Cisco Support Community

New Member

SNMP traps over VPN (easy) - not getting through

I have an issue where I am trying to have branch sites send SNMP traps over the tunnel through the Head-end to a monitoring tool. What I have noticed is that it tries to source the trap from the outside interface, but I want it to be able to send from the Vlan (inside) interface. The branch site ISP solutions are all ADSL (dynamic). I had the same issue with trying to get traps from the Head-end and ended up setting up the ACL on my side and the Head-end side for the Outside interface. I have also tried to use the SNMP-Server source-interface "inside interface" but the command does not work. I know it isn't working because when I do a telnet from a remote branch to port 162 sourcing the inside interface it will OPEN ("telnet x.x.x.x 162 /source-interface vlan1"), but the command is not working.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: SNMP traps over VPN (easy) - not getting through

poll with outside interface and make that as interesting traffic

the asa will look at the routing table and decide from which interface to send traffic to the snmp server, which would be the outside (default route)

this link will help you

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094469.shtml

please mark this post answered if it answers your query

4 REPLIES

Re: SNMP traps over VPN (easy) - not getting through

Hi,

I think that's exactly the problem as you mentioned (the SNMP traps are being sent using the IP of the outside interface as the source).

Two ways to fix it:

1. As you mentioned use the internal IP as the SNMP source for the traps (since the internal IP is included in the interesting traffic).

2. Include the outside IP in the interesting traffic so even though the traps are sourced from the outside, they'll still go through the tunnel.

Federico.
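The two fixes above, as an added example that is not part of the thread or anyone's posted configuration: a small Python model of the interesting-traffic match that decides whether a trap enters the tunnel, including what happens to option 2 when the ADSL address changes. All addresses are constructed from documentation ranges and the function names are hypothetical.

```python
import ipaddress as ip

# Constructed sample addressing (documentation ranges), not taken from the thread.
MGMT_NET = ip.ip_network("192.0.2.0/24")         # management/monitoring network
BRANCH_LAN = ip.ip_network("10.10.1.0/24")       # branch inside (Vlan1) subnet
INSIDE_IP = ip.ip_address("10.10.1.1")           # branch Vlan1 address
OUTSIDE_IP = ip.ip_address("203.0.113.57")       # current ADSL-assigned address
NEW_OUTSIDE_IP = ip.ip_address("203.0.113.140")  # address after an ADSL re-lease
TRAP_RECEIVER = ip.ip_address("192.0.2.10")      # SNMP trap receiver

def matches(acl, src, dst):
    """True if (src, dst) is permitted by any (source net, destination net) entry."""
    return any(src in s and dst in d for s, d in acl)

def trap_path(acl, src, dst=TRAP_RECEIVER):
    """Where a trap with this source address goes: into the tunnel or around it."""
    return "tunnel" if matches(acl, src, dst) else "outside-tunnel"

def stale_entries(acl, current_outside):
    """Host (/32) source entries that no longer equal the current outside address."""
    return [s for s, _ in acl if s.prefixlen == 32 and current_outside not in s]

# Interesting traffic that covers only the branch LAN (the starting point in the thread).
ACL_LAN_ONLY = [(BRANCH_LAN, MGMT_NET)]
# Option 2: the outside address is added to the interesting traffic as a host entry.
ACL_WITH_OUTSIDE = ACL_LAN_ONLY + [(ip.ip_network("203.0.113.57/32"), MGMT_NET)]

def scenarios():
    """Evaluate each case discussed in the thread and return the resulting path."""
    return {
        "lan-only ACL, trap sourced from outside": trap_path(ACL_LAN_ONLY, OUTSIDE_IP),
        "option 1: trap sourced from inside": trap_path(ACL_LAN_ONLY, INSIDE_IP),
        "option 2: outside IP in ACL": trap_path(ACL_WITH_OUTSIDE, OUTSIDE_IP),
        "option 2 after ADSL address change": trap_path(ACL_WITH_OUTSIDE, NEW_OUTSIDE_IP),
    }

if __name__ == "__main__":
    for case, path in scenarios().items():
        print(f"{case}: {path}")
    print("stale host entries:", stale_entries(ACL_WITH_OUTSIDE, NEW_OUTSIDE_IP))
```

A trap reported as `outside-tunnel` is not protected by the VPN, so it either fails to reach the private management address or travels unencrypted.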

New Member

Re: SNMP traps over VPN (easy) - not getting through

Hey guys, thanks for the replies. My problem is that the branch sites have dynamic IP assignment via ADSL from the ISP. IPs are constantly changing. Here is the setup. We have about 130 branch sites using Cisco 881 VPN routers; they're connecting to a 3845 Head-end router via EasyVPN. My management network is connected to the Head-end via a VPN LAN-to-LAN tunnel. So I am not connecting directly to the branches, I am communicating with the branches through the Head-end. I was previously having the same issues with SNMP traps getting to my management network from the Head-end, but then updated my ACL to include the outside IP and now it is fine. There is a command to source another interface for SNMP traffic, "snmp-server trap source (inside)", but this command does not work. I realize that if I go with DMVPN this issue would probably be resolved, but I am not in a position to do this just yet. Do you have another option? I thought this would be OK. Another thing: I do have a syslog server set up and logging reaches me with no problems, but then again I am using "logging source-interface Vlan1" (I have configured "snmp-server trap source Vlan 1" but it doesn't work). Your help is very much appreciated.
