FreeBSD
Sergey, 2014-07-04 15:03:35

Why is snmpget on FreeBSD not getting data from a pingable Cisco?

Good afternoon!
I installed a server on FreeBSD 10 with the net-snmp module. I ping the router from the server and the ping is fine; they are on the same subnet. snmpget does not receive data from Cisco devices that are reachable via ping, while the neighboring server receives data from these routers. To check the operation of the snmpget program itself, I queried print servers and network printers and got everything.

[email protected]:/home/dark # snmpget -v2c -c public 10.141.1.95 1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: Xerox Phaser 3600; OS 1.70.01.24 04-04-2008, NIC V4.01.03(P3600) 03-19-2008, Engine 1.10.71, Duplex 1.00.03 , PCL5e 5.73 02-29-2008, PCL6 5.57  11-28-2007, PS3 1.76.76 02-20-2008, IBM/EPSON 5.18 11-07-2007


[email protected]:/home/dark # snmpget -v2c -c public 10.141.1.1 1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, s72033_rp Software (s72033_rp-IPBASE-M), Version 12.2(33)SXJ1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 22-Jun-11 18:03 by prod_rel_team


[email protected]:/home/dark # snmpget -v2c -c public 10.141.100.9 1.3.6.1.2.1.1.1.0
Timeout: No Response from 10.141.100.9.


[email protected]:/home/dark # ping -c 2 10.141.100.9
PING 10.141.100.9 (10.141.100.9): 56 data bytes
64 bytes from 10.141.100.9: icmp_seq=0 ttl=254 time=0.240 ms
64 bytes from 10.141.100.9: icmp_seq=1 ttl=254 time=0.315 ms

--- 10.141.100.9 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.240/0.277/0.315/0.038 ms
[email protected]:/home/dark #

3 answer(s)
Sergey, 2014-07-04
@sergey_privacy

Check if snmp settings are different on 10.141.1.1 and 10.141.100.9. In particular, access control.
2 servers on freebsd are on the same subnet as the routers. From one all the data is obtained, from the other - no. The restriction is on other networks, there are no restrictions on this subnet, especially for one specific host. A command from one console is copied to another, i.e. there can be no mistakes.
UPD: Problem solved. I did not notice one evil line in the access-lists, which cut everything off for a certain range of addresses that this server fell into.

Sergey Petrikov, 2014-07-04
@RicoX

On the cisco, snmp can only be opened for certain IPs, and this is correct in order to prevent amplification attacks using the cisco. See firewall and ACL. Also attach the output:
show running-config | i snmp
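
An added example, not part of either answer and not the posters' configuration: a first-match evaluator for a numbered Cisco standard ACL bound to an SNMP community, showing how one deny line placed ahead of a broad permit cuts off a range of source addresses. The config text, ACL number 10 and the manager addresses used with it are constructed for illustration.

```python
import ipaddress

# Constructed sample (not from the thread): community "public" bound to
# standard ACL 10, with a narrow deny placed ahead of the broad permit.
SAMPLE_CONFIG = """\
snmp-server community public RO 10
access-list 10 deny   10.141.1.128 0.0.0.127
access-list 10 permit 10.141.0.0 0.0.255.255
"""

def community_acl(config, community):
    """ACL number bound to an SNMP community, or None if there is none."""
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["snmp-server", "community", community]:
            return next((t for t in tok[3:] if t.isdigit()), None)
    return None

def parse_standard_acl(config, number):
    """Entries of one numbered standard ACL as (action, base, wildcard, text)."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)]:
            continue
        action, spec = tok[2], tok[3:]
        if action not in ("permit", "deny"):
            continue  # e.g. "remark" lines
        if spec[0] == "any":
            base, wild = 0, 0xFFFFFFFF
        elif spec[0] == "host":
            base, wild = int(ipaddress.IPv4Address(spec[1])), 0
        else:
            base = int(ipaddress.IPv4Address(spec[0]))
            # No wildcard given (or only "log") means a single host.
            has_wild = len(spec) > 1 and spec[1] != "log"
            wild = int(ipaddress.IPv4Address(spec[1])) if has_wild else 0
        entries.append((action, base, wild, line.strip()))
    return entries

def first_match(entries, source):
    """Evaluate top-down; the first matching entry decides, else implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for action, base, wild, text in entries:
        # Wildcard bits set to 1 are ignored; every other bit must be equal.
        if ((src ^ base) & ~wild & 0xFFFFFFFF) == 0:
            return action, text
    return "deny", "implicit deny (no entry matched)"
```

With the sample config, a manager at 10.141.1.200 hits the deny line while one at 10.141.1.20 on the same subnet reaches the permit, which is the pattern of two neighboring servers getting different results.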

throughtheether, 2014-07-04
@throughtheether

Check if snmp settings are different on 10.141.1.1 and 10.141.100.9. In particular, access control. Check if there are access lists on the interfaces along the path from the host to 10.141.100.9, if they affect SNMP packets.
UPD:

2 servers on freebsd are on the same subnet as the routers.
That is, both addresses 10.141.1.1 and 10.141.100.9 (did I understand correctly, these are router addresses?) are included in one prefix (/17 or shorter) used on the L2 domain (link)?
From one all the data is obtained, from the other - no. The restriction is on other networks, there are no restrictions on this subnet, especially for one specific host.
In fact, it's generally accepted (configuration logic helps) to allow SNMP access on a per-host basis rather than "restrict networks". List the configuration of each of the routers in the SNMP part.
A command from one console is copied to another, i.e. there can be no mistakes.
there can be no mistakes.
How many times have I heard it.
UPD2:
Where did the completely delusional mask /17 come from, I did not quite understand. Did I mention such a mask?
You wrote:
2 servers on freebsd are on the same subnet as the routers.
on the same subnet as routers
on the same subnet
, with router addresses listed as 10.141.1.1 and 10.141.100.9. I assumed that "one subnet" includes both of these addresses. Both of these addresses can be included in one prefix if its length is /17 (10.141.0.0/17) or shorter. You could immediately specify that each server has one interface on the same subnet with each router, which would eliminate double readings. Be more correct, please.
From one all the data is obtained, from the other - no.
Could you clarify, you, acting from each of the servers, cannot receive data from one specific router (10.141.100.9), did I understand you correctly?
Further, I propose to investigate the problem in parts. Such an error, I suppose, can occur for the following reasons:
1) the snmp request does not reach the device
2) the snmp server on the device does not work correctly / does not work at all
3) the snmp server on the device works correctly, the request is incorrect
4) the snmp response to the request does not reach the server.
You can check several points at once with the show snmp Cisco CLI command. Look at exactly which counters (under X SNMP packets input, where X is a number) increase when a request is made from the server.
If all counters keep their value, the request does not reach the device (item 1).
If the number of Unknown community name grows, then either the request contains an incorrect community string value (example: publi c instead of publi c, item 3), or snmp is configured with ACL.
If the response is %SNMP agent not enabled, then the SNMP server on the device is inactive (item 2).
There are a number of other possibilities, including the unlikely and the exotic, which I'll put aside for your next replies, using your excellent advice.
No need to invent unnecessary complications.
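
An added example, not part of the answer above: the counter check it describes, written as a comparison of two `show snmp` snapshots taken before and after a single snmpget from the server. The sample output is constructed and abridged, and the item 4 branch is an inference added here that the answer does not spell out.

```python
import re

# Constructed, abridged `show snmp` output (not captured from the thread).
SAMPLE = """\
Chassis: SAMPLE0001
37 SNMP packets input
    0 Bad SNMP version errors
    4 Unknown community name
    0 Encoding errors
    28 Get-request PDUs
78 SNMP packets output
    0 General errors
    24 Response PDUs
    13 Trap PDUs
"""

def parse_show_snmp(text):
    """Return {(section, label): value}, or None when the agent is disabled."""
    if "%SNMP agent not enabled" in text:
        return None
    counters, section = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S.*?)\s*$", line)
        if not m:
            continue  # e.g. the "Chassis:" line
        value, label = int(m.group(1)), m.group(2)
        if label.startswith("SNMP packets "):
            section = label.split()[-1]  # "input" or "output"
        counters[(section, label)] = value
    return counters

def classify(before_text, after_text):
    """Compare snapshots taken before and after one snmpget from the server."""
    before, after = parse_show_snmp(before_text), parse_show_snmp(after_text)
    if before is None or after is None:
        return "item 2: SNMP agent on the device is not enabled"
    grew = {k for k, v in after.items() if v > before.get(k, 0)}
    if not any(section == "input" for section, _ in grew):
        return "item 1: request does not reach the device"
    if ("input", "Unknown community name") in grew:
        return "item 3 or ACL: wrong community string, or an ACL on the community"
    if ("output", "Response PDUs") in grew:
        # Inference added here, not stated in the answer: the agent replied,
        # so a timeout on the server points at the return path.
        return "item 4: response does not reach the server"
    return "unclassified: input counters grew, inspect them manually"
```

Other managers polling the same device also move these counters, so take the two snapshots close together and repeat the test if the result is ambiguous.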
