On 27/03/2015 8:27 am, Peter Brady wrote:
> Hi All,
>
> I have a C6 (latest patches) physical machine that I use for network and
> server monitoring, predominantly over SNMP. It is on VLAN80. My
> network management interfaces on the switches are on VLAN50 with routing
> between the VLANs. I recently changed the router to a CISCO ASA 5505
> (reasonably recent IOS version, certainly post HeartBleed), with the
> management interface on a higher security level and added appropriate
> ACLs and firewall rules to access VLAN50. I promptly lost SNMP contact
> with roughly half the switches on VLAN50. ICMP, http/s, ssh etc are
> still working across the router. It's just SNMP and only to a subset of
> devices that is the problem.
>
> FWIW the switches I've lost contact with are Netgear Layer 2 and 3
> managed switches, not that brand should make a difference. Some other
> Netgear WAPs are fine and all CISCO devices are fine. With a machine on
> the same VLAN all is happy.
>
> I've tried the obvious on the C6 box: iptables, routing tables,
> SELinux. No luck. Tried snmpwalk with DNS and IP address, no luck.
> The generic response is:
>
> snmpwalk -v1 -c YYYY XXX.XXX.XXX.XXX
> Timeout: No Response from XXX.XXX.XXX.XXX
>
> with an exit code of 1.
>
> I've got a MacOSX box running Yosemite on the same VLAN80 with the same
> rules in the ASA, which works perfectly. They both share the same ASA
> rule set, which leads me to suspect that the ASA is not at fault - but
> can't be 100% certain. Also on the ASA logs I can see the incoming
> connections being accepted and opened through. I'm not running any SNMP
> packet inspection on the ASA.
>
> I noticed that the snmp versions between C6 (5.5) and OSX 10.10 (5.7)
> were different, so have tried a C7 VM (5.7). Still no luck.
>
> A second OSX box on a third VLAN, with a different ASA ruleset also works.
>
> A third physical C6 box on a fourth VLAN also shows the same symptoms:
> can ping, ssh etc but no SNMP.
>
> Given the above symptoms, I'm leaning to a CentOS/RHEL problem because
> the OSX boxes work fine. I can't definitively rule out the ASA being
> the cause of this though.
>
> This one's got me stumped so any suggestions would be gratefully accepted.
>
> Thanks in advance,
> -pete

Never mind. I'd been staring at this for too long. Routing table issue
on the switches that I'd missed.

Cheers
-pete

--
Peter Brady
Email: pdbrady@xxxxxxxxxx
Skype: pbrady77
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos