Alarms for the Cisco ISA 3000

You can configure the alarm system on a Cisco ISA 3000 device to alert you when undesirable conditions occur.

About Alarms

You can configure the ISA 3000 to issue alarms for a variety of conditions. If any conditions do not match the configured settings, the system triggers an alarm, which is reported by way of LEDs, syslog messages, SNMP traps, and through external devices connected to the alarm output interface. By default, triggered alarms issue syslog messages only.

You can configure the alarm system to monitor the following:

  • Power supply.

  • Primary and secondary temperature sensors.

  • Alarm input interfaces.

The ISA 3000 has internal sensors plus two alarm input interfaces and one alarm output interface. You can connect external sensors, such as door sensors, to the alarm inputs. You can connect external alarm devices, such as buzzers or lights, to the alarm output interface.

The alarm output interface is a relay mechanism. Depending on the alarm conditions, the relay is either energized or de-energized. When it is energized, any device connected to the interface is activated. A de-energized relay results in the inactive state of any connected devices. The relay remains in an energized state as long as alarms are triggered.

For information about connecting external sensors and the alarm relay, see Cisco ISA 3000 Industrial Security Appliance Hardware Installation Guide.

Alarm Input Interfaces

You can connect the alarm input interfaces (or contacts) to external sensors, such as one that detects if a door is open.

Each alarm input interface has a corresponding LED. These LEDs convey the alarm status of each alarm input. You can configure the trigger and severity for each alarm input. In addition to the LED, you can configure the contact to trigger the output relay (to activate an external alarm), to send syslog messages, and to send SNMP traps.

The following table explains the statuses of the LEDs in response to alarm conditions for the alarm inputs. It also explains the behavior for the output relay, syslog messages, and SNMP traps, if you enable these responses to the alarm input.

Alarm Status

LED

Output Relay

Syslog

SNMP Trap

Alarm not configured

Off

No alarms triggered

Solid green

Alarm activated

Minor alarm—solid red

Major alarm—flashing red

Relay energized

Syslog generated

SNMP trap sent

Alarm end

Solid green

Relay de-energized

Syslog generated

Alarm Output Interface

You can connect an external alarm, such as a buzzer or light, to the alarm output interface.

The alarm output interface functions as a relay and also has a corresponding LED, which conveys the alarm status of an external sensor connected to the input interface, and internal sensors such as the dual power supply and temperature sensors. You configure which alarms should activate the output relay, if any.

The following table explains the statuses of the LEDs and output relay in response to alarm conditions. It also explains the behavior for syslog messages, and SNMP traps, if you enable these responses to the alarm.

Alarm Status

LED

Output Relay

Syslog

SNMP Trap

Alarm not configured

Off

No alarms triggered

Solid green

Alarm activated

Solid red

Relay energized

Syslog generated

SNMP trap sent

Alarm end

Solid green

Relay de-energized

Syslog generated

Syslog Alarms

By default, the system sends syslog messages when any alarm is triggered. You can disable syslog messaging if you do not want the messages.

For syslog alarms to work, you must also enable diagnostic logging on Device > System Settings > Logging Settings. Configure a syslog server, console logging, or internal buffer logging.

Without enabling a destination for diagnostic logging, the alarm system has nowhere to send syslog messages.

SNMP Trap Alarms

You can optionally configure the alarms to send SNMP traps to your SNMP server. For SNMP trap alarms to work, you must also configure SNMP settings.

Use the threat defense API to configure SNMP. Click the more options button (More options button. ), and choose API Explorer. Then, look for the SNMP resource and examine the model documentation for information on how to configure the feature. You can use SNMP versions 2c or 3; version 1 is not supported. For complete information on configuring SNMP, see the SNMP chapter of the CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide for the newest version of the ASA software. The guides are available at https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html.

Defaults for Alarms

The following table specifies the defaults for alarm input interfaces (contacts), redundant power supply, and temperature.

Alarm

Trigger

Severity

SNMP Trap

Output Relay

Syslog Message

Alarm Contact 1

Enabled

Closed State

Minor

Disabled

Disabled

Enabled

Alarm Contact 2

Enabled

Closed State

Minor

Disabled

Disabled

Enabled

Redundant Power Supply (when enabled)

Enabled

Disabled

Disabled

Enabled

Temperature

Enabled for the primary temperature alarm (default values of 92°C and -40°C for the high and low thresholds respectively)

Disabled for the secondary alarm.

Enabled for primary temperature alarm

Enabled for primary temperature alarm

Enabled for primary temperature alarm

Configuring Alarms for the ISA 3000

You use FlexConfig to configure alarms for the ISA 3000. The following topics explain how to configure the different types of alarms.

Configure Alarm Input Contacts

If you connect the alarm input contacts (interfaces) to external sensors, you can configure the contacts to issue alarms based on the input from the sensor. In fact, the contacts are enabled by default to send syslog messages if the contact is closed, that is, if the electrical current stops flowing through the contact. You need to configure the contact only if the defaults do not meet your requirements.

The alarm contacts are numbered 1 and 2, so you need to understand how you have wired the physical pins to configure the correct settings. You configure the contacts separately.

Procedure

Step 1

Click View Configuration in Device > Advanced Configuration.

Step 2

Click FlexConfig > FlexConfig Objects in the Advanced Configuration table of contents.

Step 3

Click the + button to create a new object.

Step 4

Enter a name for the object. For example, Enable_Alarm_Contact.

Step 5

In the Template editor, enter the commands needed to configure the contact.

  1. Configure a description for the alarm contact.

    alarm contact {1 | 2} description string

    For example, to set the description of contact 1 to "Door Open," enter the following: 

    
alarm contact 1 description Door Open

  2. Configure the severity for the alarm contact.

    alarm contact {1 | 2 | any} severity {major | minor | none}

    Instead of configuring one contact, you can specify any to change the severity for all contacts. The severity controls the behavior of the LED associated with the contact.

    • major —The LED blinks red.

    • minor—The LED is solid red. This is the default.

    • none—The LED is off.

    For example, to set the severity of contact 1 to Major, enter the following: 

    
alarm contact 1 severity major

  3. Configure the trigger for the alarm contact.

    alarm contact {1 | 2 | any} trigger {open | closed}

    Instead of configuring one contact, you can specify any to change the trigger for all contacts. The trigger determines the electrical condition that signals an alert.

    • open —The normal condition for the contact is closed, that is, the electrical current is running through the contact. An alert is triggered if the contact becomes open, that is, the electrical current stops flowing.

    • closed —The normal condition for the contact is open, that is, the electrical current does not run through the contact. An alert is triggered if the contact becomes closed, that is, the electrical current starts running through the contact. This is the default.

    For example, you connect a door sensor to alarm input contact 1, and its normal state has no electrical current flowing through the alarm contact (it is open). If the door is opened, the contact is closed and electrical current flows through the alarm contact. You would set the alarm trigger to closed so that the alarm goes off when the electrical current starts flowing. 

    
alarm contact 1 trigger closed

  4. Configure the actions to take when the alarm contact is triggered.

    alarm facility input-alarm {1 | 2} {relay | syslog | notifies}

    You can configure more than one action. For example, you can configure the device to activate the external alarm, send syslog messages, and also send SNMP traps.

    • relay—Energize the alarm output relay, which activates the external alarm that you attached to it, such as a buzzer or a flashing light. The output LED also goes red.

    • syslog—Send a syslog message. This option is enabled by default.

    • notifies—Send an SNMP trap.

    For example, to enable all actions for the alarm input contact 1, enter the following: 

    
alarm facility input-alarm 1 relay 
alarm facility input-alarm 1 syslog
alarm facility input-alarm 1 notifies

Step 6

In the Negate Template editor, enter the lines required to undo this configuration.

All of these commands take the no form to disable them and return to default settings. For example, if your template includes all of the command examples shown in this procedure, the negate template would be the following: 


no alarm contact 1 description Door Open
no alarm contact 1 severity major 
no alarm contact 1 trigger closed 
no alarm facility input-alarm 1 relay 
no alarm facility input-alarm 1 syslog
no alarm facility input-alarm 1 notifies

Step 7

Click OK to save the object.

Step 8

Add the object to the FlexConfig policy.

  1. Click FlexConfig Policy in the table of contents.

  2. Click + in the Group List.

  3. Select the Enable_Alarm_Contact object and click OK.

    The preview should update with the commands in the template. Verify you are seeing the expected commands.

  4. Click Save.

    You can now deploy the policy.

Step 9

After deployment completes, in CLI Console or an SSH session, use the show running-config command and verify that the running configuration has the correct changes. Test the external sensor to verify that alarms are getting triggered.

Configure Power Supply Alarms

The ISA 3000 has two power supplies. By default, the system operates in single-power mode. However, you can configure the system to operate in dual mode, where the second power supply automatically provides power if the primary power supply fails. When you enable dual-mode, the power supply alarm is automatically enabled to send syslog alerts, but you can disable the alert altogether, or also enable SNMP traps or the alarm hardware relay.

The following procedure explains how to enable dual mode, and how to configure the power supply alarms.

Procedure

Step 1

Click View Configuration in Device > Advanced Configuration.

Step 2

Click FlexConfig > FlexConfig Objects in the Advanced Configuration table of contents.

Step 3

Click the + button to create a new object.

Step 4

Enter a name for the object. For example, Enable_Power_Supply_Alarm.

Step 5

In the Template editor, enter the commands needed to configure the power supply alarm.

  1. Enable dual power supply mode.

    power-supply dual

    For example: 

    
power-supply dual

  2. Configure the actions to take when the power supply alarm is triggered.

    alarm facility power-supply rps {relay | syslog | notifies | disable}

    You can configure more than one action. For example, you can configure the device to activate the external alarm, send syslog messages, and also send SNMP traps.

    • relay—Energize the alarm output relay, which activates the external alarm that you attached to it, such as a buzzer or a flashing light. The output LED also goes red.

    • syslog—Send a syslog message. This option is enabled by default.

    • notifies—Send an SNMP trap.

    • disable—Disable the power supply alarm. Any other actions configured for the power supply alarm are inoperable.

    For example, to enable all actions for the power supply alarm, enter the following: 

    
alarm facility power-supply rps relay 
alarm facility power-supply rps syslog
alarm facility power-supply rps notifies

Step 6

In the Negate Template editor, enter the lines required to undo this configuration.

All of these commands take the no form to disable them and return to default settings. For example, if your template includes all of the command examples shown in this procedure, the negate template would be the following: 


no power-supply dual
no alarm facility power-supply rps relay 
no alarm facility power-supply rps syslog
no alarm facility power-supply rps notifies

Step 7

Click OK to save the object.

Step 8

Add the object to the FlexConfig policy.

  1. Click FlexConfig Policy in the table of contents.

  2. Click + in the Group List.

  3. Select the Enable_Power_Supply_Alarm object and click OK.

    The preview should update with the commands in the template. Verify you are seeing the expected commands.

  4. Click Save.

    You can now deploy the policy.

Step 9

After deployment completes, in CLI Console or an SSH session, use the show running-config command and verify that the running configuration has the correct changes.

Configure Temperature Alarms

You can configure alarms based on the temperature of the CPU card in the device.

You can set a primary and secondary temperature range. If the temperature drops below the low threshold, or exceeds the high threshold, the alarm is triggered.

The primary temperature alarm is enabled by default for all alarm actions: output relay, syslog, and SNMP. The default settings for the primary temperature range is -40°C to 92°C.

The secondary temperature alarm is disabled by default. You can set the secondary temperature within the range -35°C to 85°C.

Because the secondary temperature range is more restrictive than the primary range, if you set either the secondary low or high temperature, that setting disables the corresponding primary setting, even if you configure non-default values for the primary setting. You cannot enable two separate high and two separate low temperature alarms.

Thus, in practice, you should configure the primary only, or the secondary only, setting for high and low.

Procedure

Step 1

Click View Configuration in Device > Advanced Configuration.

Step 2

Click FlexConfig > FlexConfig Objects in the Advanced Configuration table of contents.

Step 3

Click the + button to create a new object.

Step 4

Enter a name for the object. For example, Enable_Temperature_Alarm.

Step 5

In the Template editor, enter the commands needed to configure the temperature alarm.

  1. Configure the acceptable temperature range.

    alarm facility temperature {primary | secondary} {low | high} temperature

    The temperature is in Celsius. The allowed range for the primary alarm is -40 to 92, which is also the default range. The allowed range for the secondary alarm is -35 to 85. The low value must be lower than the high value.

    For example, to set a more restrictive temperature range of -20 to 80, which falls within the allowed range for the secondary alarm, configure the secondary alarm as follows: 

    
alarm facility temperature secondary low -20
alarm facility temperature secondary high 80

  2. Configure the actions to take when the temperature alarm is triggered.

    alarm facility temperature {primary | secondary} {relay | syslog | notifies}

    You can configure more than one action. For example, you can configure the device to activate the external alarm, send syslog messages, and also send SNMP traps.

    • relay—Energize the alarm output relay, which activates the external alarm that you attached to it, such as a buzzer or a flashing light. The output LED also goes red.

    • syslog—Send a syslog message.

    • notifies—Send an SNMP trap.

    For example, to enable all actions for the secondary temperature alarm, enter the following: 

    
alarm facility temperature secondary relay 
alarm facility temperature secondary syslog
alarm facility temperature secondary notifies

Step 6

In the Negate Template editor, enter the lines required to undo this configuration.

All of these commands take the no form to return to default settings (for the primary alarm) or disable them (for the secondary alarm). For example, if your template includes all of the command examples shown in this procedure, the negate template would be the following: 


no alarm facility temperature secondary low -20
no alarm facility temperature secondary high 80 
no alarm facility temperature secondary relay 
no alarm facility temperature secondary syslog
no alarm facility temperature secondary notifies

Step 7

Click OK to save the object.

Step 8

Add the object to the FlexConfig policy.

  1. Click FlexConfig Policy in the table of contents.

  2. Click + in the Group List.

  3. Select the Enable_Temperature_Alarm object and click OK.

    The preview should update with the commands in the template. Verify you are seeing the expected commands.

  4. Click Save.

    You can now deploy the policy.

Step 9

After deployment completes, in CLI Console or an SSH session, use the show running-config command and verify that the running configuration has the correct changes.

Monitoring Alarms

The following topics explain how to monitor and manage alarms.

Monitoring Alarm Status

You can use the following commands in the CLI to monitor alarms.

  • show alarm settings

    Shows the current configuration for each possible alarm.

  • show environment alarm-contact

    Shows information about the physical status of the input alarm contacts.

  • show facility-alarm relay

    Shows information about the alarms that have triggered the output relay.

  • show facility-alarm status [info | major | minor]

    Shows information on all alarms that have been triggered. You can limit the view by filtering on major or minor status. The info keyword provides the same output as using no keyword.

Monitoring Syslog Messages for Alarms

Depending on the type of alarms you configure, you might see the following syslog messages.

Dual Power Supply Alarms

  • %FTD-1-735005: Power Supply Unit Redundancy OK

  • %FTD-1-735006: Power Supply Unit Redundancy Lost

Temperature Alarms

In these alarms, Celsius is replaced by the temperature detected on the device, in Celsius.

  • %FTD-6-806001: Primary alarm CPU temperature is High Celsius

  • %FTD-6-806002: Primary alarm for CPU high temperature is cleared

  • %FTD-6-806003: Primary alarm CPU temperature is Low Celsius

  • %FTD-6-806004: Primary alarm for CPU Low temperature is cleared

  • %FTD-6-806005: Secondary alarm CPU temperature is High Celsius

  • %FTD-6-806006: Secondary alarm for CPU high temperature is cleared

  • %FTD-6-806007: Secondary alarm CPU temperature is Low Celsius

  • %FTD-6-806008: Secondary alarm for CPU Low temperature is cleared

Alarm Input Contact Alarms

In these alarms, description is the description for the contact that you configured.

  • %FTD-6-806009: Alarm asserted for ALARM_IN_1 alarm_1_description

  • %FTD-6-806010: Alarm cleared for ALARM_IN_1 alarm_1_description

  • %FTD-6-806011: Alarm asserted for ALARM_IN_2 alarm_2_description

  • %FTD-6-806012: Alarm cleared for ALARM_IN_2 alarm_2_description

Turning Off the External Alarm

If you are using an external alarm that is attached to the alarm output, and the alarm is triggered, you can turn off the external alarm from the device CLI using the clear facility-alarm output command. This command de-energizes the output pin and also turns off the output LED.