[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

SNMP - Not so "Simple"

Posted on 2014-08-05
12
Medium Priority
?
78 Views
Last Modified: 2016-10-28
Hello,

I was tasked with getting Solarwinds to communicate with all of our network equipment.  I have been able to get everything into Solarwinds and recognized through SNMP but our ASA is not returning SNMP information.

I have been running a tool called getsnmp.exe which I can run from my workstation and I can get a response from my workstation after adding my ip address into the asa host access list.  If I then add the SolarWinds server to the Host access list, snmp still times out.  If I try from another workstation and add it to the list, it also times out.  If I change the ip address of the server to match my workstation address, snmp works.  I am utterly confused as to why it is only working with my IP address of my workstation.  Everything is on the same subnet.  Any help please?
0
Comment
Question by:brianblaha
  • 6
  • 3
  • 3
12 Comments
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 40241994
It sounds like the Solarwinds server is at the heart of the problem.  
Might the handshaking parameters such as the community string be different?  That seems a first thing to check.
0
 

Author Comment

by:brianblaha
ID: 40242047
No it is definitely some configuration on the ASA.  If I change the IP address of the server to match my workstation's ip address (which works), it then works in Solarwinds.  Obviously I only changed the IP for testing, I do not want to give my server a client IP address.  I would have thought I only need to add the host to the snmp host access list and it should work? All IP addresses involved are in the same subnet 10.13.84.0/22.  I double and triple checked the community string, unfortunately that is not it.

Also, I should mention, to take windows firewall completely out of the question I disabled it.  So I don't believe it is a windows firewall issue either.
0
 
LVL 3

Expert Comment

by:nickoarg
ID: 40242057
Try with a different SNMP Version on the client. Usually timouts are related to using a different snmp version (v1, v2c, v3)
0
 

Author Comment

by:brianblaha
ID: 40242072
I tried it, all versions time out.  ASA is set for v2c, as is the client.  From my workstation I am connecting successfully using v2c. From server, attempting v2c times out. I even went so far as disable v1 and v3 on the ASA to ensure it was using only v2c.  Do I need to open up anything else on the firewall? Other than adding the hosts to the snmp host access list and udp port 161?

I want to believe it is a setting on the ASA in regards to the firewall / ACL, but why only 10.13.85.112 is able to poll snmp?
0
 
LVL 3

Expert Comment

by:nickoarg
ID: 40242095
Does your community string include special characters such as "\"? Maybe it is escaping the next char.
Can you dump the tcp connection? (tcpdump or wireshark) Can you run a verbose snmp get?
0
 

Author Comment

by:brianblaha
ID: 40242312
Nope no special characters.  I reset it back to default public just to be sure for the time being.  Wireshark sees the packet leave but no response at all.  From my workstation wireshark sees the request and the response.
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 40242359
I'm getting confused with the terms being used.  "host" "server" ......
The server is the device running the Solarwinds software.
It need not be told IP addresses of the devices being monitored - but it may need the subnet(s).
But, the devices being monitored need the IP address of the server.
0
 

Author Comment

by:brianblaha
ID: 40243582
The "host" term is coming from the ASA. SNMP Host Access List - I must add the server (a host can be a client or a server but in this case it is the solarwinds server) to the snmp host access list (see image)

asasnmp1.png
Solarwinds monitors devices thru IP address and snmp / or wmi.  When I add a node into solarwinds to be monitored I add it with its ip address, so yes solarwinds needs the ip address of the device being monitored.  Also everything is on the same subnet.

Anyways netflow is working and that was the most important piece, would be nice to have snmp working as well though.  With our other Cisco ASA I had no problem adding solarwinds server to snmp hosts access list and it started polling snmp immediately.
0
 
LVL 3

Expert Comment

by:nickoarg
ID: 40243602
How about the network configuration of the Solarwinds?
Please verify the network mask and gateway.
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 40244159
OK.  Well, I'm used to using Paessler PRTG for this purpose.  It will just get all the devices that are set up to run SNMP.
But if the Solarwinds requires it then that's understandable as well.

I see no reason beyond setups that would cause this to happen.  
ASA security?
0
 

Accepted Solution

by:
brianblaha earned 0 total points
ID: 40776745
Issue went away on its own. I cannot explain the reason. Will close question.
0
 

Author Closing Comment

by:brianblaha
ID: 40784703
Closing question because issue went away on it's own.
0
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses
Course of the Month19 days, 2 hours left to enroll

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question