SRX Services Gateway

Need help to get snmp up and running on SRX420 (now trying on a srx210, not working either..)

[ Edited ]
‎04-29-2014 12:18 AM

I am trying to enable snmp (queries, not traps) on our SRX420 firewall. I have been trying for several days now but was not able to get it working.

 

This is my snmp configuration:

 

> show configuration | match "snmp" | display set
set snmp description "Inside Firewall"
set snmp location MER
set snmp contact "Ronald"
set snmp community notpublic authorization read-only
set snmp community notpublic clients 172.16.1.3/32
set security policies from-zone MGT-inside to-zone management-lo0 policy permit-snmp match source-address 172.16.1.3
set security policies from-zone MGT-inside to-zone management-lo0 policy permit-snmp match destination-address 10.255.254.2
set security policies from-zone MGT-inside to-zone management-lo0 policy permit-snmp match application snmp
set security policies from-zone MGT-inside to-zone management-lo0 policy permit-snmp then permit
set security policies from-zone MGT-inside to-zone management-lo0 policy permit-snmp then log session-init
set security policies from-zone MGT-inside to-zone management-lo0 policy permit-snmp then log session-close
set security policies from-zone MGT-inside to-zone management-lo0 policy permit-snmp then count
set security zones security-zone management-lo0 host-inbound-traffic system-services snmp
set applications application printersnmp protocol udp
set applications application printersnmp destination-port 161
set applications application-set printer application snmp

 

And also:

> show configuration | match "system-services" | display set

set security zones security-zone management-lo0 host-inbound-traffic system-services snmp

{primary:node0}

 

When querying from 172.16.1.3 (a Linux machine), there is no response:

root@cacti:~# snmpwalk -v2c -c notpublic 10.255.254.2 .
Timeout: No Response from 10.255.254.2

 

 

From policy-log2:

 

Apr 28 16:55:45 dh-tm-ifw01 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 172.16.1.3/37261->10.255.254.2/161 None 172.16.1.3/37261->10.255.254.2/161 None None 17 permit-snmp MGT-inside management-lo0 10097 6(408) 0(0) 64 UNKNOWN UNKNOWN N/A(N/A) reth3.0 No

 

This proves that snmp queries from 172.16.1.3 are reaching the firewall, however there is no response.

 

I have tried many things but was not able to get it working; any help would be appreciated!

 

Ronald.
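The policy log above already contains the key evidence: in the RT_FLOW_SESSION_CLOSE record the fields "6(408) 0(0)" are packets(bytes) from the client and packets(bytes) from the server, so the SRX accepted six SNMP packets and sent nothing back. As an added example (not code from the thread), this Python parser pulls those counters out of Junos session-close messages and flags permitted sessions with no reply; the log lines are constructed, the first one modelled on the message in the post.

```python
import re

# Constructed sample lines modelled on the RT_FLOW_SESSION_CLOSE message quoted in the post
# (the second line is an invented SSH session with traffic in both directions, for contrast).
SAMPLE_LOG = """\
Apr 28 16:55:45 dh-tm-ifw01 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 172.16.1.3/37261->10.255.254.2/161 None 172.16.1.3/37261->10.255.254.2/161 None None 17 permit-snmp MGT-inside management-lo0 10097 6(408) 0(0) 64 UNKNOWN UNKNOWN N/A(N/A) reth3.0 No
Apr 28 16:56:02 dh-tm-ifw01 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 172.16.1.3/41022->10.255.254.2/22 junos-ssh 172.16.1.3/41022->10.255.254.2/22 None None 6 permit-ssh MGT-inside management-lo0 10098 40(5120) 38(7300) 12 UNKNOWN UNKNOWN N/A(N/A) reth3.0 No
"""

# Field order of the unstructured RT_FLOW_SESSION_CLOSE message: reason, 5-tuple, service,
# NAT'd 5-tuple, src/dst NAT rule, protocol, policy, zones, session id, then
# packets(bytes) from client and packets(bytes) from server, then elapsed seconds.
CLOSE_RE = re.compile(
    r"RT_FLOW_SESSION_CLOSE: session closed (?P<reason>.+?): "
    r"(?P<src>[^/\s]+)/(?P<sport>\d+)->(?P<dst>[^/\s]+)/(?P<dport>\d+) (?P<service>\S+) "
    r"\S+ \S+ \S+ (?P<proto>\d+) (?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) "
    r"(?P<session_id>\d+) (?P<c_pkts>\d+)\((?P<c_bytes>\d+)\) (?P<s_pkts>\d+)\((?P<s_bytes>\d+)\) "
    r"(?P<elapsed>\d+)"
)
INT_FIELDS = ("sport", "dport", "proto", "session_id", "c_pkts", "c_bytes", "s_pkts", "s_bytes", "elapsed")

def parse_session_close(line):
    """Return the close record as a dict, or None if the line is not a SESSION_CLOSE message."""
    m = CLOSE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec

def one_way_sessions(log_text, dport=None):
    """Permitted sessions where the client sent packets but the server sent none back.
    For SNMP this is exactly the symptom in the thread: request reached the SRX, no reply left."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_session_close(line)
        if rec is None or (dport is not None and rec["dport"] != dport):
            continue
        if rec["c_pkts"] > 0 and rec["s_pkts"] == 0:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in one_way_sessions(SAMPLE_LOG, dport=161):
        print(f"no reply: {rec['src']} -> {rec['dst']}:{rec['dport']} policy={rec['policy']} "
              f"client={rec['c_pkts']} pkts, server={rec['s_pkts']} pkts")
```

A one-way UDP/161 session that the policy permitted points at the host-inbound-traffic or SNMP configuration on the device rather than at the security policy.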

14 REPLIES

Re: Need help to get snmp up and running on SRX420

‎04-29-2014 12:57 AM

Hello

 

While sending the query from the client PC, you are using the community deeppublic, but the configured community is notpublic.

 

Regards,

Raveen

Note: If this answers your question, you could mark this post as accepted solution, that way it helps others as well. Kudos will be cool if I earned it!

Re: Need help to get snmp up and running on SRX420

[ Edited ]
‎04-29-2014 01:04 AM

Thanks for helping me. And sorry for the confusion, this was a mistake in my initial post; using the correct community string I get the same result (no response). I've edited my initial post to correct it.


Re: Need help to get snmp up and running on SRX420

‎04-29-2014 01:09 AM

Hello

 

Can you try the query below?

 

snmpwalk -v2c -c notpublic 10.255.254.2 1.3.6.1.4.1.2636.3

 

Regards,

Raveen


Re: Need help to get snmp up and running on SRX420

[ Edited ]
‎04-29-2014 02:15 AM

Same thing, unfortunately...

 

root@cacti:~# snmpwalk -v2c -c notpublic 10.255.254.2 1.3.6.1.4.1.2636.3
Timeout: No Response from 10.255.254.2
root@cacti:~#

 

By the way, ssh for instance does work from the same machine to the firewall on the same ip address. So it is not a routing issue, also policy rules are similar for snmp and ssh.

 

Local SNMP queries on the firewall do work!


Re: Need help to get snmp up and running on SRX420

‎04-29-2014 02:16 AM

Are you able to see packets coming in and going out when you run the command below:

 

monitor traffic interface <if-name>

 

Would it be possible for you to share the complete configuration?

 

Regards,

Raveen


Re: Need help to get snmp up and running on SRX420

[ Edited ]
‎04-29-2014 02:21 AM

The result is:

 

11:31:26.924850 In IP 172.16.1.3.56625 > 10.255.254.2.snmp: C=notpublic GetNextRequest(23) E:[|snmp]
11:31:26.933399 Out IP truncated-ip - 31 bytes missing! 10.255.254.2.snmp > 172.16.1.3.56625: C=notpublic GetResponse(13)[|snmp]

 

11:31:27.931261 In IP 172.16.1.3.56625 > 10.255.254.2.snmp: C=notpublic GetNextRequest(23) E:[|snmp]
11:31:27.941314 Out IP truncated-ip - 31 bytes missing! 10.255.254.2.snmp > 172.16.1.3.56625: C=notpublic GetResponse(13)[|snmp]

 

I suppose the truncated ip and 31 bytes missing are not what is supposed to happen 😉

 

Unfortunately I am not allowed to share the full config.


Re: Need help to get snmp up and running on SRX420

[ Edited ]
‎04-29-2014 02:46 AM

I also did a monitor traffic interface reth3.0 extensive:

 

11:56:01.409823 Out
Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
Device Interface Index Extension TLV #1, length 2, value: 33536
Logical Interface Index Extension TLV #4, length 4, value: 86
-----original packet-----
00:10:db:ff:10:03 > ac:f2:c5:1c:b3:eb, ethertype IPv4 (0x0800), length 105: (tos 0x0, ttl 64, id 50589, offset 0, flags [none], proto: UDP (17), length: 91) 10.255.254.2.snmp > 172.16.1.3.36897: [udp sum ok] |30|3d|02|01SNMPv2c |04|0aC=deeppublic |a2|2cGetResponse(44)|02|04|02|01|02|01|30|1e |30|1c|06|0bE:2636.3.1.1.0=|06|0dE:2636.1.1.1.1.39.0
11:56:01.442665 Out
Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
Device Interface Index Extension TLV #1, length 2, value: 33536
Logical Interface Index Extension TLV #4, length 4, value: 86
-----original packet-----
00:10:db:ff:10:03 > ac:f2:c5:1c:b3:eb, ethertype IPv4 (0x0800), length 271: (tos 0x0, ttl 64, id 50590, offset 0, flags [none], proto: UDP (17), length: 257) 10.255.254.2.syslog > 172.16.1.2.syslog: [udp sum ok] SYSLOG, length: 229
Facility user (1), Severity info (6)
Msg: Apr 29 11:56:01 dh-tm-ifw01 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.16.1.3/36897->10.255.254.2/161 None 172.16.1.3/36897->10.255.254.2/161 None None 17 permit-snmp MGT-inside management-lo0 23231 N/A(N/A) reth3.0

Re: Need help to get snmp up and running on SRX420

‎04-29-2014 02:46 AM

Truncated-ip should not be an issue here; you get this message because of the default buffer size.

It can be mitigated by increasing the size, refer below:

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB13662

 

Coming to actual problem:

 

From the output pasted, I reckon the SRX is able to process the SNMP request and generate a response.

Instead of a walk, if you do a simple getNext, does it work?

 

Have you tried with an SNMP browser (say iReasoning etc.) in Windows?

 

Regards,

Raveen


Re: Need help to get snmp up and running on SRX420

‎04-29-2014 02:49 AM

 

Snmpget also results in a timeout.

 

root@cacti:~# snmpget -v2c -c notpublic 10.255.254.2 1.3.6.1.4.1.2636.3
Timeout: No Response from 10.255.254.2.
root@cacti:~#

 

snmpget and snmpwalk do work against non-Juniper SNMP hosts...


Re: Need help to get snmp up and running on SRX420

‎04-29-2014 06:22 AM

Hi

 

If sharing complete configuration is not feasible, I think you need to open up a case with JTAC to proceed further.

 

Regards,

Raveen


Re: Need help to get snmp up and running on SRX420

‎04-30-2014 11:57 PM

I have an SRX210 on my desk now that I can use to test and troubleshoot.

 

I still did not manage to get SNMP queries working; the good news is that from this device I can post the full config 🙂

 

The fact that I do not get SNMP working on this device either probably means I am doing something wrong, which is good because that means it can be fixed 😉

 

I did attach the full config.

 

Thanks a lot for the effort of trying to help me get snmp working 🙂

 

Best regards,

 

Ronald


Re: Need help to get snmp up and running on SRX420

‎05-01-2014 04:57 AM

Hi tingtong,

 

From the configuration below, snmp is not configured under interface vlan.1.

 

  security-zone Internal {
            host-inbound-traffic {
                system-services {
                    snmp;
                    http;
                    https;
                    ssh;
                }
            }
            interfaces {
                vlan.1 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            http;
                            https;
                            ssh;
                            telnet;
                        }
                    }
                }

 

 

Interface configuration takes precedence over zone-level configuration.

If you allow snmp at the interface level, hopefully everything should work!

 

The command below should resolve it:

set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services snmp

 

Regards,

Raveen

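The precedence rule Raveen describes is easy to miss when reading a long zone block, so here is an added example (not code from the thread) that checks it mechanically: a Python parser for "display set" output that computes the host-inbound-traffic services effectively accepted on each interface and reports interfaces whose own list shadows a service the zone allows. Zone and interface names come from the thread; the sample config lines are constructed.

```python
import re

# Constructed "display set" excerpt mirroring the zone Raveen quotes: the zone allows snmp,
# but vlan.1 has its own system-services list that omits it (service lists shortened).
SAMPLE_SET = """\
set security zones security-zone Internal host-inbound-traffic system-services snmp
set security zones security-zone Internal host-inbound-traffic system-services ssh
set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services ping
set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services ssh
set security zones security-zone Internal interfaces vlan.1 host-inbound-traffic system-services telnet
set security zones security-zone management-lo0 host-inbound-traffic system-services snmp
set security zones security-zone management-lo0 interfaces lo0.0
"""
ZONE_SVC = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")
IFACE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)"
                   r"(?: host-inbound-traffic system-services (\S+))?$")

def parse_zones(set_text):
    """Build {zone: {"services": set, "interfaces": {ifname: set}}} from 'display set' lines."""
    zones = {}
    for line in set_text.splitlines():
        line = line.strip()
        m = ZONE_SVC.match(line)
        if m:
            zone = zones.setdefault(m.group(1), {"services": set(), "interfaces": {}})
            zone["services"].add(m.group(2))
            continue
        m = IFACE.match(line)
        if m:
            zone = zones.setdefault(m.group(1), {"services": set(), "interfaces": {}})
            own = zone["interfaces"].setdefault(m.group(2), set())
            if m.group(3):
                own.add(m.group(3))
    return zones

def effective_services(zones, ifname):
    """Interface-level list if the interface has one (it overrides the zone), else the zone list."""
    for zone_name, zone in zones.items():
        if ifname in zone["interfaces"]:
            own = zone["interfaces"][ifname]
            return zone_name, (own if own else zone["services"])
    return None, set()

def allows(zones, ifname, service):
    _, services = effective_services(zones, ifname)
    return "all" in services or service in services

def interfaces_missing(zones, service):
    """Interfaces whose zone allows `service` but whose own list shadows it away."""
    return sorted(ifname for zone in zones.values() if service in zone["services"]
                  for ifname in zone["interfaces"] if not allows(zones, ifname, service))
```

Running interfaces_missing(parse_zones(SAMPLE_SET), "snmp") returns ["vlan.1"], which is the interface Raveen's set command fixes.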

Re: Need help to get snmp up and running on SRX420

‎05-01-2014 06:38 AM

Thanks, it's working now on the SRX210 🙂

 

However, I still don't know why it's not working on the SRX420.


Re: Need help to get snmp up and running on SRX420

‎05-01-2014 09:10 PM

Without configuration, it is not possible to get to root cause.

If you are apprehensive about uploading configuration to forum, please open up a JTAC case.

 

Regards,

Raveen
