About Alarms
You can configure the ISA 3000 to issue alarms for a variety of conditions. If any conditions do not match the configured settings, the system triggers an alarm, which is reported by way of LEDs, syslog messages, SNMP traps, and through external devices connected to the alarm output interface. By default, triggered alarms issue syslog messages only.
You can configure the alarm system to monitor the following:
-
Power supply.
-
Primary and secondary temperature sensors.
-
Alarm input interfaces.
The ISA 3000 has internal sensors plus two alarm input interfaces and one alarm output interface. You can connect external sensors, such as door sensors, to the alarm inputs. You can connect external alarm devices, such as buzzers or lights, to the alarm output interface.
The alarm output interface is a relay mechanism. Depending on the alarm conditions, the relay is either energized or de-energized. When it is energized, any device connected to the interface is activated. A de-energized relay results in the inactive state of any connected devices. The relay remains in an energized state as long as alarms are triggered.
For information about connecting external sensors and the alarm relay, see Cisco ISA 3000 Industrial Security Appliance Hardware Installation Guide.
Alarm Input Interfaces
You can connect the alarm input interfaces (or contacts) to external sensors, such as one that detects if a door is open.
Each alarm input interface has a corresponding LED. These LEDs convey the alarm status of each alarm input. You can configure the trigger and severity for each alarm input. In addition to the LED, you can configure the contact to trigger the output relay (to activate an external alarm), to send syslog messages, and to send SNMP traps.
The following table explains the statuses of the LEDs in response to alarm conditions for the alarm inputs. It also explains the behavior for the output relay, syslog messages, and SNMP traps, if you enable these responses to the alarm input.
Alarm Status |
LED |
Output Relay |
Syslog |
SNMP Trap |
---|---|---|---|---|
Alarm not configured |
Off |
— |
— |
— |
No alarms triggered |
Solid green |
— |
— |
— |
Alarm activated |
Minor alarm—solid red Major alarm—flashing red |
Relay energized |
Syslog generated |
SNMP trap sent |
Alarm end |
Solid green |
Relay de-energized |
Syslog generated |
— |
Alarm Output Interface
You can connect an external alarm, such as a buzzer or light, to the alarm output interface.
The alarm output interface functions as a relay and also has a corresponding LED, which conveys the alarm status of an external sensor connected to the input interface, and internal sensors such as the dual power supply and temperature sensors. You configure which alarms should activate the output relay, if any.
The following table explains the statuses of the LEDs and output relay in response to alarm conditions. It also explains the behavior for syslog messages, and SNMP traps, if you enable these responses to the alarm.
Alarm Status |
LED |
Output Relay |
Syslog |
SNMP Trap |
---|---|---|---|---|
Alarm not configured |
Off |
— |
— |
— |
No alarms triggered |
Solid green |
— |
— |
— |
Alarm activated |
Solid red |
Relay energized |
Syslog generated |
SNMP trap sent |
Alarm end |
Solid green |
Relay de-energized |
Syslog generated |
— |
Syslog Alarms
By default, the system sends syslog messages when any alarm is triggered. You can disable syslog messaging if you do not want the messages.
For syslog alarms to work, you must also enable diagnostic logging on
. Configure a syslog server, console logging, or internal buffer logging.Without enabling a destination for diagnostic logging, the alarm system has nowhere to send syslog messages.
SNMP Trap Alarms
You can optionally configure the alarms to send SNMP traps to your SNMP server. For SNMP trap alarms to work, you must also configure SNMP settings.
Use FlexConfig to configure SNMP. For example, to enable an SNMP connection to the SNMP server at 192.168.1.25, which is available through the inside interface, and to use the SNMP server to receive traps only, create a FlexConfig object to issue the following commands. Replace the community string with the one configured on your SNMP server.
snmp-server host inside 192.168.1.25 trap
snmp-server community your-string
The negate template would be:
no snmp-server host inside 192.168.1.25 trap
no snmp-server community your-string
After you create the object, add it to the FlexConfig policy (
) and deploy the configuration.This is a minimal example, and it works for SNMP versions 1 and 2c. For complete information on configuring SNMP, including how to configure SNMP version 3, see the SNMP chapter of the CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide for the newest version of the ASA software. The guides are available at https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html.