Re: fpr2130 stoped to answer the snmp on some mibs

dijix1990 · ‎07-04-2023

I have fpr2130 which is working as ASA and some days ago it stoped to answer via snmp, but when I tried to check snmp on it I noticed that snmp was working, but it seemed as fpr2130 lost mibs

For example I checked active node and it was good, snmp works correctly

snmpwalk -v2c -c zabbix 192.168.100.1 sysdescr
SNMPv2-MIB::sysDescr.0 = STRING: Cisco Adaptive Security Appliance Version 9.16(4)18
snmpwalk -v2c -c zabbix 192.168.100.1 ifname
IF-MIB::ifName.2 = STRING: Internal-Data0/1
IF-MIB::ifName.3 = STRING: management
IF-MIB::ifName.4 = STRING: Internal-Data1/1
IF-MIB::ifName.5 = STRING: Ethernet1/1
IF-MIB::ifName.6 = STRING: Ethernet1/2
IF-MIB::ifName.7 = STRING: Ethernet1/3
IF-MIB::ifName.8 = STRING: Ethernet1/4
IF-MIB::ifName.9 = STRING: Ethernet1/5
IF-MIB::ifName.10 = STRING: Ethernet1/6
IF-MIB::ifName.11 = STRING: Ethernet1/7
IF-MIB::ifName.12 = STRING: Ethernet1/8
IF-MIB::ifName.13 = STRING: Ethernet1/9
IF-MIB::ifName.14 = STRING: Ethernet1/10
IF-MIB::ifName.15 = STRING: Ethernet1/11
IF-MIB::ifName.16 = STRING: Port-channel10
IF-MIB::ifName.17 = STRING: Ethernet1/12
IF-MIB::ifName.18 = STRING: Ethernet1/13
IF-MIB::ifName.19 = STRING: Port-channel1
IF-MIB::ifName.20 = STRING: Ethernet1/14
IF-MIB::ifName.21 = STRING: Ethernet1/15
IF-MIB::ifName.22 = STRING: Ethernet1/16
IF-MIB::ifName.23 = STRING: Port-channel1.994
IF-MIB::ifName.24 = STRING: Port-channel1.997
IF-MIB::ifName.25 = STRING: Port-channel10.10
IF-MIB::ifName.26 = STRING: Port-channel10.11

Standby node answers the snmp, but say that doesn't have string sysdescr / ifname

snmpwalk -v2c -c zabbix 192.168.100.2 hrSystemUptime.0
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (207330442) 23 days, 23:55:04.42
snmpwalk -v2c -c zabbix 192.168.100.2 sysdescr
SNMPv2-MIB::sysDescr = No Such Object available on this agent at this OID
snmpwalk -v2c -c zabbix 192.168.100.2 ifname
IF-MIB::ifName = No Such Object available on this agent at this OID

strange.. it worked before

tvotna · ‎07-05-2023

This is something new. Is it for IF-MIB only or other MIBs are also affected? E.g. CISCO-UNIFIED-FIREWALL-MIB or CPU load?

SNMP is total disaster after migration to netsnmp in 9.14 / 6.6. So many bugs:

https://www.cisco.com/web/software/280775065/163160/ASA-9164-Interim-Release-Notes.html

dijix1990 · ‎07-05-2023

not only if-mib. these doesn't work too

CISCO-ENHANCED-MEMPOOL-MIB
CISCO-PROCESS-MIB
CISCO-FIREWALL-MIB
CISCO-UNIFIED-FIREWALL-MIB

dijix1990 · ‎07-05-2023

We prepare to upgrade to 9.18. It's recommended now

tvotna · ‎07-05-2023

Bug fixes are waterfalled to older releases. E.g. 9.16.4.27 is nearly the same as 9.18.3.46 in terms of bug fixes.

MHM Cisco World · ‎07-05-2023

As I know

There are two snmp'

Fxos and lina

You loss fxos snmp

Do

Show snmp <<- in fxos

Also do you mgmt interface

tvotna · ‎07-05-2023

snmpwalk -v2c -c zabbix 192.168.100.1 sysdescr
SNMPv2-MIB::sysDescr.0 = STRING: Cisco Adaptive Security Appliance Version 9.16(4)18

This is FXOS in your opinion?

MHM Cisco World · ‎07-05-2023

as I mention there are two SNMP from FXOS or from LINA
each one have specific steps to troubleshooting below link help you

https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/213971-configure-snmp-on-firepower-ngfw-applian.html

tvotna · ‎07-05-2023

@MHM Cisco WorldThe question was about ASA. FYI, if ASA is running on Firepower 2100 in appliance mode, FXOS doesn't have SNMP agent accessible from the outside. If ASA is running on Firepower 2100 in platform mode, FXOS does have SNMP agent, but it uses completely different set of MIBs, e.g. CISCO-FIREPOWER-AP-ETHER-MIB for frontpanel ports and backplane interfaces connected to Octeon NPU. IF-MIB gives access only to interfaces connected to Intel CPU, few logical interfaces and management0.

MHM Cisco World · ‎07-05-2023

FPR with ASA image or with FTD still same SNMP of LINA of FPR with FTD image is same for with ASA image.
he can use guide I share to check troubleshooting.

dijix1990 · ‎07-05-2023

it's true for fpr4100/4200/9300 not for 2100 with asa in appliance mode(after converting i don't have FXOS management), for fpr4125 I use general snmp and LINA snmp

MHM Cisco World · ‎07-06-2023

check the troubleshooting I share above for LINA SNMP

dijix1990 · ‎07-06-2023

I start to think that you didn't read my description about situation, so once again, It worked since about half year. There weren't any configurations which could break snmp.

The Firepower 2100 runs an underlying operating system called the FXOS. You can run the Firepower 2100 for ASA in the following modes:

Appliance mode (the default)—Appliance mode lets you configure all settings in the ASA. Only advanced troubleshooting commands are available from the FXOS CLI. See the FXOS troubleshooting guide for more information. The chassis manager is not supported.

By the way it started to work after reboot, so I think it's another one bug

tvotna · ‎07-07-2023

@dijix1990, you are completely right. This is definitely a bug and mentioned document is not helpful at all to troubleshoot the issue you faced with. Also, this document is not good for FP2100/1000 ASA running in appliance mode. In fact, it is outdated and somebody need to provide feedback on www.cisco.com so that TAC engineers can update it. They also have a nice doc about the appliance mode.

You're also correct that you cannot connect to FXOS SNMP agent from the outside; you can only connect to ASA SNMP agent. By connecting to ASA SNMP agent you can get access to few FXOS MIBs, but not all, and to traditional ASA MIBs.

I've never seen the issue like yours, when ASA responds for certain MIBs, but returns "no such object" for others. There was a bug in older releases with similar symptoms, but it was fixed long ago. You could open a TAC case, but now it's too late if you rebooted. Or you can upgrade blindly, but the issue may re-appear upon some time, no matter if you upgrade to 9.18 or 9.16 latest interim, because they share bug fixes as I mentioned earlier.