cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6397
Views
27
Helpful
17
Replies

CSCvt97205 - SNMPPOLL/SNMPTRAP to remote end (site-to-site vpn) ASA interface fails on ASA 9.14.1

Jose Anda
Level 1
Level 1

Hello,

 

Can anyone please confirm if this bug is resolved in 9.15.1? I am running an ASA5516x -  9.15.1 and we are still not able to poll snmp from the ASA over the s2s vpn tunnel

17 Replies 17

I am still having the same problem with 9.15.1 and 9.14(2)8. The bug has not been resolved.

quocanhylvn
Level 1
Level 1

I still meet this bug in version 9.14(12)15 interim and 9.16.1

We are running 9.16.1, and have the same issue with PRTG where using SNMP to poll data over IPSec IKE1 and IKE2 VPN, which doesnt work. Anyting inside is working perfect.


Any news here?! **bleep** **bleep**.

Cisco is calling it a New Feature.  I got it working and can now SNMP poll my ASA.  You have to follow the bug workaround and poll your ASA on the far side to it's "outside" IP.   Been working fine now. 

jont717
Level 1
Level 1

Anyone get this working yet?  Broke for us as well after upgrade. 9.14.3.9

 

Looks like Cisco is calling it a New Feature. 

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/release/notes/asarn914.html

 

Gaston Sanchez
Level 1
Level 1

Hello Community , i just installed version 9.16(2)14  hoping for a solution to this, and is not yet working, in my case is not possible to do monitorization using the external ip of the destination box , any other workaround or way to solve the issue ?

The workaround isn't really a workaround.  Can confirm the issue on 9.16(2)14. 
When using monitoring, the "workaround" denies other traffic to inside interface, from the monitoring host.  Also creating route-injection issues.  It might work on very simple setups, but with dynamic-routing, this won't do the trick.

 

I guess they don't know how to fix. As of 9.14 snmpd runs under Linux as a separate NLP process (Non-Lina process) and connects to the outside world via internal nlp_int_tap interface. E.g. in 9.16.3:

ASA# show kernel ifconfig
tap_nlp Link encap:Ethernet HWaddr ba:1a:01:32:cc:cf
inet6 addr: fe80::b81a:1ff:fe32:cccf/64 Scope:Link
inet6 addr: fd00:0:0:1::2/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1434 errors:0 dropped:0 overruns:0 frame:0
TX packets:1464 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:101320 (98.9 KiB) TX bytes:109380 (106.8 KiB)

tap_nlp:1 Link encap:Ethernet HWaddr ba:1a:01:32:cc:cf
inet addr:xxx.254.1.2 Bcast:xxx.254.1.7 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

In order to reach the snmpd process running on xxx.254.1.2 static NAT rule is created by the system between the interface used in the snmp-server command and the nlp_int_tap interface. E.g. when inside interface is used:

ASA# snmp-server host inside x.2.3.4 comm public version$
ASA# show nat det
Manual NAT Policies Implicit (Section 0)
1 (nlp_int_tap) to (inside) source static nlp_server__snmp_x.2.3.4_intf2 interface destination static 0_x.2.3.4_18 0_x.2.3.4_18 service udp snmp snmp
translate_hits = 0, untranslate_hits = 0
Source - Origin: xxx.254.1.2/32, Translated: 10.44.17.74/29
Destination - Origin: x.2.3.4/32, Translated: x.2.3.4/32
Service - Protocol: udp Real: snmp Mapped: snmp

As of 9.16 this rule is placed into the system section 0. It's unclear how to make use of this rule if traffic comes over VPN via outside interface. I guess it won't be hit even if "management-access inside" is configured (you can check untranslate_hits). Hence traffic doesn't reach snmpd. Also, another identity twice NAT rule is typically configured to exempt VPN traffic from NAT. If this rule is hit (on the outside), lookup isn't made for the 2nd one (system SNMP rule).


It's interesting what TAC is saying...

 

 

Well, I've found on "solution."

Since Cisco doesn't think this is important, I bought a couple of Juniper SRX's, these, remarkably, work just fine.  Looks like a migration is on the way... 

 

Great solution , a little expensive but it works !

MCapelle
Level 1
Level 1

This bug ("feature") still exists in 9.16(3)19.  Amazing how this can be ignored and broken for so long.

Proxy_0ps
Level 1
Level 1

Same here 9.16(3)19. The workaround is just a joke to be honest. Looks like Cisco really wants to make sure, that their customers are migrating to other vendors for firewall solutions.

alexhunter
Level 1
Level 1

I logged a TAC for this, as the workaround is not really an option.  Apparently it is fixed in version 9.18(2)5 which I currently can't find within the downloads section of Cisco's website for any of the firewall models only version 9.18.2, although they have said this was released on 06-10-2022.  The bug does not state this although it has recently been updated yesterday https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt97205

9.18(3) still an issue, unless you're coming in over only vpn and have no other routes.... We can't poll most FW's