Cisco ASA- Configuring snmp over the IPSEC tunnel

Hello experts @balaji.bandi @Marvin Rhoads @Rob Ingram

I have an ASA at site 1, and it is connected via an IPsec VPN to site 2. At site 2 I have an SNMP server (SolarWinds Orion) set up.

I can't add the ASA to the SNMP server for polling.

I can ping the ASA inside/management interface from the SNMP server, but I can't ping the SNMP server from the ASA inside interface.

If I try to connect from within the inside network for SNMP, it works fine, but not over the VPN.


It is believed that this is a side effect of ASA 9.14, where snmpd was implemented as an external process running outside of ASA/Lina, which is accessible via the internal nlp_int_tap interface through internal NAT. This caused the incompatibility. Only TAC can tell if this is going to be fixed (has been fixed?).

 

Thanks for the info.

After more digging, it seems it's been fixed, or rather that there's a proper workaround in 9.18.

In 9.18 you can have loopbacks and they're compatible with SNMP etc, so that's what I'm going to do.

Cisco do make some bad decisions these days.  Don't get me started on Firepower.
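
An added illustration of the loopback workaround mentioned above; this is not configuration from the original thread or from Cisco documentation, and it assumes the 9.18 behaviour that a loopback can act as the SNMP listener and be polled through a site-to-site tunnel. Interface names (mgmt-lo, outside), addresses (192.0.2.1 for the loopback, 198.51.100.10 for the Orion poller, 10.1.0.0/24 and 10.2.0.0/24 for the two LANs), the crypto ACL name and the SNMPv3 user/group names are placeholders.

```cisco
! Assumed addressing (placeholders, not from the thread):
!   192.0.2.1      loopback on the site 1 ASA, the address Orion will poll
!   198.51.100.10  SolarWinds Orion poller at site 2
!   10.1.0.0/24    site 1 inside, 10.2.0.0/24 site 2 inside

! 1. Loopback that owns the management address (ASA 9.18 and later).
interface Loopback1
 nameif mgmt-lo
 security-level 100
 ip address 192.0.2.1 255.255.255.255

! 2. Add the loopback <-> poller pair to the tunnel's crypto ACL so that
!    the SNMP traffic is encrypted. The existing LAN-to-LAN line stays.
access-list L2L-SITE2 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list L2L-SITE2 extended permit ip host 192.0.2.1 host 198.51.100.10

! 3. Bind SNMP to the loopback. SNMPv3 authPriv instead of a community
!    string, so a leaked crypto ACL or capture does not expose the poll.
!    Replace the two keys before use.
snmp-server group ORION-GRP v3 priv
snmp-server user orion-poller ORION-GRP v3 auth sha AuthKeyChangeMe priv aes 256 PrivKeyChangeMe
snmp-server host mgmt-lo 198.51.100.10 poll version 3 orion-poller
snmp-server location "Site 1"
snmp-server contact "netops"
```

After applying it, point Orion at 192.0.2.1 (not the inside interface address) and check `show crypto ipsec sa` for a child SA whose local identity is 192.0.2.1/32 and remote identity 198.51.100.10/32; if no SA forms, the crypto ACL line or the remote peer's mirror-image ACL is the first thing to look at. This assumes that, unlike the inside interface, the loopback does not need `management-access` to be reachable over the tunnel; verify that against the release notes for the exact 9.18 build in use.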

9.18 doesn't seem to be available anymore...  Cisco really did go backwards on this one.  Monitoring via internal IP through a tunnel is secure and is industry standard.

I completely agree that this is a step backwards, and after reading the bug report it seems a BIG step backwards. Seeing all the affected releases too.

Despite that, it really makes it harder to poll our devices correctly now, having to implement e.g. 10 rules instead of just 1 or 2.

Besides the issue of out --> in not being possible for another interface --> interface, not being able to SNMP is a downfall.

Definitely! I think someone thought "Oh, this will be better..." It is not better and is going to lose product loyalty, especially in the smaller firewall arena.