04-25-2018 10:39 AM - edited 02-21-2020 07:40 AM
Hi All,
I'm trying to set up SNMPv3 on one of my production ASA 5525-Xs. From what I'm seeing, the ASA is never responding to the SNMP GET requests being sent from my NMS. I've also tried configuring SNMPv2c and have gotten the same result.
I am running ASA version 9.2(2)4 and ASDM version 7.3(1)101 on this device currently.
On this particular ASA, my network management subnet is associated with an interface called "P-Config". It is not using the "Management" port, but a regular gigabit Ethernet port. This interface is separate from my "Inside" interface. Additionally, the "Inside" interface is designated as the "Management Access Interface" in ASDM under "Management Access > Management Interface". As part of my testing, I have configured hosts in the "SNMP Host Access List" section of the SNMP config to use the "Inside" interface and the issue occurred on that interface as well. I am normally trying to set up the SNMP Host Access List entries using the P-Config interface. Both the "P-Config" and the "Inside" interface are security level 100.
On the P-Config interface, I have rules allowing UDP ports 161 and 162 from the network management subnet to my NMS and vice versa. I have also added a "permit ip any any" rule at the top of the ACL for the P-Config interface as part of testing. Unfortunately, none of these rules make a difference. Just in case it wasn't clear - the P-Config interface and my NMS are on the same subnet.
I have another ASA - a 5510 - that I use for testing purposes. It is running a similar code base, 9.1(5), and I was able to get SNMPv3 up and running for that device. It is communicating on my network management subnet and is using the same SNMPv3 credentials that I am entering into my production ASA. Same USM, same SNMP user, same SNMP user group.
Doing a wireshark packet trace from the NMS to the ASA shows SNMP GET packets getting to the P-Config interface on the ASA, but I never receive a response. And yes, I have turned on SNMP on the ASA. Using the Packet Trace tool in ASDM and from the CLI, when I trace with the Source IP set as the IP of the P-Config interface to the IP of the NMS, I get an ACL-drop response due to the "Implicit Deny" rule... even when I have the "permit ip any any" rule enabled at the top of my P-Config ACL.
Here is a santizied version of my SNMP config (not including location, traps, etc):
snmp-server group snmp-asa v3 priv
snmp-server user nms snmp-asa v3 encrypted auth md5 HASH priv des HASH
snmp-server user-list snmp-grp-asa username nms
snmp-server host P-Config 172.x.x.x version 3 nms
At this point, I'm stumped. I've been through all the documentation, forums, blog posts, etc, I can find. I have an open case with Cisco TAC as well and so far they've been unable to find the problem.
Any assistance is appreciated.
Solved! Go to Solution.
05-03-2018 06:58 AM
Hey there - sorry for the delayed response.
Turns out the answer was to reload the ASA. Ah, the first rule of IT troubleshooting: "Turn it off and back on."
Thanks for the reply!
04-26-2018 01:39 AM
05-03-2018 06:58 AM
Hey there - sorry for the delayed response.
Turns out the answer was to reload the ASA. Ah, the first rule of IT troubleshooting: "Turn it off and back on."
Thanks for the reply!
05-04-2018 01:48 AM
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: