- Preface
- Introduction
- Before You Begin
- Getting Started
- Using Summaries
- Monitoring Remote Access VPN Services
- Monitoring Site-to-Site VPN Services
- Monitoring Firewall Services
- Monitoring Load-Balancing Services
- Monitoring SSL Services
- Using Trend Reports
- Managing and Grouping Devices
- Performance Monitor Administration
- Frequently Asked Questions About Performance Monitor
- Index
User Guide for Cisco Performance Monitor 4.0
- Updated:
- October 31, 2013
Chapter: Before You Begin
Before You Begin
Unless you configure certain options and features on your server and in your network, Performance Monitor cannot operate as designed. This chapter explains what you must do, and what we recommend that you do, so that you can use all the features Performance Monitor provides.
|
|
|
|---|---|
Step 1 |
Configure supported devices for access. You must configure your devices so that Performance Monitor can validate, poll, and monitor them. See Bootstrapping Devices. |
Step 2 |
Either import or add devices. Performance Monitor cannot monitor a device until it has a local record of important device attributes. See Using the Importing Devices Wizard to Import or Add Devices. |
Step 3 |
Validate devices. See Validating Devices. Note |
Step 4 |
Configure email settings. Your server cannot send event notifications or distribute scheduled reports through email until you configure it for that purpose. See Setting Common Services to Use Email. |
Step 5 |
Configure SNMP. See Receiving SNMP Traps. |
Step 6 |
Configure the polling time out. Performance Monitor stops polling all devices if even a single device fails to respond within the polling time out, which is 30 seconds by default. You might need to increase this value if you are polling over slow WAN links. See Configuring the Polling Time Out. |
After you complete the required high-level tasks, you can monitor your devices and perform device operations. For example, you can:
•
Organize your devices in groups. See Managing Device Groups, page 11-9.
•View populated reports. See Chapter 10, "Using Trend Reports."
Tip We recommend that you set a firewall filter to secure your network any time you enable an insecure protocol such as SNMP.
Bootstrapping Devices
You must set up devices so Performance Monitor can validate, poll, and monitor them, as described in the following topics:
•Setting Up SSL Services Modules
•Setting Up Catalyst 6500 Switches
•Setting Up ASA Appliances, PIX Devices, and Firewall Services Modules
•Setting Up VPN 3000 Concentrators
•Setting Up IPSec VPN Shared Port Adapters (VPN SPA)
Setting Up SSL Services Modules
The following table shows the required setup procedures for SSL services modules. For detailed documentation of Catalyst 6500 switches and SSL services modules, see Cisco.com.
Setting Up Routers
The following table shows the required setup procedures for supported Cisco routers. For detailed documentation of Cisco routers, see Cisco.com.
Setting Up Catalyst 6500 Switches
The following table shows the required setup procedures for Catalyst 6500 switches in which IPSec VPN services modules or CSM services modules are running. For detailed documentation of Catalyst 6500 switches and IPSec VPN or CSM services modules, see Cisco.com.
Setting Up ASA Appliances, PIX Devices, and Firewall Services Modules
The following table shows the required setup procedures for ASA appliances and PIX firewalls, and for Catalyst 6500 switches in which firewall services modules are running. For detailed documentation of these devices and technologies, see Cisco.com.
Setting Up VPN 3000 Concentrators
The following table shows the required setup procedures for VPN 3000 Concentrators.
For detailed documentation on VPN 3000 Concentrators, see Cisco.com. For detailed documentation on the VPN 3000 Concentrator Series Manager application, see VPN 3000 Series Concentrator Reference Volume I: Configuration and VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring.
|
|
|
|---|---|
Step 1 |
Enable HTTPS for the VPN 3000 Concentrator Series Manager (4.01 and earlier releases). Although the VPN 3000 Concentrator Series Manager supports both HTTP and HTTPS connections, as a best practice, we recommend that you use HTTPS. An HTTPS connection requires an SSL certificate. 1. 2. 3. |
Step 2 |
Enable HTTPS for the VPN 3000 Concentrator Series Manager (4.1 and later releases). You can enable HTTPS on the concentrator in either of two ways—using your browser or the concentrator CLI. Note that an HTTPS connection requires an SSL certificate. • • |
Step 3 |
Enable HTTPS management sessions for the VPN 3000 Concentrator Series Manager (4.1 and later releases). 1. 2. 3. 4. 5. 6. 7. |
Step 4 |
Enable SNMP. 1. 2. 3. 4. 5. 
