
ASA 5585 No route to host

kyle.ashcraft
Level 1

Hello All,

 

Hoping I can get some assistance with an issue I'm having on my ASA.  In a nutshell I'm having difficulty getting an ASA to poll on my SNMP server.  For the sake of drawing a mental picture imagine I have my SNMP server (1.1.1.10) on interface Gig0 which is the gateway for said subnet (1.1.1.1/24).  I am polling the ASA using another interface Gig1 (2.2.2.1).  Rules are in place to allow this traffic bidirectionally however whenever I attempt to poll the ASA I receive an error saying it doesn't respond to SNMP credentials.  Running a packet tracer on the ASA showing connectivity from the SNMP server to the ASA drops the packet stating "no route to host" which seems odd since both interfaces are directly connected and show up in the route table.  I'm assuming polling isn't working because the ASA doesn't seem to know how he routes to himself but I'm not sure what else could be the problem.  I've also attempted to poll the ASA using the Gig0 interface that's the gateway for the SNMP server but that didn't seem to work either.  Any suggestions are appreciated.  Thanks!

 

5 Replies

Richard Burts
Hall of Fame

If I am understanding the post correctly you have an SNMP server at 1.1.1.10 connected to interface G0 which has address 1.1.1.1. You have interface G1 which has address 2.2.2.1. Your SNMP server is attempting to poll 2.2.2.1 and it is not working. There are several things you have not told us and that impacts our ability to provide good advice.

- You have not told us the security level of G0 and G1. Is it possible that you have a request from a lower security level interface attempting to go to a higher level interface?

- You have not told us whether you have configured SNMP server host for your SNMP server.

 

I am not clear why you are polling an address that is different from the connected interface address. I am not clear whether it applies to SNMP but I know that for certain functions where you attempt to access the ASA it will not allow access if the request arrived on an interface different from the interface whose address is the destination. I would suggest that you try again polling the 1.1.1.1 address and try to troubleshoot that. 

 

HTH

 

Rick


I appreciate the insight provided.  To answer some of your questions the interfaces are configured with security levels both of which are set to 100.  As for why we are polling an IP that's on a different subnet than the SNMP server is simply because when the network was built they set up all management to the ASA on the 2.2.2.1 interface.  In order to log into the ASA you must use that IP and all other management related tasks go to that IP so I'm attempting to keep it consistent.  My SNMP server is currently functioning and has other nodes polling correctly to include a different ASA so I know this should in theory work I just can't for the life of me figure out what's preventing this one from connecting.  The only real error I can find is like I mentioned before in the packet tracer saying "no route to host".  ASA seems to think he doesn't know where to send this traffic even though the interface is directly connected.  Not sure if the issue is because the packet would be addressed to the ASA itself so maybe there's a control plane thing going on.  

Thanks for the information. I agree that consistency is a good thing and that you would like to be consistent about how SNMP is working. It is interesting that your SNMP is working successfully with another ASA. Can you verify that on this other ASA that the address being polled is different from the address of the interface on which the SNMP arrives?

 

If both interfaces have the same security level have you configured same security level inter interface?

 

I have seen the error message about no route to host before. In quite a few cases it turned out to be that the ASA did not have a route to that destination on the interface that the ASA thought that it needed to use. It might turn out to be a different issue but this is one of the reasons I suggested trying polling the connected interface.

 

Do you have logging enabled on this ASA? If so are there any messages generated when the SNMP server attempts to poll this ASA?

 

HTH

 

Rick


Appreciate the feedback, after many attempts I finally got the ASA to poll correctly on my SNMP server.  I would like to first apologize for any confusion I may have started with my post.  I haven't touched an ASA in many years and I'm still learning the network they have me supporting.  After additional research into the current working ASA I noticed the interface being polled was the gateway interface SNMP was being received on.  It would appear the ASA does not allow SNMP traffic coming in on one interface to poll another local interface.  Once I confirmed this I attempted to swap polling over to the interface SNMP is received on.  At first discovery didn't work so I decided to start from scratch by removing SNMP from the ASA entirely.  After re-building from the ground up the node has been discovered.  I believe there were a few problems experienced throughout this process.  The first one was my SNMP server attempting to autofill my credentials upon discovery.  Not sure if that was an issue as it encrypts the password upon entry but I also forced the server to make me manually enter credentials which I also prefer.  Hope this info helps someone in the future!

Thanks for the update about how you solved the problem with SNMP polling the ASA. I am glad that my suggestion pointed you in the right direction. Hopefully your description will be helpful to other participants in the community.

 

HTH

 

Rick
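
As an added example (not part of the thread and not Cisco tooling), the Python check below applies the rule the thread arrived at: the polled address must belong to the interface the SNMP request arrives on, and the `snmp-server host` entry must be bound to that same interface. The config text is constructed from the thread's example addresses; the nameif values `inside` and `mgmt` are assumptions, and the poller is assumed to be directly connected as in the original post.

```python
import ipaddress
import re

# Constructed sample config using the thread's example addresses; the nameif
# values "inside" and "mgmt" are assumptions, the thread does not name them.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif mgmt
 security-level 100
 ip address 2.2.2.1 255.255.255.0
!
snmp-server host inside 1.1.1.10 community ***** version 2c
"""

def parse_interfaces(config):
    """Return {nameif: IPv4Interface} from the 'interface' stanzas."""
    interfaces, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None
        elif m := re.match(r"\s+nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s+ip address (\S+) (\S+)", line)) and nameif:
            interfaces[nameif] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces

def check_poll(config, polled_ip):
    """List reasons a poll of polled_ip would fail for each snmp-server host."""
    interfaces = parse_interfaces(config)
    polled = ipaddress.ip_address(polled_ip)
    problems = []
    for m in re.finditer(r"^snmp-server host (\S+) (\S+)", config, re.M):
        bound_if, poller = m.group(1), ipaddress.ip_address(m.group(2))
        # Directly connected poller: ingress is the interface owning its subnet.
        ingress = next((n for n, i in interfaces.items() if poller in i.network), None)
        if ingress is None:
            problems.append(f"{poller}: not on a connected subnet, ingress unknown")
            continue
        if bound_if != ingress:
            problems.append(f"{poller}: host bound to {bound_if}, arrives on {ingress}")
        if interfaces[ingress].ip != polled:
            problems.append(f"{poller}: polls {polled}, ingress {ingress} is {interfaces[ingress].ip}")
    return problems
```

Calling `check_poll(SAMPLE_CONFIG, "2.2.2.1")` reports the far-side poll from the original post, while `check_poll(SAMPLE_CONFIG, "1.1.1.1")` returns an empty list.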
