Cisco FPR 1010 running ASA software SNMP config

tanios191
Level 1

Hello Team,

I have a Cisco FPR-1010 running ASA software on it. I am having trouble configuring SNMP to work with my SNMP collector; nevertheless, I have all my Cisco ASA appliances working with the same SNMP settings. Please let me know if there is something additional to be done.

13 Replies

Marvin Rhoads
Hall of Fame

Please share the configuration you are trying to use.

Hello Marvin,

Please find below the config I am using for SNMP:

snmp-server group testingsnmp v3 priv
snmp-server user testingsnmp testingsnmp v3 engineID 80000009fe7374de21188b00a6d1b1d167105cb0606b9239c8 encrypted auth md5 ad:46:d6:60:90:fe:e5:3a:2b:45:56:8b:1f:90:88:82 priv des a2:5b:03:93:78:2d:65:1f:ce:52:52:1f:88:de:22:36
snmp-server host inside 172.17.1.21 version 3 testingsnmp
no snmp-server location
no snmp-server contact
no snmp-server enable oid mempool

 

 

 

I even tried

Hello Marvin,

It seems there is an SNMP bug on Cisco ASA, especially in 9.14 versions. Once downgrading to a 9.12 version, SNMP worked again.

Good to know - I was not aware of that. Thanks for the update.

Did you resolve this? I have the same problem: configured SNMP as usual on ASA. No luck with version 2c either; the unit is not responding. Running the latest firmware.

Please rate as helpful, if that would be the case. Thanx

tanios191
Level 1

It seems the 9.14 version on ASA has some sort of bug. After consulting TAC and downgrading to a 9.12 version, SNMP worked again.

jirka.novak
Level 1

I probably hit the same issue on 9.14. I found a solution which might help others...

My ASA used the default class-map/policy-map for handling SNMP:

class-map class_snmp
 match port udp eq 4161

policy-map global_policy
 ...
 class class_snmp
  inspect snmp

When I removed "inspect snmp" from the policy-map, it started to work.

TAC explained that 9.14 has new/redesigned SNMP handling, and it looks like the inspect required in past versions is not required any more...

 

Hello everyone,

Still no luck for me regarding SNMP on the 1010 with ASA. I have working SNMP on other series with ASA and FTDs.

Now running: Cisco Adaptive Security Appliance Software Version 9.16(2)14 with a simple SNMP v2c configuration. You can see the traffic reaching the ASA, but it times out from the unit running the SNMP request.

The inspect configuration is:

class-map inspection_default
 match default-inspection-traffic
class-map class_snmp
 match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
 class class_snmp
  inspect snmp 

Anyone have any ideas?

Thank you

 

Please rate as helpful, if that would be the case. Thanx

Hi,

I hit bug CSCwa73648. Based on it, TAC answered:

 

1) Before 9.10, SNMP polling is not restricted (with an SNMP v1 host configured, a v2c walk from that host succeeds).

2) 9.10 and above (excluding 9.14); 9.16 behaves similarly to 9.10: SNMP polling is restricted to the configured version. Inspect SNMP is not related to the restriction.

3) 9.14 only: "inspect snmp" restricts v1 and v2c SNMP box polling to work for the configured version only.

 

So in versions 9.10, 9.12 and 9.16, SNMP is working for the configured version regardless of SNMP inspection.

 

On 9.14 only, SNMP inspection plays a significant factor in restricting the polling version: with "inspect snmp" set, SNMP polling is restricted to the version configured; with "inspect snmp" unset, SNMP polling works on v1 and v2 regardless of the version configured.

 

What is important: you must use in the config:

snmp-server host <IFACE> <ADDRESS> version <version_type> community *****

 

where the version matches the version used for queries. You can enter the same command without the version keyword, but it does not work.

Best regards,

Jirka
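The two posts from jirka.novak above (removing "inspect snmp" under class_snmp on 9.14, and the TAC finding that the snmp-server host line must carry a version keyword that matches what the poller sends) reduce to a few checks one can run against a running-config before opening a TAC case. The script below is an added example, not code from this thread or from Cisco. The sample config excerpt is constructed from the snippets posted in the thread with made-up addresses, and the 9.14 and version-keyword rules are encoded exactly as the posts state them, not from Cisco documentation.

```python
import re

# Constructed sample running-config excerpt (addresses, names and community are made up).
SAMPLE_CONFIG = """\
class-map class_snmp
 match port udp eq 4161
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class class_snmp
  inspect snmp
snmp-server group testingsnmp v3 priv
snmp-server host inside 172.17.1.21 version 3 testingsnmp
snmp-server host inside 10.0.0.51 community EXAMPLE
snmp-server host inside 10.0.0.52 community EXAMPLE version 2c udp-port 161
"""

HOST_RE = re.compile(r"^snmp-server host (\S+) (\S+)(.*)$")


def parse_snmp_hosts(config):
    """Return one dict per 'snmp-server host' line: interface, address and
    the explicit version keyword (None when the line has no 'version')."""
    hosts = []
    for line in config.splitlines():
        m = HOST_RE.match(line.strip())
        if not m:
            continue
        iface, addr, rest = m.groups()
        v = re.search(r"\bversion (\S+)", rest)
        hosts.append({"iface": iface, "addr": addr,
                      "version": v.group(1) if v else None})
    return hosts


def inspect_snmp_enabled(config):
    """True when 'inspect snmp' appears inside policy-map global_policy.
    ASA config nests with leading spaces, so a column-0 line starts a new block."""
    in_policy = False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_policy = line.strip() == "policy-map global_policy"
            continue
        if in_policy and line.strip() == "inspect snmp":
            return True
    return False


def asa_minor(version_string):
    """'9.14(2)14' -> (9, 14); the interim/build digits are irrelevant here."""
    m = re.match(r"(\d+)\.(\d+)", version_string)
    return (int(m.group(1)), int(m.group(2)))


def lint(config, asa_version, collector_addr, collector_version):
    """Apply the rules reported in the thread and return a list of findings."""
    findings = []
    matching = [h for h in parse_snmp_hosts(config) if h["addr"] == collector_addr]
    if not matching:
        findings.append(f"no snmp-server host entry for collector {collector_addr}")
    for h in matching:
        if h["version"] is None:
            # Thread: the host line without 'version' does not answer polls.
            findings.append(f"host {h['addr']}: missing 'version' keyword")
        elif h["version"] != collector_version:
            # Thread: polling only works for the configured version.
            findings.append(f"host {h['addr']}: configured version {h['version']} "
                            f"but collector polls with {collector_version}")
    if asa_minor(asa_version) == (9, 14) and inspect_snmp_enabled(config):
        # Thread: on 9.14 only, 'inspect snmp' restricts polling; removing it helped.
        findings.append("ASA 9.14 with 'inspect snmp' in global_policy: "
                        "try 'no inspect snmp' under class class_snmp")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG, "9.14(2)", "10.0.0.51", "2c"):
        print("FINDING:", f)
```

Run it against the output of `show running-config` and the version string from `show version`; an empty findings list means the config at least satisfies what the thread reports as the working shape, which narrows the problem to the path between poller and firewall.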

 

 

I'm reading what you are saying @jirka.novak, but I am stuck on this problem. Is SNMP restricted to the management port only?

snmp-server host inside 10.0.0.51 community ***** version 2c udp-port 161

Traffic incoming:

10.0.0.51	53307	10.199.40.1	161	Built inbound UDP connection 248921 for outside:10.0.0.51/53307 (10.0.0.51/53307) to identity:10.199.40.1/161 (10.199.40.1/161)

The setting on the client polling SNMP v2c is correct.

Please rate as helpful, if that would be the case. Thanx

Chris Butler
Level 1

I was having a very similar issue and worked with TAC to isolate and come up with a solution. Hopefully it helps others.

Our environment recently upgraded ASA 5506 to FPR-1010 (running ASA code) and ASA-5515X to FPR-2110 (running ASA code). The SNMP server resides behind the FPR-2110 with VPN tunnels to remote sites using the FPR-1010s. After the upgrade to FPR-1010s at the remote sites we were unable to poll SNMP. SNMP to the FPR-2110 (local) worked fine.

Our solution included updating the VPN configuration to encrypt and allow the public IP of the remote FPR-1010s to communicate, encrypted, over the VPN tunnel. Privatized configuration example below:

 

FPR-2110 side (crypto ACL addition for VPN Tunnel):

access-list <acl-name> permit ip host <remote public IP peer> host <private snmp server IP>

FPR-1010 side (crypto ACL addition for VPN Tunnel):

access-list <acl-name> permit ip host <snmp server IP> host <fpr-1010 public ip>

 

Object and NAT additions <FPR-1010 side only>:

object network host_<snmp server ip>
host <snmp server ip>
!

object network host_<fpr-1010 public ip>
host <fpr-1010 public ip>

nat (<inside nameif>,<outside nameif>) 1 source static host_<snmp server ip> host_<snmp server ip> destination static host_<fpr-1010 public ip> host_<fpr-1010 public ip>

 

SNMP server configuration <FPR-1010 side only>:

snmp-server host inside <snmp server ip> community <hidden> version 2c
snmp-server location <descriptive location name>
snmp-server contact <contact name>

 

SNMP Server configuration:

Update the polling address to the public IP of the remote FPR-1010s, using UDP 161 for connectivity.

 

 

ABaker94985
Spotlight

For better or worse, we have over 90 firewalls (almost all ASAs or FTDs) across our organization, and we've dealt with this bug for a long time with 9.14 and 9.16, even on fixed versions. It was insanity for us to change the encryption domain for all of these just to get SNMP working again, but I will see what disabling SNMP inspection might do. All firewalls that are running ASA code are still running a version of 9.12. We've had multiple TAC cases open for both 9.14 and 9.16, and we've never been able to get the issue resolved.

SNMP polling over VPN and "inspect snmp" bug are completely different issues. Please refer to another post which has some background on the VPN issue:

https://community.cisco.com/t5/cisco-bug-discussions/cscvt97205-snmppoll-snmptrap-to-remote-end-site-to-site-vpn-asa/td-p/4304139
