Solved

SNMP works between networks even though routing isn't working.

Posted on 2011-09-30
5
274 Views
Last Modified: 2012-05-12
I just ran into an interesting problem.  I have a network monitoring host on one network 10.5.0.0/16.  I have wireless access points on another network 10.6.1.0/24.  Access between the networks is controlled by a firewall.

I have enabled pings and SNMP on the firewall from 10.5.0.0/16 ---> 10.6.1.0/24.  All other traffic is blocked.  Pings fail, but the network monitoring host on 10.5.0.0/16 is successful in retrieving data from the access points over SNMP.  If I do a trace route, I clearly see a routing problem.  The first hop is the local gateway.  The 2nd hop is out to the internet then it times out.   So I understand that I have a routing problem and I know how to fix it.

My question is:

How can SNMP be working if the routing isn't working?  I am certain that SNMP is working from 10.5.0.0/16 to 10.6.1.0/24.  I set up monitoring on a host 10.5.1.5.  It is  retrieving real time data from 3 access points 10.6.1.6, 7, 8.  

I thought that SNMP relies on UDP which is routable.  How is this SNMP traffic traversing the network boundary when the routes are failing?

Just curious ...
0
Comment
Question by:sillz
5 Comments
 
LVL 16

Expert Comment

by:SteveJ
Comment Utility
It isnt actually clear from your description whether it is really working or not. An SNMP trap only needs to work unidirectionally,that is, a trap from your wireless net to your other net may work even though the reverse does not. Ping is bidirectional, and must be open in both directions thru the fire wall.

If however you are saying the you can do an SNMP GET from one network to the wireless network and you successfully get data  then that means you have opened SNMP in both directions and ping is either not open in both directions or something else is misconfigured.

Steve
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
"I have enabled pings and SNMP on the firewall from 10.5.0.0/16 ---> 10.6.1.0/24."
Check the routing table where 10.5.0.0/16 connects and 10.6.1.0/24 connect

Each segments sends its packet up to the default gateway.
Which system are you using to perform the traceroute?
windows uses icmp packet which should follow the route of a ping and be allowed through. linux/unix use UDP packets which you've not included in the allow rule, which likely means that it is only allowed to flow out the default gateway to the internet where it dies a non-routing death.
http://en.wikipedia.org/wiki/Traceroute
0
 

Author Comment

by:sillz
Comment Utility
Thanks steve. I am doing an SNMP get from 10.5.1.5 to the 3 wireless access points in 10.6.1.0. The firewall policy allows ping and snmp. I know snmp is working because i see data in my interface utilization charts that match test traffic i create through one access point and i can do an snmpwalk from the solarwinds box against the access point. If i disable the firwall policy snmp stops working. Ping never works whether the policy is turned on or off.
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
Comment Utility
There needs to be more than revealed. ICMP, UDP, TCP all require routing. If the 10.5.0.0/16 network has the router as default gateway (with a 10.5.0.0/16 address) which connects both networks, and the same applies to other network (with 10.6.1.0/24 addresses, of course), routing should be fine. As said by arnold, the default gateway is responsible for routing all traffic. And if it the same, as I assume, as your firewall, then you have a firewall issue, no routing issue.

There might be flaws in devices to ignore the subnet mask for one protocol and not the other. That might be an additional issue. Devices ignoring the subnet mask would expect both networks to be the same, no routing involved, which again would explain that some traffic cannot pass.
0
 

Author Closing Comment

by:sillz
Comment Utility
Thanks Qlemo,

You were correct.  I had enabled the firewall policies on our main firewall, but there were "firewall filters" in place on our Juniper switch.  SNMP had been allowed, but PING had not been allowed.  Adding a firewall filter on the switch for PING resolved the problem.
0

Featured Post

Scale it in WD Gold

With up to ten times the workload capacity of desktop drives, WD Gold hard drives employ advanced technology to deliver among the best in reliability, capacity, power efficiency and performance.

Join & Write a Comment

In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now