cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1387
Views
5
Helpful
3
Replies
Beginner

ASA 5525-X SNMP not responding

Hi All, 

 

I'm trying to set up SNMPv3 on one of my production ASA 5525-Xs. From what I'm seeing, the ASA is never responding to the SNMP GET requests being sent from my NMS. I've also tried configuring SNMPv2c and have gotten the same result. 

 

I am running ASA version 9.2(2)4 and ASDM version 7.3(1)101 on this device currently.

 

On this particular ASA, my network management subnet is associated with an interface called "P-Config". It is not using the "Management" port, but a regular gigabit Ethernet port. This interface is separate from my "Inside" interface. Additionally, the "Inside" interface is designated as the "Management Access Interface" in ASDM under "Management Access > Management Interface". As part of my testing, I have configured hosts in the "SNMP Host Access List" section of the SNMP config to use the "Inside" interface and the issue occurred on that interface as well. I am normally trying to set up the SNMP Host Access List entries using the P-Config interface. Both the "P-Config" and the "Inside" interface are security level 100.

 

On the P-Config interface, I have rules allowing UDP ports 161 and 162 from the network management subnet to my NMS and vice versa. I have also added a "permit ip any any" rule at the top of the ACL for the P-Config interface as part of testing. Unfortunately, none of these rules make a difference. Just in case it wasn't clear - the P-Config interface and my NMS are on the same subnet.

 

I have another ASA - a 5510 - that I use for testing purposes. It is running a similar code base, 9.1(5), and I was able to get SNMPv3 up and running for that device. It is communicating on my network management subnet and is using the same SNMPv3 credentials that I am entering into my production ASA. Same USM, same SNMP user, same SNMP user group. 

 

Doing a wireshark packet trace from the NMS to the ASA shows SNMP GET packets getting to the P-Config interface on the ASA, but I never receive a response. And yes, I have turned on SNMP on the ASA. Using the Packet Trace tool in ASDM and from the CLI, when I trace with the Source IP set as the IP of the P-Config interface to the IP of the NMS, I get an ACL-drop response due to the "Implicit Deny" rule... even when I have the "permit ip any any" rule enabled at the top of my P-Config ACL.

 

Here is a santizied version of my SNMP config (not including location, traps, etc): 

 

snmp-server group snmp-asa v3 priv
snmp-server user nms snmp-asa v3 encrypted auth md5 HASH priv des HASH
snmp-server user-list snmp-grp-asa username nms
snmp-server host P-Config 172.x.x.x version 3 nms

 

At this point, I'm stumped. I've been through all the documentation, forums, blog posts, etc, I can find. I have an open case with Cisco TAC as well and so far they've been unable to find the problem.

 

Any assistance is appreciated.

 

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Beginner

Re: ASA 5525-X SNMP not responding

Hey there - sorry for the delayed response. 

 

Turns out the answer was to reload the ASA. Ah, the first rule of IT troubleshooting: "Turn it off and back on."

 

Thanks for the reply!

View solution in original post

3 REPLIES 3
Highlighted
Frequent Contributor

Re: ASA 5525-X SNMP not responding

Two quick ideas:
- I would search the release notes of the software version for any SNMP related bug/info
- please share the output of the "capture solve_snmp type asp-drop match ip snmp_server_IP"
Highlighted
Beginner

Re: ASA 5525-X SNMP not responding

Hey there - sorry for the delayed response. 

 

Turns out the answer was to reload the ASA. Ah, the first rule of IT troubleshooting: "Turn it off and back on."

 

Thanks for the reply!

View solution in original post

Highlighted
Frequent Contributor

Re: ASA 5525-X SNMP not responding

Ok - glad it worked !