nv-l

RE: [nv-l] Cisco PIX / Firewall switch module in Netview

2004-09-21 09:17:01
Subject: RE: [nv-l] Cisco PIX / Firewall switch module in Netview
From: "Barr, Scott" <Scott_Barr AT csgsystems DOT com>
To: <nv-l AT lists.us.ibm DOT com>
Date: Tue, 21 Sep 2004 08:06:09 -0500
More precisely, the SNMP sysName is identical in both units.

We used the traps from the firewall to detect the change in failover state and only monitored the device interfaces to assure reachability. I could share my Perl script for the syslog traps if you need it. But you are correct in all other aspects of your post. I don't know of any way to get NetView to observe the interfaces changing units because of the sysName always being the same.

-----Original Message-----
From: owner-nv-l AT lists.us.ibm DOT com [mailto:owner-nv-l AT lists.us.ibm DOT 
com]
On Behalf Of Francois Le Hir
Sent: Tuesday, September 21, 2004 8:00 AM
To: nv-l AT lists.us.ibm DOT com
Subject: Re: [nv-l] Cisco PIX / Firewall switch module in Netview

Leslie, the problem is not really about the correct discovery of the devices. We have SNMP access and are able to see the interface tables. The main problem is with some of the addresses changing side and not being able to see it correctly in NetView, as the hostname is the same in the two devices of the pair. Unless we do a nmdemandpoll to correct the situation, the failover causes some of the already discovered addresses to be discovered again in the other device.

Salutations, / Regards,

Francois Le Hir
Network Projects & Consulting Services
IBM Global Services
Phone: (514) 964 2145


From: Leslie Clark <lclark AT us.ibm DOT com>
Sent by: owner-nv-l AT lists.us.ibm DOT com
To: nv-l AT lists.us.ibm DOT com
Date: 09/20/2004 06:22 PM
Subject: Re: [nv-l] Cisco PIX / Firewall switch module in Netview
Please respond to nv-l

Francois, I have not run across this, but I wonder if it would be possible (or helpful) to discover the devices by those stateful interfaces by doing loadhosts (without the small p), listing also the inside address? If name resolution was associated with the address that does not change, I wonder if that might help with one part of the problem.


Cordially,

Leslie A. Clark
IBM Global Services - Systems Mgmt & Networking
Detroit


From: Francois Le Hir <flehir AT ca.ibm DOT com>
Sent by: owner-nv-l AT lists.us.ibm DOT com
To: nv-l AT lists.us.ibm DOT com
Date: 09/20/2004 05:21 PM
Subject: [nv-l] Cisco PIX / Firewall switch module in Netview
Please respond to nv-l

I am wondering what the best practice is for managing Cisco firewalls with stateful and/or failover interfaces.

These firewalls work in pairs with a primary and a secondary. When there is a failover, all the interfaces of the primary end up in the secondary and all the interfaces of the secondary end up in the primary, except that the stateful/failover interfaces stay in the original device. The way this is seen by NetView is that the stateful/failover interface looks like it is the one changing side, as the selection names of the devices do not change in NetView.

To add to the difficulty, these stateful/failover interfaces are not reachable directly. Only the inside interface can be pinged by NetView, and we configure netmon.seed to monitor the whole device with SNMP so that we get the status of all the interfaces. Also, the two devices in the pair share the same configuration. That means that they have the same hostname, and there seems to be no other way to configure it.

I tried configuring NetView with these interfaces as HSRP in netmon.seed (%), but because the hostname of the two devices is the same I know it cannot work correctly. The way it eventually ends up is with both stateful/failover interfaces in both devices (like a duplicate IP).

Any idea on how to handle this?

More specifically:
- do you configure these interfaces as HSRP in netmon.seed?
- do you have the "S" flag configured in oid_to_type for the OIDs (1.3.6.1.4.1.9.1.392, 1.3.6.1.4.1.9.1.522, ...)?

Thanks,
Salutations, / Regards,

Francois Le Hir
Network Projects & Consulting Services
IBM Global Services
Phone: (514) 964 2145
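Scott's reply says the failover change was detected from the firewall's syslog traps rather than from SNMP, since sysName is identical on both units. The following is an added example, not the Perl script mentioned in the thread and not part of the original posts: it reconstructs which unit of a PIX pair is active from the "(Primary)/(Secondary) Switching to ACTIVE/STANDBY" syslog messages. It assumes the PIX message IDs 104001 (switch to active) and 104002 (switch to standby) and their text layout; the sample log lines are constructed, not captured from a real pair. Because both boxes log under the same hostname, the unit token inside the message body is the only thing that tells them apart, and the tracker flags the "both units active" picture Francois describes seeing in NetView.

```python
"""Track which unit of a Cisco PIX failover pair is active from syslog.

Added example, not the Perl script mentioned in the thread. It assumes
the "%PIX-1-104001: (unit) Switching to ACTIVE" and
"%PIX-1-104002: (unit) Switching to STANDBY" message format; the log
lines below are constructed, not captured from a real pair.
"""
import re
from dataclasses import dataclass, field

# Both units of a pair log under the same hostname, so the "(Primary)" /
# "(Secondary)" token in the message body is what tells the two
# physical boxes apart.
FAILOVER_RE = re.compile(
    r"%PIX-\d-10400[12]:\s*\((?P<unit>Primary|Secondary)\)\s+"
    r"Switching to\s+(?P<state>ACTIVE|STANDBY)"
)

UNITS = ("Primary", "Secondary")


@dataclass
class FailoverTracker:
    """Per-unit failover state reconstructed from syslog messages."""
    state: dict = field(default_factory=lambda: {u: None for u in UNITS})
    transitions: list = field(default_factory=list)  # (unit, old, new)
    alerts: list = field(default_factory=list)       # warnings as text

    def feed(self, line):
        """Consume one syslog line. Return (unit, state) when the line is
        a failover message, otherwise None."""
        m = FAILOVER_RE.search(line)
        if m is None:
            return None
        unit, new = m.group("unit"), m.group("state")
        old = self.state[unit]
        self.state[unit] = new
        if old != new:
            self.transitions.append((unit, old, new))
        # Two units both claiming ACTIVE is the "both addresses on both
        # devices" picture the thread describes; flag it explicitly.
        if all(s == "ACTIVE" for s in self.state.values()):
            self.alerts.append(f"both units report ACTIVE after: {line.strip()}")
        return unit, new

    def active_unit(self):
        """Unit currently owning the active addresses, or None when the
        state is unknown or ambiguous (no unit, or both, active)."""
        active = [u for u, s in self.state.items() if s == "ACTIVE"]
        return active[0] if len(active) == 1 else None


# Constructed sample log: normal start-up, one unrelated connection
# message, then a failover to the Secondary unit.
SAMPLE_LOG = [
    "Sep 21 07:58:10 pixfw %PIX-1-104001: (Primary) Switching to ACTIVE - Set by the config file",
    "Sep 21 07:58:11 pixfw %PIX-1-104002: (Secondary) Switching to STANDBY - Other unit wants me Standby",
    "Sep 21 08:01:32 pixfw %PIX-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.5/40000 (203.0.113.5/40000) to inside:192.0.2.10/80 (192.0.2.10/80)",
    "Sep 21 08:05:44 pixfw %PIX-1-104001: (Secondary) Switching to ACTIVE - HELLO not heard from mate.",
    "Sep 21 08:05:45 pixfw %PIX-1-104002: (Primary) Switching to STANDBY - Other unit wants me Standby",
]


def replay(lines):
    """Run a sequence of syslog lines through a fresh tracker."""
    tracker = FailoverTracker()
    for line in lines:
        tracker.feed(line)
    return tracker


if __name__ == "__main__":
    t = replay(SAMPLE_LOG)
    for unit, old, new in t.transitions:
        print(f"{unit}: {old} -> {new}")
    print("active unit:", t.active_unit())
    for a in t.alerts:
        print("ALERT:", a)
```

The one-second window in the sample where both units report ACTIVE is exactly the state a poller that keys on hostname cannot distinguish from a duplicate IP; a trap-driven tracker like this one can raise it as an event and then resolve it on the next STANDBY message, rather than waiting for a demand poll.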