[CentOS] snmpwalk Mixed Fail

Thu Mar 26 23:19:25 UTC 2015
Peter Brady <subscriptions at simonplace.net>

On 27/03/2015 8:27 am, Peter Brady wrote:
> Hi All,
> 
> I have a C6 (latest patches) physical machine that I use for network and
> server monitoring, predominantly over SNMP.  It is on VLAN80.  My
> network management interfaces on the switches are on VLAN50 with routing
> between the VLANs.  I recently changed the router to a CISCO ASA 5505
> (reasonably recent IOS version, certainly post HeartBleed), with the
> management interface on a higher security level and added appropriate
> ACLs and firewall rules to access VLAN50.  I promptly lost SNMP contact
> with roughly half the switches on VLAN50.  ICMP, http/s, ssh etc are
> still working across the router.  It's just SNMP and only to a subset of
> devices that is the problem.
> 
> FWITW the switches I've lost contact with are Netgear Layer 2 and 3
> managed switches, not that brand should make a difference.  Some other
> Netgear WAPs are fine and all CISCO devices are fine.  With a machine on
> the same VLAN all is happy.
> 
> I've tried the obvious on the C6 box: iptables, routing tables,
> SELinux.  No luck.  Tried snmpwalk with DNS and IP address, no luck. 
> The generic response is:
> 
> snmpwalk -v1 -c YYYY XXX.XXX.XXX.XXX
> Timeout: No Response from XXX.XXX.XXX.XXX
> 
> with an exit code of 1.
> 
> I've got a MacOSX box running Yosemite on the same VLAN80 with the same
> rules in the ASA, which works perfectly.  They both share the same ASA
> rule set, which leads me to suspect that the ASA is not at fault - but
> can't be 100% certain.  Also on the ASA logs I can see the incoming
> connections being accepted and opened through.  I'm not running any SNMP
> packet inspection on the ASA.
> 
> I noticed that the snmp versions between C6 (5.5) and OSX 10.10 (5.7)
> were different, so have tried a C7 VM (5.7).  Still no luck.
> 
> A second OSX box on a third VLAN, with a different ASA ruleset also works.
> 
> A third physical C6 box on a fourth VLAN also shows the same symptoms:
> can ping, ssh etc but no SNMP.
> 
> Given the above symptoms, I'm leaning to a CentOS/RHEL problem because
> the OSX boxes work fine.  I can't definitively rule out the ASA being
> the cause of this though.
> 
> This one's got me stumped so any suggestions would be gratefully accepted.
> 
> Thanks in advance,
> -pete

Never mind.  I'd been staring at this for too long.  Routing table issue
on the switches that I'd missed.

Cheers
-pete



-- 
Peter Brady
Email: pdbrady at ans.com.au
Skype: pbrady77
