11-25-2009 05:37 AM
I'm running an SA4500 Cluster with software 6.1R6 (build 13733) and I'm having an issue with SNMP.
SNMP has been configured, but I am unable to reach the device using SNMP.
The device is fully IP reachable, with ping working fine, but whenever we try to discover the VPN boxes using SNMP or even do an SNMP walk, the requests time out. The traffic is being seen through the firewall which is the next hop to the device, so I can only assume that the traffic is reaching the device.
Any ideas on why this is occurring, or is there a way I can troubleshoot the traffic hitting the SA?
11-30-2009 11:31 AM
Under Troubleshooting, there is a capability to do a packet trace from any interface of the SA. That would certainly allow you to see if the SNMP Get packet is being received by the SA.
12-01-2009 02:12 AM
Thanks for the response.
I have run a trace on the device and can indeed see the SNMP GET request hitting the external interface, followed by the community string arriving, but there is never any response from the SA back to the NMS server.
x.x.x.x.3322 > x.x.x.x.161: GetRequest(83) .126.96.36.199.188.8.131.52.0 .184.108.40.206.220.127.116.11.0 .18.104.22.168.22.214.171.124.0 .126.96.36.199.188.8.131.52.0 .184.108.40.206.220.127.116.11.0
x.x.x.x.3322 > x.x.x.x.161: C=<commstring> GetRequest(83) .18.104.22.168.22.214.171.124.0 .126.96.36.199.188.8.131.52.0 .184.108.40.206.220.127.116.11.0 .18.104.22.168.22.214.171.124.0 .126.96.36.199.188.8.131.52.0
Any ideas why the SA is failing to respond?
I thought it might be something to do with monitoring the external interface but we have that working fine elsewhere.
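The check done by eye on the trace above, as an added example that is not part of any post in this thread: a Python script that reads tcpdump-style text lines and reports SNMP requests that never received a GetResponse on the reverse flow. The sample trace, its addresses and community string are constructed, and the function name `unanswered_snmp` is hypothetical.

```python
import re
from collections import Counter

# Matches "<src>.<sport> > <dst>.<dport>: ... <PDU type>(" in tcpdump text output.
LINE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): .*?"
    r"(?P<pdu>GetRequest|GetNextRequest|GetBulk|GetResponse)\("
)

def unanswered_snmp(lines, agent_port=161):
    """Return {(manager_ip, manager_port, agent_ip): count} of requests with no reply.

    Requests and responses are paired by reversed flow, because the short
    tcpdump output form does not print the SNMP request-id.
    """
    pending = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an SNMP get/response line
        sport, dport = int(m["sport"]), int(m["dport"])
        if m["pdu"] == "GetResponse" and sport == agent_port:
            key = (m["dst"], dport, m["src"])  # flip to the request direction
            if pending[key] > 0:
                pending[key] -= 1
        elif m["pdu"] != "GetResponse" and dport == agent_port:
            pending[(m["src"], sport, m["dst"])] += 1
    return {k: v for k, v in pending.items() if v > 0}

# Constructed sample: one agent stays silent, another answers.
SAMPLE_TRACE = """\
192.0.2.10.3322 > 198.51.100.5.161: C=example GetRequest(83) .1.3.6.1.2.1.1.3.0
192.0.2.10.3322 > 198.51.100.5.161: C=example GetRequest(83) .1.3.6.1.2.1.1.3.0
192.0.2.10.4410 > 203.0.113.7.161: C=example GetRequest(28) .1.3.6.1.2.1.1.3.0
203.0.113.7.161 > 192.0.2.10.4410: C=example GetResponse(32) .1.3.6.1.2.1.1.3.0=12345
""".splitlines()

if __name__ == "__main__":
    for (mgr, port, agent), n in unanswered_snmp(SAMPLE_TRACE).items():
        print(f"{n} request(s) from {mgr}:{port} to {agent}:161 got no response")
```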
12-01-2009 06:16 AM
You will not be able to query SNMP from the external interface.
You should come via the internal interface (or the management interface on SA6000/SA65000 if it's enabled).
Assuming that you already enabled "SNMP Queries" and filled the System Name, Location and most important Community under Log/Monitoring > SNMP.
12-01-2009 06:22 AM
Thanks for the response.
Yup all of the above has been configured.
So that confirms my theory then.
Is this a recent change in behaviour, as we are definitely managing these devices for another client to the external interface, but using an earlier version of code?
12-01-2009 06:52 AM
How much earlier a version of the code?
I tested on a 5.5R1, 6.0R12 and a 6.4R4, only get response to SNMP query on the internal IF, nothing on the external IF.
Are you not querying the internal interface (via a Mapped IP maybe)?
02-07-2012 03:24 AM
02-08-2012 10:16 PM
SNMP can't be enabled through the external interface; this is not supported. SNMP traffic can be routed only through the internal port or Management port of the SA.
Hope this clarifies your query.
02-09-2012 07:55 AM
Stuart - you said managing - you can enable management of the device from the external interface. That will allow you to perform web based management. Is that what you were thinking of? I have been working with these guys for four years and to the best of my recollection you could never do SNMP externally.
02-09-2012 08:09 AM
There was an issue in 5.5R1 where the routes were configured incorrectly and this was allowed to happen; it was an error and fixed quickly. There is nothing allowed to initiate/report from the external interface; it is used only for incoming user connections. All user traffic and management traffic uses the internal port (unless you have the management port, in which case that will be used; never the external).
03-15-2012 09:01 PM