Showing results for 
Search instead for 
Did you mean: 

Sending SNMP from ASA5505 through Site-To-Site VPN?

Michael Couture

I have two remote sites connected to the main office via Site-to-Site VPNs. The tunnels are up and working fine. The only thing I can not figure out is how to send traffic generated by the ASA through the tunnel. For instance I am trying to get the ASA's at the remote sites to send syslog and SNMP to the servers at the main office, but I have had no luck. I assume it is a routing issue but I can't seem to find the answer. Sylog and snmp traffic generated by devices on the LAN pass through the tunnel to the main office but not traffic generated on the ASA. When I debug the ASA I can see that when it is attempting to send traffic (SYSlog,SNMP) generated by the ASA routing fails.

Routing failed to locate next hop for udp from NP Identity Ifc: to inside: is the inside interface of the ASA.

How to I get traffic that starts on the ASA to route through the VPN tunnel?


Jouni Forss


Another thread/post on the these same forums handle the situation you mention.

See if its of any help

I havent had to lab the setup yet myself.

- Jouni

Thanks, I saw that link earlier but never seen anyone state that it worked so I am hesitant to try. Unfortunately I do not have a lab with ASA's, just the production environment so I am a little cautious.

One think I don't understand is that all the Devices behind the firewall send syslog, and SNMP messages thought the tunnel and can ping through to the main office. The same actions when done on the ASA do not work, the ASA in the remote office can not ping the home office LAN, syslog and SNMP do not got through the tunnel to the Main office. Yet Netflow works fine. How would Netflow, originating on the ASA route through the tunnel but nothing else that is generated on the ASA  be able to?

This has got me confused.


I got to admit I know absolutely nothing about Netflow.

Though regarding the ICMP, syslog and SNMP problems my best guess would be that ASA is indeed using the WAN IP to send the traffic as the destination addresses are on its outside interface side because of the VPN. And as that WAN IP is not included in the encryption domain it will just try to send the traffic through the Internet.

I guess I could try this setup up with my home ASA and our central VPN device and see for example if I can get my ASA to send syslogs to our syslog server.

- Jouni


So i configured a totally new L2L VPN to our central/core device which connects our Syslog server and whan SNMP monitoring server to my ASA.

Both Syslog and SNMP work great from/to our servers.

I will post a more detailed description about this in abit. Now I need some coffee.

- Jouni


So here some base info with changed IP addresses instead of the public ones

Central Syslog/SNMP Site

  • VPN Device IP
  • Syslog Server IP
  • SNMP server IP

Customer Site

  • VPN Device IP
  • This IP address is also used Syslog/SNMP source

Customer Site VPN configuration

  • ASA running version 8.4(3)
  • Done quickly with the L2L VPN Wizard through ASDM (Below is from the ADSM CLI format preview)

    object-group network DM_INLINE_NETWORK_1

        network-object host

        network-object host

      access-list WAN_cryptomap line 1 extended permit ip host object-group DM_INLINE_NETWORK_1

      group-policy GroupPolicy_1.1.1.1 internal

      group-policy GroupPolicy_1.1.1.1attributes

        vpn-tunnel-protocol ikev1


      tunnel-group type ipsec-l2l

      tunnel-group general-attributes

        default-group-policy GroupPolicy_1.1.1.1

      tunnel-group ipsec-attributes

        ikev1 pre-shared-key PRESHAREDKEY

        isakmp keepalive threshold 10 retry 2

      crypto ikev1 enable  WAN

      crypto map WAN_map 1 match address WAN_cryptomap

      crypto map WAN_map 1 set  peer

      crypto map WAN_map 1 set  ikev1 transform-set  ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

      crypto map WAN_map interface  WAN

- Logging and SNMP settings

logging enable

logging timestamp

logging buffer-size 8192

logging buffered informational

logging trap informational

logging asdm debugging

logging device-id hostname

logging host WAN

snmp-server host WAN community COMMUNITY

The Central site is a IOS device. I wont copy paste any configuration of it here since it follows the same lines as the above client side ASA test configuration.

Hope this helps. Please rate if it was helpfull

If you need any more information, please ask.

- Jouni

Thanks! I will come in early tomorrow morning and give it a shot. I will let you know how it goes.


Did you get to test this? Did it work for you?

- Jouni

No I haven't, other things came up that I had to deal with and was unable to get to it last week. Additionally I started a new job this week, and passed that issue onto someone else at my previous employer. I will keep in contact with them and hopefully get a resolution for you.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: