Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
936
Views
0
Helpful
2
Replies

Cisco ASA SNMP management interface error

BVC
Level 1
Level 1

‎06-07-2022 08:32 AM

Currently I have two Firepower 4112s that are both running ASA software, these two ASAs are setup for HA and both are in single context mode. I've managed to successfully enable SNMP polls and traps on the primary ASA using the dedicated management interface (IP 172.16.1.3), the ASA is getting polled by LibreNMS on 172.16.1.50. Ever since enabling SNMP I've been getting the same syslog error 418001 (see the syslog message at bottom), if I'm understanding the log correctly it shouldn't be a problem that the NMS is sending ICMP messages to the 172.16.1.3 from 172.16.1.50 as both IPs are on the same subnet and VLAN and it's not trying to contact the ASA on 172.16.1.3 via another physical interface on the firewall. This syslog message is occurring very frequently as LibreNMS polls the firewall with ICMP. Any help will be appreciated on this. 

 

Through-the-device packet to/from management-only network is denied: icmp src management:172.16.1.50 dst nlp_int_tap:172.16.1.3 (type 3, code 13)

0 Helpful
2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

‎06-07-2022 09:17 AM

Look at the syslog :418001

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs4.html

 

Through-the-device packet to/from management-only network is denied: icmp src management:172.16.1.50 dst nlp_int_tap:172.16.1.3 (type 3, code 13)

Can you post route information, are you able to reach those IP each other ..no drops ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

BVC
Level 1
Level 1
In response to balaji.bandi

‎06-08-2022 04:07 AM

Both devices can contact each other via ping and SNMP, no drops. Looking at both routing tables (normal and management) it goes via OSPF on the normal routing table to get to 172.16.1.50 (since there is not interface on that network besides the dedicated management interface). While the management table shows the 172.16.1.0 network is directly connected. I'm wondering what interface/route the ASA is using to get to 172.16.1.50, since the SNMP config has been told to use the dedicated management interface. 

 

**normal routing table**

O 172.16.1.0 255.255.255.192
[110/11] via 172.16.3.225, 2w0d,

 

**mgmt-only table**

C 172.16.1.0 255.255.255.192 is directly connected, management

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card