FWSM and SNMP v2

Unanswered Question
Jan 29th, 2009
User Badges:


you out there...got another question for you.

Configured SNMP community string on at 6509 FWSM. appears I can only set a RO (which is not a problem). I'm able to SSH to the FWSM IP, but when i config CiscoWorks Common Services to add the device, using standard credentials and the SNMP v2 community string, it bombs with the following error:

"session to device failed. Cause: Authentication failed on device."

It appears to be auth, but I'm certain, both the standard credentials and the SNMP community string are correct.

I ran an SNMP walk with OID . and it also fails with:

Failed to snmpwalk the device. Please check your community string and starting OID, and try again.

I thought possibly the SNMP timeout was catching me again, but after setting to 10secs, continues to fail.

Checked the ICServer.log, and nothing that would indicate the problem.

Any help would be appreciated.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Bruce Summers Thu, 01/29/2009 - 11:00
User Badges:

some additional info from the IC_Server.log:

ERROR,[Thread-15],com.cisco.nm.rmeng.inventory.ics.core.CollectionController,547, Unreachable device com.cisco.nm.xms.xdi.DeviceAccessException: SnmpRequestTimeout on while performing SnmpGet at index = -1

Joe Clarke Thu, 01/29/2009 - 11:06
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

Please post your SNMP config from your FWSM.

Bruce Summers Thu, 01/29/2009 - 11:09
User Badges:

no snmp-server location

no snmp-server contact

snmp-server community

and i ran the snmp-server enable command

Joe Clarke Thu, 01/29/2009 - 11:10
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

You need to add a line like:

snmp-server host inside HOST poll community STRING

Where HOST is the IP address of the LMS server.

This is what you would do for the PIX/ASA. I assume there is a similar (if not the same) command for the FWSM.

Bruce Summers Thu, 01/29/2009 - 11:22
User Badges:

giving it a try right now...

i didnt think i needed that "host" statement...but, i was refering back to the V2 config on a 6513 switch.

Bruce Summers Thu, 01/29/2009 - 11:38
User Badges:


Well, that doesnt appear to be the issue either.

when i run the command for snmp-server host, it prompts that there is only a VLAN available (which is a vlan that we use for access)...when i use the vlan, and then the IP of LMS, results are the same...authentication failure.


FWNAME/context(config)# snmp-server host ?

configure mode commands/options:

Current available interface(s):

Joe Clarke Thu, 01/29/2009 - 11:39
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

Then there may be other rules preventing udp/161 traffic from making it to this module. Check to make sure this traffic is allowed.

Joe Clarke Thu, 01/29/2009 - 11:48
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

The symptoms point to you either using the wrong community string, or SNMP traffic is being denied. You might want to enable some logging on the FWSM to see if the SNMP packets are arriving on the module.

Bruce Summers Thu, 01/29/2009 - 11:58
User Badges:

roger..i've pounded that community string in there multiple times, so i'm confident, it isnt that...access through the FW allows IP any...so, i'm scratchin the ole head right now...i'll turn on some logging and gather some anay on it...thanks for the thoughts...


This Discussion