Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jonta
New Contributor

Cannot poll SNMP

I am running a FortiGate HA pair in ESX. Version 6.0.3 build 0200 (GA).

I have a few subnets, one of which I called management, with subnet range 10.10.1.0/24.

The FortiGates have two interfaces on this subnet. One is the floating IP that the active member will have, which is 10.10.1.1, and the other is a management interface reservation set up in the HA section so that I can reach both members:

fortigate1 - 10.10.1.42

fortigate2 - 10.10.1.43

I am connecting over HTTPS to these IPs (mainly to the primary, of course) and can reach them.

Now the next thing is to configure SNMP.

First I enable SNMP on port5, which is the port that has 10.10.1.42 on fortigate1.

Then I go to SNMP settings and enable a v2c community with community name 'public'.

On the monitoring server, which is on the same subnet as the firewall's self IP, I try this.

Here is the config:

    edit "port5"
        set ip 10.10.1.42 255.255.255.0
        set allowaccess ping https ssh snmp http
        set type physical
        set device-identification enable
        set role lan
        set snmp-index 5
    next
config system snmp community
    edit 1
        set name "public"
        config hosts
            edit 1
                set ip 10.10.1.70 255.255.255.255
            next
        end
    next
end

First some ping from the monitoring server to fortigate1:

user@vserver-mon:~$ ping 10.10.1.42
PING 10.10.1.42 (10.10.1.42) 56(84) bytes of data.
64 bytes from 10.10.1.42: icmp_seq=1 ttl=255 time=0.110 ms
64 bytes from 10.10.1.42: icmp_seq=2 ttl=255 time=0.275 ms

Then snmpwalk:

user@vserver-mon:~$ ifconfig
ens192    Link encap:Ethernet  HWaddr 00:0c:29:5a:ad:f0
          inet addr:10.10.1.70  Bcast:10.10.1.255  Mask:255.255.255.0

user@vserver-mon:~$ snmpwalk -v2c -c public 10.10.1.42
Timeout: No Response from 10.10.1.42

Okay, nothing. Let's see what debug gives:

login as: admin
admin@10.10.1.42's password:
vfirewall-fortinet-1 # diag debug application snmpd -1
Debug messages will be on for 30 minutes.
vfirewall-fortinet-1 # diag debug reset
vfirewall-fortinet-1 # diag debug flow filter addr 10.10.1.70
vfirewall-fortinet-1 # diag debug en
vfirewall-fortinet-1 # diag debug flow trace start 100
vfirewall-fortinet-1 # id=20085 trace_id=101 func=print_pkt_detail line=5384 msg="vd-vsys_hamgmt:0 received a packet(proto=17, 10.10.1.70:56777->10.10.1.42:161) from port5. "
id=20085 trace_id=101 func=init_ip_session_common line=5544 msg="allocate a new session-001773d3"
id=20085 trace_id=101 func=vf_ip_route_input_common line=2591 msg="find a route: flag=84000000 gw-10.10.1.42 via vsys_hamgmt"
id=20085 trace_id=102 func=print_pkt_detail line=5384 msg="vd-vsys_hamgmt:0 received a packet(proto=17, 10.10.1.70:56777->10.10.1.42:161) from port5. "
id=20085 trace_id=102 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-001773d3, original direction"
id=20085 trace_id=103 func=print_pkt_detail line=5384 msg="vd-vsys_hamgmt:0 received a packet(proto=17, 10.10.1.70:56777->10.10.1.42:161) from port5. "
id=20085 trace_id=103 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-001773d3, original direction"
id=20085 trace_id=104 func=print_pkt_detail line=5384 msg="vd-vsys_hamgmt:0 received a packet(proto=17, 10.10.1.70:56777->10.10.1.42:161) from port5. "
id=20085 trace_id=104 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-001773d3, original direction"
id=20085 trace_id=105 func=print_pkt_detail line=5384 msg="vd-vsys_hamgmt:0 received a packet(proto=17, 10.10.1.70:56777->10.10.1.42:161) from port5. "
id=20085 trace_id=105 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-001773d3, original direction"
id=20085 trace_id=106 func=print_pkt_detail line=5384 msg="vd-vsys_hamgmt:0 received a packet(proto=17, 10.10.1.70:56777->10.10.1.42:161) from port5. "
id=20085 trace_id=106 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-001773d3, original direction"

I wondered if there was an issue due to the FortiGate having two interfaces on the same subnet. But HTTPS works fine.

What else to do...

I did a packet capture on both the VLAN1 (10.10.1.1) interface and the port5 (10.10.1.42) interface at the same time while doing an snmpwalk.

The packet capture only saw packets on port5, and only incoming packets, no return packets.

To make sure I didn't make a mistake in my snmpwalk command I also tried to add the device in Observium with SNMP v2c and 'public' as community.

Am I missing something obvious here?
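To read a flow trace like the one above without squinting at one long line, here is an added Python example (not code from the thread or from Fortinet) that splits the trace into entries, groups them by trace_id, and reports which VDOM and ingress interface received the UDP/161 packets and which session they landed in. SAMPLE_TRACE is a constructed two-trace excerpt in the same format; the regexes assume the message wording shown above.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the thread's 'diag debug flow trace' output, abridged to two trace ids
SAMPLE_TRACE = (
    'id=20085 trace_id=101 func=print_pkt_detail line=5384 msg="vd-vsys_hamgmt:0 received a packet'
    '(proto=17, 10.10.1.70:56777->10.10.1.42:161) from port5. " '
    'id=20085 trace_id=101 func=init_ip_session_common line=5544 msg="allocate a new session-001773d3" '
    'id=20085 trace_id=101 func=vf_ip_route_input_common line=2591 '
    'msg="find a route: flag=84000000 gw-10.10.1.42 via vsys_hamgmt" '
    'id=20085 trace_id=102 func=print_pkt_detail line=5384 msg="vd-vsys_hamgmt:0 received a packet'
    '(proto=17, 10.10.1.70:56777->10.10.1.42:161) from port5. " '
    'id=20085 trace_id=102 func=resolve_ip_tuple_fast line=5459 '
    'msg="Find an existing session, id-001773d3, original direction"'
)

ENTRY = re.compile(r'id=(\d+) trace_id=(\d+) func=(\S+) line=(\d+) msg="([^"]*)"')
PKT = re.compile(r'vd-(\S+?):\d+ received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
SESSION = re.compile(r'session-([0-9a-f]+)|session, id-([0-9a-f]+)')
ROUTE = re.compile(r'find a route: .*via (\S+)')

def parse_flow_trace(text):
    """One dict per trace entry, even when extraction has run the whole trace onto a single line."""
    return [dict(zip(("id", "trace_id", "func", "line", "msg"), m)) for m in ENTRY.findall(text)]

def packets_by_trace(entries):
    """Group entries by trace_id, pulling out the packet tuple, session id and routing VDOM of each."""
    traces = defaultdict(dict)
    for e in entries:
        t = traces[e["trace_id"]]
        m = PKT.search(e["msg"])
        if m:
            vdom, proto, src, sport, dst, dport, intf = m.groups()
            t.update(vdom=vdom, proto=int(proto), src=f"{src}:{sport}", dst=f"{dst}:{dport}", ingress=intf)
        m = SESSION.search(e["msg"])
        if m:
            t["session"] = m.group(1) or m.group(2)
        m = ROUTE.search(e["msg"])
        if m:
            t["route_vdom"] = m.group(1)
    return dict(traces)

def where_did_it_land(traces, dst_port):
    """Which (VDOM, ingress interface) pairs received packets to dst_port, and the sessions they hit."""
    hits = [t for t in traces.values() if t.get("dst", "").endswith(f":{dst_port}")]
    return {
        "packets": len(hits),
        "vdoms": sorted({(t["vdom"], t["ingress"]) for t in hits}),
        "sessions": sorted({t["session"] for t in hits if "session" in t}),
    }
```

Run over the full trace posted above it reports every request arriving in VDOM vsys_hamgmt via port5 and a single session, 001773d3, with no entry for a packet leaving the box, which matches what the packet capture showed.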

2 REPLIES
Dave_Hall
Honored Contributor

Guessing you need to enable the SNMP agent:

config system snmp sysinfo
    set status enable
    set description "Host name"
    set contact-info "admin@host.com"
    set location "This location"
end

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

jonta

Dave Hall wrote:

Guessing you need to enable the SNMP agent:

config system snmp sysinfo
    set status enable
    set description "Host name"
    set contact-info "admin@host.com"
    set location "This location"
end

Forgot to include this part in my first post, but this is already enabled:

vfirewall-fortinet-1 # config system snmp sysinfo

vfirewall-fortinet-1 (sysinfo) # show
config system snmp sysinfo
    set status enable
    set description "Fortigate"
    set contact-info "Fortigate"
    set location "Fortigate"
end
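The thread checks three settings by hand: snmp in the interface's allowaccess list, the agent enabled under system snmp sysinfo, and the poller's address in the community's hosts table. As an added example, not code from the thread or from Fortinet, here is a Python checker that parses a FortiOS CLI excerpt into nested dicts and reports which of those three would block a poll; SAMPLE_CONFIG is a constructed excerpt modelled on the one posted, and the rule that an empty hosts table means any source is accepted is an assumption.

```python
import ipaddress
SAMPLE_CONFIG = """\
config system interface
    edit "port5"
        set allowaccess ping https ssh snmp http
    next
end
config system snmp sysinfo
    set status enable
end
config system snmp community
    edit 1
        set name "public"
        config hosts
            edit 1
                set ip 10.10.1.70 255.255.255.255
            next
        end
    next
end
"""  # constructed excerpt modelled on the thread's config, not the poster's exact output
def parse_fortios(text):
    # 'config'/'edit' open a nested dict, 'set' stores its values, 'next'/'end' close it
    stack = [{}]
    for line in text.splitlines():
        tok = [t.strip('"') for t in line.split()]
        if tok and tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok and tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok and tok[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def snmp_poll_issues(cfg, iface, poller_ip, community):
    # the three settings the thread checks by hand: interface allowaccess, agent status, community hosts
    issues = []
    if "snmp" not in cfg.get("system interface", {}).get(iface, {}).get("allowaccess", []):
        issues.append(f"{iface}: allowaccess does not include snmp")
    if cfg.get("system snmp sysinfo", {}).get("status") != ["enable"]:
        issues.append("SNMP agent disabled: 'config system snmp sysinfo' status is not enable")
    comm = [c for c in cfg.get("system snmp community", {}).values() if c.get("name") == [community]]
    if not comm:
        issues.append(f"no community named {community!r}")
    # assumption: a community whose hosts table is empty accepts queries from any source address
    hosts = [ipaddress.ip_network("/".join(h["ip"]), strict=False)
             for c in comm for h in c.get("hosts", {}).values() if "ip" in h]
    if hosts and not any(ipaddress.ip_address(poller_ip) in n for n in hosts):
        issues.append(f"{poller_ip} is not in the hosts list of community {community!r}")
    return issues
```

Passing all three checks, as the poster's config does, rules out the common misconfigurations and leaves the flow trace as the next place to look.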
