I am setting up a Nagios system and it is in our Web DMZ currently and while I can use snmpget to retrieve info from OIDs on a 6400 just fine, the same command fails on the 6850E. If I run the command on the same vlan as both switches it works fine but only the 6400 works through the firewall and the 6850 responds with "Timeout: No Response from x.x.x.x".
I've used nmap (sudo nmap -sU x.x.x.x) from the nagios server in the DMZ to scan both switches and the 6850E reports "161/udp open|filtered snmp" while the 6400 reports "161/udp open snmp". I set up both switches with the same user and community string and no smtp auth, so I am at a loss on what to do to get this to work and why the 6850E is "filtered". I have no filtering policies in place.
Both the switch and nagios server can ping each other so I know routing is working and for testing I set the firewall rule on a "Server -> switch all services" kind of rule as well as restricting it down to just the services I'm checking but it hasn't made a difference. Quite frankly I'm at my wits end.
6850E vs 6400 SNMP v2c not working identically through firewall
-
devnull
Re: 6850E vs 6400 SNMP v2c not working identically through firewall
It does not work through firewall?!
Does it work on the same VLAN?
Yes -> Firewall is configured wrong.
No (not working on same vlan) -> SNMP is configured wrong.
please compare
"show configuration snapshot snmp"
"show configuration snapshot aaa"
"show user"
you need for snmpv2 (if I recall correctly):
user your_username password your_password read-write all no auth
aaa authentication snmp "local"
snmp security no security
snmp community map "your_community" user "your_username" on
community to check is the value you set at "your_community"
Also check that snmp service is enabled
ip service snmp (or something similar)
If Firewall is the issue:
You need to allow Nagios Server -> Switch IP UDP/161
-
Creator1326
Re: 6850E vs 6400 SNMP v2c not working identically through firewall
SNMP works for the 6400 through firewall but not 6850E
SNMP also works for BOTH 6400 AND 6850E when on the same VLAN as the switches and the same snmpget query returns a result on both switches
6850E config:
snmp security no security
snmp authentication trap enable
snmp community map "public" user "monitor" on
aaa authentication console "local"
aaa authentication http "local"
aaa authentication snmp "local"
aaa authentication ssh "local"
User name = monitor,
Password expiration = None,
Password allow to be modified date = None,
Account lockout = None,
Password bad attempts = 0,
Read Only for domains = All ,
Read/Write for domains = None,
Snmp allowed = YES,
Snmp authentication = NONE,
Snmp encryption = NONE,
Console-Only = Disabled
6400 config:
snmp security no security
snmp community map "public" user "monitor" on
aaa authentication console "local"
aaa authentication http "local"
aaa authentication snmp "local"
aaa authentication ssh "local"
User name = monitor,
Password expiration = None,
Password allow to be modified date = None,
Account lockout = None,
Password bad attempts = 0,
Read Only for domains = Physical Network Layer2 Policy ,
Read/Write for domains = None,
Snmp allowed = YES,
Snmp authentication = NONE,
Snmp encryption = NONE,
Console-Only = Disabled
-
devnull
Re: 6850E vs 6400 SNMP v2c not working identically through firewall
If it works in the same vlan you have either a firewall problem or a missing route (default gateway) on the 6850 - in this case the reply packets can't find a way to the nagios server.
Can you ping the switch from the nagios server?
Are you doing port forwarding/nat/whatever on the firewall?
-
Creator1326
Re: 6850E vs 6400 SNMP v2c not working identically through firewall
As I stated above yes both the 6400 and 6850E can ping the nagios server and the server can ping both of the switches. It's not a firewall problem, it's not a routing problem. No there's no nat-ing or port forwarding.
-
devnull
Re: 6850E vs 6400 SNMP v2c not working identically through firewall
Strange.
Reboot, Software upgrade, mirror the port to/from firewall to check for snmp packets.
Otherwise I'm clueless ;-(
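Added example, not part of any post in the thread: the snmpget "Timeout" and nmap's "open|filtered" both mean that no datagram came back on UDP/161, so a minimal SNMPv2c GET probe that separates a reply, silence, and an ICMP port-unreachable can be run from both sides of the firewall to compare. The community "public" is taken from the posted config; the function names and the choice of sysDescr.0 (1.3.6.1.2.1.1.1.0) as the test OID are assumptions.

```python
import socket

def tlv(tag: int, body: bytes) -> bytes:
    # BER tag-length-value, short-form length (a GET request stays under 128 bytes)
    return bytes([tag, len(body)]) + body

def ber_int(v: int) -> bytes:
    # Non-negative INTEGER; byte count chosen so the sign bit stays clear
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:  # base-128, high bit marks continuation
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))  # OID + NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)  # version 1 = v2c

def is_get_response(msg: bytes) -> bool:
    # True when the PDU after version and community carries the Response tag 0xA2
    try:
        i = 2 + (msg[1] & 0x7F if msg[1] & 0x80 else 0)  # skip outer SEQUENCE header
        for _ in range(2):  # step over version and community
            i += 2 + msg[i + 1]
        return msg[0] == 0x30 and msg[i] == 0xA2
    except IndexError:
        return False

def probe(host, community="public", oid="1.3.6.1.2.1.1.1.0", port=161, timeout=2.0):
    # 'no-reply' is the case snmpget reports as Timeout and nmap as open|filtered
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(get_request(community, oid))
            data = s.recv(65535)
        except socket.timeout:
            return "no-reply"
        except ConnectionRefusedError:  # ICMP port unreachable came back
            return "port-closed"
    return "reply" if is_get_response(data) else "unexpected"
```

Calling probe() with the switch address from the Nagios server and again from a host on the switch VLAN shows whether the request or the reply is the datagram that goes missing only on the firewalled path.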
