I'm trying to add an ASA5506 firewall to NPM and it keeps failing. The SNMP configuration looks good on the firewall because the same config is working great for a different firewall, which is a different model from the one failing the SNMP test. Has anyone had this issue before and can assist?
I got this resolved. The issue was related to RPF (reverse path forwarding) - the return traffic was going a different way, so it was getting dropped. Once this was fixed, I was able to join the firewall to the SolarWinds server.
Thanks to Craig for his assistance. It is much appreciated.
Have you checked the firewall logs to see if the traffic is blocked? Have you checked connectivity to the ASA from the SW server via ping or SNMP? Sometimes you can get it working easier in a tool like "SNMPWalk.exe" (which can be found in the SW directory) first, and then once it's working there, configure it in Orion directly after.
When you configured the firewall, did you put the passwords in plaintext, or encrypted? If encrypted, try putting them back in via plaintext...
I checked the firewall and there is nothing about SNMP denial. I can ping the firewall from the SW server but the firewall cannot ping the server. Although the communication between the ASA5506 and the SW server is going through a tunnel. I ran snmpwalk.exe from the SW server and no OIDs can be found to be scanned, then the process stops. Yes, indeed, I configured the SNMP passwords in plaintext, not encrypted. Thanks for your help.
So, I did a little testing and figured out a bit more about snmpwalk. If you have an incorrect SNMP v3 username, it complains. But, if you have the encryption type wrong or something, it will say "Found 0 OIDs (timed out)". Is this what you're getting? Or is it not timing out and just returning 0 OIDs?
I don't have any more ASAs, but on IOS you can do a "show snmp user <SNMP Username>" or just "show snmp user", and it will give you some details about the user. Wanting to make sure the "Auth" and "Priv" you have set on the device agrees with the "auth" and "priv" in SNMPWalk or SolarWinds itself.
You might see something like this:
sh snmp user
User   Auth  Priv(enforce)  Groups         acl_filter
____   ____  _____________  ______         __________
user1  md5   des(no)        network-admin
user2  md5   des(no)        network-admin
In this example the "md5" and the "des" would be what we're looking for. And then check to make sure it agrees with the "Authentication Algorithm" and "Privacy Algorithm" in SNMPWalk...
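The comparison described above can be scripted. This is an added example, not code from anyone in the thread: it parses the table format shown in the post and reports where the device's Auth/Priv differ from what the poller is set to use. The function names and the poller settings dictionary are hypothetical, the sample data is constructed, and it assumes every user row carries a `priv(enforce)` column as in the sample.

```python
import re

# Constructed sample: the "show snmp user" table as shown in the post above.
SHOW_SNMP_USER = """\
sh snmp user
User Auth Priv(enforce) Groups acl_filter
____ ____ _____________ ______ __________
user1 md5 des(no) network-admin
user2 md5 des(no) network-admin
"""

# A user row is: name, auth algorithm, priv(enforce), optional group.
ROW = re.compile(r"^(?P<user>\S+)\s+(?P<auth>\S+)\s+"
                 r"(?P<priv>[^\s(]+)\((?P<enforce>\w+)\)")

def norm(name):
    """Lower-case and drop spaces/punctuation so 'AES 128' equals 'aes-128'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def parse_snmp_users(text):
    """Return {user: {'auth', 'priv', 'enforce'}}; non-row lines are ignored."""
    users = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and m["user"].lower() != "user":  # skip the column header row
            users[m["user"]] = {"auth": norm(m["auth"]),
                                "priv": norm(m["priv"]),
                                "enforce": m["enforce"]}
    return users

def find_mismatches(device_users, poller):
    """Return (user, field, on_device, on_poller) for every disagreement."""
    problems = []
    for user, want in poller.items():
        have = device_users.get(user)
        if have is None:
            problems.append((user, "user", "missing", user))
            continue
        for field in ("auth", "priv"):
            if norm(want[field]) != have[field]:
                problems.append((user, field, have[field], norm(want[field])))
    return problems

# Constructed poller settings (what would be entered in SNMPWalk or the NMS).
POLLER = {"user1": {"auth": "MD5", "priv": "DES"},
          "user2": {"auth": "SHA", "priv": "AES 128"}}

if __name__ == "__main__":
    for row in find_mismatches(parse_snmp_users(SHOW_SNMP_USER), POLLER):
        print("%s: %s is %s on device, %s on poller" % row)
```

An empty result only means the algorithms agree; as the resolution in this thread shows, a timeout with 0 OIDs can also come from the return traffic being dropped on the path.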
Hi Craig -
Yes, it is timing out returning 0 OIDs. My SNMP username is correct and the output of "show snmp users" confirmed it. I am using SHA for auth and AES 128 for encryption. The password is correct for both auth and encryption. I do have both algorithms, auth and priv, in SNMPWalk. I'm just wondering if this could be the version of the ASA. It is an ASA5506 with FirePOWER services. Or could this be the SW application itself? I will keep checking - thanks for assisting me.