10-23-2023 11:36 AM - edited 10-23-2023 11:43 AM
Hello,
After upgrading my ASA 5506 to the latest interim available firmware asa9-16-4-42-lfbff-k8.SPA, or to any of the most recent firmwares such as asa9-16-4-lfbff-k8.SPA, the monitoring over SNMP stops working. We use N-central to monitor uptime on all our network devices, and the probe is on a network across a site-to-site VPN. So, the monitoring probe is in network A, the ASA is on network B, and network A connects to network B over a site-to-site VPN.
When the ASA uses older firmware version such as asa9-12-4-26-lfbff-k8.SPA, the SNMP monitoring over VPN works perfectly.
Could you please help? Thank you
10-23-2023 11:59 AM
SNMP behavior over site-site IPsec VPN changed with ASA 9.14(2). You will need to add the outside address to the crypto map and monitor using that address.
Please see the following:
10-23-2023 12:16 PM
Thanks Marvin. I can see how doing that would solve the problem; however, it would unleash a lot of potential security issues, don't you think? Or am I over-reacting?
If you agree with the security concerns, what are other options for monitoring this remote ASA, with something other than SNMP perhaps?
10-23-2023 08:04 PM - edited 10-23-2023 08:04 PM
An ASA (or FTD for that matter) will only respond to hosts as defined in the snmp-server configuration. Plus, having those hosts' traffic within the IPsec tunnel protects it from public inspection by any potential man-in-the-middle. It can be further secured by using SNMPv3 with the priv (privacy) option and choosing AES to further encrypt the SNMP traffic in transit end to end.
10-25-2023 12:48 PM
So, to accomplish this change, all I should do is point snmp-server to the public IP and add an entry on the ACL to allow that public IP over the IPsec tunnel? Of course, besides using SNMPv3 with priv and AES.
10-26-2023 08:33 AM
The snmp-server configuration also needs to specify that the manager's source IP is allowed to make queries via the outside interface.
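The three pieces of advice given in this thread (put the ASA's outside address into the crypto map ACL, use SNMPv3 with priv and AES, and add an snmp-server host entry that names the probe's IP via the outside interface) combined into one ASA configuration fragment. This is an added illustration, not configuration posted by anyone in the thread; every address, ACL name, group name, user name and passphrase in it is a constructed placeholder, and the crypto ACL name VPN_A_B is assumed to be the one already bound to the existing site-to-site crypto map.

```cisco
! Added example, not from the thread. Constructed values:
!   N-central probe (network A)   10.1.1.10 in 10.1.1.0/24
!   ASA outside interface IP      198.51.100.2
!   network B behind the ASA      10.2.2.0/24
!   existing crypto ACL (assumed) VPN_A_B

! 1. Make the ASA's own outside address "interesting" traffic for the tunnel,
!    so polls from the probe to that address travel inside IPsec instead of in
!    the clear. The mirror-image line must also exist on the peer's crypto ACL.
access-list VPN_A_B extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN_A_B extended permit ip host 198.51.100.2 host 10.1.1.10

! 2. SNMPv3 only: SHA authentication plus AES-256 privacy, so the SNMP payload
!    is encrypted end to end in addition to the IPsec protection.
snmp-server group NMS-GROUP v3 priv
snmp-server user ncprobe NMS-GROUP v3 auth sha AUTH-PASSPHRASE-PLACEHOLDER priv aes 256 PRIV-PASSPHRASE-PLACEHOLDER

! 3. Answer polls only from the probe's IP, and only when they arrive via the
!    outside interface (where the tunnel terminates). Any other source gets no
!    response, which is the allow-list behaviour described earlier in the thread.
snmp-server host outside 10.1.1.10 poll version 3 ncprobe
snmp-server enable
```

The probe is then pointed at 198.51.100.2 rather than at an inside address. Because the snmp-server host line is the only thing that makes the ASA respond, a quick check after the change is to confirm that a poll from any address other than 10.1.1.10 times out while the probe's own poll succeeds.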
03-08-2024 01:49 PM - edited 03-08-2024 01:50 PM
Is there a write-up on this? Any changes to crypto maps or NAT, and what if I have 2 internet lines? I've had 2 cases open for this in the past 3 years or so with no luck or resolution from TAC after countless hours with support. Still have a few 5506s left that I keep on 9.12 because of that; can't wait to get rid of them... Very disappointed with Cisco in the past few years...
03-09-2024 01:26 AM
This is not a trivial fix and hence unlikely to be fixed in 9.14-9.16. Documentation recommends running SNMP on a loopback interface, which became available in 9.18.2: "This feature is not supported for SNMP in 9.14(1) and later. For SNMP over VPN, we recommend enabling SNMP on a loopback interface in 9.18(2) and later. You don't need the management-access feature enabled to use SNMP on the loopback interface".
Unfortunately, 9.18 is not an option for 5500-X.
03-09-2024 01:50 AM
Also, there is "CSCwh53143 ASA:Management access via IPSec tunnel is NOT working" bug, which was fixed in 9.18.4.5. So, SNMP to inside over L2L with "management-access inside" configured needs to be tested in this version or above.