Why is the ASA ARP table not being used?

I’m new to LibreNMS, so far I like what I see. My current employer has a very small network infrastructure. We use ASAs for routing LAN subnets at each of our locations, as opposed to layer-3 switches.

Why won’t the ARP entries appear from our ASAs? For example, I have a couple routers at one location for internet access, and I see those ARP entries associated with switchports in LibreNMS, however I don’t see the ASA ARP table entries associated with any switchports in LibreNMS. Is there a way to make this work for ASAs?

Further below is the output from discovery.php, where as far as I can tell the call isn’t using the ASA doesn’t know how to process the ARP table get request.

Any help or guidance will be greatly appreciated!

[librenms@librenms ~]$ ./discovery.php -h 10.1.25.1 -d -m arp-table
LibreNMS 2015.master Discovery
Version info:
Commit SHA: 2489e70d8a3c34ae5c00204264dc01f41a22ada4
DB Schema: 126
PHP: 7.0.9
MySQL: 5.5.47-MariaDB
RRDTool: 1.4.8
SNMP: NET-SNMP version: 5.7.2

DEBUG!

SQL[SELECT version FROM dbSchema ORDER BY version DESC LIMIT 1]
SQL[SELECT revision FROM dbSchema] DB Schema already up to date.

SQL[SELECT * FROM devices WHERE status = 1 AND disabled = 0 AND hostname LIKE ‘10.1.25.1’ ORDER BY device_id DESC]
SQL[SELECT * FROM devices_attribs WHERE device_id = ‘2’] 10.1.25.1 2 asa (cisco)

Load disco module arp-table

SQL[SELECT attrib_value FROM devices_attribs WHERE device_id = ‘2’ AND attrib_type = ‘snmp_max_repeaters’ ]
/usr/bin/snmpbulkwalk -v2c -c COMMUNITY -Oq -m IP-MIB -M /opt/librenms/mibs udp:HOSTNAME:161 ipNetToMediaPhysAddress
IP-MIB::ipNetToMediaPhysAddress No Such Object available on this agent at this OID

SQL[SELECT * from ipv4_mac AS M, ports as I WHERE M.port_id = I.port_id and I.device_id = ‘2’]

Runtime for discovery module ‘arp-table’: 0.126 seconds

Unload disco module arp-table

SQL[SELECT attrib_value FROM devices_attribs WHERE device_id = ‘2’ AND attrib_type = ‘poll_mib’ ]
SQL[UPDATE devices set last_discovered =NOW(),type =‘firewall’,last_discovered_timetaken =‘0.126’ WHERE device_id = ‘2’] Discovered in 0.126 seconds

SQL[INSERT INTO perf_times (type,doing,start,duration,devices) VALUES (‘discover’,‘10.1.25.1’,‘1483031442.464’,‘0.307’,‘1’)] ./discovery.php 10.1.25.1 2016-12-29 17:10:42 - 1 devices discovered in 0.307 secs
MySQL: Cell[1/0s] Row[5/0.01s] Rows[2/0s] Column[0/0s] Update[1/0.01s] Insert[1/0.01s] Delete[0/0s]
[librenms@librenms ~]$

Does snmpwalk IP-MIB::ipNetToPhysicalTable return anything? Running the poller again with -d will show the snmp output.

I just learned that Cisco does not support retrieval of the ARP table via SNMP. I’m a bit shocked, and can’t figure out why they would limit this. Some sort of workaround sure would be nice.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/monitor-snmp.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/monitor_snmp.pdf

FWIW, if I run the snmpwalk, I get No Such Object.

[librenms@librenms ~]$ snmpwalk -v2c -c [scrubbed] 10.1.25.1 IP-MIB::ipNetToPhysicalTable
IP-MIB::ipNetToPhysicalTable = No Such Object available on this agent at this OID
[librenms@librenms ~]$

discovery.php shows the same.

[librenms@librenms ~]$ ./discovery.php -h 10.1.25.1 -d -m arp-table
LibreNMS 2015.master Discovery
Version info:
Commit SHA: 2489e70d8a3c34ae5c00204264dc01f41a22ada4
DB Schema: 126
PHP: 7.0.9
MySQL: 5.5.47-MariaDB
RRDTool: 1.4.8
SNMP: NET-SNMP version: 5.7.2

DEBUG!

SQL[SELECT version FROM dbSchema ORDER BY version DESC LIMIT 1]
SQL[SELECT revision FROM dbSchema] DB Schema already up to date.

SQL[SELECT * FROM devices WHERE status = 1 AND disabled = 0 AND hostname LIKE ‘10.1.25.1’ ORDER BY device_id DESC]
SQL[SELECT * FROM devices_attribs WHERE device_id = ‘2’] 10.1.25.1 2 asa (cisco)

Load disco module arp-table

SQL[SELECT attrib_value FROM devices_attribs WHERE device_id = ‘2’ AND attrib_type = ‘snmp_max_repeaters’ ]
/usr/bin/snmpbulkwalk -v2c -c COMMUNITY -Oq -m IP-MIB -M /opt/librenms/mibs udp:HOSTNAME:161 ipNetToMediaPhysAddress
IP-MIB::ipNetToMediaPhysAddress No Such Object available on this agent at this OID

SQL[SELECT * from ipv4_mac AS M, ports as I WHERE M.port_id = I.port_id and I.device_id = ‘2’]

Runtime for discovery module ‘arp-table’: 0.104 seconds

Unload disco module arp-table

SQL[SELECT attrib_value FROM devices_attribs WHERE device_id = ‘2’ AND attrib_type = ‘poll_mib’ ]
SQL[UPDATE devices set last_discovered =NOW(),type =‘firewall’,last_discovered_timetaken =‘0.105’ WHERE device_id = ‘2’] Discovered in 0.105 seconds

SQL[INSERT INTO perf_times (type,doing,start,duration,devices) VALUES (‘discover’,‘10.1.25.1’,‘1483036550.9965’,‘0.235’,‘1’)] ./discovery.php 10.1.25.1 2016-12-29 18:35:51 - 1 devices discovered in 0.235 secs
MySQL: Cell[1/0s] Row[5/0s] Rows[2/0s] Column[0/0s] Update[1/0.02s] Insert[1/0.01s] Delete[0/0s]
[librenms@librenms ~]$

Yeah seems pretty silly that ASAs don’t support arp table, almost all other Cisco gear does. LibreNMS currently only supports getting data from SNMP.

Silly indeed. I’ve contacted the local acct mgr SE already. With more and more orgs making firewalls the default-gateways for more and more networks, I’m surprised this hasn’t come up already. Oh well. Thanks anyhow for the quick pointer, it made the issue clear right away.
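Added example, not part of the original thread and not LibreNMS code: a small parser for the `snmpbulkwalk -Oq ... ipNetToMediaPhysAddress` output seen in the debug log above, which separates "agent does not expose the ARP table" (the ASA case) from "table present" when auditing which gateways can feed ARP data to the NMS. The function names and the router sample rows are constructed for illustration; the ASA line is the one from the thread.

```python
import re

# One row of `snmpbulkwalk -Oq -m IP-MIB ... ipNetToMediaPhysAddress` output:
#   IP-MIB::ipNetToMediaPhysAddress.<ifIndex>.<a.b.c.d> <mac>
ROW = re.compile(
    r"^IP-MIB::ipNetToMediaPhysAddress\.(\d+)\.(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)
# Exception strings net-snmp prints when the agent has nothing at the OID.
UNSUPPORTED = ("No Such Object", "No Such Instance")

# Line taken from the discovery.php debug output in this thread.
ASA_OUTPUT = ("IP-MIB::ipNetToMediaPhysAddress No Such Object "
              "available on this agent at this OID\n")
# Constructed sample of what a device that does expose the table returns.
ROUTER_OUTPUT = (
    "IP-MIB::ipNetToMediaPhysAddress.2.10.1.25.10 0:1b:21:3a:4f:9\n"
    "IP-MIB::ipNetToMediaPhysAddress.3.192.0.2.1 a4:5e:60:c2:7:d1\n"
)


def normalize_mac(raw):
    """net-snmp prints octets unpadded (0:1b:...); pad each to two digits."""
    octets = raw.split(":")
    if len(octets) != 6:
        raise ValueError("not a 6-octet MAC: %r" % raw)
    return ":".join("%02x" % int(o, 16) for o in octets)


def parse_arp_walk(output):
    """Return (status, rows); status is 'ok', 'unsupported' or 'empty'.

    rows is a list of (ifIndex, ipv4, mac) tuples.
    """
    rows = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if any(marker in line for marker in UNSUPPORTED):
            return "unsupported", []
        m = ROW.match(line)
        if not m:
            continue  # unrelated line (warnings, other OIDs)
        try:
            mac = normalize_mac(m.group(3))
        except ValueError:
            continue  # incomplete entry without a usable MAC
        rows.append((int(m.group(1)), m.group(2), mac))
    return ("ok" if rows else "empty"), rows
```

An "unsupported" result means the gap is on the agent side, so another source (for example the ARP tables of adjacent devices that do answer) is needed for those subnets.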