01-29-2009 09:38 AM
J,
You out there...got another question for you.
Configured SNMP community string on a 6509 FWSM. Appears I can only set a RO (which is not a problem). I'm able to SSH to the FWSM IP, but when I config CiscoWorks Common Services to add the device, using standard credentials and the SNMP v2 community string, it bombs with the following error:
"session to device failed. Cause: Authentication failed on device."
It appears to be auth, but I'm certain both the standard credentials and the SNMP community string are correct.
I ran an SNMP walk with OID .1.3.6.1.2.1.1.2 and it also fails with:
Failed to snmpwalk the device. Please check your community string and starting OID, and try again.
I thought possibly the SNMP timeout was catching me again, but after setting it to 10 secs, it continues to fail.
Checked the ICServer.log, and nothing that would indicate the problem.
Any help would be appreciated.
Bruce
01-29-2009 11:00 AM
Some additional info from the IC_Server.log:
ERROR,[Thread-15],com.cisco.nm.rmeng.inventory.ics.core.CollectionController,547, Unreachable device
01-29-2009 11:06 AM
Please post your SNMP config from your FWSM.
01-29-2009 11:09 AM
no snmp-server location
no snmp-server contact
snmp-server community
And I ran the snmp-server enable command.
01-29-2009 11:10 AM
You need to add a line like:
snmp-server host inside HOST poll community STRING
Where HOST is the IP address of the LMS server.
This is what you would do for the PIX/ASA. I assume there is a similar (if not the same) command for the FWSM.
01-29-2009 11:22 AM
Giving it a try right now...
I didn't think I needed that "host" statement...but I was referring back to the V2 config on a 6513 switch.
01-29-2009 11:38 AM
Hmmm..
Well, that doesn't appear to be the issue either.
When I run the command for snmp-server host, it prompts that there is only a VLAN available (which is a VLAN that we use for access)...when I use the VLAN, and then the IP of LMS, results are the same...authentication failure.
example:
FWNAME/context(config)# snmp-server host ?
configure mode commands/options:
Current available interface(s):
01-29-2009 11:39 AM
Then there may be other rules preventing udp/161 traffic from making it to this module. Check to make sure this traffic is allowed.
01-29-2009 11:43 AM
Hmmm...it's a test FW, so I have IP any any set up...
01-29-2009 11:48 AM
The symptoms point to you either using the wrong community string, or SNMP traffic is being denied. You might want to enable some logging on the FWSM to see if the SNMP packets are arriving on the module.
01-29-2009 11:58 AM
Roger...I've pounded that community string in there multiple times, so I'm confident it isn't that...access through the FW allows IP any...so, I'm scratchin' the ole head right now...I'll turn on some logging and gather some anay on it...thanks for the thoughts...
02-01-2009 12:32 PM
Forgot to give ya some points for this one...here ya go