<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic ASA 5525-X SNMP not responding in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/asa-5525-x-snmp-not-responding/m-p/3372971#M961024</link>
    <description>&lt;P&gt;Hi All,&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'm trying to set up SNMPv3 on one of my production ASA 5525-Xs. From what I'm seeing, the ASA is never responding to the SNMP GET requests being sent from my NMS. I've also tried configuring SNMPv2c and have gotten the same result.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am running ASA version 9.2(2)4 and ASDM version 7.3(1)101 on this device currently.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;On this particular ASA, my network management subnet is associated with an interface called "P-Config". It is not using the "Management" port, but a regular gigabit Ethernet port. This interface is separate from my "Inside" interface. Additionally, the "Inside" interface is designated as the "Management Access Interface" in ASDM under "Management Access &amp;gt; Management Interface". As part of my testing, I have configured hosts in the "SNMP Host Access List" section of the SNMP config to use the "Inside" interface and the issue occurred on that interface as well. I am normally trying to set up the SNMP Host Access List entries using the P-Config interface. Both the "P-Config" and the "Inside" interface are security level 100.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;On the P-Config interface, I have rules allowing UDP ports 161 and 162 from the network management subnet to my NMS and vice versa. I have also added a "permit ip any any" rule at the top of the ACL for the P-Config interface as part of testing. Unfortunately, none of these rules make a difference. Just in case it wasn't clear - the P-Config interface and my NMS are on the same subnet.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have another ASA - a 5510 - that I use for testing purposes. It is running a similar code base, 9.1(5), and I was able to get SNMPv3 up and running for that device. It is communicating on my network management subnet and is using the same SNMPv3 credentials that I am entering into my production ASA. Same USM, same SNMP user, same SNMP user group.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Doing a Wireshark packet trace from the NMS to the ASA shows SNMP GET packets getting to the P-Config interface on the ASA, but I never receive a response. And yes, I have turned on SNMP on the ASA. Using the Packet Trace tool in ASDM and from the CLI, when I trace with the Source IP set as the IP of the P-Config interface to the IP of the NMS, I get an ACL-drop response due to the "Implicit Deny" rule... even when I have the "permit ip any any" rule enabled at the top of my P-Config ACL.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Here is a sanitized version of my SNMP config (not including location, traps, etc.):&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;snmp-server group snmp-asa v3 priv&lt;BR /&gt;snmp-server user nms snmp-asa v3 encrypted auth md5 HASH priv des HASH&lt;BR /&gt;snmp-server user-list snmp-grp-asa username nms&lt;BR /&gt;snmp-server host P-Config 172.x.x.x version 3 nms&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;At this point, I'm stumped. I've been through all the documentation, forums, blog posts, etc., I can find. I have an open case with Cisco TAC as well and so far they've been unable to find the problem.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Any assistance is appreciated.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 21 Feb 2020 15:40:12 GMT</pubDate>
    <dc:creator>tfabian-smith</dc:creator>
    <dc:date>2020-02-21T15:40:12Z</dc:date>
    <item>
      <title>ASA 5525-X SNMP not responding</title>
      <link>https://community.cisco.com/t5/network-security/asa-5525-x-snmp-not-responding/m-p/3372971#M961024</link>
      <description>&lt;P&gt;Hi All,&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'm trying to set up SNMPv3 on one of my production ASA 5525-Xs. From what I'm seeing, the ASA is never responding to the SNMP GET requests being sent from my NMS. I've also tried configuring SNMPv2c and have gotten the same result.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am running ASA version 9.2(2)4 and ASDM version 7.3(1)101 on this device currently.