6500 SNMP access via GRE/IPSEC tunnel

Unanswered Question
Apr 22nd, 2008

Hi,

Not sure if anyone else has experienced this but we are running 6500s with IPsec hardware cards ( WS-SVC-IPSEC-1 ) using VRF crypto mode. A few of these devices sit at remote sites connected via GRE/IPsec tunnels.

( IOS 122-18.SXE6b )

We are not able to access SNMP information, the packets seem to blackhole.

6500s on the LAN local to the SNMP station are able to get SNMP fine.

No firewalls are blocking access and all the basics are configured correctly.

Is there a way to specify a source interface for SNMP reads?

Traps, logging and TACACS all work fine.

Yudong Wu Tue, 04/22/2008 - 10:22

If SNMP station can get SNMP from local devices but not remote one, it probably has wrong default gw or routing configured.

In general, traps and logging are both UDP traffic from remote devices to your management station. If they are working fine, it just means the direction from remote to SNMP station is good.

So, I think the issue is in the direction from SNMP station to remote devices. Check the routing setting on the path first.

achrich Tue, 04/22/2008 - 10:34

The SNMP traps go back to the same server, this error is specific to SNMP reads, not a routing issue. More than likely a bug in VRF / GRE.

Yudong Wu Tue, 04/22/2008 - 10:47

Yes, SNMP trap is sent by the remote device to SNMP server. It's just one-direction traffic. But for SNMP read, the server will need to send the request to the remote device first. Then the remote device sends the response back to the server. So my point is that you cannot say for sure routing is good just because SNMP trap works fine to the same server.

Can you enable debug snmp on the remote device to see if it receives the SNMP request?
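
The round trip described in this reply, as an added example that is not part of the thread: a hand-built SNMPv2c GET request (manager to device) and the manager-side acceptance check on the reply (device back to manager), which is the half that a working trap path says nothing about. The community string, the sysUpTime OID and the addresses 10.0.0.1 / 192.0.2.9 are constructed sample values, and the source-address comparison models the check that stricter managers apply when a device answers from an interface other than the one queried.

```python
# Added example: minimal SNMPv2c GET encoder plus reply check (not Cisco code).
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2

def _ber(tag, payload):
    """BER TLV; short-form length only (the messages built here are < 128 bytes)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def _ber_int(v):
    return _ber(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def _ber_oid(oid):
    parts = [int(p) for p in oid.strip(".").split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:                       # base-128 arcs, high bit = "more"
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return _ber(0x06, bytes(out))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos (short-form length)."""
    tag, ln = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + ln], pos + 2 + ln

def build_message(community, pdu_tag, request_id, oid, value=b"\x05\x00"):
    """SNMPv2c message with one varbind (value defaults to NULL, as in a GET)."""
    varbind = _ber(0x30, _ber_oid(oid) + value)
    pdu = _ber(pdu_tag, _ber_int(request_id) + _ber_int(0) + _ber_int(0)
               + _ber(0x30, varbind))
    return _ber(0x30, _ber_int(1) + _ber(0x04, community.encode()) + pdu)

def reply_is_valid(reply, request_id, queried_ip, reply_src_ip):
    """Accept only a GetResponse that echoes our request-id AND was sourced
    from the address we queried; a reply leaving the device via another
    interface (e.g. a physical one instead of the loopback) fails this."""
    if reply_src_ip != queried_ip:
        return False
    _, msg, _ = _read_tlv(reply, 0)
    _, _, p = _read_tlv(msg, 0)               # version
    _, _, p = _read_tlv(msg, p)               # community
    ptag, pdu, _ = _read_tlv(msg, p)
    if ptag != GET_RESPONSE:
        return False
    _, rid, _ = _read_tlv(pdu, 0)
    return int.from_bytes(rid, "big", signed=True) == request_id
```

Enabling `debug snmp` on the remote device, as suggested above, tells you whether the first leg (the request) arrives; this check covers the second leg, the reply the manager is willing to accept.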

achrich Tue, 04/22/2008 - 11:26

Hi,

When I try to get SNMP back over the GRE tunnel ( using VRF ) it does not get back. I've triple-checked the relevant VRF routing table for the correct routes, and the loopback we're using for management is in the correct VRF from where traffic is being sourced.

It will get back fine using a physical interface, but that is then not encrypted. I was just wondering if this was a known issue with this code and VRFs. We have lots of other devices using GRE/IPsec but not VRFs and they work fine.

Regards

Yudong Wu Tue, 04/22/2008 - 12:11

Please let me know the IOS version, I can look up for you to see if there is a related bug.

Since an SNMP query packet is just a regular UDP packet, if this is the issue here, it should impact most UDP traffic.

Could you please also do the following test if possible?

traceroute from SNMP station to remote devices (make sure the traffic will go through the GRE tunnel).
