Enthusiast

SNMP and ACI

So Tomas de Leon has put together a really excellent guide for configuring SNMP, and it's also just been recently updated and so is very current (Sept 2016). Having followed his instructions, I'm still not able to query the APICs.

The leafs are all fine.

----------------------- New Test -----------------------
Paessler SNMP Tester 5.2.3 Computername: PARADISEDANCER Interface: 10.1.12.198
10/20/2016 12:46:43 PM (4 ms) : Device: 10.5.1.41
10/20/2016 12:46:43 PM (7 ms) : SNMP V2c
10/20/2016 12:46:43 PM (9 ms) : Custom OID 1.3.6.1.2.1.1.1.0
10/20/2016 12:46:43 PM (93 ms) : SNMP Datatype: ASN_OCTET_STR
10/20/2016 12:46:43 PM (99 ms) : -------
10/20/2016 12:46:43 PM (101 ms) : Value: Cisco NX-OS(tm) aci, Software (aci-n9000-system), Version 12.0(1o), RELEASE SOFTWARE Copyright (c) 2002-2015 by Cisco Systems, Inc. Compiled 2016/07/16 20:44:43
10/20/2016 12:46:43 PM (103 ms) : Done

I searched for exactly which MIBs were supported on the APICs and looked for a generic OID I might use. I made sure each APIC node had a static management address.

Cisco System MIB

csy Clock Date And Time
1.3.6.1.4.1.9.9.131.1.1.1
Here is the error. There are no firewalls, all host firewalls have been disabled and I know that works because I'm using the same host to get SNMP from the leafs and spines.  I have the OOB contract defined with filters for udp 161 and 162.
Any suggestions or pointers would be most welcome!
I'm using technote-aci-snmp_external-v3-0.pdf dated Sept 15 2016.
----------------------- New Test -----------------------
Paessler SNMP Tester 5.2.3 Computername: PARADISEDANCER Interface: 10.1.12.198
10/20/2016 12:50:57 PM (5 ms) : Device: 10.5.1.13
10/20/2016 12:50:57 PM (6 ms) : SNMP V2c
10/20/2016 12:50:57 PM (8 ms) : Custom OID 1.3.6.1.4.1.9.9.131.1.1.1
10/20/2016 12:50:59 PM (2010 ms) : SNMP Datatype: ASN_PRIMITIVE
10/20/2016 12:50:59 PM (2012 ms) : -------
10/20/2016 12:50:59 PM (2013 ms) : Value: No response (check: firewalls, routing, snmp settings of device, IPs, SNMP version, community, passwords etc) (SNMP error # -2003)
10/20/2016 12:50:59 PM (2014 ms) : Done


----------------------- New Test -----------------------
Paessler SNMP Tester 5.2.3 Computername: PARADISEDANCER Interface: 10.1.12.198
10/20/2016 12:51:05 PM (9 ms) : Device: 10.5.1.13
10/20/2016 12:51:05 PM (12 ms) : SNMP V2c
10/20/2016 12:51:05 PM (14 ms) : Custom OID 1.3.6.1.4.1.9.9.131.1.1.1.0
10/20/2016 12:51:07 PM (2022 ms) : SNMP Datatype: ASN_PRIMITIVE
10/20/2016 12:51:07 PM (2027 ms) : -------
10/20/2016 12:51:07 PM (2034 ms) : Value: No response (check: firewalls, routing, snmp settings of device, IPs, SNMP version, community, passwords etc) (SNMP error # -2003)
10/20/2016 12:51:07 PM (2041 ms) : Done


lax-ctl01# show snmp hosts
 IP-Address            Version     Security Level  Community            
 --------------------  ----------  ----------      --------------------
 10.1.12.198          v2c         noauth          *****            
lax-ctl01# show snmp summary

Active Policy: default, Admin State: enabled

Local SNMP engineID: [Hex] 0x8000000980a5624f305223c45700000000

----------------------------------------
Community            Description         
----------------------------------------
******              RO SNMP String

------------------------------------------------------------
User                 Authentication       Privacy             
------------------------------------------------------------

------------------------------------------------------------
Client-Group         Mgmt-Epg                  Clients
------------------------------------------------------------
LAX-SNMP-ClientGrpProf default (Out-Of-Band)     10.1.12.198

------------------------------------------------------------
Host                 Port  Version  Level      SecName             
------------------------------------------------------------
10.1.12.198         162   v2c      noauth     *********        

lax-ctl01# moquery -c snmpPol
Total Objects shown: 1

# snmp.Pol
name         : default
adminSt      : enabled
childAction  :
contact      : Network Services
descr        : SNMP Policy for Fabric
dn           : uni/fabric/snmppol-default
lcOwn        : local
loc          : LV1
modTs        : 2016-10-20T11:45:17.742+00:00
monPolDn     : uni/fabric/monfab-default
ownerKey     :
ownerTag     :
rn           : snmppol-default
status       :
uid          : 0

Enthusiast

Following some of the troubleshooting information in the SNMP Tech Note I notice I'm missing some managed objects but it's not clear to me where I went wrong!

lax-ctl01#
lax-ctl01# show snmp policy default
Name Admin State Location Contact Description
-------------------- ---------- -------------------- -------------------- --------------------
default enabled lax Network Services SNMP Policy for
lax Fabric
lax-ctl01# show snmp community
SNMP Policy Community Name Description
-------------------- -------------------- ------------------------------
default ****** RO SNMP String
lax-ctl01# show snmp hosts
IP-Address Version Security Level Community
-------------------- ---------- ---------- --------------------
10.1.12.198 v2c noauth ******
lax-ctl01# show snmp clientgroups
SNMP Policy Name Description Client Entries Associated Management EPG
-------------------- -------------------- -------------------- -------------------- --------------------
default lax-SNMP- 10.1.12.198 default (Out-Of-Band)
ClientGrpProf
default SNMP-Pollers- 10.2.6.16,10.2.3. default (Out-Of-Band)
ClientGrpPol 9,10.2.1.3
lax-ctl01#
lax-ctl01# moquery -c mgmtSubnet
No Mos found
lax-ctl01# moquery -c mgmtRsOoBCons
No Mos found
lax-ctl01# moquery -c vzOOBBrCP
Total Objects shown: 2

# vz.OOBBrCP
name : default
childAction :
configIssues :
descr :
dn : uni/tn-common/oobbrc-default
lcOwn : local
modTs : 2016-08-29T11:58:27.363+00:00
monPolDn : uni/tn-common/monepg-default
ownerKey :
ownerTag :
prio : unspecified
reevaluateAll : no
rn : oobbrc-default
scope : context
status :
targetDscp : unspecified
uid : 0

# vz.OOBBrCP
name : lax-OOB-Contract
childAction :
configIssues :
descr : OOB Contract - Global
dn : uni/tn-mgmt/oobbrc-lax-OOB-Contract
lcOwn : local
modTs : 2016-10-20T11:39:45.165+00:00
monPolDn : uni/tn-common/monepg-default
ownerKey :
ownerTag :
prio : unspecified
reevaluateAll : no
rn : oobbrc-lax-OOB-Contract
scope : global
status :
targetDscp : unspecified
uid : 15374

lax-ctl01# moquery -c vzEntry | grep 161
dFromPort : 161
dToPort : 161
lax-ctl01# moquery -c vzEntry | grep 162
dFromPort : 162
dToPort : 162
lax-ctl01# moquery -c mgmtRsOoBStNode | egrep "tDn|addr"
tDn : topology/pod-1/node-101
addr : 10.5.1.31/24
tDn : topology/pod-1/node-102
addr : 10.5.1.32/24
tDn : topology/pod-1/node-103
addr : 10.5.1.33/24
tDn : topology/pod-1/node-104
addr : 10.5.1.34/24
tDn : topology/pod-1/node-201
addr : 10.5.1.41/24
tDn : topology/pod-1/node-202
addr : 10.5.1.42/24
tDn : topology/pod-1/node-203
addr : 10.5.1.43/24
tDn : topology/pod-1/node-204
addr : 10.5.1.44/24
tDn : topology/pod-1/node-205
addr : 10.5.1.45/24
tDn : topology/pod-1/node-206
addr : 10.5.1.46/24
tDn : topology/pod-1/node-207
addr : 10.5.1.47/24
tDn : topology/pod-1/node-208
addr : 10.5.1.48/24
tDn : topology/pod-1/node-209
addr : 10.5.1.49/24
tDn : topology/pod-1/node-210
addr : 10.5.1.50/24
tDn : topology/pod-1/node-3
addr : 10.5.1.13/24
lax-ctl01# moquery -c mgmtRsInBStNode | egrep "tDn|addr"
lax-ctl01# moquery -c snmpCtxP
No Mos found
lax-ctl01# moquery -c snmpSrc | egrep "snmp.Src|name|dn|incl|minSev|monPolDn"
# snmp.Src
name : lax-Access-MonPol-SNMP-Source
dn : uni/infra/moninfra-default/snmpsrc-lax-Access-MonPol-SNMP-Source
incl : events,faults
minSev : info
monPolDn : uni/infra/moninfra-default
# snmp.Src
name : lax-SNMP-Source
dn : uni/fabric/monfab-default/snmpsrc-lax-SNMP-Source
incl : events,faults
minSev : info
monPolDn : uni/fabric/monfab-default
# snmp.Src
name : lax-CommonPol-SNMP-Source
dn : uni/fabric/moncommon/snmpsrc-lax-CommonPol-SNMP-Source
incl : events,faults
minSev : info
monPolDn : uni/fabric/moncommon
lax-ctl01#

Cisco Employee

MIBs Supported by APIC

MIB RELEASE
CISCO-SYSTEM-MIB 1.2(1)
ENTITY-MIB 1.2(1)
CISCO-ENTITY-EXT-MIB 1.2(1)
CISCO-ENTITY-FRU-CONTROL-MIB 1.2(1)
CISCO-ENTITY-SENSOR-MIB 1.2(1)
CISCO-PROCESS-MIB 1.2(1)

Note: not all objects in mibs are available. The hardware is different so some objects may not be available.

Try the following to the APIC.

example where:

community = deadbeef
APIC IP = 192.168.242.11


$ snmpget -v2c -c deadbeef 192.168.242.11 SNMPv2-MIB::sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: APIC VERSION 2.1(1h); PID APIC-SERVER-L1; Serial FCH12345678

$ snmpget -v2c -c deadbeef 192.168.242.11 1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: APIC VERSION 2.1(1h); PID APIC-SERVER-L1; Serial FCH12345678

$ snmpwalk -v2c -c deadbeef 192.168.242.11 1.3.6.1.2.1.1.1
SNMPv2-MIB::sysDescr.0 = STRING: APIC VERSION 2.1(1h); PID APIC-SERVER-L1; Serial FCH12345678

.:|:.:|:. Tomas de Leon | Cisco Systems | Technical Leader - CX Enterprise Networking | tdeleon@cisco.com
Enthusiast

These two missing constructs were added but still no go.

These two were also missing.  I'm trying to see if I can track these mos down in the APIC docs.

lax-ctl01# moquery -c mgmtRsInBStNode | egrep "tDn|addr"
lax-ctl01# moquery -c snmpCtxP
No Mos found

lax-ctl01# moquery -c snmpCtxP
No Mos found
lax-ctl01# show snmp clientgroups
SNMP Policy Name Description Client Entries Associated Management EPG
-------------------- -------------------- -------------------- -------------------- --------------------
default LAX-SNMP-TEST- 10.5.12.198 default (Out-Of-Band)
ClientGrpProf
default LAX-SNMP-Pollers- 10.2.6.163,10.2.3. default (Out-Of-Band)
ClientGrpPol 129,10.2.1.34

Cisco Employee

I would suggest opening a case with the Cisco TAC and the ACI team can get on a webex with you and troubleshoot issues.  Probably need to run some tcpdumps and check the iptables for snmp.

Thanks

T.

.:|:.:|:. Tomas de Leon | Cisco Systems | Technical Leader - CX Enterprise Networking | tdeleon@cisco.com

Claudia & Tomas

Did you get this solved? I am having the exact same issue.

I have configured OOB addresses for the spine and leaf nodes, can ping them successfully from the server used for SNMP. 

I have defined the SNMP contracts and it is applied.

I also get the -2003 result from PRTG when testing the same OID as you use above.

CallHome and Syslog are working fine though...

I am using the VM appliance, so understand that there are limitations, but as callhome and syslog work, I think it is a configuration issue rather than a limitation...

Cisco Employee

* Unconfigure your snmp context and then perform an snmpwalk to see if you receive any snmp information back.

* Also, for test purposes configure a different community string without any special characters and shorter in length.  For example, cisco123.

thanks

T.

.:|:.:|:. Tomas de Leon | Cisco Systems | Technical Leader - CX Enterprise Networking | tdeleon@cisco.com

I never thought to change the community string!

I am getting some data returned now. 

Many thanks for your help Tomas!

Cisco Employee

In addition, I noticed some things..

Where are the "static node management" addresses for Node-1 & Node-2?

moquery -c mgmtRsOoBStNode | egrep "tDn|addr"

Only shows APIC3.

Another issue seen:

lax-ctl01# moquery -c mgmtSubnet
No Mos found

lax-ctl01# moquery -c mgmtRsOoBCons
No Mos found

These commands look up the configuration for the "External Management Network Instance Profile"; this is necessary to get your snmp walks and snmp gets to work correctly. You need to add your OOB Contract to the "External Management Network Instance Profile" along with the "Subnets" that you want to allow.

Also, you need to add your SNMP client's IP to the SNMP Client Group  in the Fabric Policies for SNMP...

Cheers!

T.

.:|:.:|:. Tomas de Leon | Cisco Systems | Technical Leader - CX Enterprise Networking | tdeleon@cisco.com
Enthusiast

Thanks for catching that Tomas. I was initially testing with just Node-3 which is why you only see it in this output but then I thought... Is that the issue? Do they all need to be addressed for any of them to respond (Yes... I was reaching) and so I finished up adding them in and there was no difference.

I've defined the two missing constructs.  

What does the Subnet field actually represent?  What external subnets can query?  So I just basically said "all" with the 0.0.0.0/0 entry?


lv1-ctl01# moquery -c mgmtSubnet
Total Objects shown: 1

# mgmt.Subnet
ip : 0.0.0.0/0
childAction :
descr :
dn : uni/tn-mgmt/extmgmt-default/instp-LV1-ExtMgmtNetworkInstanceProfile/subnet-[0.0.0.0/0]
lcOwn : local
modTs : 2016-10-21T06:08:08.192+00:00
monPolDn : uni/tn-common/monepg-default
name :
rn : subnet-[0.0.0.0/0]
status :
uid : 15374

lv1-ctl01# moquery -c mgmtRsOoBCons
Total Objects shown: 1

# mgmt.RsOoBCons
tnVzOOBBrCPName : LV1-OOB-Contract
childAction :
deplInfo :
dn : uni/tn-mgmt/extmgmt-default/instp-LV1-ExtMgmtNetworkInstanceProfile/rsooBCons-LV1-OOB-Contract
forceResolve : yes
lcOwn : local
modTs : 2016-10-21T06:08:08.325+00:00
monPolDn : uni/tn-common/monepg-default
prio : unspecified
rType : mo
rn : rsooBCons-LV1-OOB-Contract
state : formed
stateQual : none
status :
tCl : vzOOBBrCP
tContextDn :
tDn : uni/tn-mgmt/oobbrc-LV1-OOB-Contract
tRn : oobbrc-LV1-OOB-Contract
tType : name
triggerSt : triggerable
uid : 15374

lv1-ctl01#

Cisco Employee

The subnets definition (i.e. 0.0.0.0/0) represents which subnets can access your OOB management network.

And yes, any node that you want to push a management or data collection policy to needs to have a management address defined.  They all do not have to have them (but recommended).  Only the nodes that you want the policy to work and gather data from.

From the APIC, please provide the output of "show snmp clientgroups"

Thanks

T.

.:|:.:|:. Tomas de Leon | Cisco Systems | Technical Leader - CX Enterprise Networking | tdeleon@cisco.com
Beginner

I can connect to the leafs and spines from solarwinds but cannot connect to the APIC itself.
I also did not need to create contracts for the leaf/spines.

Have attempted to add a contract but the APICs are still not seen from Solarwinds. I suspect I've mis-configured along the way. Is there a step-by-step guide on adding APICs to receive SNMP reads?

Many thanks
Ian Gallimore

Cisco Employee

Ian,

Check out here:

https://supportforums.cisco.com/blog/13100731/ask-aci-experts-snmp-aci-fabric

There is my Technote and SNMP Guide for ACI there. Also, make sure the APIC IP Addresses are added to the Solarwinds Servers as an snmp Agent.

Also, make sure the Solarwinds Servers are added to the SNMP Client Groups.  If you are using OOB for management, Contracts are required for SNMP and applied to the OOB external management instance. One last thing that people miss, You need to add "Static node management addresses" for the APICs in addition to Leaf & Spines for the policy to be successfully deployed.

I hope this helps!

T.

.:|:.:|:. Tomas de Leon | Cisco Systems | Technical Leader - CX Enterprise Networking | tdeleon@cisco.com
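
The prerequisites named in this thread for polling the APICs over OOB (static node management addresses for the APIC nodes, an mgmtSubnet that covers the poller, and the OOB contract consumed by the External Management Network Instance Profile) can be checked from saved `moquery` output. This is an added example, not part of the original posts and not Cisco tooling; the function names, the APIC node IDs 1 to 3 and the sample inputs are assumptions constructed for illustration. It also flags a 0.0.0.0/0 entry, since that subnet matches every source address.

```python
import ipaddress
import re

def parse_moquery(text):
    """Split `moquery -c <class>` output into one dict per managed object."""
    objects = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# "):          # e.g. "# mgmt.Subnet" opens an object
            objects.append({"_class": line[2:]})
        elif objects and ":" in line:
            key, _, value = line.partition(":")
            objects[-1][key.strip()] = value.strip()
    return objects

def check_oob_snmp(stnode, subnet, cons, poller, apic_ids=(1, 2, 3)):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Works on full output or on the `egrep "tDn|addr"` form used in the thread.
    have = {int(n) for n in
            re.findall(r"tDn\s*:\s*topology/pod-\d+/node-(\d+)", stnode)}
    for node in apic_ids:                  # assumed controller node IDs
        if node not in have:
            findings.append(f"node-{node}: no static OOB management address")
    nets = [ipaddress.ip_network(o["ip"], strict=False)
            for o in parse_moquery(subnet) if o.get("ip")]
    if not any(ipaddress.ip_address(poller) in n for n in nets):
        findings.append(f"{poller}: not covered by any mgmtSubnet")
    for n in nets:
        if n.prefixlen == 0:
            findings.append(f"{n}: any source address matches this mgmtSubnet")
    if not any(o.get("state") == "formed" for o in parse_moquery(cons)):
        findings.append("no formed mgmtRsOoBCons (OOB contract not consumed)")
    return findings

# Constructed inputs modelled on the thread's output (not captured from a device).
BEFORE = {"stnode": "tDn : topology/pod-1/node-3\naddr : 10.5.1.13/24\n",
          "subnet": "No Mos found\n", "cons": "No Mos found\n"}
AFTER = {"stnode": "".join(f"tDn : topology/pod-1/node-{i}\naddr : 10.5.1.1{i}/24\n"
                           for i in (1, 2, 3)),
         "subnet": "# mgmt.Subnet\nip : 0.0.0.0/0\nrn : subnet-[0.0.0.0/0]\n",
         "cons": "# mgmt.RsOoBCons\ntnVzOOBBrCPName : EXAMPLE-OOB-Contract\n"
                 "state : formed\n"}

if __name__ == "__main__":
    for label, state in (("before", BEFORE), ("after", AFTER)):
        print(label, check_oob_snmp(poller="10.1.12.198", **state))
```
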
Beginner

Great, thanks Tomas!

I was missing - "Static node management addresses" for the APICs

Best Regards

Ian