
SNMP polling through IPSEC VPN

matthobart2
Level 1

Hello all,

I'm trying to add remote Cisco switches to our Solarwinds Network Performance Monitor and I'm having trouble seeing community strings from switches behind our ASA firewalls on the other side of L2L IPSEC vpn tunnels.

First off, I can ping and see all traffic behind the firewalls.   The configuration manager (NCM) works fine, it can upload and download configs from the remote switches.  It's just SNMP that doesn't seem to be talking.  Here are the config lines from the remote switches:

snmp-server community ******** RO

snmp-server community ******** RW

This configuration works great on other switches in our network that aren't accessed through a VPN tunnel.  Is there another line that I need to add that points that SNMP traffic to the SolarWinds server?

When I try to add the switch to Solarwinds, it sees the IP perfectly, but after I add the RO and RW community strings it performs a test and fails every time and won't let me continue adding the device.

Any help would be GREATLY appreciated!!  Thanks!

Matt

9 Replies

mvsheik123
Level 7

Do you have management-access on the remote end ASA?

PS: I am not quite sure if this plays any role for SNMP traffic from switches behind the ASA, just a thought :).

Thx

MS

Yes, I do have the "management-access inside" command on the remote ASAs. I found that command was needed when I needed to access the firewall using the inside IP for security reasons. I didn't think that this command had anything to do with SNMP though, because I'm unable to poll these inside ASA interfaces either using Solarwinds.

Hi,

Interesting. Make sure UDP ports 161/162 are not blocked. Also, on the switches try adding:

snmp-server host x.x.x.x version 2c

on ASA:

snmp-server host x.x.x.x community xyz version 2c

Thx

MS

Hi MS,

I tried adding the:

snmp-server host x.x.x.x version 2c

command to the remote switch, and I already had that other line in both local and remote ASAs. Still no luck...

Hi,

On the switch try enabling 'debug snmp events' and run the test from the Solarwinds server. You should see the SNMP request/reply activity on the switch. If not, they are being dropped somewhere in the path. If you telnet to the switch for debug, make sure you enable 'terminal monitor'.

I am not sure what command works for SNMP debug on the ASA.

PS: Debug can hike CPU load, so run it when there is not much user activity.

Thx

MS

Hi MS,

Sorry for the delayed response.   Yesterday morning it just started working perfectly at all our remote sites...  Now today it's not working again!!!  Nothing at all changed on our firewalls. 

So, I tried the "debug SNMP packets" on the remote switch and it was receiving packets from the SolarWinds server as well as sending them back. 

Is there some sort of debug I can run on the SolarWinds server itself to see if it's getting the SNMP packets back?


Thanks again for your help!

      

UPDATE: I ran Wireshark on the Solarwinds server and it looks like it's sending the SNMP request on 161 when I hit "TEST" in Solarwinds, but it's not getting any responses back. However, when I just sit there and watch and it sends its periodic SNMP requests, it is getting responses. I don't know... I'm starting to think it's an error in the Solarwinds software. I tried rebooting and turning off the Windows firewall, I think I'm going to try to repair it.

Turn off the Windows firewall and check the antivirus on Solarwinds as well. This may be causing the issue (working one time or not working another time). One other possibility (maybe): if you have any IPS inline and inspecting the traffic, this might cause the issue as well. Check to see if any program/device in the path is rate limiting the number of SNMP/ICMP packets.

What is the version of NPM?

Thx

MS

Well, you are correct, the Barracuda Web Filter was blocking certain SNMP requests from the SolarWinds server. It was seeing the traffic as Skype traffic for some reason. So I added an IP exception and voila! Works like a charm! Thank you for all your help and input!

Glad it works, Matthew. Thanks for rating the post.

Thx

MS
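
Added example, not part of any post in this thread: a minimal Python SNMPv2c GET for sysDescr.0 that can be run from the polling server to check whether a reply comes back on UDP 161 independently of the NPM "TEST" button. The function names, the default request ID and the timeout are this example's own; the host and read-only community string are supplied by the caller.

```python
import socket

SYS_DESCR = bytes.fromhex("2b06010201010100")  # OID 1.3.6.1.2.1.1.1.0, BER-encoded

def tlv(tag, body):
    # BER tag-length-value; long-form length when the body is 128+ bytes
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    k = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + body

def enc_int(v):
    # Non-negative INTEGER, with a leading zero byte where the top bit is set
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def build_get(community, request_id):
    # SNMPv2c GetRequest (PDU tag 0xA0) asking for sysDescr.0
    varbind = tlv(0x30, tlv(0x06, SYS_DESCR) + tlv(0x05, b""))
    pdu = tlv(0xA0, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbind))
    return tlv(0x30, enc_int(1) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos):
    # Returns (tag, body, position after this element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_response(pkt):
    # (request_id, error_status) for a GetResponse (PDU tag 0xA2), else None
    msg = read_tlv(pkt, 0)[1]
    p = read_tlv(msg, 0)[2]   # skip version
    p = read_tlv(msg, p)[2]   # skip community
    tag, pdu, _ = read_tlv(msg, p)
    if tag != 0xA2:
        return None
    _, rid, p = read_tlv(pdu, 0)
    return int.from_bytes(rid, "big"), int.from_bytes(read_tlv(pdu, p)[1], "big")

def probe(host, community, request_id=0x1234, timeout=3.0):
    # True only if a GetResponse carrying our request ID arrives before the timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community, request_id), (host, 161))
        try:
            reply = parse_response(s.recvfrom(4096)[0])
        except (OSError, IndexError):  # timeout, ICMP unreachable, or truncated reply
            return False
    return reply is not None and reply[0] == request_id
```

Calling probe() several times in a row against the same switch, while a capture runs on the server, separates replies that never reach the host from replies that arrive but are not accepted by the monitoring application.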