https://community.cisco.com/t5/network-security/snmpv3-hit-count-0/m-p/3360341#M975780 <P>I have just deleted snmp location, contact and community since snmp v3 doesn't use them.</P> <P>The issue is still there. I can only see snmptrap but snmp hit=0.</P> <P>In logging, I found %ASA-6-110002 error</P> <P>"Failed to local egress interface for protocol from src" --&gt; udp/161</P> <P>&nbsp;</P> <P>I conclude that it is a routing issue between zones.&nbsp;</P> <P>I have configured them with security-level 100 and globally "same-security-traffic permit inter-interface".</P> <P>&nbsp;</P> <P>Anyone can help?</P> <P>&nbsp;</P> <P>Regards.</P> Wed, 04 Apr 2018 12:21:27 GMT h.dam 2018-04-04T12:21:27Z https://community.cisco.com/t5/network-security/snmpv3-hit-count-0/m-p/3359669#M975778 <P>Hi everyone,</P> <P>I've configured snmpv3 client on my ASA with policies snmp and snmptrap.</P> <P>I found there are only snmptrap traffic from a switch (also configured snmpv3) on ASDM but snmp hit count stays 0.</P> <P>Then I run packet captures on this ASA ingress/engress traffic between NMS server and this switch.</P> <P>I saw traffic with ports 161, 162 talking between them =&gt; So ASA does its job well.</P> <P>&nbsp;</P> <P>My issue is: why I don't have traffic on snmp policy line while I saw it in wireshark capture.</P> <P>The policy is very simple. source = NMS server --&gt; destination = client port 161</P> <P>&nbsp;</P> <P>ASA version is 9.8(1), ASDM is 7.8(1)</P> <P>Thanks.</P> <P>&nbsp;</P> <P>Regards.</P> Fri, 21 Feb 2020 15:35:41 GMT https://community.cisco.com/t5/network-security/snmpv3-hit-count-0/m-p/3359669#M975778 h.dam 2020-02-21T15:35:41Z https://community.cisco.com/t5/network-security/snmpv3-hit-count-0/m-p/3359859#M975779 <P>Hi,</P> <P>I'm thinking about the difference between snmptrap (which matches the policy line) and snmp (which didn' match).</P> <P>snmptrap is v2, clear txt and unidirectional</P> <P>snmp is v3, encrypted and bidirectional</P> <P>&nbsp;</P> <P>Here's the snmp config on ASA:</P> <P>snmp-server group &lt;groupname&gt; v3 priv<BR />snmp-server user &lt;username&gt; &lt;groupname&gt; v3 encrypted auth sha &lt;auth-passwd&gt; priv aes 128 &lt;my-passwd&gt;</P> <P>snmp-server host &lt;interface&gt; 10.x.x.x version 3 &lt;username&gt;</P> <P>snmp-server contact 1.0<BR />snmp-server community *****<BR />snmp-server enable traps config<BR /><BR /></P> <P>Should I delete contact and/or community?</P> <P>&nbsp;</P> <P>Regards.</P> Tue, 03 Apr 2018 17:43:06 GMT https://community.cisco.com/t5/network-security/snmpv3-hit-count-0/m-p/3359859#M975779 h.dam 2018-04-03T17:43:06Z https://community.cisco.com/t5/network-security/snmpv3-hit-count-0/m-p/3360341#M975780 <P>I have just deleted snmp location, contact and community since snmp v3 doesn't use them.</P> <P>The issue is still there. I can only see snmptrap but snmp hit=0.</P> <P>In logging, I found %ASA-6-110002 error</P> <P>"Failed to local egress interface for protocol from src" --&gt; udp/161</P> <P>&nbsp;</P> <P>I conclude that it is a routing issue between zones.&nbsp;</P> <P>I have configured them with security-level 100 and globally "same-security-traffic permit inter-interface".</P> <P>&nbsp;</P> <P>Anyone can help?</P> <P>&nbsp;</P> <P>Regards.</P> Wed, 04 Apr 2018 12:21:27 GMT https://community.cisco.com/t5/network-security/snmpv3-hit-count-0/m-p/3360341#M975780 h.dam 2018-04-04T12:21:27Z https://community.cisco.com/t5/network-security/snmpv3-hit-count-0/m-p/3363707#M975781 <P>Hello,</P> <P>By using packet tracer and wireshark, I found the snmp traffic going in and out the FW (but no hit-count changes)</P> <P>On the NMS server side, if I run polling to devices, the snmp hit-count increases this time.</P> <P>The server is configured to poll every second. But if I do nothing the hit-count stays stable. I don't know if it is the FW security feature.</P> <P>Anyway, snmp works well.</P> <P>&nbsp;</P> <P>Regards.</P> Tue, 10 Apr 2018 19:45:58 GMT https://community.cisco.com/t5/network-security/snmpv3-hit-count-0/m-p/3363707#M975781 h.dam 2018-04-10T19:45:58Z