Caution SNMP is not a secure protocol. We recommend that you create a firewall filter to secure SNMP traffic.
|
Step 5 |
Enable the XML interface. You must enable the XML interface for at least one VPN concentrator in every remote access VPN cluster. It is not necessary to enable the XML interface on any concentrator that is not part of a cluster. 1. 2. |
Step 6 |
Configure linkup and linkdown traps. 1. 2. 3. 4. 5. 6. |
Step 7 |
Configure Syslog. The User Session Report feature under the Reports tab can operate only if you enable Syslog on your VPN concentrators. 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. |
Setting Up IPSec VPN Shared Port Adapters (VPN SPA)
The following table shows the required setup procedure for VPN SPA.
|
|
|
|---|---|
Step 1 |
Enable HTTPS. Enter ip http secure server. |
Using the Importing Devices Wizard to Import or Add Devices
Performance Monitor requires information about your devices in order to communicate with them. Use the Importing Devices wizard to import devices or to manually enter the IP addresses, hostnames, and read-only community strings for supported devices in your network. Importing is a mechanism by which you transfer a descriptive list of device attributes (and sometimes device group membership lists) from an outside inventory to Performance Monitor.
Options in the Importing Devices wizard enable you to import device attributes from a comma-separated value (CSV) file or from the Device Credentials Repository (DCR) on a Common Services-based server, or you can add device attributes manually. For general information about using wizards, see Using Wizards, page 3-10.
You cannot add, import, or validate:
•Any usupported device type. For a list of supported devices, see Supported Devices and Software Versions for Cisco Security Manager.
•Any device when the MCP process has stopped. See MCP Process Maintenance, page 3-16.
•Any device that uses a dynamic IP address or lacks configured SNMP values.
•A VPN 3000 Series concentrator, unless you specify the correct SNMP and XML credentials, HTTPS is enabled, and the VPN 3000 Concentrator Series Manager is running.
Before You Begin
Make sure that you have the correct privileges to import or add devices. See Understanding User Permissions, page 3-2.
Procedure
Step 1 Select Devices > Importing Devices, then click Import.
Step 2 Select one of the following methods to add devices, then click Next.
•From CSV File, to use a comma-separated values file that contains the devices.
You can import device attributes from a comma-separated value file in CSV 2.0 format only. To display a valid CSV example, click See sample CSV file in the next step. Note that Performance Monitor cannot import and validate SSL services module attributes from a CSV file.
Before you can import devices from a CSV file, you must find or generate a CSV file of device attributes information and upload it to the server on which you installed Performance Monitor. Many element management systems enable you to export device inventory information. See your EMS software documentation to learn how to export inventory information in a CSV file. Performance Monitor has no default upload directory or configuration directory.
•Manually Add New Devices, to enter specific device information directly.
•From Device Credentials Repository, to import devices from the Common Services Device Credentials Repository (DCR). You must already have populated the DCR on this or another server to import the devices. Also, the DCR server must be configured as a master server. To learn how to configure a master DCR server, see the Common Services online help.
Step 3 If you selected From CSV File, complete the following procedure; otherwise, continue with the next step.
a. Enter the complete local (on your server) pathname of the CSV file to upload, then click Next.
For example, you might enter c:\temp\devicelist.csv. You can include or exclude any combination of devices you find in the CSV file.
b. Select the check boxes for one or more devices to mark device attributes for import. To select all of the devices, select the check box in the column heading row.
c. To save your selections, click Next.
d. To review a list of the devices whose attributes you selected, click Next.
