01-11-2023 04:24 AM
I cannot seem to get SNMP working correctly on my Cisco ASA 5525. I'm trying to add this ASA to PRTG for monitoring. When I attempt to add any SNMP sensor in PRTG I get "No response (check: firewalls, routing, snmp settings of device, IPs, SNMP version, community, passwords etc) (SNMP error # -2003)". I have confirmed that the community string is correct and the IP address of the PRTG server is correct in the ASA SNMP configuration.
I also ran PRTG's SNMP Tester tool from the PRTG server and got the following:
----------------------- New Test -----------------------
Paessler SNMP Tester - 20.2.4 Computername: PRTG Interface: 192.168.*.*
1/11/2023 7:12:47 AM (3 ms) : Device: 192.168.*.*
1/11/2023 7:12:47 AM (5 ms) : SNMP v2c
1/11/2023 7:12:47 AM (6 ms) : Uptime
1/11/2023 7:12:49 AM (2016 ms) : SNMP Datatype: ASN_UNIVERSAL
1/11/2023 7:12:49 AM (2018 ms) : -------
1/11/2023 7:12:49 AM (2020 ms) : DISMAN-EVENT-MIB::sysUpTimeInstance = No response (check: firewalls, routing, snmp settings of device, IPs, SNMP version, community, passwords etc) (SNMP error # -2003) ( 0 seconds )
1/11/2023 7:12:51 AM (4032 ms) : SNMP Datatype: ASN_UNIVERSAL
1/11/2023 7:12:51 AM (4034 ms) : HOST-RESOURCES-MIB::hrSystemUptime.0 = No response (check: firewalls, routing, snmp settings of device, IPs, SNMP version, community, passwords etc) (SNMP error # -2003) ( 0 seconds )
1/11/2023 7:12:51 AM (4036 ms) : Done
Here is my snmp configuration on the ASA:
snmp-server host inside 192.168.*.* community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove fan-failure power-supply power-supply-presence cpu-temperature chassis-temperature power-supply-temperature chassis-fan-failure
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
snmp-server enable traps config
Any help would be greatly appreciated. I do not have a lot of experience with ASAs.
Thanks,
01-11-2023 09:25 AM
Hello,
Hard to say what you are missing. Can you post the entire ASA config (sh run)?
What version is your ASA running on? The SNMP part seems to be missing the lines marked in bold:
snmp-server host inside 192.168.*.* community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove fan-failure power-supply power-supply-presence cpu-temperature chassis-temperature power-supply-temperature chassis-fan-failure
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
snmp-server enable traps config
--> snmp-server enable
--> snmp-server community *****
07-13-2024 06:52 AM
Hello Georg, I am having this same problem now. No matter what I do, the NMS cannot make a connection to my ASA 5525.
Have you found a resolution to your problem?
If so, would you mind sharing what you had to do to get it to work?
01-11-2023 09:30 AM
- Does a manual snmpget work for the MIB variables you intend to use in PRTG? If that works it could be a PRTG-related problem.
M.
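A manual query of the kind suggested above, as an added example that is not part of the original thread: it builds an SNMPv2c GetRequest for sysUpTimeInstance using only the Python standard library and reports whether the device answers at all, independent of PRTG. The function names are illustrative, and the host and community string are supplied by the caller.

```python
import socket

SYS_UPTIME = "1.3.6.1.2.1.1.3.0"  # sysUpTimeInstance, the first OID the tester polled

def tlv(tag, body):
    n = len(body)
    if n < 0x80:  # short-form length
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long-form length
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def enc_int(v):
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # non-negative INTEGER

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:  # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return tlv(0x06, bytes(body))

def build_get(community, oid=SYS_UPTIME, request_id=1):
    varbinds = tlv(0x30, tlv(0x30, enc_oid(oid) + tlv(0x05, b"")))  # OID with NULL value
    pdu = tlv(0xA0, enc_int(request_id) + enc_int(0) + enc_int(0) + varbinds)  # GetRequest
    return tlv(0x30, enc_int(1) + tlv(0x04, community.encode()) + pdu)  # version 1 = v2c

def read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def classify(reply):
    _, msg, _ = read_tlv(reply, 0)                    # outer SEQUENCE
    _, _, p = read_tlv(msg, 0)                        # version
    tag, pdu, _ = read_tlv(msg, read_tlv(msg, p)[2])  # skip community, read PDU
    err = read_tlv(pdu, read_tlv(pdu, 0)[2])[1]       # skip request-id, read error-status
    return "response" if tag == 0xA2 and not any(err) else "snmp-error"  # 0xA2 = GetResponse

def probe(host, community, timeout=2.0, port=161):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_get(community), (host, port))
            return classify(s.recvfrom(65535)[0])
        except OSError as e:  # socket.timeout is a subclass of OSError
            return "no-response" if isinstance(e, socket.timeout) else "unreachable"
```

Calling `probe("<asa-inside-ip>", "<community>")` from the PRTG server returns "no-response" when nothing comes back before the timeout, which is the same condition the tester reports.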
01-11-2023 11:31 AM
community ***** <<- CHECK below guide for community
You should avoid the use of special characters (!, @, #, $, %, ^, &, *, \) in community strings. In general, using any special characters reserved for functions used by the operating system can cause unexpected results. For example, the backslash (\) is interpreted as an escape character and should not be used in the community string.
07-15-2024 05:02 AM
This scenario was actually a result of the sfr redirect blocking traffic to a designated SNMP server. I actually work with James H now and we determined that adding an ACL to deny traffic destined for the SNMP server within the ACL of our firepower class map allowed traffic to traverse the inside interface, through the sfr interface, and back out the inside interface toward the SNMP server.
In your implementation it may be more ideal to narrow down the any to snmp or specific ports, but in this scenario we were just validating the method.
access-list sfr_redirect extended deny ip host 192.168.*.* any
access-list sfr_redirect extended permit ip any any
!
class-map firepower-class
 match access-list sfr_redirect
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect pptp
  inspect dns dns-map
  inspect snmp
 class firepower-class
  sfr fail-open
 class class-default
  user-statistics accounting