
ASA - SNMPv3 (PRTG)

Gareth_Tait

Hi

 

I have been trying to set up SNMPv3 on our local ASA. The idea was to monitor traffic through the use of PRTG.

 

As far as I am aware I have created the user, group, created a network object and allowed SNMP and SNMP traps on the ASA through an extended ACL.

 

The group has been set up to use priv, and SHA with AES 256-bit is being used for the user.

 

The devices can ping one another.

 

I was wondering if the read/write access needs to be set up, but I don't see the option in the ASA. Do groups by default have the relevant access to OIDs?

 

Thanks

Gareth

1 Accepted Solution


Setting the "snmp-server" group/user/host should be enough for SNMPv3. But AES256 is quite uncommon and not everywhere supported although the ASA is capable of doing that. I would first change to AES-128 and try again. And you don't need any additional access-control on the ASA that you want to access.


Florin Barhala
Here's what I did: on Google I typed "cisco asa configure snmpv3" and I landed here
https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_snmp.html#wp1286613

Now you probably have a newer version than 8.4 but SNMP config should be similar.
From the document:

"The ASA supports SNMP read-only access through issuance of a GET request. SNMP write access is not allowed, so you cannot make changes with SNMP. In addition, the SNMP SET request is not supported."

If you go through the document and still can't make it, please post your config.

Hi Florin


Those are the notes I had followed. The software version is 9.8 :)

 

As further testing I set up SNMPv2c and it worked immediately.

 

I am thinking it must be related to SNMPv3 setup. I'll review again.

 

I can see the group had read access after reviewing yesterday. The strange thing I did see when I created another user is that an engine wasn't related to the user but the other user did have an engine related to it.

 

If I have problems I'll post the config for sure.

 

Gareth


Thanks Karsten

I haven't yet tested again today. I got distracted with NetFlow :) which was smooth sailing when setting up.

 

My next step was to test the auth and priv setup with SNMPv3.

 

I shall go with your recommendation and try AES 128.

 

I will of course let you know how I get on.

 

Regards,

Gareth

 

Thanks Karsten

 

This was indeed the answer. PRTG only works with 128 AES or below or DES.

 

Sorry for the late response and thanks again for the knowledge.
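
Background on why AES-256 is the interoperability risk in this thread, as an added example that is not part of any post and not Cisco's or Paessler's code: RFC 3414 derives a 20-byte SHA-1 key bound to the agent's engine ID, RFC 3826 standardizes only AES-128 (the first 16 bytes of that key), and the 32 bytes AES-256 needs are produced by two expired Internet-Drafts in different ways. The passphrase and first engine ID are the RFC 3414 test values, the function names and second engine ID are illustrative, and which extension a given agent or manager implements has to be checked per product.

```python
import hashlib

def password_to_key(secret: bytes) -> bytes:
    """RFC 3414 A.2.2 with SHA-1: hash 1 MiB of the repeated secret."""
    if not secret:
        raise ValueError("empty secret")
    reps, rem = divmod(1048576, len(secret))
    return hashlib.sha1(secret * reps + secret[:rem]).digest()

def localize(ku: bytes, engine_id: bytes) -> bytes:
    """Bind the key to one agent: Kul = SHA1(Ku || engineID || Ku)."""
    return hashlib.sha1(ku + engine_id + ku).digest()

def aes128_key(kul: bytes) -> bytes:
    """RFC 3826: AES-128 uses the first 16 octets of the localized key."""
    return kul[:16]

def aes256_key_blumenthal(kul: bytes) -> bytes:
    """draft-blumenthal-aes-usm: append SHA1(Kul), truncate to 32 octets."""
    return (kul + hashlib.sha1(kul).digest())[:32]

def aes256_key_reeder(kul: bytes, engine_id: bytes) -> bytes:
    """draft-reeder-snmpv3-usm-3desede: run password-to-key on Kul,
    localize the result, append it, truncate to 32 octets."""
    return (kul + localize(password_to_key(kul), engine_id))[:32]

# Constructed inputs: passphrase and engine ID of the RFC 3414 A.3.2 vector.
PASSPHRASE = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")
OTHER_ENGINE_ID = bytes.fromhex("000000000000000000000003")  # constructed

def demo() -> dict:
    ku = password_to_key(PASSPHRASE)
    kul = localize(ku, ENGINE_ID)
    return {
        "kul": kul.hex(),
        # Same user and passphrase, different engine ID: a different key.
        "kul_other_engine": localize(ku, OTHER_ENGINE_ID).hex(),
        "aes128": aes128_key(kul).hex(),
        # Both sides agree on AES-128 but can disagree on the last 12 octets.
        "aes256_blumenthal": aes256_key_blumenthal(kul).hex(),
        "aes256_reeder": aes256_key_reeder(kul, ENGINE_ID).hex(),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

If the agent and the manager extend the key differently, the privacy keys do not match and decryption fails even though user, passphrase and engine ID are all correct, while the same credentials work with AES-128.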

salimibrogimov

Hello guys!

I have the same problem: SNMPv2c works, but SNMPv3 doesn't. The "Solved" answer didn't help.

There are no errors in the ASA logs.

I'm using PRTG for monitoring purposes.

PRTG says: "Could not create SNMP Session (-1114)".

Thanks for your time!

Hi

 

Have you used the free PRTG SNMP tester? It helped me out a lot especially when implementing SNMPv3.

 

https://www.paessler.com/tools/snmptester

 

You can use it for the purposes of testing SNMPv2 and SNMPv3. It's what helped me out when trying to troubleshoot my issues.

 

Regards,

Gareth