Step 4 If you selected Manually Add New Devices, complete the following procedure; otherwise, continue with the next step.
a. From the Device Type list, select the relevant device type.
When you add multiple devices simultaneously, they must all be of the same device type. Otherwise, Performance Monitor queries during polling are inappropriate and polling results are unreliable. You must complete this step each time you manually add a different kind of device.
b. To specify the IP addresses or DNS names of the devices you plan to add, enter one or more IP addresses or DNS names in the Device Names/IP Addresses text box. Separate multiple address entries with a space or a comma.
c. Click Next.
You can specify SNMP information and Telnet login credentials (if applicable) for devices you add, but validation and polling for a device take more time to complete if the number of SNMP retries or the SNMP timeout period is greater than the default.
d. Enter the read community string in the Read Community text box.
The read community string is a password that allows read-only access to the specified devices. A single entry in the Read Community text box can apply to multiple devices, provided all of the read community strings are identical on all devices. The default entry on most devices and in Performance Monitor is public. If the community strings on your devices differ from the default, you must specify the correct community strings before validation can begin and before you can configure the devices.
e. Select a value from the SNMP Timeout list.
This is the number of seconds Performance Monitor waits for a response from the device before it asks again for a response. The minimum is 1 second and the maximum is 60 seconds. The default is 3 seconds.
f. Select a value from the SNMP Retries list.
This is the number of attempts Performance Monitor makes to communicate with the device before declaring that the device has timed out. The default is 1.
g. Do one of the following:
•If you are using the local username database on the device or an external AAA server, such as TACACS, enter the administrative username in the Username field. As you enter the username, the labels of the fields beneath it are changed to User Password, and Confirm User Password respectively. Enter the administrative password in the User Password field, then in the Confirm User Password field.
Note The User Password and Confirm User Password fields toggle between the Enable Password and Confirm Enable Password fields, depending on whether you are using local database or an external AAA server, or enable password authentication.
•If you are using enable password authentication, leave the username blank, enter the enable password in the Enable Password text box, and then confirm it in the Confirm Enable Password field.
The enable password activates the privileged enable mode on a device when you access the device through a remote Telnet connection. Certain privileged operations can take place only when a device is running in enable mode.
h. Enter the HTTPS port number that the device uses for secure communication with Performance Monitor. The default port 443 is displayed in this field if you do not modify it.
The security appliance can support both SSL VPN connections and HTTPS connections for Performance Monitor sessions simultaneously on the same interface. Both HTTPS and SSL VPN use port 443 by default. Therefore, to enable both HTTPS and SSL VPN on the same interface, you must specify a different port number for either HTTPS or WebVPN. An alternative is to configure SSL VPN and HTTPS on different interfaces.
i. To save your selections and move to the next step, click Next.
Performance Monitor lists the devices whose attributes you added, so you can review your entries before validation occurs.
Step 5 If you selected From Device Credentials Repository, complete the following procedure; otherwise, continue with the next step.
a. Enter the following required information:
•Host—The IP address or hostname of the DCR server. If you populated the DCR inventory on the same server as Performance Monitor, you can use the loopback IP address 127.0.0.1.
•Port—The port number on which the DCR server receives HTTPS requests. The port by default is 443.
•Username—The username of any user with authority to export and import devices.
•Password—The password associated with the username.
b. Click Next.
c. Select the check boxes for one or more devices to mark device attributes for import. To select all of the devices, select the check box in the column heading row.
d. To save your selections and review a list of the devices whose attributes you selected, click Next.
Performance Monitor lists the devices so you can review your entries before validation occurs.
Step 6 To complete the process, click Finish. A one-time validation job starts immediately after you add or import devices. To learn about validation, see Validating Devices.
Tip If you imported device attributes from a CSV file, delete that file now to prevent unauthorized use of the confidential information that it contains. The unencrypted file contains important device credentials information. Its availability puts the security of your network at risk.
