topic On an ASA you need to in Network Security

Monitoring an Interface on ASA

wesweber1 — Tue, 12 Mar 2019 05:51:23 GMT

I have a 5550, we want to poll the inside interface using a snmp monitoring app. I added the "management-access intfname" to allow the polling, but the snmp polling server isn't able to get info from the interface. The poller is getting info from interfaces on equipment inside the ASA.

Any suggestions as to why this isn't working?

On an ASA you need to

Marvin Rhoads — Tue, 28 Apr 2015 20:24:42 GMT

On an ASA you need to specifically allow the management servers to make SNMP queries. Only RO is supported on an ASA.

For SNMP v2c, the command would be:

snmp-server host <nameif> <server IP> community <snmp community string>

The snmp config was put on

wesweber1 — Tue, 28 Apr 2015 22:15:59 GMT

The snmp config was put on the ASA first and the snmp servers couldn't query the ASA. The management-access command was added to facilitate the snmp servers ability to talk to the ASA.

You might try capturing the

Marvin Rhoads — Wed, 29 Apr 2015 02:15:35 GMT

You might try capturing the traffic from the management server at the ASA and see what's happening.

Also, do you see any log messages when snmp polling fails? (assuming you have logging enabled at a sufficient level)

The solution is, there is a

wesweber1 — Fri, 29 May 2015 22:12:15 GMT

The solution is, there is a bug in v8.4 and above that prevents monitoring traffic (ping, ssh, snmptraffic, etc) from a VPN tunnel to pass through the ASA and connect to the interface with the management-access command applied on the ASA. This bug is documented in the release notes for 8.4.

The workaround is to add the keyword route-lookup to any nat statements that involve the subnet the "management" interface resides in.

I added the keyword to the nat statement and was able to ping and do snmp polls to the interface.