
FWSM and SNMP v2

Bruce Summers

J,

you out there...got another question for you.

Configured SNMP community string on a 6509 FWSM. Appears I can only set an RO (which is not a problem). I'm able to SSH to the FWSM IP, but when I config CiscoWorks Common Services to add the device, using standard credentials and the SNMP v2 community string, it bombs with the following error:

"session to device failed. Cause: Authentication failed on device."

It appears to be auth, but I'm certain, both the standard credentials and the SNMP community string are correct.

I ran an SNMP walk with OID .1.3.6.1.2.1.1.2 and it also fails with:

Failed to snmpwalk the device. Please check your community string and starting OID, and try again.

I thought possibly the SNMP timeout was catching me again, but after setting to 10 secs, continues to fail.

Checked the ICServer.log, and nothing that would indicate the problem.

Any help would be appreciated.

Bruce


Bruce Summers

some additional info from the IC_Server.log:

ERROR,[Thread-15],com.cisco.nm.rmeng.inventory.ics.core.CollectionController,547, Unreachable device com.cisco.nm.xms.xdi.DeviceAccessException: SnmpRequestTimeout on while performing SnmpGet at index = -1

Please post your SNMP config from your FWSM.

no snmp-server location

no snmp-server contact

snmp-server community

and I ran the snmp-server enable command

You need to add a line like:

snmp-server host inside HOST poll community STRING

Where HOST is the IP address of the LMS server.

This is what you would do for the PIX/ASA. I assume there is a similar (if not the same) command for the FWSM.

giving it a try right now...

I didn't think I needed that "host" statement...but, I was referring back to the V2 config on a 6513 switch.

Hmmm..

Well, that doesn't appear to be the issue either.

When I run the command for snmp-server host, it prompts that there is only a VLAN available (which is a vlan that we use for access)...when I use the vlan, and then the IP of LMS, results are the same...authentication failure.

example:

FWNAME/context(config)# snmp-server host ?

configure mode commands/options:

Current available interface(s):

Then there may be other rules preventing udp/161 traffic from making it to this module. Check to make sure this traffic is allowed.

hmmm...it's a test FW, so I have IP any any setup...

The symptoms point to you either using the wrong community string, or SNMP traffic is being denied. You might want to enable some logging on the FWSM to see if the SNMP packets are arriving on the module.

roger..I've pounded that community string in there multiple times, so I'm confident, it isn't that...access through the FW allows IP any...so, I'm scratchin the ole head right now...I'll turn on some logging and gather some anay on it...thanks for the thoughts...

forgot to give ya some points for this one...here ya go