Validating Devices
When you validate a device of any kind, you confirm that it exists and is reachable, has the required features and interfaces enabled, has the correct credentials, uses a static (non-dynamic) IP address, and has configured SNMP values. Device validation also confirms that a VPN 3000 Series concentrator uses the correct XML credentials, has enabled HTTPS, and has enabled the VPN 3000 Concentrator Series Manager.
During device validation, Performance Monitor sets all validated devices to a managed state by default — meaning that polling is enabled. If you choose to move a device to an unmanaged state, you must revalidate it before you can monitor its health or performance.
By default, device validation occurs automatically once every day, at midnight. It occurs also at other times and intervals that you specify. You can perform an immediate, one-time validation at any time.
Performance Monitor cannot validate:
•Any usupported device type. For a list of supported devices, see Supported Devices and Software Versions for Cisco Security Manager.
•Any device when the MCP process has stopped. See MCP Process Maintenance, page 3-16.
•Any device that uses a dynamic IP address or lacks configured SNMP values.
•A VPN 3000 Series concentrator, unless you specify the correct SNMP and XML credentials, HTTPS is enabled, and the VPN 3000 Concentrator Series Manager is running.
The following topics explain how to schedule device validations, review the results of completed validation tasks, and run unscheduled validations.
•Scheduling Device Validations
•Viewing Historical Validation Tasks
Scheduling Device Validations
You can specify that device validation tasks occur at times of your choosing and recur at intervals of your choosing, or you can run an immediate, one-time validation.
Before You Begin
Make sure that you have the correct privileges to use this option. See Understanding User Permissions, page 3-2.
Procedure
Step 1 Select Devices > Importing Devices.
Step 2 In the Device Validation Tasks page, click Revalidate, then select options from the lists in the Start Time area.
Tip The Start Time lists signify these values in this order from left to right: Month, calendar date, year, hour, and minute.
Step 3 (Optional) To repeat validation at a specific interval:
a. Select the Repeat check box.
b. Enter a numeral in the Every text box.
c. Select an interval type (for example, hours) from the list.
Step 4 Do one of the following:
•To save and implement your changes, click Apply.
•To discard your changes, close the Schedule Validation Task page, and return to the Device Validation Tasks page, click Cancel.
Tip To run an unscheduled validation once, immediately, click Run Now.
Viewing Historical Validation Tasks
You can display the results of past device validations.
Before You Begin
Make sure that you have the correct privileges to use this option. See Understanding User Permissions, page 3-2.
Procedure
Step 1 Select Devices > Importing Devices.
Performance Monitor lists the 15 most recent validation tasks and describes their status.
Step 2 Click a radio button in the Device Validation Tasks list, then click Details.
The Validation Task Details window displays the historical validation results.
Step 3 Do one of the following:
•To update the Validation Task Details window if you believe that its displayed values are out-of-date, click Refresh.
•To close the Validation Task Details window, click OK.
Validation Status
Historical task status messages are as follows.
Validation Details
There is only one kind of task detail message for a successful validation:
The device DNS name | IP address was imported successfully.
That message applies to any and every successful validation, regardless of service type or device type.
Historical validation task detail messages for validation failure vary by service type. Validation failure messages are as follows. (Generic messages might apply to the types of services and devices named in this table, or to other supported devices and services, such as IPSec VPN services modules or load-balancing services provided by CSM services modules.)
|
|
|
|---|---|
(Generic) |
The device DNS name | IP address could not be imported because the SNMP request timed out. |
The device DNS name | IP address could not be imported because the object identifier is not supported. |
|
The device DNS name | IP address could not be imported. Either HTTPS was not enabled or the credentials are not correct. |
|
The device DNS name | IP address could not be imported. The device name could not be resolved into an IP address. Verify that the device has a static IP address. Performance Monitor does not support dynamic IP addressing.
