
Adding ASA5506 firewall to NPM for SNMP v3 is failing. Any help?

I'm trying to add an ASA5506 firewall to NPM and it keeps failing. The SNMP configuration looks good on the firewall because the same config is working great for a different firewall, which is a different model from the one failing the SNMP test. Has anyone had this issue before and can assist?

0 Kudos
5 Replies

I got this resolved. The issue was related to RPF (reverse path forwarding): the return traffic was going a different way, so it was getting dropped. Once this was fixed, I was able to join the firewall to the SolarWinds server.

Thanks to Craig for his assistance. It is much appreciated.

0 Kudos

Have you checked the firewall logs to see if the traffic is blocked? Have you checked connectivity to the ASA from the SW server via ping or SNMP? Sometimes you can get it working more easily in a tool like "SNMPWalk.exe" (which can be found in the SW directory) first, and then once it's working there, configure it in Orion directly after.

When you configured the firewall, did you put the passwords in plaintext or encrypted? If encrypted, try putting them back in via plaintext...

0 Kudos

I checked the firewall and there is nothing about SNMP denial. I can ping the firewall from the SW server but the firewall cannot ping the server. Although the communication between the ASA5506 and the SW server is going through a tunnel. I ran snmpwalk.exe from the SW server and no OIDs can be found to be scanned, then the process stops. Yes indeed, I configured the SNMP passwords in plaintext, not encrypted. Thanks for your help.

0 Kudos

So, I did a little testing and figured out a bit more about snmpwalk. If you have an incorrect SNMP v3 username, it complains. But if you have the encryption type wrong or something, it will say "Found 0 OIDs (timed out)". Is this what you're getting? Or is it not timing out and just returning 0 OIDs?

I don't have any more ASAs, but on IOS you can do a "show snmp user <SNMP Username>" or just "show snmp user", and it will give you some details about the user. Wanting to make sure the "Auth" and "Priv" you have set on the device agrees with the "auth" and "priv" in SNMPWalk or Solarwinds itself?

You might see something like this

sh snmp user
______________________________________________________________
                  SNMP USERS
______________________________________________________________
User                Auth  Priv(enforce) Groups              acl_filter
____                ____  _____________ ______              __________
user1               md5   des(no)       network-admin
user2               md5   des(no)       network-admin

In this example the "md5" and the "des" would be what we're looking for. And then check to make sure it agrees with the "Authentication Algorithm" and "Privacy Algorithm" in SNMPWalk...

0 Kudos
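
One way to script the comparison described in the reply above, as an added example that is not part of the original thread: it parses a "show snmp user" table in the layout shown in that post and lists where the device's Auth/Priv differ from what the poller (SNMPWalk or Orion) is set to. The sample text is constructed, and the function names and the alias table are assumptions.

```python
import re

# Constructed sample, same column layout as the table quoted in the post.
SAMPLE = """\
______________________________________________________________
                  SNMP USERS
______________________________________________________________
User                Auth  Priv(enforce) Groups              acl_filter
____                ____  _____________ ______              __________
user1               md5   des(no)       network-admin
user2               md5   des(no)       network-admin
"""

# Assumption: spellings treated as the same algorithm when comparing.
ALIASES = {"sha1": "sha", "aes": "aes128"}

def normalize(name):
    """Fold 'AES 128', 'aes-128', 'AES128' to one comparable key."""
    key = re.sub(r"[\s_-]", "", name.lower())
    return ALIASES.get(key, key)

def parse_snmp_users(text):
    """Return {username: {'auth': ..., 'priv': ...}} from the table."""
    users = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the banner, underscore rulers and the column header row.
        if len(parts) < 3 or set(line) <= set("_ ") or parts[1] == "Auth":
            continue
        priv = parts[2].split("(")[0]  # drop the "(no)"/"(yes)" enforce suffix
        users[parts[0]] = {"auth": normalize(parts[1]), "priv": normalize(priv)}
    return users

def check_user(users, name, auth, priv):
    """List mismatches between device and poller; empty list means they agree."""
    if name not in users:
        return [f"user {name!r} not defined on device"]
    problems = []
    for field, want in (("auth", auth), ("priv", priv)):
        have = users[name][field]
        if have != normalize(want):
            problems.append(f"{field}: device={have} poller={normalize(want)}")
    return problems

if __name__ == "__main__":
    table = parse_snmp_users(SAMPLE)
    for issue in check_user(table, "user1", "SHA", "AES 128"):
        print(issue)
```

An empty result only rules out an algorithm mismatch; a timeout can still come from wrong passwords or from the network path.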

Hi Craig -

Yes, it is timing out returning 0 OIDs. My SNMP username is correct and the output of "show snmp users" confirmed it. I am using SHA for auth and AES 128 for encryption. The password is correct for both auth and encryption. I do have both algorithms, auth and priv, in SNMPWalk. I'm just wondering if this could be the version of the ASA. It is an ASA5506 with Firepower services. Or could this be the SW application itself? I will keep checking - thanks for assisting me.

Best regards,

0 Kudos