Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1572
Views
0
Helpful
2
Replies

ASA 5520 does not respond to SNMP

richard.schultz1
Level 1
Level 1

‎07-25-2016 06:13 AM - edited ‎03-12-2019 01:03 AM

I recently replaced a pair of 5510s with 5520s going from 8.2 to 9.1. Aside from ACLs being cleaned WAY up, that's the only thing that's really changed here. The 5510s worked fine in NMS (Orion), but the 5520s will not.

SNMP in this case goes over a site to site tunnel (remote location) on an interface labeled management:

snmp-server host management 10.71.127.73 community ***** 
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded

GigabitEthernet0/2.100   management             10.0.100.254    255.255.255.0   CONFIG

access-list CardAccessVPN extended permit ip 10.0.100.0 255.255.255.0 10.71.127.0 255.255.255.0 (tunnel ACL)

NMS is on 10.71.127.73

I have the switch stack at this location (10.0.100.11) polling just fine.

I can see this at least:

UDP outside 10.71.127.73:56514 management 10.0.100.254:161, idle 0:00:00, bytes 45, flags -
UDP outside 10.71.127.73:56768 management 10.0.100.254:161, idle 0:00:01, bytes 192, flags -
UDP outside 10.71.127.73:58258 management 10.0.100.254:161, idle 0:00:05, bytes 147, flags -

UDP outside 10.71.127.73:57766 management 10.0.100.11:161, idle 0:00:13, bytes 6724, flags -
UDP outside 10.71.127.73:61260 management 10.0.100.11:161, idle 0:00:21, bytes 86, flags -

Community and version match what I'm polling with on NMS - like I said, the "base" configs are the same. I cannot snmp walk the device either outside of Orion.

I've tried removing and re-adding the node in Orion, but no luck.

1 person had this problem
Labels:
0 Helpful
2 Replies 2

johnlloyd_13
Level 9
Level 9

‎07-25-2016 06:59 PM

hi,

the 'management' interface usually responds to traffic where the ASA itself is the destination (i.e. ping, SSH, etc), but can't pass any transit traffic through the ASA to or from another interface. do you have this line under 'management' interface?

no management-only

0 Helpful

richard.schultz1
Level 1
Level 1
In response to johnlloyd_13

‎07-25-2016 07:35 PM

John,

"management" in this case is really just a moniker for our management vlan(s), not the actual management interface itself.

On this network it's the firewall itself as the gateway, a 3850 switch stack, a KVM, and a Cyclades.

The switch stack 10.0.100.11 responds to SNMP from 10.71.127.73 just fine, but the ASA 10.0.100.254 is no longer responding to them where as it used to prior to replacing hardware.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card