sillz
asked on
SNMP works between networks even though routing isn't working.
I just ran into an interesting problem. I have a network monitoring host on one network 10.5.0.0/16. I have wireless access points on another network 10.6.1.0/24. Access between the networks is controlled by a firewall.
I have enabled pings and SNMP on the firewall from 10.5.0.0/16 ---> 10.6.1.0/24. All other traffic is blocked. Pings fail, but the network monitoring host on 10.5.0.0/16 is successful in retrieving data from the access points over SNMP. If I do a trace route, I clearly see a routing problem. The first hop is the local gateway. The 2nd hop is out to the internet then it times out. So I understand that I have a routing problem and I know how to fix it.
My question is:
How can SNMP be working if the routing isn't working? I am certain that SNMP is working from 10.5.0.0/16 to 10.6.1.0/24. I set up monitoring on a host 10.5.1.5. It is retrieving real time data from 3 access points 10.6.1.6, 7, 8.
I thought that SNMP relies on UDP which is routable. How is this SNMP traffic traversing the network boundary when the routes are failing?
Just curious ...
"I have enabled pings and SNMP on the firewall from 10.5.0.0/16 ---> 10.6.1.0/24."
Check the routing table where 10.5.0.0/16 and 10.6.1.0/24 connect.
Each segment sends its packets up to the default gateway.
Which system are you using to perform the traceroute?
Windows uses ICMP packets, which should follow the route of a ping and be allowed through. Linux/Unix use UDP packets, which you've not included in the allow rule, which likely means that it is only allowed to flow out the default gateway to the internet, where it dies a non-routing death.
http://en.wikipedia.org/wiki/Traceroute
ASKER
Thanks Steve. I am doing an SNMP GET from 10.5.1.5 to the 3 wireless access points in 10.6.1.0. The firewall policy allows ping and SNMP. I know SNMP is working because I see data in my interface utilization charts that match test traffic I create through one access point, and I can do an snmpwalk from the SolarWinds box against the access point. If I disable the firewall policy, SNMP stops working. Ping never works, whether the policy is turned on or off.
ASKER CERTIFIED SOLUTION
ASKER
Thanks Qlemo,
You were correct. I had enabled the firewall policies on our main firewall, but there were "firewall filters" in place on our Juniper switch. SNMP had been allowed, but PING had not been allowed. Adding a firewall filter on the switch for PING resolved the problem.
If, however, you are saying that you can do an SNMP GET from one network to the wireless network and you successfully get data, then that means you have opened SNMP in both directions, and ping is either not open in both directions or something else is misconfigured.
Steve
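The thread ends with two filtering layers in play: a stateful policy on the main firewall and "firewall filters" on the Juniper switch that allowed SNMP but not ping. The following is an added example, not code from the thread or from any vendor, that models those two layers as rule lists and checks which probes (ping, an SNMP GET, a Windows ICMP tracert, a Linux UDP traceroute) can complete a round trip. It assumes the main firewall is stateful (the reply is allowed once the request matched) and the switch filters are stateless (the reply needs its own rule); the rule lists, the access point 10.6.1.6, and the ephemeral source ports are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "icmp" or "udp"
    sport: int = 0  # 0 for ICMP
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str
    sport: Optional[int] = None  # None matches any source port
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and p.proto == self.proto
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def permitted(rules: List[Rule], p: Packet) -> bool:
    """Permit-list semantics: a packet passes if any rule matches, else it is dropped."""
    return any(r.matches(p) for r in rules)


def round_trip(request: Packet, reply: Packet,
               stateful_rules: List[Rule], stateless_rules: List[Rule]) -> bool:
    """True if the request reaches the target and the reply gets back.

    The stateful layer only has to permit the request; it records the session
    and passes the reply automatically. The stateless layer has no session
    table, so the reply must match a rule of its own (Steve's "both directions").
    """
    if not permitted(stateful_rules, request):
        return False
    if not permitted(stateless_rules, request):
        return False
    return permitted(stateless_rules, reply)


# Constructed model of the main firewall policy from the question:
# ping and SNMP from 10.5.0.0/16 to 10.6.1.0/24, everything else blocked.
FIREWALL = [
    Rule("10.5.0.0/16", "10.6.1.0/24", "icmp"),
    Rule("10.5.0.0/16", "10.6.1.0/24", "udp", dport=161),
]

# Constructed switch filters as the asker found them: SNMP both ways, no ICMP.
SWITCH_BEFORE = [
    Rule("10.5.0.0/16", "10.6.1.0/24", "udp", dport=161),
    Rule("10.6.1.0/24", "10.5.0.0/16", "udp", sport=161),
]

# The fix the asker applied: add ICMP to the switch filters (both directions).
SWITCH_AFTER = SWITCH_BEFORE + [
    Rule("10.5.0.0/16", "10.6.1.0/24", "icmp"),
    Rule("10.6.1.0/24", "10.5.0.0/16", "icmp"),
]

MON, AP = "10.5.1.5", "10.6.1.6"  # monitoring host from the thread; AP address assumed

# Each probe as (request, reply). Source ports 50123/40000 are constructed.
PROBES: Dict[str, Tuple[Packet, Packet]] = {
    "ping": (Packet(MON, AP, "icmp"), Packet(AP, MON, "icmp")),
    "snmp get": (Packet(MON, AP, "udp", sport=50123, dport=161),
                 Packet(AP, MON, "udp", sport=161, dport=50123)),
    # Windows tracert sends ICMP echo, like ping.
    "windows tracert": (Packet(MON, AP, "icmp"), Packet(AP, MON, "icmp")),
    # Linux traceroute sends UDP to high ports; the answer is an ICMP error.
    "linux traceroute": (Packet(MON, AP, "udp", sport=40000, dport=33434),
                         Packet(AP, MON, "icmp")),
}


def diagnose(switch_rules: List[Rule], firewall: List[Rule] = FIREWALL) -> Dict[str, bool]:
    """Which probes complete a round trip through both layers."""
    return {name: round_trip(req, rep, firewall, switch_rules)
            for name, (req, rep) in PROBES.items()}


if __name__ == "__main__":
    for label, rules in (("before fix", SWITCH_BEFORE), ("after fix", SWITCH_AFTER)):
        print(label, diagnose(rules))
```

With the "before" filters, only the SNMP GET succeeds, which is exactly the symptom in the question: the stateless switch filter has an explicit rule for the SNMP reply (source port 161 back to 10.5.0.0/16) but nothing for ICMP, so ping and a Windows tracert are dropped at the switch. A Linux traceroute fails in both scenarios because its UDP probes to port 33434 never match the main firewall's allow rules, which is Steve's point about the traceroute transport. When a monitoring check "works" while a reachability test fails, compare the transports the two tests actually use before concluding that routing is broken.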