Hi All,
I have a C6 (latest patches) physical machine that I use for network and server monitoring, predominantly over SNMP. It is on VLAN80. My network management interfaces on the switches are on VLAN50 with routing between the VLANs. I recently changed the router to a CISCO ASA 5505 (reasonably recent IOS version, certainly post HeartBleed), with the management interface on a higher security level and added appropriate ACLs and firewall rules to access VLAN50. I promptly lost SNMP contact with roughly half the switches on VLAN50. ICMP, http/s, ssh etc are still working across the router. It's just SNMP and only to a subset of devices that is the problem.
FWIW the switches I've lost contact with are Netgear Layer 2 and 3 managed switches, not that brand should make a difference. Some other Netgear WAPs are fine and all CISCO devices are fine. With a machine on the same VLAN all is happy.
I've tried the obvious on the C6 box: iptables, routing tables, SELinux. No luck. Tried snmpwalk with DNS and IP address, no luck. The generic response is:
    snmpwalk -v1 -c YYYY XXX.XXX.XXX.XXX
    Timeout: No Response from XXX.XXX.XXX.XXX
with an exit code of 1.
I've got a MacOSX box running Yosemite on the same VLAN80 with the same rules in the ASA, which works perfectly. They both share the same ASA rule set, which leads me to suspect that the ASA is not at fault - but can't be 100% certain. Also on the ASA logs I can see the incoming connections being accepted and opened through. I'm not running any SNMP packet inspection on the ASA.
I noticed that the snmp versions between C6 (5.5) and OSX 10.10 (5.7) were different, so have tried a C7 VM (5.7). Still no luck.
A second OSX box on a third VLAN, with a different ASA ruleset also works.
A third physical C6 box on a fourth VLAN also shows the same symptoms: can ping, ssh etc but no SNMP.
Given the above symptoms, I'm leaning to a CentOS/RHEL problem because the OSX boxes work fine. I can't definitively rule out the ASA being the cause of this though.
This one's got me stumped so any suggestions would be gratefully accepted.
Thanks in advance,
-pete