
ASA 5525-X SNMP not responding

tfabian-smith
Level 1

Hi All, 

 

I'm trying to set up SNMPv3 on one of my production ASA 5525-Xs. From what I'm seeing, the ASA is never responding to the SNMP GET requests being sent from my NMS. I've also tried configuring SNMPv2c and have gotten the same result. 

 

I am running ASA version 9.2(2)4 and ASDM version 7.3(1)101 on this device currently.

 

On this particular ASA, my network management subnet is associated with an interface called "P-Config". It is not using the "Management" port, but a regular gigabit Ethernet port. This interface is separate from my "Inside" interface. Additionally, the "Inside" interface is designated as the "Management Access Interface" in ASDM under "Management Access > Management Interface". As part of my testing, I have configured hosts in the "SNMP Host Access List" section of the SNMP config to use the "Inside" interface and the issue occurred on that interface as well. I am normally trying to set up the SNMP Host Access List entries using the P-Config interface. Both the "P-Config" and the "Inside" interface are security level 100.

 

On the P-Config interface, I have rules allowing UDP ports 161 and 162 from the network management subnet to my NMS and vice versa. I have also added a "permit ip any any" rule at the top of the ACL for the P-Config interface as part of testing. Unfortunately, none of these rules make a difference. Just in case it wasn't clear - the P-Config interface and my NMS are on the same subnet.

 

I have another ASA - a 5510 - that I use for testing purposes. It is running a similar code base, 9.1(5), and I was able to get SNMPv3 up and running for that device. It is communicating on my network management subnet and is using the same SNMPv3 credentials that I am entering into my production ASA. Same USM, same SNMP user, same SNMP user group. 

 

Doing a Wireshark packet trace from the NMS to the ASA shows SNMP GET packets getting to the P-Config interface on the ASA, but I never receive a response. And yes, I have turned on SNMP on the ASA. Using the Packet Trace tool in ASDM and from the CLI, when I trace with the Source IP set as the IP of the P-Config interface to the IP of the NMS, I get an ACL-drop response due to the "Implicit Deny" rule... even when I have the "permit ip any any" rule enabled at the top of my P-Config ACL.

 

Here is a sanitized version of my SNMP config (not including location, traps, etc.):

 

snmp-server group snmp-asa v3 priv
snmp-server user nms snmp-asa v3 encrypted auth md5 HASH priv des HASH
snmp-server user-list snmp-grp-asa username nms
snmp-server host P-Config 172.x.x.x version 3 nms

 

At this point, I'm stumped. I've been through all the documentation, forums, blog posts, etc, I can find. I have an open case with Cisco TAC as well and so far they've been unable to find the problem.

 

Any assistance is appreciated.
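The command sequence below is an added verification procedure for the symptom described above; it is not part of the original thread and is not Cisco's or TAC's recommendation. The interface name P-Config, the user nms and the group snmp-asa are taken from the posted config; the addresses 172.16.10.5 (NMS) and 172.16.10.1 (P-Config interface IP) and the passphrases are assumed placeholders.

```cisco
! Added example, not from the original post. Placeholder addresses:
!   172.16.10.5 = NMS, 172.16.10.1 = ASA P-Config interface IP (assumed).

! 1. Confirm the agent is enabled and which interface/host pairs it will answer.
!    Only hosts listed with "snmp-server host <ifc> <ip>" get a response; the
!    interface ACL does not gate SNMP that is addressed to the ASA itself.
show running-config snmp-server
show snmp-server host
show snmp-server group
show snmp-server user nms
! "SNMP packets input" should climb with every GET the NMS sends.
show snmp-server statistics

! 2. Simulate the inbound GET as the NMS sends it (source = NMS, destination =
!    the interface's own address). packet-tracer models a packet entering an
!    interface; tracing with the interface IP as the source, as in the post,
!    models a spoofed transit packet, not the ASA's locally generated reply.
packet-tracer input P-Config udp 172.16.10.5 49152 172.16.10.1 161 detailed

! 3. Capture only what the ASA itself discards, then poll from the NMS.
clear asp drop
capture snmp_drop type asp-drop all match udp host 172.16.10.5 host 172.16.10.1 eq 161
! ... send a few GETs from the NMS, then inspect ...
show capture snmp_drop
show asp drop
no capture snmp_drop

! 4. Once the agent answers, move the user off md5/des. The 9.2 train
!    supports SHA authentication and AES privacy (passphrases are placeholders).
snmp-server user nms snmp-asa v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase>
```

Step 2 and step 3 separate the two possible failures: a drop recorded by packet-tracer or the asp-drop capture means the ASA discarded the GET, while a rising "SNMP packets input" counter with no reply means the agent received it and did not answer, which is the case a reload addresses rather than an ACL change.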

 


3 Replies

Florin Barhala
Level 6
Two quick ideas:
- I would search the release notes of the software version for any SNMP related bug/info
- please share the output of the "capture solve_snmp type asp-drop match ip snmp_server_IP"

Hey there - sorry for the delayed response. 

 

Turns out the answer was to reload the ASA. Ah, the first rule of IT troubleshooting: "Turn it off and back on."

 

Thanks for the reply!

Ok - glad it worked!