description :
    SNMP request times out, or SNMP community/user auth data is incorrect.
    Suggested Actions :
    Please ensure if SNMP is running on the NAD and verify that SNMP configuration on ISE matches on NAD
    *** This message is generated by Cisco Identity Services Engine (ISE) ***
    Has anyone seen this come in before?
    PS - Why is the IOS for ISE so cut down?  Looks like something you would get from an Apple product.
    Thanks,
    Clark

    Hello,
    Please follow below CiscoLink:
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mnt.html
    Profiler SNMP Request Failure
    Either the SNMP request timed out or the SNMP community or user authentication data is incorrect.
    Ensure that SNMP is running on the NAD and verify that SNMP configuration on Cisco ISE matches with NAD.
Also check which SNMP version the device is using.
    Thanks,
