Cannot poll SNMP

Author: jonta
Posted: 2018/12/27 07:58:40


I am running a FortiGate HA pair in ESX, version 6.0.3 build 0200 (GA).
I have a few subnets, one of which I called management, with subnet range 10.10.1.0/24.
The FortiGates have two interfaces on this subnet. One is the floating IP that the active member will have, which is 10.10.1.1, and the other is a management interface reservation set up in the HA section so that I can reach both members:
fortigate1 - 10.10.1.42
fortigate2 - 10.10.1.43
 
I am connecting over HTTPS to these IPs (mainly to the primary, of course) and can reach them.
 
Now the next thing is to configure SNMP.
 
First I enable SNMP on port5, which is the port that has 10.10.1.42 on fortigate1.
Then I go to SNMP settings and enable a v2c community with community name 'public'.
On the monitoring server, which is on the same subnet as the firewalls' self IP, I try this.
 
Here is the config (the port5 block is shown inside its enclosing config system interface / end, which the original paste omitted):

config system interface
    edit "port5"
        set ip 10.10.1.42 255.255.255.0
        set allowaccess ping https ssh snmp http
        set type physical
        set device-identification enable
        set role lan
        set snmp-index 5
    next
end

config system snmp community
    edit 1
        set name "public"
        config hosts
            edit 1
                set ip 10.10.1.70 255.255.255.255
            next
        end
    next
end

 
First, some pings from the monitoring server to fortigate1:
user@vserver-mon:~$ ping 10.10.1.42
PING 10.10.1.42 (10.10.1.42) 56(84) bytes of data.
64 bytes from 10.10.1.42: icmp_seq=1 ttl=255 time=0.110 ms
64 bytes from 10.10.1.42: icmp_seq=2 ttl=255 time=0.275 ms

 
Then snmpwalk:

user@vserver-mon:~$ ifconfig
ens192 Link encap:Ethernet HWaddr 00:0c:29:5a:ad:f0
inet addr:10.10.1.70 Bcast:10.10.1.255 Mask:255.255.255.0
 
user@vserver-mon:~$ snmpwalk -v2c -c public 10.10.1.42
Timeout: No Response from 10.10.1.42

 
Okay, nothing. Let's see what debug gives:
 
login as: admin
admin@10.10.1.42's password:
vfirewall-fortinet-1 # diag debug application snmpd -1
Debug messages will be on for 30 minutes.

vfirewall-fortinet-1 # diag debug reset

vfirewall-fortinet-1 # diag debug flow filter addr 10.10.1.70

vfirewall-fortinet-1 # diag debug en

vfirewall-fortinet-1 # diag debug flow trace start 100

vfirewall-fortinet-1 # id=20085 trace_id=101 func=print_pkt_detail line=5384 msg="vd-vsys_hamgmt:0 received a packet(proto=17, 10.10.1.70:56777->10.10.1.42:161) from port5. "
id=20085 trace_id=101 func=init_ip_session_common line=5544 msg="allocate a new session-001773d3"
id=20085 trace_id=101 func=vf_ip_route_input_common line=2591 msg="find a route: flag=84000000 gw-10.10.1.42 via vsys_hamgmt"
id=20085 trace_id=102 func=print_pkt_detail line=5384 msg="vd-vsys_hamgmt:0 received a packet(proto=17, 10.10.1.70:56777->10.10.1.42:161) from port5. "
id=20085 trace_id=102 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-001773d3, original direction"
id=20085 trace_id=103 func=print_pkt_detail line=5384 msg="vd-vsys_hamgmt:0 received a packet(proto=17, 10.10.1.70:56777->10.10.1.42:161) from port5. "
id=20085 trace_id=103 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-001773d3, original direction"
id=20085 trace_id=104 func=print_pkt_detail line=5384 msg="vd-vsys_hamgmt:0 received a packet(proto=17, 10.10.1.70:56777->10.10.1.42:161) from port5. "
id=20085 trace_id=104 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-001773d3, original direction"
id=20085 trace_id=105 func=print_pkt_detail line=5384 msg="vd-vsys_hamgmt:0 received a packet(proto=17, 10.10.1.70:56777->10.10.1.42:161) from port5. "
id=20085 trace_id=105 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-001773d3, original direction"
id=20085 trace_id=106 func=print_pkt_detail line=5384 msg="vd-vsys_hamgmt:0 received a packet(proto=17, 10.10.1.70:56777->10.10.1.42:161) from port5. "
id=20085 trace_id=106 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-001773d3, original direction"

 
I wondered if there was an issue due to the FortiGate having two interfaces on the same subnet. But the HTTPS works fine.
 
What else to do?
I did a packet capture on both the VLAN1 (10.10.1.1) interface and port5 (10.10.1.42) at the same time while doing an snmpwalk.
The packet capture only saw packets on port5, and only incoming packets, no return packets.
To make sure I didn't make a mistake in my snmpwalk command, I also tried to add the device in Observium with SNMP v2c and public as the community.
 
Am I missing something obvious here?
 
#1
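An independent check of the symptom above, added here as an example (it is not part of the original post and not a Fortinet tool): a minimal SNMPv2c GET client that hand-builds the BER-encoded GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), sends it to UDP/161 and decodes whatever comes back. If it times out exactly like snmpwalk does, the net-snmp command line is not the problem and attention can go back to the firewall side, where the debug flow above shows the request landing in the vsys_hamgmt VDOM with no reply leaving port5. The target 10.10.1.42 and community "public" are the ones from the post; the timeout, request-id and helper names are this example's own choices. It also makes the usual v2c caveat concrete: the community string sits in cleartext in every datagram, so the per-host restriction in the community config (10.10.1.70/32) is what limits who can read the MIB once SNMP does answer.

```python
"""Minimal SNMPv2c GET client from raw BER: an added example, not the poster's code or a
Fortinet tool. 10.10.1.42 and "public" are from the post; the rest is this example's own."""
import socket

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30  # universal tags
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2                                      # SNMP PDU tags
SNMP_V2C, SYS_DESCR = 1, "1.3.6.1.2.1.1.1.0"  # v2c version value; sysDescr.0 (first object of a walk)

def ber_len(n):  # definite-form length: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):  # INTEGER, minimal two's-complement encoding
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(INTEGER, value.to_bytes(length, "big", signed=True))

def ber_oid(oid):  # OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def build_message(pdu_tag, community, varbinds, request_id, error_status=0, error_index=0):
    # SEQUENCE { version, community, PDU { request-id, error-status, error-index, varbinds } }
    vbl = b"".join(tlv(SEQUENCE, ber_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(error_status) + ber_int(error_index) + tlv(SEQUENCE, vbl))
    return tlv(SEQUENCE, ber_int(SNMP_V2C) + tlv(OCTET_STRING, community.encode()) + pdu)

def build_get_request(community, oid, request_id):
    return build_message(GET_REQUEST, community, [(oid, tlv(NULL, b""))], request_id)

def decode_oid(body):
    arcs, arc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        arc = (arc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(arc)
            arc = 0
    return ".".join(map(str, arcs))

def decode(data, pos=0):
    # One TLV at data[pos] -> (tag, value, end); constructed types decode to lists of (tag, value)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated BER")
    if tag & 0x20:                              # constructed: SEQUENCE or a PDU
        value = []
        while pos < end:
            t, v, pos = decode(data, pos)
            value.append((t, v))
    elif tag == INTEGER:
        value = int.from_bytes(data[pos:end], "big", signed=True)
    elif tag == OID:
        value = decode_oid(data[pos:end])
    else:                                       # OCTET STRING, NULL, Counter32, ... stay raw
        value = data[pos:end]
    return tag, value, end

def parse_response(data):
    # Fields of a GetResponse; varbinds come back as (oid, value_tag, raw_value).
    tag, msg, _ = decode(data)
    if tag != SEQUENCE or len(msg) != 3:
        raise ValueError("not an SNMP message")
    _, (_, community), (pdu_tag, pdu) = msg
    if pdu_tag != GET_RESPONSE:
        raise ValueError("unexpected PDU tag 0x%02x" % pdu_tag)
    varbinds = [(oid, vtag, val) for _, ((_, oid), (vtag, val)) in pdu[3][1]]
    return {"community": community.decode(), "request_id": pdu[0][1],
            "error_status": pdu[1][1], "error_index": pdu[2][1], "varbinds": varbinds}

def snmp_get(host, community, oid=SYS_DESCR, timeout=2.0, request_id=0x1234):
    # None on timeout (what snmpwalk prints as "Timeout: No Response"); an ICMP
    # port-unreachable instead surfaces as ConnectionRefusedError from recvfrom().
    request = build_get_request(community, oid, request_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 161))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    response = parse_response(data)
    if response["request_id"] != request_id:
        raise ValueError("request-id mismatch, stray datagram?")
    return response

if __name__ == "__main__":
    print(snmp_get("10.10.1.42", "public"))  # target and community from the post
```

Run it from the monitoring host (10.10.1.70, the only address the community's host list admits). A None result alongside a capture that shows the datagram arriving on port5 reproduces the thread's finding that the agent is receiving but not answering; a parsed dict means the agent works and the earlier failure was on the client side. The decoder deliberately leaves non-INTEGER values raw so that the same code can be pointed at any OID without needing the full SMI type set.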

Dave Hall (Expert Member, Canada)
Re: Cannot poll SNMP 2018/12/31 08:46:28
 
    Guessing you need to enable the SNMP agent:
     
config system snmp sysinfo
    set status enable
    set description "Host name"
    set contact-info "admin@host.com"
    set location "This location"
end


     

    NSE4/FMG-VM64/FortiAnalyzer-VM/5.2/5.4 (FWF40C/FW92D/FGT200B/FGT200D/FGT101E)/ FAP220B/221C
    #2
jonta
Re: Cannot poll SNMP 2019/01/01 03:13:12
Dave Hall wrote:
 
Guessing you need to enable the SNMP agent:
 
config system snmp sysinfo
    set status enable
    set description "Host name"
    set contact-info "admin@host.com"
    set location "This location"
end



Forgot to include this part in my first post, but this is already enabled:
 
vfirewall-fortinet-1 # config system snmp sysinfo
vfirewall-fortinet-1 (sysinfo) # show
config system snmp sysinfo
    set status enable
    set description "Fortigate"
    set contact-info "Fortigate"
    set location "Fortigate"
end
    #3