Cisco ASA- Configuring snmp over the IPSEC tunnel

Hello experts @balaji.bandi @Marvin Rhoads @Rob Ingram

I have an ASA at site 1 and it is connected via IPsec VPN with site 2. At site 2 I have an SNMP server (SolarWinds Orion) set up.

I can't add the ASA to the SNMP server for polling.

I can ping the ASA inside/management interface from the SNMP server, but I can't ping the SNMP server from the ASA inside interface.

If I try to connect for SNMP from within the inside network it works fine, but not over the VPN.


@LovejitSingh130013 

You'll need to have the command "management-access inside" configured to access the inside interface over a VPN for management purposes, such as SNMP, SSH, etc.

You cannot select a source interface for a ping on the ASA; it will always use the egress interface (probably your outside interface).

This command is already there and I can ping the ASA inside interface from the SNMP server (over the IPsec). But SNMP is failing on it.

These are the SNMP-related commands I added. Am I missing anything?

ASA(config)# sh run | i snmp
snmp-server host inside 10.110.111.48 poll community ***** version 2c
no snmp-server location
no snmp-server contact
inspect snmp

@LovejitSingh130013 

Ok, refer to this post and see the reply about appending the "route-lookup" command to your NAT exemption rule.

https://community.cisco.com/t5/security-documents/asa-snmp-polling-via-vpn-site-to-site-tunnel/ta-p/3154865

 

It is already there.

Ok, run through this ASA SNMP troubleshooting guide, run the different tests and provide the output of the packet-tracer and packet capture. Also provide the output of "show snmp-server statistics".

https://community.cisco.com/t5/security-documents/snmp-configuration-verification-and-troubleshooting-on-asa/ta-p/4300068

 

Output for sh snmp-server statistics:

Groff-ASA(config)# sh snmp-server statistics
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Get-bulk PDUs
0 Set-request PDUs (Not supported)
0 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs

I will post the packet captures shortly.

ASA(config)# sh capture
capture snmpv2 type raw-data interface inside [Capturing - 0 bytes]
match udp host 10.255.255.18 eq snmp host 10.110.111.48

I don't see any traffic so far.

I can poll 10.255.255.17 which is the switch directly connected to the ASA inside interface.

@Rob Ingram Worked with TAC and it's a bug in the 9.14 firmware. It is fixed in 9.15.

Thanks for your help. Config was correct.

Any workaround available? I'm on an ASA5555 and the latest software currently available is 9.14(3)15

Firmware needs to be upgraded.

Did TAC happen to share the Bug ID with you?

Marvin Rhoads
Hall of Fame

Besides the bugID mentioned by @Rob Ingram, this is a change of behavior introduced in ASA 9.14(2) and affects any ASA release at that version or higher. Basically you need to add the outside address of the remote ASA in the crypto map (at both ends) and then poll the remote ASA using the outside address (traffic is still protected in the IPsec VPN). Make sure you have allowed the remote NMS as an SNMP host via the outside interface.

Reference:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/release/notes/asarn914.html#reference_xqs_mvp_xhb
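As an added illustration of Marvin Rhoads' recommendation (this is not configuration from the thread or from Cisco's documentation), here is how the crypto map change, the outside-interface SNMP host and the matching NAT exemption with "route-lookup" from Rob Ingram's earlier link fit together. It assumes an ASA at each end, keeps the addresses already shown in the thread (NMS 10.110.111.48, polled ASA inside 10.255.255.18) and uses placeholder values for everything else: site 1 outside address 203.0.113.1, site 2 outside address 198.51.100.1, crypto map name OUTSIDE_MAP, crypto ACL names VPN-TO-SITE2 / VPN-TO-SITE1, object names NMS-HOST / SITE1-ASA-OUTSIDE and a community string placeholder.

```cisco
! ---- Site 1: the polled ASA ----
! Thread values: NMS 10.110.111.48, ASA inside 10.255.255.18.
! Assumed values: site 1 outside address 203.0.113.1, crypto map OUTSIDE_MAP,
! crypto ACL VPN-TO-SITE2, site 2 outside address 198.51.100.1.
!
! Existing LAN-to-LAN selector stays as it is.
access-list VPN-TO-SITE2 extended permit ip 10.255.255.0 255.255.255.0 10.110.111.0 255.255.255.0
! New on 9.14(2) and later: the ASA's own outside address talking to the NMS must
! also be "interesting" traffic so the polls and responses ride inside the tunnel.
access-list VPN-TO-SITE2 extended permit ip host 203.0.113.1 host 10.110.111.48
! The crypto map entry already references the ACL; shown for completeness.
crypto map OUTSIDE_MAP 10 match address VPN-TO-SITE2
! Accept polls from the NMS on the outside interface (the existing
! "snmp-server host inside ..." entry can stay for polling from the local LAN).
snmp-server host outside 10.110.111.48 poll community <community-string> version 2c

! ---- Site 2: the ASA in front of the NMS (mirror of the new selector) ----
access-list VPN-TO-SITE1 extended permit ip 10.110.111.0 255.255.255.0 10.255.255.0 255.255.255.0
access-list VPN-TO-SITE1 extended permit ip host 10.110.111.48 host 203.0.113.1
crypto map OUTSIDE_MAP 10 match address VPN-TO-SITE1
! Keep NMS -> site 1 outside address out of the interface PAT, with route-lookup
! as in the NAT-exemption post linked earlier (assumes a dynamic PAT rule exists).
object network NMS-HOST
 host 10.110.111.48
object network SITE1-ASA-OUTSIDE
 host 203.0.113.1
nat (inside,outside) source static NMS-HOST NMS-HOST destination static SITE1-ASA-OUTSIDE SITE1-ASA-OUTSIDE no-proxy-arp route-lookup

! ---- Verification on site 1 once the NMS polls 203.0.113.1 ----
! A second IPsec SA, for the host/host selector, should appear next to the subnet/subnet one.
show crypto ipsec sa peer 198.51.100.1
! "SNMP packets input" must climb; if it stays at 0 the polls never reach the SNMP process.
show snmp-server statistics
```

The poller itself has to be re-pointed at the outside address: as long as it keeps polling 10.255.255.18 over the tunnel, the counters in "show snmp-server statistics" stay at zero exactly as in the output earlier in this thread.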

james.mathieson
Level 1

I've been having trouble getting this working as well and have just stumbled across this supposed new feature.

It seems a step backwards to me as when you set the management interface to inside, SNMP traffic did go through the VPN already, without having to add all this extra config, firewall rules and sometimes an extra route.

Maybe I've understood this all wrong but I'm sure it was done for a reason.