|
|
The device DNS name | IP address could not be imported. The chassis does not contain any supported services modules. Note |
|
SSL |
The device DNS name | IP address could not be imported. Either the version of SSL is not supported or the IP address is not for an SSL module. |
The device DNS name | IP address could not be imported because the SSL module credentials are unknown. |
|
The device DNS name | IP address could not be imported because Performance Monitor could not communicate with the SSL module. |
|
The device DNS name | IP address could not be imported because the SSL login credentials are not correct. |
|
Firewalls |
The device DNS name | IP address could not be imported. Either the firewall HTTPS interface was not enabled or the credentials are not correct. |
The device DNS name | IP address could not be imported. The device must be imported using the Admin context IP address or DNS name. |
|
Routers |
The device DNS name | IP address could not be imported because this router does not support the IPSec MIB. |
RAS VPN |
The device DNS name | IP address import was partially successful. To monitor the cluster clustername, you must import the device IP address. |
The device DNS name | IP address import was partially successful. To monitor the cluster, you must enable the XML interface or enter the correct login credentials. Note |
|
The device DNS name | IP address could not be imported. Performance Monitor cannot establish an HTTPS connection with the VPN 3000 Concentrator Series Manager. Please verify that HTTPS is enabled. |
|
The device DNS name | IP address could not be imported. Performance Monitor cannot validate the device credentials against the VPN 3000 Concentrator Series Manager. Please verify that you entered the correct device credentials. |
|
The device DNS name | IP address could not be imported. Performance Monitor cannot establish an HTTPS connection with the VPN 3000 Concentrator Series Manager: HTTP < HTTPCode > - < HTTPResponse >. Please verify that Management HTTPS sessions are allowed. |
|
Adaptive Security Appliances |
Some of the ASA Series clusters failed to be validated. Note |
Performance Monitor displays these additional RAS VPN validation details if at least one device has been validated or if at least one cluster was not validated: • • • |
|
Setting Common Services to Use Email
You must configure Common Services to use an email server before Performance Monitor can send notifications of events or distribute scheduled reports through email.
Before You Begin
To complete this procedure, your user role must be either System Administrator or Network Administrator. See Understanding User Permissions, page 3-2.
Procedure
Step 1 From the https://<server_name>/cwhp/cwhp.applications.do page on the server where you installed Performance Monitor, select Common Services > Server > Admin.
A new browser window opens to the Admin page in Common Services.
Step 2 In the TOC, click System Preferences, then do the following:
a. In the SMTP Server field, enter localhost, or specify the IP address or fully qualified DNS name of a different mail server to use, such as: mailserver.example.com.
b. In the CiscoWorks Email ID field, enter the fully qualified email return address, such as: admin@example.com.
Step 3 Click Apply.
Receiving SNMP Traps
Note For a list of the SNMP traps that Performance Monitor can process, see Working with Notifications, page 12-1.
If any other application on your server receives SNMP traps through UDP port 162, your installed copy of Performance Monitor will not receive any SNMP traps or display any information about events that are based on SNMP traps. In such cases, you must configure the conflicting application to forward its traps to another port and you must configure Performance Monitor to listen for traps on a different port.
Procedure
Step 1 To open a DOS prompt window, select Start > Run, enter cmd, then click OK.
Step 2 Enter the following at the command line: $NMSROOT\bin\perl.exe $NMSROOT\mcp\bin\modifyTrapReceiverPort.pl port
where port is the identifying number of the UDP port at which Performance Monitor should receive its SNMP traps, and $NMSROOT is the directory in which you installed Performance Monitor, for example, C:\Program Files\CSCOpx.
Step 3 Press Enter.
Configuring the Polling Time Out
Performance Monitor stops polling all devices that are enabled for monitoring even if one device takes more than 30 seconds to return results. When Performance Monitor tries to retrieve the output of show commands from devices using HTTPS, retrieval of a single show command on a device might take more than 30 seconds, causing stoppage of polling. This problem might occur if Performance Monitor polls the device over a very slow WAN link.
The polling time out period for CLI commands is set by default to 30 seconds in the device.properties file available in the NMSROOT\mcp\conf\devices directory, where NMSROOT is the directory in which you installed Performance Monitor. If polling a device takes a long time, change the time out value by modifying the following line in the device.properties file:
Polling.CLIQuery.Timeout=timeout_value
where timeout_value is the polling time out period in seconds.
Feedback