06-17-2021 11:19 AM
Hello experts @balaji.bandi @Marvin Rhoads @Rob Ingram
I have an ASA at site 1 and it is connected via IPsec VPN to site 2. At site 2 I have the SNMP server (SolarWinds Orion) set up.
I can't add the ASA to the SNMP server for polling.
I can ping the ASA inside/management interface from the SNMP server, but I can't ping the SNMP server from the ASA inside interface.
If I try to connect from within the inside network for SNMP it works fine, but not over the VPN.
06-17-2021 11:24 AM - edited 06-17-2021 11:41 AM
You'll need to have the command "management-access inside" configured, to access the inside interface over a VPN for mgmt purposes, such as snmp, ssh etc.
You cannot select a source interface for a ping on the ASA, it will always use the egress interface (probably your outside interface).
06-17-2021 12:39 PM
This command is already there and I can ping the ASA inside interface from the SNMP server (over the IPsec). But SNMP is failing on it.
These are the SNMP-related commands I added. Am I missing anything?
ASA(config)# sh run | i snmp
snmp-server host inside 10.110.111.48 poll community ***** version 2c
no snmp-server location
no snmp-server contact
inspect snmp
06-17-2021 12:47 PM
Ok, refer to this post and see the reply about appending the "route-lookup" command to your NAT exemption rule.
06-17-2021 12:56 PM
It is already there.
06-17-2021 01:02 PM
Ok, run through this ASA SNMP troubleshooting guide, run the different tests and provide the output of the packet-tracer and packet capture. Also provide the output of "show snmp-server statistics".
06-17-2021 01:08 PM
Output for sh snmp-server statistics:
Groff-ASA(config)# sh snmp-server statistics
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Get-bulk PDUs
0 Set-request PDUs (Not supported)
0 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs
I will post the Packet captures shortly
06-17-2021 01:27 PM
ASA(config)# sh capture
capture snmpv2 type raw-data interface inside [Capturing - 0 bytes]
match udp host 10.255.255.18 eq snmp host 10.110.111.48
I don't see any traffic so far.
I can poll 10.255.255.17, which is a switch directly connected to the ASA inside interface.
06-29-2021 08:41 AM
@Rob Ingram Worked with TAC and it's a bug in 9.14 firmware. It is fixed in 9.15.
Thanks for your help. The config was correct.
12-10-2021 05:50 PM
Any workaround available? I'm on an ASA5555 and the latest software currently available is 9.14(3)15.
03-17-2022 09:43 AM
Firmware needs to be upgraded.
07-20-2022 10:19 AM
Did TAC happen to share the Bug ID with you?
07-20-2022 10:39 AM
12-07-2022 08:43 AM - edited 12-07-2022 08:43 AM
Besides the bug ID mentioned by @Rob Ingram, this is a change of behavior introduced in ASA 9.14(2) and affects any ASA release at that version or higher. Basically you need to add the outside address of the remote ASA in the crypto map (at both ends) and then poll the remote ASA using the outside address (traffic is still protected in the IPsec VPN). Make sure you have allowed the remote NMS as an SNMP host via the outside interface.
Reference:
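The two configurations discussed in this thread side by side, as an added illustration that is not from any poster: the pre-9.14(2) approach (management-access inside plus a NAT exemption with route-lookup, polling the inside address) and the 9.14(2)+ approach from the reply above (the ASA's own outside address in the crypto ACL, polled via the outside interface). The NMS address 10.110.111.48 and inside host 10.255.255.18 come from the thread; the outside address 203.0.113.1, the community string and the object, ACL and crypto map names are constructed placeholders.

```cisco
! Constructed example. NMS (site 2) = 10.110.111.48 and ASA inside = 10.255.255.18
! are from the thread; 203.0.113.1 (site 1 ASA outside), the community string and the
! names INSIDE-NET / NMS-NET / VPN-ACL / OUTSIDE_MAP are placeholders.
object network INSIDE-NET
 subnet 10.255.255.0 255.255.255.0
object network NMS-NET
 subnet 10.110.111.0 255.255.255.0
!
! --- Releases before 9.14(2): poll the inside address through the tunnel ---
! Allow management of the inside interface from the far side of the VPN
management-access inside
! NAT exemption for the site-to-site traffic; route-lookup makes the ASA route the
! reply to the NMS by routing table (into the tunnel) instead of by the NAT rule
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static NMS-NET NMS-NET route-lookup
! Crypto ACL: inside LAN <-> NMS LAN is the interesting traffic
access-list VPN-ACL extended permit ip object INSIDE-NET object NMS-NET
crypto map OUTSIDE_MAP 10 match address VPN-ACL
! NMS allowed to poll via the inside interface (the form shown in the thread)
snmp-server host inside 10.110.111.48 poll community EXAMPLE-RO version 2c
!
! --- 9.14(2) and later, per the reply above ---
! The ASA's own outside address must itself be protected by the crypto ACL ...
access-list VPN-ACL extended permit ip host 203.0.113.1 object NMS-NET
! ... and the NMS must be allowed as an SNMP host on the outside interface, then
! polled at 203.0.113.1 (still inside the IPsec tunnel)
snmp-server host outside 10.110.111.48 poll community EXAMPLE-RO version 2c
!
! Mirror entry for the crypto ACL on the site 2 peer (its ACL name is also assumed):
!   access-list VPN-ACL extended permit ip object NMS-NET host 203.0.113.1
```

After the change, "show snmp-server statistics" on the ASA should start counting "SNMP packets input", and a capture on the outside interface matching udp eq snmp between 203.0.113.1 and 10.110.111.48 should show the polls.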
06-04-2023 02:40 AM
I've been having trouble getting this working as well and have just stumbled across this supposed new feature.
It seems a step backwards to me as when you set the management interface to inside, SNMP traffic did go through the VPN already, without having to add all this extra config, firewall rules and sometimes an extra route.
Maybe I've understood this all wrong but I'm sure it was done for a reason.