Monitoring an Interface on ASA

wesweber1 · ‎04-28-2015

I have a 5550, we want to poll the inside interface using a snmp monitoring app. I added the "management-access intfname" to allow the polling, but the snmp polling server isn't able to get info from the interface. The poller is getting info from interfaces on equipment inside the ASA.

Any suggestions as to why this isn't working?

Marvin Rhoads · ‎04-28-2015

On an ASA you need to specifically allow the management servers to make SNMP queries. Only RO is supported on an ASA.

For SNMP v2c, the command would be:

snmp-server host <nameif> <server IP> community <snmp community string>

wesweber1 · ‎04-28-2015

The snmp config was put on the ASA first and the snmp servers couldn't query the ASA. The management-access command was added to facilitate the snmp servers ability to talk to the ASA.

Marvin Rhoads · ‎04-28-2015

You might try capturing the traffic from the management server at the ASA and see what's happening.

Also, do you see any log messages when snmp polling fails? (assuming you have logging enabled at a sufficient level)

wesweber1 · ‎05-29-2015

The solution is, there is a bug in v8.4 and above that prevents monitoring traffic (ping, ssh, snmptraffic, etc) from a VPN tunnel to pass through the ASA and connect to the interface with the management-access command applied on the ASA. This bug is documented in the release notes for 8.4.

The workaround is to add the keyword route-lookup to any nat statements that involve the subnet the "management" interface resides in.

I added the keyword to the nat statement and was able to ping and do snmp polls to the interface.