05-18-2020 07:41 AM
Hello Team,
I have a Cisco FPR-1010 running ASA software on it. I am having trouble configuring SNMP to work with my SNMP collector; nevertheless, I have all my Cisco ASA appliances working with the same SNMP settings. Please let me know if there is something additional to be done.
05-18-2020 11:54 AM
Please share the configuration you are trying to use.
05-18-2020 10:57 PM - edited 05-19-2020 02:14 AM
Hello Marvin,
Please find below the config I am using for SNMP:
snmp-server group testingsnmp v3 priv
snmp-server user testingsnmp testingsnmp v3 engineID 80000009fe7374de21188b00a6d1b1d167105cb0606b9239c8 encrypted auth md5 ad:46:d6:60:90:fe:e5:3a:2b:45:56:8b:1f:90:88:82 priv des a2:5b:03:93:78:2d:65:1f:ce:52:52:1f:88:de:22:36
snmp-server host inside 172.17.1.21 version 3 testingsnmp
no snmp-server location
no snmp-server contact
no snmp-server enable oid mempool
I even tried
06-14-2021 08:16 AM
Hello Marvin,
It seems there is an SNMP bug on Cisco ASA, especially in the 9.14 versions; once downgrading to version 9.12, SNMP worked again.
06-14-2021 10:24 AM
Good to know - I was not aware of that. Thanks for the update.
06-14-2021 02:58 AM
Did you resolve this? I have the same problem: configured SNMP as usual on the ASA. No luck with version 2c either, the unit is not responding. Running the latest firmware.
06-14-2021 08:15 AM
It seems the 9.14 version on ASA has some sort of bug; after consulting TAC and downgrading to version 9.12, SNMP worked again.
11-10-2021 01:08 PM
I probably ran into the same issue on 9.14. I found a solution which might help others...
My ASA used the default class-map/policy-map for handling SNMP:
class-map class_snmp
 match port udp eq 4161
policy-map global_policy
 ...
 class class_snmp
  inspect snmp
When I removed inspect snmp from the policy-map, it started to work.
TAC explained that 9.14 has new/redesigned SNMP handling and it looks like the inspect required in past versions is not required any more...
04-05-2022 02:55 AM - edited 04-05-2022 02:56 AM
Hello everyone,
Still no luck for me regarding SNMP on the 1010 with ASA. I have working SNMP on other series with ASA and FTDs.
Now running: Cisco Adaptive Security Appliance Software Version 9.16(2)14 with a simple SNMP v2c configuration. You can see the traffic reaching the ASA, but it times out from the unit running the SNMP request.
The inspect configuration is:
class-map inspection_default
 match default-inspection-traffic
class-map class_snmp
 match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class_snmp
  inspect snmp
Anyone have any ideas?
Thank you
04-05-2022 03:19 AM
Hi,
I hit bug CSCwa73648. Based on it, TAC answered:
1) Before 9.10, SNMP polling is not restricted (with an SNMP v1 host configured, a v2c walk from that host succeeds)
2) 9.10 and above (excluding 9.14), and 9.16 behaving similarly to 9.10: SNMP polling is restricted to the configured version; inspect SNMP is not related to the restriction
3) 9.14 only ("inspect snmp" restricts v1 and v2c SNMP box polling to work for the configured version only.)
So in versions 9.10, 9.12 and 9.16, SNMP is working for the configured version regardless of SNMP inspection.
On 9.14 only, SNMP inspection is playing a significant factor in restricting the polling version: with "SNMP inspect" set, SNMP polling is restricted to the version configured; with "SNMP inspect" unset, SNMP polling works on v1 and v2, regardless of the version configured.
What is important: you must use in the config:
snmp-server host <IFACE> <ADDRESS> version <version_type> community *****
where version matches the version used for queries. You can enter the same command without the version keyword, but it does not work.
Best regards,
Jirka
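To turn the two observations from this thread into a repeatable check (the missing "version" keyword on snmp-server host lines, and "inspect snmp" applied in global_policy on a 9.14 image), here is an added audit script that is not part of this thread or of any Cisco tool. It assumes a saved running-config in the text layout shown in the posts above; the config excerpt embedded in it is constructed for illustration.

```python
import re

# Constructed sample running-config excerpt, modelled on the snippets posted in this thread.
SAMPLE_CONFIG = """\
ASA Version 9.14(3)
snmp-server host inside 10.0.0.51 community ***** udp-port 161
snmp-server host inside 172.17.1.21 version 3 testingsnmp
class-map class_snmp
 match port udp eq 4161
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class class_snmp
  inspect snmp
"""

def parse_asa_version(config):
    """Return (major, minor) from the 'ASA Version x.y' line, or None if absent."""
    m = re.search(r"^ASA Version (\d+)\.(\d+)", config, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def snmp_hosts_without_version(config):
    """Return snmp-server host lines that omit the 'version' keyword (the pitfall from the thread)."""
    hosts = re.findall(r"^snmp-server host .*$", config, re.M)
    return [h for h in hosts if " version " not in h]

def snmp_inspect_enabled(config):
    """True if 'inspect snmp' appears under any class inside policy-map global_policy."""
    in_global_policy = False
    for line in config.splitlines():
        if line.startswith("policy-map "):
            # Any policy-map header (including 'policy-map type inspect ...') ends the previous block.
            in_global_policy = (line.strip() == "policy-map global_policy")
        elif in_global_policy and line.strip() == "inspect snmp":
            return True
    return False

def audit(config):
    """Return a list of finding strings for the SNMP symptoms discussed in this thread."""
    findings = [f"no version keyword: {h}" for h in snmp_hosts_without_version(config)]
    if parse_asa_version(config) == (9, 14) and snmp_inspect_enabled(config):
        findings.append("9.14 with 'inspect snmp' in global_policy: polling limited to the "
                        "configured version (CSCwa73648, as reported by TAC in this thread)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```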
04-05-2022 03:46 AM - edited 04-05-2022 03:47 AM
I'm reading what you are saying @jirka.novak, but I am stuck on this problem. Is SNMP restricted to the management port only?
snmp-server host inside 10.0.0.51 community ***** version 2c udp-port 161
Traffic incoming:
10.0.0.51 53307 10.199.40.1 161 Built inbound UDP connection 248921 for outside:10.0.0.51/53307 (10.0.0.51/53307) to identity:10.199.40.1/161 (10.199.40.1/161)
The setting on the client polling SNMP v2c is correct.
11-18-2022 09:47 AM - edited 11-18-2022 09:59 AM
I was having a very similar issue and worked with TAC to isolate and come up with a solution. Hopefully it helps others.
Our environment recently upgraded ASA 5506 to FPR-1010 (running ASA code) and ASA-5515X to FPR-2110 (running ASA code). The SNMP server resides behind the FPR-2110 with VPN tunnels to remote sites using the FPR-1010's. After the upgrade to FPR-1010's at the remote sites we were unable to poll SNMP. SNMP to the FPR-2110 (local) worked fine.
Our solution included updating the VPN configuration to encrypt and allow the public IP of the remote FPR-1010's to communicate, encrypted, over the VPN tunnel. Privatized configuration example below:
FPR-2110 side (crypto ACL addition for VPN Tunnel):
access-list <acl-name> permit ip host <remote public IP peer> host <private snmp server IP>
FPR-1010 side (crypto ACL addition for VPN Tunnel):
access-list <acl-name> permit ip host <snmp server IP> host <fpr-1010 public ip>
Object and NAT additions <FPR-1010 side only>:
object network host_<snmp server ip>
host <snmp server ip>
!
object network host_<fpr-1010 public ip>
host <fpr-1010 public ip>
nat (<inside nameif>,<outside nameif>) 1 source static host_<snmp server ip> host_<snmp server ip> destination static host_<fpr-1010 public ip> host_<fpr-1010 public ip>
SNMP-Server configuration <FPR-1010 side only>:
snmp-server host inside <snmp server ip> community <hidden> version 2c
snmp-server location <descriptive location name>
snmp-server contact <contact name>
SNMP Server configuration:
Update polling address to public IP of remote FPR-1010's using UDP 161 for connectivity.
11-18-2022 11:30 AM
For better or worse, we have over 90 firewalls (almost all ASAs or FTDs) across our organization, and we've dealt with this bug for a long time with 9.14 and 9.16, even on fixed versions. It was insanity for us to change the encryption domain for all of these just to get SNMP working again, but I will see what disabling SNMP inspection might do. All firewalls that are running ASA code are still running a version of 9.12. We've had multiple TAC cases open for both 9.14 and 9.16, and we've never been able to get the issue resolved.
11-19-2022 02:34 AM
SNMP polling over VPN and the "inspect snmp" bug are completely different issues. Please refer to another post which has some background on the VPN issue: