December 2020

[Original] SNMP problem on an ASA with the SFR module

2759 views | 50 helpful | 7 comments
This post was last edited by YuanLi6689071 on 2020-10-19 17:16.
Model: ASA5516-FPWR-K9
Problem description: after the customer upgraded the SFR module from version 6.2.3 to 6.4.0.9, the SNMP function stopped working; on version 6.2.3 there was no problem.
After reconfiguring and saving, SNMP still shows as disabled. On the SNMP server the capture shows:
Paessler SNMP Tester 5.2.3 Computername: SECMANG3-PC Interface: 10.124.xx.xx
2020/10/14 15:41:20 (51 ms) : Device: xx.xx.xx.xx
2020/10/14 15:41:20 (71 ms) : SNMP V2c
2020/10/14 15:41:20 (90 ms) : Uptime
2020/10/14 15:41:23 (2162 ms) : SNMP Datatype: ASN_PRIMITIVE
2020/10/14 15:41:23 (2183 ms) : -------
2020/10/14 15:41:23 (2204 ms) : DISMAN-EVENT-MIB::sysUpTimeInstance = No response (check: firewalls, routing, snmp settings of device, IPs, SNMP version, community, passwords etc) (SNMP error # -2003) ( 0 seconds )
2020/10/14 15:41:25 (4236 ms) : SNMP Datatype: ASN_PRIMITIVE
2020/10/14 15:41:25 (4257 ms) : HOST-RESOURCES-MIB::hrSystemUptime.0 = No response (check: firewalls, routing, snmp settings of device, IPs, SNMP version, community, passwords etc) (SNMP error # -2003) ( 0 seconds )
2020/10/14 15:41:25 (4277 ms) : Done

TAC troubleshooting steps
1. An snmpwalk run from the SFR module itself fails with a timeout error.
root@firepower:/etc# snmpwalk -v2c -c dymos localhost
Timeout: No Response from localhost
2. The SNMP configuration files /var/net-snmp/snmpd.conf and /etc/snmpd.conf are missing.
3. Disabled the SNMP configuration, pushed the policy, then reconfigured the policy and deployed it again. The snmpd.conf file is still not created.
root@firepower:/etc# ls
DIR_COLORS environment inittab login.access ntp.drift request-key.d sudoers.d
HOSTNAME ethertypes inputrc login.defs opasswd resolv.conf sudoers.dist
ImageMagick-7 fstab iproute2 logrotate-size.conf openldap resolv.conf.bak sudoers.rpmorig
acpi fstab.in issue logrotate-size.d os.conf rpc sysconfig
adjtime gettydefs issue.net logrotate.conf oshadow scl.conf sysctl.conf
audisp group jwhois.conf logrotate.d pam.d scsi_id.config syslog-ng.conf
audit group- kernel mke2fs.conf passwd securetty syslog-ng.d
certs gshadow keyfob.conf modprobe.conf passwd- security termcap
clish gshadow- ld.so.cache modprobe.d patterndb.d services termcap-BSD
cron.allow hardwareclock ld.so.conf motd pkcs11 sf termcap-Linux
cron.d host.conf ldap.conf motd.in platform_config shadow udev
cron.daily hosts libaudit.conf mtab platform_functions shadow- watchdog.conf
cron.deny hosts.IPv4 libnl my.cnf profile shells wgetrc
cron.hourly hosts.IPv6 lilo.conf my.cnf.bak profile.d skel xinetd.conf
cron.monthly hosts.allow lilo.conf.in my.cnf.rpmorig protocols slackware-version xinetd.d
cron.weekly hosts.bak lilo.conf.prev my.cnf.rpmsave raddb snmpd.conf
crontab hosts.deny lilo.conf_example networks radiusclient ssh
csh.login hotplug.d lilo.d nfsmount.conf rc.d ssl
default httpd limits nscd.conf redhat-release ssl-noasm
dhclient.conf initramfs localtime nsswitch.conf request-key.conf sudoers
root@firepower:/etc#
root@firepower:/etc#
root@firepower:/etc# ls | grep -i snmp
snmpd.conf
root@firepower:/etc# cat snmpd
cat: snmpd: No such file or directory
root@firepower:/etc#
root@firepower:/etc#
root@firepower:/etc# cat snmpd.conf
cat: snmpd.conf: No such file or directory
root@firepower:/etc# ls
DIR_COLORS environment inittab login.access ntp.drift request-key.d sudoers.dist
HOSTNAME ethertypes inputrc login.defs opasswd resolv.conf sudoers.rpmorig
ImageMagick-7 fstab iproute2 logrotate-size.conf openldap resolv.conf.bak sysconfig
acpi fstab.in issue logrotate-size.d os.conf rpc sysctl.conf
adjtime gettydefs issue.net logrotate.conf oshadow scl.conf syslog-ng.conf
audisp group jwhois.conf logrotate.d pam.d scsi_id.config syslog-ng.d
audit group- kernel mke2fs.conf passwd securetty termcap
certs gshadow keyfob.conf modprobe.conf passwd- security termcap-BSD
clish gshadow- ld.so.cache modprobe.d patterndb.d services termcap-Linux
cron.allow hardwareclock ld.so.conf motd pkcs11 sf udev
cron.d host.conf ldap.conf motd.in platform_config shadow watchdog.conf
cron.daily hosts libaudit.conf mtab platform_functions shadow- wgetrc
cron.deny hosts.IPv4 libnl my.cnf profile shells xinetd.conf
cron.hourly hosts.IPv6 lilo.conf my.cnf.bak profile.d skel xinetd.d
cron.monthly hosts.allow lilo.conf.in my.cnf.rpmorig protocols slackware-version
cron.weekly hosts.bak lilo.conf.prev my.cnf.rpmsave raddb ssh
crontab hosts.deny lilo.conf_example networks radiusclient ssl
csh.login hotplug.d lilo.d nfsmount.conf rc.d ssl-noasm
default httpd limits nscd.conf redhat-release sudoers
4. With a snmpd.conf file in /etc/, redeployed the policy once more. The deployment removed snmpd.conf from /etc/.
The final finding is a bug in the current version:
https://cdetsng.cisco.com/summary/#/defect/CSCvt41763
Symptom:
System Policy changes pushed from ASDM to the SFR (FirePOWER) module are not applied.
1. Go to Configuration > ASA Firepower Configuration > Local > System Policy
2. Edit any available option, e.g. Time Synchronization to Manual configuration
3. Click on Save Policy and Exit
4. Deploy changes. Deployment is successful
5. Go to Configuration > ASA Firepower Configuration > Device Management > Device > System Policy, click on Default; it shows the Default System Policy without the changes applied
Conditions:
SFR module managed via Onbox
Workaround:
To avoid this issue, the following options are available:
- Use FMC to manage the SFR module
or
- Use FTD instead of ASA with the SFR module
or
- Use a FirePOWER module 6.2.3 release (e.g. 6.2.3.15) instead of 6.4 or a later release
Workaround: 1. Downgrade the SFR module version; 2. If the module is managed via ASDM, switch to FMC management.
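The TAC steps above reduce to two checks: does snmpd have the configuration files it expects, and does a local snmpwalk answer within a timeout? The script below is an added example for reproducing them on the module shell; it is not from the original post or from Cisco. It assumes that an entry `ls` lists but `cat` cannot open (as with /etc/snmpd.conf in the first listing) is a dangling symlink, and it uses a placeholder community string.

```shell
#!/bin/sh
# Added example (not the post's or Cisco's code). Reproduces the TAC checks
# for the SFR module's snmpd: config-file presence and a local SNMP probe.

# Classify one config path. Assumption: an entry that ls shows but cat
# cannot open is a dangling symlink (ls lists the link, cat follows it).
classify_conf() {
    path="$1"
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo "dangling-symlink"
    elif [ -f "$path" ]; then
        if [ -r "$path" ]; then echo "present"; else echo "unreadable"; fi
    elif [ -e "$path" ]; then
        echo "not-a-file"
    else
        echo "missing"
    fi
}

# Check every path snmpd is expected to read; succeed only if all are present.
check_snmp_confs() {
    rc=0
    for p in "$@"; do
        state=$(classify_conf "$p")
        echo "$p: $state"
        [ "$state" = "present" ] || rc=1
    done
    return $rc
}

# Local SNMP v2c probe of sysUpTime (1.3.6.1.2.1.1.3.0) with an explicit
# timeout in seconds and no retries, so a missing snmpd fails fast.
# Returns 0 on a response, 1 on timeout/error, 2 if snmpwalk is absent.
snmp_probe() {
    community="$1"; timeout_s="${2:-5}"
    command -v snmpwalk >/dev/null 2>&1 || { echo "snmpwalk not installed"; return 2; }
    if snmpwalk -v2c -c "$community" -t "$timeout_s" -r 0 \
        localhost 1.3.6.1.2.1.1.3.0 >/dev/null 2>&1; then
        echo "SNMP responds"; return 0
    fi
    echo "SNMP timeout: no response from localhost"; return 1
}

# Usage on the module (placeholder community string):
#   check_snmp_confs /etc/snmpd.conf /var/net-snmp/snmpd.conf
#   snmp_probe '<community>' 5
```

If the files are reported missing or dangling after a redeploy, the module is in the state the post describes, and the fix is the bug workaround (FMC management or the 6.2.3 train), not another reconfigure.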



Comments
Eccom-TAC
Beginner
Learned something, thanks for sharing!
jack lee
Beginner
I have run into a similar problem, thanks to the OP for sharing!
tht1013
Beginner
A very useful problem writeup.
jiahao xian
Beginner
Impressive, thanks!!!
likuo
Community Member
Well written.
David Chou
Rising star
Impressive, thanks for sharing
bo chen
Beginner
Full of useful content, thanks for sharing