netdisco / snmp-info


Cisco ASA Interface Port ID Changes #229

Open freedombirdone opened 7 years ago

freedombirdone commented 7 years ago

I have a rather large network with a number of VPN sites using Cisco ISR 2900s and Cisco ASA 5505s that utilize L2L IPsec VPNs to connect back to a Cisco ASA 5520 at my main site. I've noticed Netdisco doesn't play well with displaying these neighbor relations.

Example

Left Device        Left Port           Right Device      Right Port
REMOTE-ASA-5505    31902 (15)          PSEUDO-ASA-5520   Port1
REMOTE-ISR-2901    GigabitEthernet0/0  PSEUDO-ASA-5520   Port2

After some time the REMOTE-ASA-5505 port 31902 (15) changes to something random such as Port 21560 (15). I've noticed the (15) portion doesn't change. I'm not sure what that index is for. But I've noticed the Name column on the device never changes.

Expected Behavior

Current Behavior

I had to create a pseudo-device to emulate the outside interface of the main site ASA 5520 with numerous ports, then connect all of the remote sites' VPN devices to the pseudo-device ports. The issue is that the port number identifiers for the ASAs change after some time and the neighbor topology is then missing all the manual data. I have to manually delete all the ASA connections and re-add them. Is SNMP not querying this data properly?

Possible Solution

Cisco SNMP OID Link

Steps to Reproduce (for bugs)

  1. Add Manual Device Topology entries for Cisco ASA 5505 interfaces
  2. Wait some time
  3. Check the Ports Pane on the device to discover interface port has changed

Context

It would be nice to populate the neighbor relation map automatically to include the VPN sites. If or when that can be implemented, it would be nice for the ports not to change so frequently.

Your Environment

ollyg commented 7 years ago

Thanks for the very clear report, @michaelcrandolph.

My initial guess (not running any similar hardware myself) is that the changing port is the VPN tunnel which, when re-established, gets assigned a new ID and new name. However, this will not be the case if the tunnel has a very long uptime.

At the moment Netdisco will only set up a neighbor relation when an L2 protocol (LLDP) reports the relationship. I imagine that is not an option in this case. However we have been discussing on IRC the possibility to add L3 neighbor relations (using /30 links or aspects of the routing table with next-hop or routed-via configurations). There may be some mileage in this for VPN setups such as yours.

With regards to your Possible Solution - can you tell me what SNMP::Info Device Class is assigned to these VPN devices (at each end)? You can see this in the Netdisco Device Details tab. We can either amend the class used or write a new class for these devices to override the returned information for port names, to use different (more useful) OIDs.

freedombirdone commented 7 years ago

The class is SNMP::Info::Layer3::CiscoASA. I'm not sure if it has to do with VPN tunnels or not, since I have some ASAs that do not have VPN tunnels. It seems to be just querying the wrong OID.

jeneric commented 6 years ago

Can you provide a snmpwalk of the IF-MIB of one of these devices?

ollyg commented 5 years ago

When the Netdisco port name looks like "31902 (15)" it suggests that there is a duplicate in i_description as the (15) is the interface index being added in order to de-duplicate. If another table provides better and more consistent names then we should use that instead.

@freedombirdone if you are still listening to this old ticket ;-), can you please provide the output of:

netdisco-do show -d 1.2.3.4 -D -e i_index
netdisco-do show -d 1.2.3.4 -D -e i_description
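As an added example (not from this thread and not Netdisco's own code), a small Python model of the de-duplication ollyg describes: when two rows share the same i_description, the interface index is appended as " (N)". It diffs two polls and flags interfaces whose derived port name changed while the ifIndex stayed the same, and shows that keying on a stable column (here a constructed i_name table) produces no churn. All interface tables below are constructed sample data.

```python
from collections import Counter

# Constructed sample polls: the tunnel-related rows (ifIndex 15 and 16)
# carry a numeric description that changes between polls, as in the report.
POLL_1_DESCR = {1: "Ethernet0/0", 2: "Ethernet0/1", 15: "31902", 16: "31902"}
POLL_2_DESCR = {1: "Ethernet0/0", 2: "Ethernet0/1", 15: "21560", 16: "21560"}
# Constructed i_name table (the Name column the reporter says never changes).
POLL_1_NAME = {1: "Ethernet0/0", 2: "Ethernet0/1", 15: "inside", 16: "outside"}
POLL_2_NAME = dict(POLL_1_NAME)


def netdisco_port_names(column):
    """Model the de-duplication: a value shared by several rows gets the
    ifIndex appended as ' (N)'; unique values are used unchanged."""
    counts = Counter(column.values())
    return {idx: f"{val} ({idx})" if counts[val] > 1 else val
            for idx, val in column.items()}


def churned_ports(before, after):
    """Return {ifIndex: (old_name, new_name)} for rows present in both polls
    whose derived port name differs. Rows that appear or vanish are ignored;
    only identifier churn on a stable ifIndex is reported."""
    names_before = netdisco_port_names(before)
    names_after = netdisco_port_names(after)
    return {idx: (names_before[idx], names_after[idx])
            for idx in sorted(names_before.keys() & names_after.keys())
            if names_before[idx] != names_after[idx]}


def stable_columns(polls_by_column):
    """Given {column_name: (poll_1, poll_2)}, report which columns would give
    Netdisco identifiers that survive a re-poll (True = no churn)."""
    return {name: not churned_ports(p1, p2)
            for name, (p1, p2) in polls_by_column.items()}


if __name__ == "__main__":
    for idx, (old, new) in churned_ports(POLL_1_DESCR, POLL_2_DESCR).items():
        print(f"ifIndex {idx}: port name changed {old!r} -> {new!r}")
    print(stable_columns({"i_description": (POLL_1_DESCR, POLL_2_DESCR),
                          "i_name": (POLL_1_NAME, POLL_2_NAME)}))
```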