SNMP V2 FWSM

Bruce Summers
Level 1

J,

You monitoring today? Have another question for you...running SNMP v2 on a Cisco FWSM...I'm running into an issue when attempting to perform inventory, I'm getting credentials invalid error. Have adjusted the SNMP timeout to 30 secs (incrementally), I've reviewed the firewall to ensure SNMP is being allowed (acl - ip any any). Have verified the credential setup in works and on the FW (very simple community string). I've reviewed the IC_Server.log, with the following output provided (in part)...

[ Mon Feb 09 14:22:06 CST 2009 ],ERROR,[Thread-18],com.cisco.nm.rmeng.inventory.ics.core.CollectionController,547, Unreachable device <MY IP ADDRESS OF FWSM> com.cisco.nm.xms.xdi.DeviceAccessException: SnmpRequestTimeout on <MY IP ADDRESS OF FWSM> while performing SnmpGet at index = -1

com.cisco.nm.xms.xdi.DeviceAccessException: SnmpRequestTimeout on <MY IP ADDRESS OF FWSM> while performing SnmpGet at index = -1

It appears to be an SNMP timeout issue, but???

1 Accepted Solution


Joe Clarke
Cisco Employee

This error indicates that either SNMP is not making it to the FWSM, the FWSM is denying it, or the community string is wrong.

For SNMP, you also need to allow polling. For the PIX/ASA, the command is:

snmp-server host INTERFACE HOST poll community COMMUNITY

Where INTERFACE is the interface name on which SNMP traffic will be arriving, HOST is the IP address of the polling host, and COMMUNITY is the community string to be used.

You can verify that SNMP is working by using the SNMP Walk tool from CiscoWorks' Device Center. Use sysObjectID as a starting OID.
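A way to test a saved firewall configuration against two of the causes listed above (the firewall refusing the poller, or a wrong community string), as an added example that is not part of the original thread or of any Cisco tool: it parses `snmp-server host` lines in the form quoted in the answer and reports why a given poller would be refused. The function name, sample configuration, addresses and community strings are constructed; the handling of an entry with no `poll`/`trap` keyword and the fallback to a global `snmp-server community` line are assumptions.

```python
import re

# Command form quoted in the answer above:
#   snmp-server host INTERFACE HOST poll community COMMUNITY
HOST_RE = re.compile(
    r"^snmp-server host (?P<ifc>\S+) (?P<host>\S+)"
    r"(?: (?P<mode>poll|trap))?(?: community (?P<comm>\S+))?",
    re.M,
)
# Assumption: a global "snmp-server community" line supplies the string
# when a host entry carries none.
GLOBAL_RE = re.compile(r"^snmp-server community (\S+)", re.M)

# Constructed sample configuration (documentation addresses, made-up strings).
SAMPLE_CONFIG = """\
snmp-server host inside 192.0.2.10 trap community examplestring
snmp-server host inside 192.0.2.20 poll community examplestring
snmp-server host dmz 192.0.2.30 poll community otherstring
"""

def check_polling(config_text, poller_ip, interface, community):
    """Return reasons the poller would be refused; an empty list means allowed."""
    g = GLOBAL_RE.search(config_text)
    global_comm = g.group(1) if g else None
    entries = [m for m in HOST_RE.finditer(config_text) if m["host"] == poller_ip]
    if not entries:
        return ["no snmp-server host entry for " + poller_ip]
    findings = []
    for m in entries:
        problems = []
        if m["ifc"] != interface:
            problems.append("entry is on interface " + m["ifc"] + ", not " + interface)
        # Assumption: an entry with no poll/trap keyword permits polling.
        if m["mode"] == "trap":
            problems.append("entry is trap-only, polling not permitted")
        if (m["comm"] or global_comm) != community:
            problems.append("community string mismatch")  # never echo the string
        if not problems:
            return []  # one fully matching entry is enough
        findings.extend(problems)
    return findings

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.99"):
        print(ip, check_polling(SAMPLE_CONFIG, ip, "inside", "examplestring") or "OK")
```

An empty result only rules out the configuration; a timeout can still mean the SNMP traffic never reaches the firewall, which the SNMP Walk check above covers.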


Thanks J...I believe my co-worker discovered the snmp-server host information last night...thanks for your quick response as always.

Hey J,

Another situation, same systems...got the SNMP working (with your advice above), the device credential verification succeeds on telnet, SNMP v2c and SSH (turned on telnet temporarily only). However, when I run the config archive, it fails with a credentials or SNMP timeout error...I increased the SNMP timeout to 10 secs, and same error...I checked the IC_server.log and see no errors during the timeframe I ran the config archive...I'm using SSH as the primary config archive protocol and telnet as a second...am I missing something here?

IC_Server.log has nothing to do with configuration archive. The log is dcmaservice.log. What is the exact error you get when performing a Sync Archive?

My bad...thanks for setting me straight on the logs...

Here's the exact error:

CM00139 Could not archive config Cause: Action: Verify that device is managed and credentials are correct. Increase timeout value, if required.

Thanks

Bruce

Another development...I ran the credential verification again using both the SSH protocol and the "SSH Enable Mode User Name and Password" check. It passes the protocol check, but fails with "Enable username credential missing." However, I do have the enable password set in device management/edit device credentials.

Go ahead and start a new thread for the configuration management issue. It does not appear to have anything to do with SNMP.
