05-30-2018 05:13 AM - edited 02-21-2020 07:49 AM
Hi
I have been trying to set up SNMPv3 on our local ASA. The idea was to monitor traffic through the use of PRTG.
As far as I am aware I have created the user, group, created a network object and allowed SNMP and SNMP traps on the ASA through an extended ACL.
The group has been set up to use priv and the SHA, AES 256 bit is being used for the user.
The devices can ping one another.
I was wondering if the read/write access requires to be set up but I don't see the option in the ASA. Do groups by default have the relevant access to OIDs?
Thanks
Gareth
05-31-2018 12:08 AM
05-31-2018 12:30 AM
Hi Florin
Those are the notes I had followed. The software version is 9.8 :)
As further testing I set up SNMPv2c and it worked immediately.
I am thinking it must be related to SNMPv3 setup. I'll review again.
I can see the group had read access after reviewing yesterday. The strange thing I did see when I created another user is that an engine wasn't related to the user but the other user did have an engine related to it.
If I have problems I'll post the config for sure.
Gareth
05-31-2018 07:10 AM
Setting the "snmp-server" group/user/host should be enough for SNMPv3. But AES256 is quite uncommon and not supported everywhere, although the ASA is capable of doing that. I would first change to AES-128 and try again. And you don't need any additional access-control on the ASA that you want to access.
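The three "snmp-server" statements named in the reply above, as an added ASA configuration example that is not part of the original post. The group name, user name, passphrases, interface name `inside` and poller address 192.0.2.10 are constructed placeholders.

```cisco
! Added example, not from the thread. All names, passphrases and
! addresses below are constructed placeholders.
!
! 1. Group at the authPriv security level (authentication + encryption).
snmp-server group PRTG-GROUP v3 priv
!
! 2. User bound to that group. This is the variant discussed at the start
!    of the thread (AES 256), which the poller could not negotiate:
!    snmp-server user prtg-user PRTG-GROUP v3 auth sha <AUTH-PASSPHRASE> priv aes 256 <PRIV-PASSPHRASE>
!
!    Variant recommended in the reply (AES 128):
snmp-server user prtg-user PRTG-GROUP v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE>
!
! 3. Poller reachable through the inside interface, tied to the v3 user.
snmp-server host inside 192.0.2.10 version 3 prtg-user
!
! Checks after applying: confirm the user exists, is attached to the
! group, and that an engine ID is associated with it.
show snmp-server group
show snmp-server user
show snmp-server engineid
```

The monitoring tool must be configured with the same user name, SHA authentication, AES 128 privacy and both passphrases for the session to be created.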
05-31-2018 08:15 AM
Thanks Karsten
I haven't yet tested again today. I got distracted with NetFlow :) which was smooth sailing when setting up.
My next step was to test the auth and priv setup with SNMPv3.
I shall go with your recommendation and try AES 128.
I will of course let you know how I get on.
Regards,
Gareth
07-07-2018 01:39 AM
Thanks Karsten
This was indeed the answer. PRTG only works with 128 AES or below or DES.
Sorry for the late response and thanks again for the knowledge.
11-25-2018 10:04 PM
Hello guys!
I have the same problem: SNMPv2c works, but SNMPv3 doesn't. The "Solved" answer didn't help.
There are no errors on ASA logs.
I'm using PRTG for monitoring purposes.
PRTG says: "Could not create SNMP Session (-1114)".
Thanks for your time!
11-26-2018 06:59 AM
Hi
Have you used the free PRTG SNMP tester? It helped me out a lot especially when implementing SNMPv3.
https://www.paessler.com/tools/snmptester
You can use it for the purposes of testing SNMPv2 and SNMPv3. It's what helped me out when trying to troubleshoot my issues.
Regards,
Gareth