Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7067
Views
5
Helpful
18
Replies

CSCvt97205 - SNMPPOLL/SNMPTRAP to remote end (site-to-site vpn) ASA interface fails on ASA 9.14.1

tnelis@inlichtingenbureau.nl
Level 1
Level 1

‎03-09-2021 04:21 AM

Hello,

 

This weekend I upgradet to version 9.14(2)8, coming from 9.13(1)10. After that the SNMP-requests faild. It seems to me the problem is not yet solved.

 

Greatings

Theo Nelis

7 people had this problem
Labels:
0 Helpful
18 Replies 18

tvotna
Spotlight
Spotlight

‎05-19-2022 05:51 AM

I guess they don't know how to fix. As of 9.14 snmpd runs under Linux as a separate NLP process (Non-Lina process) and connects to the outside world via internal nlp_int_tap interface. E.g. in 9.16.3:

ASA# show kernel ifconfig
tap_nlp Link encap:Ethernet HWaddr ba:1a:01:32:cc:cf
inet6 addr: fe80::b81a:1ff:fe32:cccf/64 Scope:Link
inet6 addr: fd00:0:0:1::2/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1434 errors:0 dropped:0 overruns:0 frame:0
TX packets:1464 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:101320 (98.9 KiB) TX bytes:109380 (106.8 KiB)

tap_nlp:1 Link encap:Ethernet HWaddr ba:1a:01:32:cc:cf
inet addr:169.254.1.2 Bcast:169.254.1.7 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

In order to reach the snmpd process running on 169.254.1.2 static NAT rule is created by the system between the interface used in the snmp-server command and the nlp_int_tap interface. E.g. when inside interface is used:

# snmp-server host inside 1.2.3.4 comm public version$
# show nat det
Manual NAT Policies Implicit (Section 0)
1 (nlp_int_tap) to (inside) source static nlp_server__snmp_1.2.3.4_intf2 interface destination static 0_1.2.3.4_18 0_1.2.3.4_18 service udp snmp snmp
translate_hits = 0, untranslate_hits = 0
Source - Origin: 169.254.1.2/32, Translated: 10.44.17.74/29
Destination - Origin: 1.2.3.4/32, Translated: 1.2.3.4/32
Service - Protocol: udp Real: snmp Mapped: snmp

As of 9.16 this rule is placed into the system section 0. It's unclear how to make use of this rule if traffic comes over VPN via outside interface. I guess it won't be hit even if "management-access inside" is configured (you can check untranslate_hits). Hence traffic doesn't reach snmpd. Also, another identity twice NAT rule is typically configured to exempt VPN traffic from NAT. If this rule is hit (on the outside), lookup isn't made for the 2nd one (system SNMP rule).

 

It's interesting what TAC is saying...

 

 

 

SgtMike70
Level 1
Level 1

‎07-20-2022 03:21 PM

Not that this is a feasible fix, I removed AES encryption (only Auth remains) and SNMP started working. possibly test in your environment to verify. Using ver9.14(2)13

0 Helpful

Proxy_0ps
Level 1
Level 1

‎09-19-2022 01:44 AM

Unbelievable that this problem is still not fixed.

0 Helpful

kaghy2
Level 1
Level 1

‎08-10-2023 02:57 AM

2023 still a problem for some versions running in our environment. Downgrading is no option neither is disabling management-access.

0 Helpful
Customers Also Viewed These Support Documents