Cisco ASA VE SNMP does not respond

ian-brown · ‎05-20-2024

Hello All,

We have a failover pair of Cisco ASA VE running 9.14 and have an issue polling for SNMP. The client device gets no answer, and tracing on the ASA shows the packet arriving and being un-nat from the inside interface to nlp_int_tap interface, and when it gets to the end of the flow it fails with a 'no valid V4 adjacency' .

I can see there is the auto nat rule

Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_snmp_intf2 interface service udp snmp snmp
translate_hits = 0, untranslate_hits = 11003
Source - Origin: 169.254.1.2/32, Translated: <redacted internal address>/24
Service - Protocol: udp Real: snmp Mapped: snmp

but does there need to be something added manually to the arp table to make it return the traffic to the client on the other side of the inside interface ?

Thanks

Ian

ahollifield · ‎05-20-2024

Source is 169.254? Why? What is the use-case for having ISE SNMP poll the ASA?

ian-brown · ‎05-21-2024

well, that is the thing, it's actually my internal monitoring server, which sits on our LAN on the side of the 'inside' interface. It's got a 10.10.32/20 address and the inside interface has a 10.10.59/24 address. The 169.254.1.2 is the address the kernel interface running snmp has. I'm targetting the inside interface for snmp. This is the un-nat on the first entry on the packet trace

None of the docs I've read cover doing anything except adding the source hosts.

And it works this morning, for no obvious reason..!