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;On this particular ASA, my network management subnet is associated with an interface called "P-Config". It is not using the "Management" port, but a regular gigabit Ethernet port. This interface is separate from my "Inside" interface. Additionally, the "Inside" interface is designated as the "Management Access Interface" in ASDM under "Management Access &amp;gt; Management Interface". As part of my testing, I have configured hosts in the "SNMP Host Access List" section of the SNMP config to use the "Inside" interface and the issue occurred on that interface as well. I am normally trying to set up the SNMP Host Access List entries using the P-Config interface. Both the "P-Config" and the "Inside" interface are security level 100.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;On the P-Config interface, I have rules allowing UDP ports 161 and 162 from the network management subnet to my NMS and vice versa. I have also added a "permit ip any any" rule at the top of the ACL for the P-Config interface as part of testing. Unfortunately, none of these rules make a difference. Just in case it wasn't clear - the P-Config interface and my NMS are on the same subnet.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have another ASA - a 5510 - that I use for testing purposes. It is running a similar code base, 9.1(5), and I was able to get SNMPv3 up and running for that device. It is communicating on my network management subnet and is using the same SNMPv3 credentials that I am entering into my production ASA. Same USM, same SNMP user, same SNMP user group.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Doing a Wireshark packet trace from the NMS to the ASA shows SNMP GET packets getting to the P-Config interface on the ASA, but I never receive a response. And yes, I have turned on SNMP on the ASA. Using the Packet Trace tool in ASDM and from the CLI, when I trace with the Source IP set as the IP of the P-Config interface to the IP of the NMS, I get an ACL-drop response due to the "Implicit Deny" rule... even when I have the "permit ip any any" rule enabled at the top of my P-Config ACL.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Here is a sanitized version of my SNMP config (not including location, traps, etc.):&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;snmp-server group snmp-asa v3 priv&lt;BR /&gt;snmp-server user nms snmp-asa v3 encrypted auth md5 HASH priv des HASH&lt;BR /&gt;snmp-server user-list snmp-grp-asa username nms&lt;BR /&gt;snmp-server host P-Config 172.x.x.x version 3 nms&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;At this point, I'm stumped. I've been through all the documentation, forums, blog posts, etc., I can find. I have an open case with Cisco TAC as well and so far they've been unable to find the problem.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Any assistance is appreciated.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 15:40:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-5525-x-snmp-not-responding/m-p/3372971#M961024</guid>
      <dc:creator>tfabian-smith</dc:creator>
      <dc:date>2020-02-21T15:40:12Z</dc:date>
    </item>
    <item>
      <title>Re: ASA 5525-X SNMP not responding</title>
      <link>https://community.cisco.com/t5/network-security/asa-5525-x-snmp-not-responding/m-p/3373497#M961025</link>
      <description>Two quick ideas:&lt;BR /&gt; - I would search the release notes of the software version for any SNMP-related bug/info&lt;BR /&gt; - please share the output of the "capture solve_snmp type asp-drop match ip snmp_server_IP"</description>
      <pubDate>Thu, 26 Apr 2018 08:39:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-5525-x-snmp-not-responding/m-p/3373497#M961025</guid>
      <dc:creator>Florin Barhala</dc:creator>
      <dc:date>2018-04-26T08:39:56Z</dc:date>
    </item>
    <item>
      <title>Re: ASA 5525-X SNMP not responding</title>
      <link>https://community.cisco.com/t5/network-security/asa-5525-x-snmp-not-responding/m-p/3377360#M961026</link>
      <description>&lt;P&gt;Hey there - sorry for the delayed response.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Turns out the answer was to reload the ASA. Ah, the first rule of IT troubleshooting: "Turn it off and back on."&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for the reply!&lt;/P&gt;</description>
      <pubDate>Thu, 03 May 2018 13:58:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-5525-x-snmp-not-responding/m-p/3377360#M961026</guid>
      <dc:creator>tfabian-smith</dc:creator>
      <dc:date>2018-05-03T13:58:00Z</dc:date>
    </item>
    <item>
      <title>Re: ASA 5525-X SNMP not responding</title>
      <link>https://community.cisco.com/t5/network-security/asa-5525-x-snmp-not-responding/m-p/3377887#M961027</link>
      <description>OK - glad it worked!</description>
      <pubDate>Fri, 04 May 2018 08:48:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-5525-x-snmp-not-responding/m-p/3377887#M961027</guid>
      <dc:creator>Florin Barhala</dc:creator>
      <dc:date>2018-05-04T08:48:10Z</dc:date>
    </item>
  </channel>
</rss>

