SNMPv3 hit count = 0

h.dam
Level 1

Hi everyone,

I've configured an SNMPv3 client on my ASA with policies snmp and snmptrap.

I found there is only snmptrap traffic from a switch (also configured for SNMPv3) in ASDM, but the snmp hit count stays 0.

Then I ran packet captures on this ASA for ingress/egress traffic between the NMS server and this switch.

I saw traffic on ports 161 and 162 between them => so the ASA does its job well.

 

My issue is: why don't I have traffic on the snmp policy line while I can see it in the Wireshark capture?

The policy is very simple: source = NMS server --> destination = client, port 161

 

ASA version is 9.8(1), ASDM is 7.8(1).

Thanks.

 

Regards.

3 Replies

h.dam
Level 1

Hi,

I'm thinking about the difference between snmptrap (which matches the policy line) and snmp (which didn't match).

snmptrap is v2, clear text and unidirectional

snmp is v3, encrypted and bidirectional

 

Here's the snmp config on ASA:

snmp-server group <groupname> v3 priv
snmp-server user <username> <groupname> v3 encrypted auth sha <auth-passwd> priv aes 128 <my-passwd>

snmp-server host <interface> 10.x.x.x version 3 <username>

snmp-server contact 1.0
snmp-server community *****
snmp-server enable traps config

Should I delete contact and/or community?

 

Regards.

I have just deleted the SNMP location, contact and community since SNMPv3 doesn't use them.

The issue is still there. I can only see snmptrap, but the snmp hit count = 0.

In the logging, I found the %ASA-6-110002 error:

"Failed to local egress interface for protocol from src" --> udp/161

 

I conclude that it is a routing issue between zones.

I have configured them with security-level 100 and globally "same-security-traffic permit inter-interface".

 

Can anyone help?

 

Regards.
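As an added example (not code from this thread), the logic below parses ASA syslog lines for the %ASA-6-110002 message mentioned above, lists the flows the firewall could not find an egress interface for, and picks out the udp/161 (snmp) and udp/162 (snmptrap) ones, so a routing problem like this shows up in the logs before anyone looks at ACL hit counts. The message layout is an assumption based on the documented wording ("Failed to locate egress interface for PROTO from IF:SRC/PORT to DST/PORT"), and the sample lines, interface names and addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread); addresses and
# interface names are placeholders. Line 3 is a different message ID and
# must be ignored by the parser.
SAMPLE_LOGS = """\
%ASA-6-110002: Failed to locate egress interface for UDP from inside:10.0.0.5/50123 to 10.1.1.20/161
%ASA-6-110002: Failed to locate egress interface for UDP from inside:10.0.0.5/50124 to 10.1.1.21/161
%ASA-6-302015: Built outbound UDP connection 123 for inside:10.0.0.5/50125 (10.0.0.5/50125) to dmz:10.1.1.20/161 (10.1.1.20/161)
%ASA-6-110002: Failed to locate egress interface for TCP from outside:203.0.113.9/4444 to 10.1.1.30/22
"""

# Assumed layout of the 110002 message: protocol, ingress interface,
# source IP/port and destination IP/port.
PATTERN = re.compile(
    r"%ASA-6-110002: Failed to locate egress interface for (?P<proto>\w+) "
    r"from (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)

SNMP_PORTS = {161: "snmp", 162: "snmptrap"}


def parse_110002(text):
    """Return one dict per 110002 line; other message IDs are skipped."""
    flows = []
    for line in text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue
        d = m.groupdict()
        flows.append({"proto": d["proto"].lower(), "src_if": d["src_if"],
                      "src": d["src"], "sport": int(d["sport"]),
                      "dst": d["dst"], "dport": int(d["dport"])})
    return flows


def summarize(flows):
    """Count unroutable flows per (protocol, destination port)."""
    return Counter((f["proto"], f["dport"]) for f in flows)


def snmp_routing_failures(flows):
    """Only the flows that are SNMP polls (udp/161) or traps (udp/162)."""
    return [f for f in flows if f["proto"] == "udp" and f["dport"] in SNMP_PORTS]


if __name__ == "__main__":
    found = parse_110002(SAMPLE_LOGS)
    for f in snmp_routing_failures(found):
        print(f"{SNMP_PORTS[f['dport']]}: {f['src_if']}:{f['src']} -> {f['dst']} has no egress route")
```

A udp/161 entry here means the poll never reached the ACL, which is why the snmp line stays at zero while the capture on the ingress interface still shows the packet.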

Hello,

By using packet tracer and Wireshark, I found the snmp traffic going in and out of the FW (but no hit-count changes).

On the NMS server side, if I run polling to the devices, the snmp hit count increases this time.

The server is configured to poll every second, but if I do nothing the hit count stays stable. I don't know if it is an FW security feature.

Anyway, snmp works well.

 

Regards.
