
QFX not responding to snmp polls

‎06-13-2020 01:09 AM

Hi, I am new to Junos and was trying to poll the QFX box using SNMP from shell servers. However, I am seeing an SNMPD_AUTH_RESTRICTED_ADDRESS message in the trace file. As a result, I am unable to get SNMP responses from the device. Any idea how to resolve this issue? Logs below:

Note: Running snmp on default routing instance

 

Jun 13 00:37:13.044259 snmpd[62bc1139] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Jun 13 00:37:13.044291 snmpd[62bc1139] >>> Get-Next-Request

Jun 13 00:37:13.044322 snmpd[62bc1139] >>>  Source:      10.220.192.173

Jun 13 00:37:13.044331 snmpd[62bc1139] >>>  Destination: 10.216.97.26

Jun 13 00:37:13.044338 snmpd[62bc1139] >>>  Version:     SNMPv1

Jun 13 00:37:13.044345 snmpd[62bc1139] >>>  Request_id:  0x62bc1139

Jun 13 00:37:13.044359 snmpd[62bc1139] >>>  Community:   public

Jun 13 00:37:13.044368 snmpd[62bc1139] >>>  Error:       status=0 / vb_index=0

Jun 13 00:37:13.044385 snmpd[62bc1139] >>>   OID  : sysDescr

Jun 13 00:37:13.044393 snmpd[62bc1139] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Jun 13 00:37:13.044410 SNMPD_AUTH_RESTRICTED_ADDRESS: nsa_initial_callback: request from address 10.220.192.173 not allowed

Jun 13 00:37:13.044467 ns_trap_internal

Jun 13 00:37:13.044484 ns_trap_internal

Jun 13 00:37:30.990101 snmpd[28ce0183] >>> Get-Next-Request

Jun 13 00:37:30.990110 snmpd[28ce0183] >>>  Source:      10.220.192.173

Jun 13 00:37:30.990117 snmpd[28ce0183] >>>  Destination: 10.216.97.26

Jun 13 00:37:30.990124 snmpd[28ce0183] >>>  Version:     SNMPv2

Jun 13 00:37:30.990130 snmpd[28ce0183] >>>  Request_id:  0x28ce0183

Jun 13 00:37:30.990138 snmpd[28ce0183] >>>  Community:   public

Jun 13 00:37:30.990145 snmpd[28ce0183] >>>  Error:       status=0 / vb_index=0

Jun 13 00:37:30.990159 snmpd[28ce0183] >>>   OID  : sysDescr

Jun 13 00:37:30.990167 snmpd[28ce0183] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Jun 13 00:37:30.990182 SNMPD_AUTH_RESTRICTED_ADDRESS: nsa_initial_callback: request from address 10.220.192.173 not allowed

 

Device configs:

{master:0}[edit]

regress@elit3-sys# show routing-instances

 

{master:0}[edit]

regress@elit3-sys# show snmp

name ELIT3-SYS;

description "ELIT3-SYS QFX box";

view all {

    oid .1;

}

community public {

    authorization read-only;

    clients {

        10.85.209.8/32;

    }

}

traceoptions {

    file snmp-traces;

    flag all;

}


Re: QFX not responding to snmp polls

‎06-13-2020 02:38 AM

Hi vinaypillutla,

 

Do you have a loopback filter configured on this box, and is it allowing the server's IP in the SNMP source address?

 

If this solves your problem, please mark this post as "Accepted Solution" so we can help others too

 

Kudos are appreciated too 

 

Regards,

Nadeem


Re: QFX not responding to snmp polls

‎06-13-2020 05:14 AM

Hi Nadeemm,

There was an IP mismatch in the device config under the clients section. Thanks.

I had a doubt: is applying a loopback filter mandatory? I think by default, the SNMP packets are allowed.

 

Thanks,

Vinay


Re: QFX not responding to snmp polls

‎06-13-2020 09:18 AM

You are correct: the issue above is that the SNMP request is from an IP address not on your client list.

 

You are also correct that the loopback protect filter is not required (but recommended to secure the device) and that the default behavior is to allow SNMP.

 

Details on the security hardening for Junos can be found in this free Day One book if you are interested in pursuing that option.

https://www.juniper.net/documentation/en_US/day-one-books/TW_HardeningJunosDevices_2ndEd.zip

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
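As an added example (not part of the original thread and not Juniper tooling): a small Python check that extracts the denied source addresses from `SNMPD_AUTH_RESTRICTED_ADDRESS` trace lines and tests them against each community's `clients` prefixes from `show snmp`. The sample trace and config are constructed from the lines quoted in the thread; the function names are illustrative.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input, shaped like the trace lines and `show snmp` output in the thread.
TRACE = """\
Jun 13 00:37:13.044410 SNMPD_AUTH_RESTRICTED_ADDRESS: nsa_initial_callback: request from address 10.220.192.173 not allowed
Jun 13 00:37:30.990182 SNMPD_AUTH_RESTRICTED_ADDRESS: nsa_initial_callback: request from address 10.220.192.173 not allowed
"""
SHOW_SNMP = """\
community public {
    authorization read-only;
    clients {
        10.85.209.8/32;
    }
}
"""

DENIED = re.compile(r"SNMPD_AUTH_RESTRICTED_ADDRESS: .*request from address (\S+) not allowed")

def parse_clients(config):
    """Map each community name to the networks in its clients { } stanza."""
    clients, community, in_clients = {}, None, False
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"community (\S+) \{$", line):
            community, in_clients = m.group(1), False
            clients[community] = []
        elif line == "clients {":
            in_clients = True
        elif line == "}":
            in_clients = False
        elif in_clients and community and (m := re.match(r"(\S+/\d+);$", line)):
            # Plain prefixes only; entries carrying the `restrict` keyword do not match.
            clients[community].append(ipaddress.ip_network(m.group(1), strict=False))
    return clients

def diagnose(trace, config):
    """Per denied source: (hit count, communities whose client list covers it)."""
    clients = parse_clients(config)
    hits = Counter(m.group(1) for m in DENIED.finditer(trace))
    covers = lambda src, nets: any(ipaddress.ip_address(src) in n for n in nets)
    return {s: (n, [c for c, nets in clients.items() if covers(s, nets)]) for s, n in hits.items()}

if __name__ == "__main__":
    for src, (n, covered) in diagnose(TRACE, SHOW_SNMP).items():
        print(f"{src}: denied {n}x, permitted by communities: {covered or 'none'}")
```

An empty community list for a source means no `clients` entry covers the poller; either the configured prefix is wrong or the poller is sourcing from an unexpected address.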

Re: QFX not responding to snmp polls

‎06-13-2020 06:24 PM

Hi vinaypillutla,

 

Glad to know that the issue was resolved by correcting the IP address in the config.

It is not mandatory to configure a loopback filter, but the loopback interface is a gateway for all the control traffic that enters the Routing Engine of the router. If you want to monitor this control traffic, you must configure a firewall filter on the loopback interface (lo0). Loopback firewall filters are applied only to packets that are sent to the Routing Engine CPU for further processing.

Below is the link for more understanding.

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-loopback-interface-...

 

If this solves your problem, please mark this post as "Accepted Solution" so we can help others too

 

Kudos are appreciated too 

 

Regards,

Nadeem
