Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

6500 SNMP access via GRE/IPSEC tunnel

Hi,

Not sure if anyone else has experienced this but we are running 6500`s with IPsec hardware cards ( WS-SVC-IPSEC-1 ) using VRF cryto mode. A few of these devices sit at remote sites connected via GRE/IPsec tunnels.

( IOS 122-18.SXE6b )

We are not able to access SNMP infomation, the packets seem to blackhole.

6500`s on the LAN local to the SNMP station are able to get SNMP fine.

No firewalls are blocking access and all the basics are configured correctly.

Is there a way to specifiy source interface for SNMP reads ?

Traps, logging and TACACS all work fine.

5 REPLIES

Re: 6500 SNMP access via GRE/IPSEC tunnel

If SNMP station can get SNMP from local devices but not remote one, it probably has wrong default gw or routing configured.

In general, traps and logging are both UDP traffic from remote devices to your management station. If they are working fine, it just means the direction from remote to SNMP station is good.

So, I think the issue is in the direction from SNMP station to remote devices. Checked the routing setting on the path first.

New Member

Re: 6500 SNMP access via GRE/IPSEC tunnel

The SNMP traps go back to the same server, this error is specfic to SNMP-reads not a routing issue. More then likely a bug a in VRF / GRE.

Re: 6500 SNMP access via GRE/IPSEC tunnel

Yes, SNMP trap is sent by the remote device to SNMP server. It's just one direction traffic. But for SNMP-read, server will need to send the request to the remote device first. Then the remote device sent the response back to server. So my point is that you can not say for sure routing is good just becasue SNMP trap works fine to the same server.

Can you enable debug snmp on the remote device to see if it recieves SNMP request?

New Member

Re: 6500 SNMP access via GRE/IPSEC tunnel

Hi,

When I try to get SNMP back the GRE tunnel ( using VRF ) it does not get back, i`ve tripled checked the relevant VRF routing table for the correct routes and the loopback we`re using for management is in the correct VRF from where traffic is being sourced.

It will get back fine using a physical interface but that is then not encrypted - i was just wondering if this was a known issue with this code and VRFS. We have lots of other devices using GRE/IPsec but not VRFS and they work fine.

Regards

Re: 6500 SNMP access via GRE/IPSEC tunnel

Please let me know the IOS version, I can look up for you to see if there is a related bug.

Since SNMP query packet is just a regular UDP packet, if this is issue here, it should impact most UDP traffic.

Could you please also do the following test if possible?

tracerout from SNMP station to remote devices.(make sure the traffic will go throught GRE tunnel)

267
Views
0
Helpful
5
Replies