Cisco ASA5545x SNMPv3 help

Craddockc · ‎03-16-2017

Community.

I am trying to configure SNMPv3 on my 5545x and have Solarwinds monitor it via SNMPv3 as well. Im running into an issue where eventhough im entering the passwords and encryption/hash methods exactly the same on the NMS (Solarwinds) as I did on the ASA, when I hit the "test" button on the Solarwinds page, its says its fails. One thing im noticing is that eventhough im not specifying the "encryption" keyword in the CLI or in the ASDM, the ASA is automatically adding it. Please notice in the below config where eventhough I did not specify the "encrypted" keyword in my config, the ASA automatically used it. This is also true when I configure it in the ASDM, I specify "clear text" and it moves the radio button to "Encrypted" after im done.

phx-fwprod-1a(config)# snmp-server group Solarwinds v3 priv

phx-fwprod-1a(config)# snmp-server user Wildfire Solarwinds v3 auth sha wildfire priv aes 256 wildfire

phx-fwprod-1a(config)# exit

phx-fwprod-1a# show run | include snmp

snmp-server user Wildfire Solarwinds v3 encrypted auth sha e1:8a:0d:74:91:01:00:4c:04:de:c1:83:fa:11:67:a0:ce:2d:27:4a priv aes 256 e1:8a:0d:74:91:01:00:4c:04:de:c1:83:fa:11:67:a0:ce:2d:27:4a:97:b2:63:e5:87:c8:7f:f2:67:f3:fd:0a

I am not sure if this is contributing to Solarwinds not being able to contact or validate the ASA via SNMPv3. Ive tried copying and pasting this encrypted hex into the password fields in Solarwinds as well, and that didnt work either. Ive also tried using different hash methods (MD5 and SHA) as well as Encryption methods (3DES and AES) it still is not working. Im at a loss.

Thanks.

johnlloyd_13 · ‎03-17-2017

hi,

just a few questions:

can you ping the Solarwinds polling server/NMS IP from the 5545x?

did you allow telnet or SSH to Solarwinds NMS IP?

make sure you also configure the correct connection profile in Solarwids (Global Connection Profile)

telnet <NMS IP> 255.255.255.255 inside

ssh <NMS IP> 255.255.255.255 inside

you're also missing some commands such as below:

snmp-server group <GROUP-NAME> v3 priv

snmp-server host inside <NMS IP> version 3 Wildfire

Craddockc · ‎03-20-2017

John,

Thank you for the response. Here are the results of the ping from the ASA:

phx-fwprod-1a# ping 10.134.193.73
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.134.193.73, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/44/50 ms

I went ahead and added the commands you said I was missing as well as added the SSH and Telnet from the NPM.

snmp-server group Solarwinds v3 priv
snmp-server user Wildfire Solarwinds v3 encrypted auth sha e1:8a:0d:74:91:01:00:4c:04:de:c1:83:fa:11:67:a0:ce:2d:27:4a priv aes 256 e1:8a:0d:74:91:01:00:4c:04:de:c1:83:fa:11:67:a0:ce:2d:27:4a:97:b2:63:e5:87:c8:7f:f2:67:f3:fd:0a
snmp-server host corporate 10.134.193.73 version 3 Wildfire

telnet 10.134.193.73 255.255.255.255 corporate

ssh 10.134.193.73 255.255.255.255 corporate

Unfortunately it is still failing. Again, one thing ive noticed is the automatic adding of the "encrypted" keyword in my snmp config eventhough im specifically not entering it. Could this be having an impact? Thanks.

johnlloyd_13 · ‎03-20-2017

hi,

the 'encrypted' password is normal. i got that too on my SNMPv3 config.

try to add first using SNMPv2c, if still failed contact solarwinds support or check the KB in their website.

Craddockc · ‎03-21-2017

John,

I believe I figured out the issue. In the ASA there does not seem to be an option to specify a "view" for the MIBs, thus I cannot specify which Groups/Users can only read and which can read and write. When I add the credentials in the Solarwinds NPM "SNMPv3 Credentials" section and hits "test" it works, but when I try to enter the same credentials in the "SNMPv3 Read/Write Credentials" area, it fails. I have a feeling the ASA doesnt allow for SNMP to write to it, hence why its failing the test when I enter the credentials in that area of the NPM.