Hi, we have an ASA5525 9.2(2)4 active/active failover cluster in multi-context mode, with 4 active contexts (3 + admin).
Two of the three contexts seem to have no problems; the last context we configured shows several NMS reading problems.
The suffering context's configuration is very simple: two interfaces, with inside surfing the internet NATted on the outside interface, no ACL and everything else left at default settings. We noticed many "holes" in the graphs and false-positive alarms on failover status checks. Almost all of the NMS reads are collected via SNMP v2c, incoming on the outside interface (I know, insecure), originating from public addresses.
Focusing on ASA behaviour we discovered this situation: when holes occur, the NMS faces timeouts on SNMP walk/read and the ASA logs the following message
- the problem has been solid for hours, so the NMS reports SNMP reading timeouts - from the console:
hostname/act/context-name# show conn address NMS-PUB-IP
7009 in use, 10139 most used
hostname/act/context-name# sho xlate global NMS-PUB-IP
7128 in use, 9604 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
so it looks like there are no conns nor xlates (I mean for the NMS address).
I went for a fairly random check on conns/xlates, since what I'm trying to do is management access, not production conns:
hostname/act/context-name# show xlate gport 161-162
6912 in use, 9604 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
UDP PAT from inside:192.168.118.2/123 to outside:one_of.our_pub.ip_space.host/162 flags ri idle 0:01:46 timeout 0:00:30
UDP PAT from inside:192.168.122.6/123 to outside:one_of.our_pub.ip_space.host/161 flags ri idle 0:20:09 timeout 0:00:30
hostname/act/context-name#
so why do I see that kind of xlate??? I would expect no outbound xlate using SNMP ports, especially for NATting NTP traffic. Anyway, going ahead, I tried clearing something while looking for what was blocking my SNMP from outside, and logged this:
Jun 17 2015 16:02:03 106023 NMS_HOST-PUB-ADDR 44321 192.168.122.6 123 Deny udp src outside:NMS_HOST-PUB-ADDR/44321 dst inside:192.168.122.6/123 by access-group "outside_access_in" [0x0, 0x0]
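The two xlate lines above show dynamic PAT handing out global ports 161 and 162 on the outside interface address, which is the same address the NMS polls; a quick way to spot this class of collision is to parse `show xlate` output and flag dynamic PAT entries whose mapped port is a management port. The script below is an added example, not the poster's or Cisco's code; the sample output is constructed from the lines on this page with the obfuscated public host replaced by the documentation address 203.0.113.10, and the set of "management" ports is an assumption you would adjust to the services actually offered on the interface.

```python
import re

# Ports on which management protocols are expected to reach the firewall's own
# interface address (assumed set; adjust to what is really enabled there).
MANAGEMENT_PORTS = {22, 161, 162, 443}

# One "show xlate" PAT line, e.g.
# "UDP PAT from inside:192.168.118.2/123 to outside:203.0.113.10/162 flags ri idle 0:01:46 timeout 0:00:30"
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<real_if>\S+?):(?P<real_ip>[^/\s]+)/(?P<real_port>\d+)"
    r" to (?P<map_if>\S+?):(?P<map_ip>[^/\s]+)/(?P<map_port>\d+)"
    r" flags (?P<flags>\S+) idle (?P<idle>\S+) timeout (?P<timeout>\S+)"
)

# Constructed sample: the counters/legend lines plus PAT entries, two of which
# mirror the page's 161/162 entries and one that is an ordinary high port.
SAMPLE_XLATE_OUTPUT = """\
6912 in use, 9604 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
UDP PAT from inside:192.168.118.2/123 to outside:203.0.113.10/162 flags ri idle 0:01:46 timeout 0:00:30
UDP PAT from inside:192.168.122.6/123 to outside:203.0.113.10/161 flags ri idle 0:20:09 timeout 0:00:30
TCP PAT from inside:192.168.122.9/51544 to outside:203.0.113.10/34567 flags ri idle 0:00:03 timeout 0:00:30
"""


def parse_xlate(line):
    """Return a dict for a PAT xlate line, or None for counters/legend/unknown lines."""
    m = XLATE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["real_port"] = int(entry["real_port"])
    entry["map_port"] = int(entry["map_port"])
    return entry


def find_management_port_collisions(output, mgmt_ports=MANAGEMENT_PORTS):
    """Dynamic ('i' flag) PAT xlates whose mapped global port is a management port."""
    hits = []
    for line in output.splitlines():
        entry = parse_xlate(line)
        if entry and "i" in entry["flags"] and entry["map_port"] in mgmt_ports:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for h in find_management_port_collisions(SAMPLE_XLATE_OUTPUT):
        print(f"{h['proto']} {h['real_ip']}/{h['real_port']} -> "
              f"{h['map_if']}:{h['map_ip']}/{h['map_port']} (flags {h['flags']})")
```

Feed it the captured output of `show xlate` (or `show xlate gport 1-1023`) for the context; any hit is a PAT entry that will shadow management traffic to that interface address until it times out.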