cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
917
Views
0
Helpful
5
Replies

Unable to receive SNMP response from ASA connected via L2L VPN

Igor Rodriguez
Level 1
Level 1

Hello all,

First of all, I'd like to say that I've searched and read all the posts that are available related to this topic.

However, I've been unable to solve our issue.

We have a Site2Site VPN with one of our remote offices. This Site2Site is build using a dynamic IP address on the remote site and through an operators router. Site2Site is correctly stablished between both ASAs.

The weird thing that happens to us is that everytime I reload remote site's ASA, SNMP begins to work and we receive responses from there. However, after 5 to 10 minutes, it stops responding. I don't even see any traffic from our NMS.

Another weird thing is that when it works after a reload, if I make a Packet Tracer test, it works. And when SNMP stops responding, it just fails. It fails at VPN phase (last one) giving no error of the failure. The only weird thing is that it takes the source or destination address as 0.0.0.0 instead of the stated on the command.

Does anybody know how could I get deeper into this? Any ideas I can test?

Thanks a lot in advance.

Best regards,

Igor

5 Replies 5

Richard Burts
Hall of Fame
Hall of Fame

Igor

If it works briefly and then stops after 5 to 10 minutes it suggests that perhaps there is some table entry that times out. Perhaps something like an ARP entry?

Do other things continue to work ok after 5 to 10 minutes after reload? Is the problem just about SNMP or is other types of traffic also impacted?

Perhaps you could share a sanitized copy of the ASA configuration?

HTH

Rick

HTH

Rick

Hello Rick,

First of all, thanks for your answer.

I don't think there's an ARP table timeout or anything. I don't know why, every time we reload remote ASA it begins to work. Site2Site tunnel is established and everything is fine, however, after 5 or 10 minutes, it stops responding.

Actually SNMP is not the only traffic that is not working. We'd like to manage that ASA via SSH and HTTPS, but it doesn't work either, nor ICMP packets from our administration computers.

The only thing we allow into the VPN is the traffic from our administration IP addresses and from ASAs LAN subnets. That way we'd like to monitor and manage remote ASA, but it's not working. We always try to ping or connect to inside's IP address.

I attach a sanitized configuration of our ASA.

Also, I tried to reload VPN connections but still does not work. It drives me crazy that after reloading it works for a little bit and then stops working.

Thanks for all the help.

Best regards,

Igor

Igor

I have looked at the config and do not find any  obvious issues. I wonder if it could be something like a translation  table entry that times out? When it happens are there any messages in  the ASA log that might relate to what is going on?

HTH

Rick

HTH

Rick

Hello Rick,

If I go on ASDM to logging and open the new window with Debugging level, I do not see anything related to traffic comming from our NMS.

How can I check if there's any log or indicator of what could be going on?

Best regards,

Igor

Igor

When you go on ASDM and open a new window for logging it will show current activity. But the issue may be something that has happened already. So a different approach may be needed than ASDM logging. Is logging to the buffer enabled at debug level? If you do show log from the command line how far back do the messages in the logging buffer go? If the logging buffer can show you at least 30 minutes of activity and if the problem will happen within 10 minutes of reload then you may be able to find the issue by doing from the command line show log | include

If the logging buffer is not large enough to display at least 30 minutes of activity then a different approach may be needed. Perhaps you could make sure that logging monitor is enabled at debug level. Then after reload, quickly establish a command line access from some PC. Use the terminal monitor command to display the log messages on the PC. When the problem has happened then use terminal no monitor to stop display of new messages and look through the display for any messages that mention the address of NMS. This assumes that your terminal emulation program has a sufficiently large buffer to hold log messages over a period of at least 20 to 30 minutes.

When the problem has happened, is the ASA able to ping to the address of NMS? If the ASA does ping the address of NMS does that enable NMS to access the ASA?

HTH

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: