Solved

SNMP works between networks even though routing isn't working.

Posted on 2011-09-30
5
278 Views
Last Modified: 2012-05-12
I just ran into an interesting problem.  I have a network monitoring host on one network 10.5.0.0/16.  I have wireless access points on another network 10.6.1.0/24.  Access between the networks is controlled by a firewall.

I have enabled pings and SNMP on the firewall from 10.5.0.0/16 ---> 10.6.1.0/24.  All other traffic is blocked.  Pings fail, but the network monitoring host on 10.5.0.0/16 is successful in retrieving data from the access points over SNMP.  If I do a trace route, I clearly see a routing problem.  The first hop is the local gateway.  The 2nd hop is out to the internet then it times out.   So I understand that I have a routing problem and I know how to fix it.

My question is:

How can SNMP be working if the routing isn't working?  I am certain that SNMP is working from 10.5.0.0/16 to 10.6.1.0/24.  I set up monitoring on a host 10.5.1.5.  It is retrieving real time data from 3 access points 10.6.1.6, 7, 8.

I thought that SNMP relies on UDP which is routable.  How is this SNMP traffic traversing the network boundary when the routes are failing?

Just curious ...
Question by:sillz
5 Comments
LVL 16

Expert Comment

by:SteveJ
ID: 36896748
It isn't actually clear from your description whether it is really working or not. An SNMP trap only needs to work unidirectionally, that is, a trap from your wireless net to your other net may work even though the reverse does not. Ping is bidirectional, and must be open in both directions through the firewall.

If however you are saying that you can do an SNMP GET from one network to the wireless network and you successfully get data, then that means you have opened SNMP in both directions and ping is either not open in both directions or something else is misconfigured.

Steve
LVL 78

Expert Comment

by:arnold
ID: 36897177
"I have enabled pings and SNMP on the firewall from 10.5.0.0/16 ---> 10.6.1.0/24."
Check the routing table where 10.5.0.0/16 connects and where 10.6.1.0/24 connects.

Each segment sends its packet up to the default gateway.
Which system are you using to perform the traceroute?
Windows uses ICMP packets, which should follow the route of a ping and be allowed through. Linux/Unix use UDP packets, which you've not included in the allow rule, which likely means that it is only allowed to flow out the default gateway to the internet where it dies a non-routing death.
http://en.wikipedia.org/wiki/Traceroute

Author Comment

by:sillz
ID: 36897243
Thanks Steve. I am doing an SNMP GET from 10.5.1.5 to the 3 wireless access points in 10.6.1.0. The firewall policy allows ping and SNMP. I know SNMP is working because I see data in my interface utilization charts that match test traffic I create through one access point, and I can do an snmpwalk from the SolarWinds box against the access point. If I disable the firewall policy, SNMP stops working. Ping never works whether the policy is turned on or off.
LVL 70

Accepted Solution

by:Qlemo
Qlemo earned 500 total points
ID: 36903815
There needs to be more than revealed. ICMP, UDP, TCP all require routing. If the 10.5.0.0/16 network has the router as default gateway (with a 10.5.0.0/16 address) which connects both networks, and the same applies to the other network (with 10.6.1.0/24 addresses, of course), routing should be fine. As said by arnold, the default gateway is responsible for routing all traffic. And if it is the same, as I assume, as your firewall, then you have a firewall issue, not a routing issue.

There might be flaws in devices to ignore the subnet mask for one protocol and not the other. That might be an additional issue. Devices ignoring the subnet mask would expect both networks to be the same, no routing involved, which again would explain that some traffic cannot pass.

Author Closing Comment

by:sillz
ID: 37009247
Thanks Qlemo,

You were correct.  I had enabled the firewall policies on our main firewall, but there were "firewall filters" in place on our Juniper switch.  SNMP had been allowed, but PING had not been allowed.  Adding a firewall filter on the switch for PING resolved the problem.
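The root cause in Qlemo's answer and the closing comment (routing was fine; a second enforcement point, the switch's firewall filter, permitted SNMP but not ICMP) can be modelled as an ordered chain of per-device ACLs that every packet must pass. The code below is an added example, not from the thread or any vendor; the rule sets, the `Rule`/`evaluate` names and the "before/after" filters are constructed to match the addresses and policies described above, and it also shows why a Linux-style UDP traceroute is dropped at the main firewall while SNMP passes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the two enforcement points in the thread: the main
# firewall (opened for ping and SNMP) and the switch's "firewall filter"
# (which only allowed SNMP). A packet must be permitted by every device on
# the path; the first device whose rule list does not permit it drops it.

@dataclass(frozen=True)
class Rule:
    src: str               # source network, e.g. "10.5.0.0/16"
    dst: str               # destination network
    proto: str             # "icmp", "udp" or "tcp"
    dport: Optional[int]   # destination port, None = any
    action: str            # "permit" or "deny"

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto == proto
                and (self.dport is None or self.dport == dport))

def evaluate(chain, src, dst, proto, dport=None) -> str:
    """Walk each device's ordered rules; each device ends with an implicit deny."""
    for device, rules in chain:
        for rule in rules:
            if rule.matches(src, dst, proto, dport):
                if rule.action == "deny":
                    return f"denied by {device}"
                break  # permitted by this device, continue to the next hop
        else:
            return f"denied by {device} (implicit deny)"
    return "permitted"

MON = "10.5.1.5"   # monitoring host from the question
AP = "10.6.1.6"    # one of the access points

MAIN_FW = [Rule("10.5.0.0/16", "10.6.1.0/24", "icmp", None, "permit"),
           Rule("10.5.0.0/16", "10.6.1.0/24", "udp", 161, "permit")]
SWITCH_BEFORE = [Rule("10.5.0.0/16", "10.6.1.0/24", "udp", 161, "permit")]
SWITCH_AFTER = SWITCH_BEFORE + [Rule("10.5.0.0/16", "10.6.1.0/24", "icmp", None, "permit")]

def before_fix(proto, dport=None) -> str:
    return evaluate([("main firewall", MAIN_FW), ("switch filter", SWITCH_BEFORE)], MON, AP, proto, dport)

def after_fix(proto, dport=None) -> str:
    return evaluate([("main firewall", MAIN_FW), ("switch filter", SWITCH_AFTER)], MON, AP, proto, dport)

if __name__ == "__main__":
    for label, fn in (("before", before_fix), ("after", after_fix)):
        print(label, "| snmp:", fn("udp", 161), "| ping:", fn("icmp"), "| udp traceroute:", fn("udp", 33434))
```

Running it shows SNMP permitted in both states, ping denied by the switch filter only before the fix, and the UDP traceroute probe (port 33434) never getting past the main firewall, which is why the trace looked like a routing failure.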
