WLC 2500 - SNMP

lambrosx
Visitor

Hi everybody,

 

I'm a newbie.

 

I have a poller (centreon) in the subnet/VLAN 172.18.96.1/255.255.224.0, and I want to supervise my WLC, which is in the subnet/VLAN 172.18.160.1/255.255.224.0. The WLC subnet contains other switches too. I pass from the first subnet to the second through my ASA 5510.

 

The snmpget command to the WLC succeeds from the 172.18.160.1/255.255.224.0 subnet but not from 172.18.96.1/255.255.224.0. So my configuration seems to be OK.

My first thought was the firewall, but the rules are permissive: ping, HTTP and HTTPS to the WLC are OK, and snmpget to the switches from 172.18.96.1/255.255.224.0 succeeds. There is no issue with ASA packet tracer.

When I try to follow the datagrams with Wireshark, I can see the get-request and answer packets for the switches, but for the WLC I only see the "get-request" packets and no answer. snmpget gives me "timeout".

 

I'm using the same SNMPv3 configuration for my switches and my WLC.

snmpget -v 3 -u userrfi -l authPriv -A pass -a MD5 -x DES -X pass 172.18.160.100 1.3.6.1.2.1.1.3.0

 

Any idea/help would be appreciated.

 

Thank you very much.

 

7 Replies

debug  snmp agent enable

snmpwalk from the vlan that does not work and show the output. 


Hi,

 

On the same VLAN (IP client : 172.18.160.98) :

*SNMPTask: Sep 04 15:55:13.407: SNMPD: Packet from: 172.18.160.98:52901, in_packet_len = 64
*SNMPTask: Sep 04 15:55:13.407: SNMPD: calling srDoSnmp.
*SNMPTask: Sep 04 15:55:13.407: Unknown engine Ids
*SNMPTask: Sep 04 15:55:13.407: SNMPD: Sending SNMP packet to 172.18.160.98:52901, out_packet_len = 107
*SNMPTask: Sep 04 15:55:13.410: SNMPD: Packet from: 172.18.160.98:52901, in_packet_len = 134
*SNMPTask: Sep 04 15:55:13.410: SNMPD: calling srDoSnmp.
*SNMPTask: Sep 04 15:55:13.410: SNMPD: received get pdu
*SNMPTask: Sep 04 15:55:13.410: SNMPD:calling do_response
*SNMPTask: Sep 04 15:55:13.410: Searching for requested instance of sysUpTime
*SNMPTask: Sep 04 15:55:13.411: SNMPD: Sending SNMP packet to 172.18.160.98:52901, out_packet_len = 141

On the other (IP client : 172.18.102.5)  :

*SNMPTask: Sep 04 15:56:06.697: SNMPD: Packet from: 172.18.102.5:50927, in_packet_len = 64
*SNMPTask: Sep 04 15:56:06.697: SNMPD: calling srDoSnmp.
*SNMPTask: Sep 04 15:56:06.697: Unknown engine Ids
*SNMPTask: Sep 04 15:56:06.697: SNMPD: Sending SNMP packet to 172.18.102.5:50927, out_packet_len = 107
*SNMPTask: Sep 04 15:56:07.698: SNMPD: Packet from: 172.18.102.5:50927, in_packet_len = 64
*SNMPTask: Sep 04 15:56:07.698: SNMPD: calling srDoSnmp.
*SNMPTask: Sep 04 15:56:07.698: Unknown engine Ids
*SNMPTask: Sep 04 15:56:07.698: SNMPD: Sending SNMP packet to 172.18.102.5:50927, out_packet_len = 107
*SNMPTask: Sep 04 15:56:08.700: SNMPD: Packet from: 172.18.102.5:50927, in_packet_len = 64
*SNMPTask: Sep 04 15:56:08.700: SNMPD: calling srDoSnmp.
*SNMPTask: Sep 04 15:56:08.700: Unknown engine Ids
*SNMPTask: Sep 04 15:56:08.700: SNMPD: Sending SNMP packet to 172.18.102.5:50927, out_packet_len = 107
*SNMPTask: Sep 04 15:56:09.701: SNMPD: Packet from: 172.18.102.5:50927, in_packet_len = 64
*SNMPTask: Sep 04 15:56:09.701: SNMPD: calling srDoSnmp.
*SNMPTask: Sep 04 15:56:09.701: Unknown engine Ids
*SNMPTask: Sep 04 15:56:09.702: SNMPD: Sending SNMP packet to 172.18.102.5:50927, out_packet_len = 107
*SNMPTask: Sep 04 15:56:10.703: SNMPD: Packet from: 172.18.102.5:50927, in_packet_len = 64
*SNMPTask: Sep 04 15:56:10.704: SNMPD: calling srDoSnmp.
*SNMPTask: Sep 04 15:56:10.704: Unknown engine Ids
*SNMPTask: Sep 04 15:56:10.704: SNMPD: Sending SNMP packet to 172.18.102.5:50927, out_packet_len = 107
*SNMPTask: Sep 04 15:56:11.705: SNMPD: Packet from: 172.18.102.5:50927, in_packet_len = 64
*SNMPTask: Sep 04 15:56:11.705: SNMPD: calling srDoSnmp.
*SNMPTask: Sep 04 15:56:11.705: Unknown engine Ids

Thank you for the help.

SNMPD: Sending SNMP packet to 172.18.102.5:50927
SNMPD: Packet from: 172.18.102.5:50927, in_packet_len = 64

 

According to the logs, it looks like the WLC is receiving the packet and replying to it.

SNMP is UDP and works on two ports: 161/162. Make sure you have both allowed and make sure packet inspection is OK on the ASA.

I'd say that your problem is the firewall, not the WLC.

Hi Flavio,

 

Thank you for your answer.

 

Many weird things:

- In the firewall, for both VLANs, the access rule is Any Any IP Permit

- Packet tracer VLAN 1 -> VLAN 2 and VLAN 2 -> VLAN 1 for 161/162 is OK

- From the WLC, ping to the other VLAN, through the firewall, is OK

- snmpget to switches in the WLC VLAN succeeds (why is it OK for the switches and not the WLC? same rules, same config)

 

However, just one observation: when we installed the WLC a few years ago, we had issues accessing the admin pages from other VLANs, a very similar issue. We had to configure TCP Bypass.

But here, SNMP uses UDP...

 

We never have these issues with our Small Business switches.

 

 

Take a look at packet inspection. Firewalls don't like UDP because there is no connection establishment.

Hi Flavio,

 

Everything looks OK on the firewall, except we don't see the answer packet come back.

 

I found this:

 

Restrictions for Configuring Dynamic Interfaces
The following restrictions apply for configuring the dynamic interfaces on the controller:
Wired clients cannot access management interface of the Cisco WLC 2500 series using the IP address of the AP Manager interface.
For SNMP requests that come from a subnet that is configured as a dynamic interface, the controller responds but the response does not reach the device that initiated the conversation.

 

I've got one dynamic interface per VLAN and one SSID (or more) per VLAN. Is that the explanation?

 

I notice that snmpget succeeds on the IP of the dynamic interface on the good VLAN.

 

Thank you for taking time.
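
An added example, not written by any poster in this thread: a small classifier for `debug snmp agent enable` output in the format posted above. It flags clients that keep repeating SNMPv3 engine ID discovery ("Unknown engine Ids") even though the controller logs a reply each time, which is the pattern the quoted dynamic-interface restriction describes. The function name `classify` and the verdict labels are assumptions of this example, as is reading a repeated discovery with no "received get pdu" as a reply that never reached the poller.

```python
import re
from collections import defaultdict

# Lines taken from the debug output posted in the thread, trimmed to the
# events the classifier uses.
SAMPLE = """\
*SNMPTask: Sep 04 15:55:13.407: SNMPD: Packet from: 172.18.160.98:52901, in_packet_len = 64
*SNMPTask: Sep 04 15:55:13.407: Unknown engine Ids
*SNMPTask: Sep 04 15:55:13.407: SNMPD: Sending SNMP packet to 172.18.160.98:52901, out_packet_len = 107
*SNMPTask: Sep 04 15:55:13.410: SNMPD: Packet from: 172.18.160.98:52901, in_packet_len = 134
*SNMPTask: Sep 04 15:55:13.410: SNMPD: received get pdu
*SNMPTask: Sep 04 15:55:13.411: SNMPD: Sending SNMP packet to 172.18.160.98:52901, out_packet_len = 141
*SNMPTask: Sep 04 15:56:06.697: SNMPD: Packet from: 172.18.102.5:50927, in_packet_len = 64
*SNMPTask: Sep 04 15:56:06.697: Unknown engine Ids
*SNMPTask: Sep 04 15:56:06.697: SNMPD: Sending SNMP packet to 172.18.102.5:50927, out_packet_len = 107
*SNMPTask: Sep 04 15:56:07.698: SNMPD: Packet from: 172.18.102.5:50927, in_packet_len = 64
*SNMPTask: Sep 04 15:56:07.698: Unknown engine Ids
*SNMPTask: Sep 04 15:56:07.698: SNMPD: Sending SNMP packet to 172.18.102.5:50927, out_packet_len = 107
"""

PKT_IN = re.compile(r"Packet from: (\d+\.\d+\.\d+\.\d+):\d+, in_packet_len = \d+")
PKT_OUT = re.compile(r"Sending SNMP packet to (\d+\.\d+\.\d+\.\d+):\d+")

def classify(log_text):
    """Return {client_ip: verdict} from WLC SNMP agent debug lines."""
    stats = defaultdict(lambda: {"discovery": 0, "replies": 0, "pdus": 0})
    current = None  # source IP of the request currently being processed
    for line in log_text.splitlines():
        m = PKT_IN.search(line)
        if m:
            current = m.group(1)
            continue
        m = PKT_OUT.search(line)
        if m:
            stats[m.group(1)]["replies"] += 1
        elif current and "Unknown engine Ids" in line:
            stats[current]["discovery"] += 1
        elif current and "received get pdu" in line:
            stats[current]["pdus"] += 1
    verdicts = {}
    for ip, s in stats.items():
        if s["pdus"]:
            verdicts[ip] = "ok"            # discovery finished, real PDU seen
        elif s["discovery"] > 1 and s["replies"]:
            verdicts[ip] = "replies-lost"  # agent answers, client keeps retrying
        else:
            verdicts[ip] = "inconclusive"
    return verdicts

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A "replies-lost" verdict says the controller answered and the answer went missing on the return path; it does not say where, so a capture on each side of the firewall is still needed to locate the drop.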

 
