ASA can't SNMP over VPN (VTI, not crypto map)

eyetea6

I have seen other threads regarding issues with SNMP to an ASA through a VPN tunnel. I can't tell 100% if this is a bug or feature:

Cisco Bug: CSCvx69918 -- SNMP queries to ASA inside over VTI tunnel does not work  

Or...

New Features in ASA 9.14(2) - For secure SNMP polling over a site-to-site VPN, include the IP address of the outside interface in the crypto map access-list as part of the VPN configuration.  

This is an ASA 5506 version 9.16(4)42 using a VTI with an NMS in another network over the VPN which isn't a Cisco device. A lot of the fixes and workarounds don't seem to apply to a VTI since they are crypto map access list related. Does anybody else have this issue and how have you gotten around it? I have no "crypto map" related to this VPN connection so I can't change anything there. I have no access-list with respect to this VTI either.

Is this a feature with a solution/workaround or a bug with no way to fix other than downgrading firmware?

Accepted Solution

@eyetea6 what about trying to query the VTI IP instead, by applying snmp-server host on the VTI nameif, as per the workaround in the bug you provided?

Else use SNMPv3 to query the outside interface directly, and also use the control-plane ACL to restrict the IP addresses/networks that can send SNMP to the interface.
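As an added illustration of both suggestions (this is a constructed configuration, not the poster's own, and the interface names, addresses, group/user names and secrets are all placeholders): the first block exposes SNMPv3 polling on the VTI nameif, which is the workaround the bug note describes; the second block shows the alternative of polling the outside interface behind a control-plane ACL. It assumes the VTI is Tunnel1, the NMS sits at 10.20.30.40 on the far side of the tunnel, and the tunnel peer is 198.51.100.2.

```cisco
! Constructed example for ASA 9.16: names, addresses and secrets are placeholders.
! Assumes the VTI already exists as Tunnel1 and the NMS is routed through it.
interface Tunnel1
 nameif vti-nms
 security-level 50
 ip address 10.255.0.1 255.255.255.252
!
! Route the NMS subnet into the tunnel so replies leave via the VTI.
route vti-nms 10.20.30.0 255.255.255.0 10.255.0.2
!
! SNMPv3 only: authenticated and encrypted polling, no community strings.
snmp-server group NMS-RO v3 priv
snmp-server user nms-poller NMS-RO v3 auth sha AUTH-SECRET-PLACEHOLDER priv aes 128 PRIV-SECRET-PLACEHOLDER
!
! Option 1 (the bug workaround): accept polls on the VTI nameif, so the NMS
! queries the tunnel interface address 10.255.0.1 rather than "inside".
snmp-server host vti-nms 10.20.30.40 poll version 3 nms-poller
!
! Option 2: accept polls on the outside interface address instead, and restrict
! to-the-box SNMP on that interface with a control-plane ACL. Because a
! control-plane ACL ends in an implicit deny, the other to-the-box traffic the
! interface needs (IKE and ESP for the tunnel itself) must be permitted too.
snmp-server host outside 10.20.30.40 poll version 3 nms-poller
access-list CP-OUTSIDE extended permit udp host 10.20.30.40 interface outside eq snmp
access-list CP-OUTSIDE extended permit udp host 198.51.100.2 interface outside eq isakmp
access-list CP-OUTSIDE extended permit udp host 198.51.100.2 interface outside eq 4500
access-list CP-OUTSIDE extended permit esp host 198.51.100.2 interface outside
access-group CP-OUTSIDE in interface outside control-plane
```

Apply either option, not both, unless both interfaces really need to be pollable; the VTI option keeps SNMP off the public-facing address entirely, which is why it is the better default. Verify with `show snmp-server statistics` that requests arrive, and with `show asp drop` that nothing is being discarded by the control-plane ACL after a change.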


I had tried adding the VTI as an snmp-server host in ASDM, but that interface wasn't an option, unlike the other inside and outside interfaces. Should I try to add the command manually in the CLI, and would it still be valid? Just not sure if it's valid since ASDM didn't want to offer it as an SNMP interface.

I can try looking into querying the outside interface with SNMPv3 and an ACL as well.

I added the snmp-server command to poll on the virtual tunnel interface and then it started working. Thanks.