06-17-2021 11:19 AM
Hello experts @balaji.bandi @Marvin Rhoads @Rob Ingram
I have an ASA at site 1 and it is connected via IPsec VPN with site 2. At site 2 I have an SNMP server (SolarWinds Orion) set up.
I can't add the ASA on the SNMP server for polling.
I can ping the ASA inside/management interface from the SNMP server, but I can't ping the SNMP server from the ASA inside interface.
If I try to connect within the inside network for SNMP it works fine, but not over VPN.
06-05-2023 07:35 AM
It is believed that this is a side effect of ASA 9.14, where snmpd was implemented as an external process running outside of ASA/Lina, which is accessible via internal nlp_int_tap interface through internal NAT. This caused incompatibility. Only TAC can tell if this is going to be fixed (has been fixed?).
06-07-2023 11:30 AM
Thanks for the info.
After more digging it seems it's been fixed, or more of a proper workaround in 9.18.
In 9.18 you can have loopbacks and they're compatible with SNMP etc, so that's what I'm going to do.
Cisco do make some bad decisions these days. Don't get me started on Firepower.
06-28-2023 04:39 PM
9.18 doesn't seem to be available anymore... Cisco really did go backwards on this one. Monitoring via internal IP through a tunnel is secure and is industry standard.
08-15-2023 02:37 AM
I completely agree that this is a step backwards, and after reading the bug report it seems a BIG step backwards. Seeing all the affected releases too.
Despite that, it really makes it harder to poll our devices correctly now, having to implement e.g. 10 rules instead of just 1 or 2.
Besides the issue of out --> in not being possible for another interface --> interface, not being able to SNMP is a downfall.
08-15-2023 07:23 AM