SNMP not working on ASA

James H · ‎01-11-2023

I cannot seem to get SNMP working correctly on my Cisco ASA 5525. I'm trying to add this ASA to PRTG for monitoring. When I attempt to add any SNMP sensor in PRTG I get "No response (check: firewalls, routing, snmp settings of device, IPs, SNMP version, community, passwords etc) (SNMP error # -2003)". I have confirmed that the community string is correct and the IP address of the PRTG server is correct in the ASA SNMP configuration.

I also ran PRTG's SNMP Tester tool from the PRTG server and got the following:

----------------------- New Test -----------------------
Paessler SNMP Tester - 20.2.4 Computername: PRTG Interface: 192.168.*.*
1/11/2023 7:12:47 AM (3 ms) : Device: 192.168.*.*
1/11/2023 7:12:47 AM (5 ms) : SNMP v2c
1/11/2023 7:12:47 AM (6 ms) : Uptime
1/11/2023 7:12:49 AM (2016 ms) : SNMP Datatype: ASN_UNIVERSAL
1/11/2023 7:12:49 AM (2018 ms) : -------
1/11/2023 7:12:49 AM (2020 ms) : DISMAN-EVENT-MIB::sysUpTimeInstance = No response (check: firewalls, routing, snmp settings of device, IPs, SNMP version, community, passwords etc) (SNMP error # -2003) ( 0 seconds )
1/11/2023 7:12:51 AM (4032 ms) : SNMP Datatype: ASN_UNIVERSAL
1/11/2023 7:12:51 AM (4034 ms) : HOST-RESOURCES-MIB::hrSystemUptime.0 = No response (check: firewalls, routing, snmp settings of device, IPs, SNMP version, community, passwords etc) (SNMP error # -2003) ( 0 seconds )
1/11/2023 7:12:51 AM (4036 ms) : Done

Here is my snmp configuration on the ASA:

snmp-server host inside 192.168.*.* community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove fan-failure power-supply power-supply-presence cpu-temperature chassis-temperature power-supply-temperature chassis-fan-failure
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
snmp-server enable traps config

Any help would be greatly appreciated. I do not have a lot of experience with ASAs.

Thanks,

Georg Pauwen · ‎01-11-2023

Hello,

hard to say what you are missing, can you post the entire ASA config (sh run) ?

What version is your ASA running on ? The SNMP part seems to be missing the lines marked in bold:

snmp-server host inside 192.168.*.* community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove fan-failure power-supply power-supply-presence cpu-temperature chassis-temperature power-supply-temperature chassis-fan-failure
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
snmp-server enable traps config
--> snmp-server enable
--> snmp-server community *****

marce1000 · ‎01-11-2023

- Does a manual snmpget work for the MIB variables you intend to use in PRTG ? If that works it could be a PRTG-related problem.

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

MHM Cisco World · ‎01-11-2023

community ***** <<- CHECK below guide for community

You should avoid the use of special characters (!, @, #, $, %, ^, &, *, \) in community strings. In general, using any special characters reserved for functions used by the operating system can cause unexpected results. For example, the backslash (\) is interpreted as an escape character and should not be used in the community string.