SNMP - Not so "Simple"


I was tasked with getting Solarwinds to communicate with all of our network equipment.  I have been able to get everything into Solarwinds and recognized through SNMP but our ASA is not returning SNMP information.

I have been running a tool called getsnmp.exe which I can run from my workstation and I can get a response from my workstation after adding my ip address into the asa host access list.  If I then add the SolarWinds server to the Host access list, snmp still times out.  If I try from another workstation and add it to the list, it also times out.  If I change the ip address of the server to match my workstation address, snmp works.  I am utterly confused as to why it is only working with my IP address of my workstation.  Everything is on the same subnet.  Any help please?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Fred MarshallPrincipalCommented:
It sounds like the Solarwinds server is at the heart of the problem.  
Might the handshaking parameters such as the community string be different?  That seems a first thing to check.
brianblahaAuthor Commented:
No it is definitely some configuration on the ASA.  If I change the IP address of the server to match my workstation's ip address (which works), it then works in Solarwinds.  Obviously I only changed the IP for testing, I do not want to give my server a client IP address.  I would have thought I only need to add the host to the snmp host access list and it should work? All IP addresses involved are in the same subnet  I double and triple checked the community string, unfortunately that is not it.

Also, I should mention, to take windows firewall completely out of the question I disabled it.  So I don't believe it is a windows firewall issue either.
Try with a different SNMP Version on the client. Usually timouts are related to using a different snmp version (v1, v2c, v3)
brianblahaAuthor Commented:
I tried it, all versions time out.  ASA is set for v2c, as is the client.  From my workstation I am connecting successfully using v2c. From server, attempting v2c times out. I even went so far as disable v1 and v3 on the ASA to ensure it was using only v2c.  Do I need to open up anything else on the firewall? Other than adding the hosts to the snmp host access list and udp port 161?

I want to believe it is a setting on the ASA in regards to the firewall / ACL, but why only is able to poll snmp?
Does your community string include special characters such as "\"? Maybe it is escaping the next char.
Can you dump the tcp connection? (tcpdump or wireshark) Can you run a verbose snmp get?
brianblahaAuthor Commented:
Nope no special characters.  I reset it back to default public just to be sure for the time being.  Wireshark sees the packet leave but no response at all.  From my workstation wireshark sees the request and the response.
Fred MarshallPrincipalCommented:
I'm getting confused with the terms being used.  "host" "server" ......
The server is the device running the Solarwinds software.
It need not be told IP addresses of the devices being monitored - but it may need the subnet(s).
But, the devices being monitored need the IP address of the server.
brianblahaAuthor Commented:
The "host" term is coming from the ASA. SNMP Host Access List - I must add the server (a host can be a client or a server but in this case it is the solarwinds server) to the snmp host access list (see image)

Solarwinds monitors devices thru IP address and snmp / or wmi.  When I add a node into solarwinds to be monitored I add it with its ip address, so yes solarwinds needs the ip address of the device being monitored.  Also everything is on the same subnet.

Anyways netflow is working and that was the most important piece, would be nice to have snmp working as well though.  With our other Cisco ASA I had no problem adding solarwinds server to snmp hosts access list and it started polling snmp immediately.
How about the network configuration of the Solarwinds?
Please verify the network mask and gateway.
Fred MarshallPrincipalCommented:
OK.  Well, I'm used to using Paessler PRTG for this purpose.  It will just get all the devices that are set up to run SNMP.
But if the Solarwinds requires it then that's understandable as well.

I see no reason beyond setups that would cause this to happen.  
ASA security?
brianblahaAuthor Commented:
Issue went away on its own. I cannot explain the reason. Will close question.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
brianblahaAuthor Commented:
Closing question because issue went away on it's own.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Networking

From novice to tech pro — start learning today.