Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

SNMP works between networks even though routing isn't working.

Posted on 2011-09-30
5
Medium Priority
?
282 Views
Last Modified: 2012-05-12
I just ran into an interesting problem.  I have a network monitoring host on one network 10.5.0.0/16.  I have wireless access points on another network 10.6.1.0/24.  Access between the networks is controlled by a firewall.

I have enabled pings and SNMP on the firewall from 10.5.0.0/16 ---> 10.6.1.0/24.  All other traffic is blocked.  Pings fail, but the network monitoring host on 10.5.0.0/16 is successful in retrieving data from the access points over SNMP.  If I do a trace route, I clearly see a routing problem.  The first hop is the local gateway.  The 2nd hop is out to the internet then it times out.   So I understand that I have a routing problem and I know how to fix it.

My question is:

How can SNMP be working if the routing isn't working?  I am certain that SNMP is working from 10.5.0.0/16 to 10.6.1.0/24.  I set up monitoring on a host 10.5.1.5.  It is  retrieving real time data from 3 access points 10.6.1.6, 7, 8.  

I thought that SNMP relies on UDP which is routable.  How is this SNMP traffic traversing the network boundary when the routes are failing?

Just curious ...
0
Comment
Question by:sillz
5 Comments
 
LVL 16

Expert Comment

by:SteveJ
ID: 36896748
It isnt actually clear from your description whether it is really working or not. An SNMP trap only needs to work unidirectionally,that is, a trap from your wireless net to your other net may work even though the reverse does not. Ping is bidirectional, and must be open in both directions thru the fire wall.

If however you are saying the you can do an SNMP GET from one network to the wireless network and you successfully get data  then that means you have opened SNMP in both directions and ping is either not open in both directions or something else is misconfigured.

Steve
0
 
LVL 80

Expert Comment

by:arnold
ID: 36897177
"I have enabled pings and SNMP on the firewall from 10.5.0.0/16 ---> 10.6.1.0/24."
Check the routing table where 10.5.0.0/16 connects and 10.6.1.0/24 connect

Each segments sends its packet up to the default gateway.
Which system are you using to perform the traceroute?
windows uses icmp packet which should follow the route of a ping and be allowed through. linux/unix use UDP packets which you've not included in the allow rule, which likely means that it is only allowed to flow out the default gateway to the internet where it dies a non-routing death.
http://en.wikipedia.org/wiki/Traceroute
0
 

Author Comment

by:sillz
ID: 36897243
Thanks steve. I am doing an SNMP get from 10.5.1.5 to the 3 wireless access points in 10.6.1.0. The firewall policy allows ping and snmp. I know snmp is working because i see data in my interface utilization charts that match test traffic i create through one access point and i can do an snmpwalk from the solarwinds box against the access point. If i disable the firwall policy snmp stops working. Ping never works whether the policy is turned on or off.
0
 
LVL 71

Accepted Solution

by:
Qlemo earned 2000 total points
ID: 36903815
There needs to be more than revealed. ICMP, UDP, TCP all require routing. If the 10.5.0.0/16 network has the router as default gateway (with a 10.5.0.0/16 address) which connects both networks, and the same applies to other network (with 10.6.1.0/24 addresses, of course), routing should be fine. As said by arnold, the default gateway is responsible for routing all traffic. And if it the same, as I assume, as your firewall, then you have a firewall issue, no routing issue.

There might be flaws in devices to ignore the subnet mask for one protocol and not the other. That might be an additional issue. Devices ignoring the subnet mask would expect both networks to be the same, no routing involved, which again would explain that some traffic cannot pass.
0
 

Author Closing Comment

by:sillz
ID: 37009247
Thanks Qlemo,

You were correct.  I had enabled the firewall policies on our main firewall, but there were "firewall filters" in place on our Juniper switch.  SNMP had been allowed, but PING had not been allowed.  Adding a firewall filter on the switch for PING resolved the problem.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

877 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question