04-28-2015 01:19 PM - edited 03-11-2019 10:51 PM
I have a 5550; we want to poll the inside interface using an SNMP monitoring app. I added the "management-access intfname" command to allow the polling, but the SNMP polling server isn't able to get info from the interface. The poller is getting info from interfaces on equipment inside the ASA.
Any suggestions as to why this isn't working?
04-28-2015 01:24 PM
On an ASA you need to specifically allow the management servers to make SNMP queries. Only RO is supported on an ASA.
For SNMP v2c, the command would be:
snmp-server host <nameif> <server IP> community <snmp community string>
04-28-2015 03:15 PM
The SNMP config was put on the ASA first, and the SNMP servers couldn't query the ASA. The management-access command was added to facilitate the SNMP servers' ability to talk to the ASA.
04-28-2015 07:15 PM
You might try capturing the traffic from the management server at the ASA and see what's happening.
Also, do you see any log messages when SNMP polling fails? (assuming you have logging enabled at a sufficient level)
05-29-2015 03:12 PM
The solution is: there is a bug in v8.4 and above that prevents monitoring traffic (ping, SSH, SNMP traffic, etc.) from a VPN tunnel from passing through the ASA and connecting to the interface with the management-access command applied on the ASA. This bug is documented in the release notes for 8.4.
The workaround is to add the keyword route-lookup to any NAT statements that involve the subnet the "management" interface resides in.
I added the keyword to the NAT statement and was able to ping and do SNMP polls to the interface.
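The pieces discussed in this thread, pulled together as a constructed ASA configuration fragment (an added example, not the poster's actual config): the management-access interface, an SNMP host entry that limits polling to one monitoring server with a v2c read-only community, and the identity NAT for the VPN-reachable inside subnet carrying the route-lookup keyword. All interface names, subnets, object names, the poller address and the community string are assumed placeholders.

```cisco
! Allow management traffic arriving over a VPN tunnel to terminate on the inside interface.
management-access inside

! Only this poller may query the ASA; community string and version are placeholders.
! The ASA answers SNMP read-only queries only, so no write access is exposed here.
snmp-server host inside 10.20.30.40 community MonitorRO version 2c
snmp-server location Example-DC
snmp-server contact noc@example.invalid

! Inside subnet that holds the management-access interface (constructed values).
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
! Remote subnet the monitoring server sits in, reached across the site-to-site VPN.
object network MGMT-NET
 subnet 10.20.30.0 255.255.255.0

! Identity (NAT-exempt) rule for VPN traffic between the two subnets.
! route-lookup makes the ASA pick the egress interface from the routing table
! rather than from the NAT rule, which is the workaround the thread lands on.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static MGMT-NET MGMT-NET no-proxy-arp route-lookup
```

To confirm the change took effect, watch the same two things the earlier reply suggested: a capture on the inside interface for UDP/161 from the poller address, and the syslog for any denies logged while a poll is in flight; if polling still fails, "show nat" lets you verify which NAT rule the SNMP flow actually matched.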