SNMP - Basic Config

Started by Bagoline, February 06, 2019, 06:03:28 PM

Hi All

We just deployed our Data Center firewalls with two OPNSense VM firewalls.
The selection was between VyOS and PFSense.

Each one had its pros and cons.

One major issue that we face is that we cannot integrate the OPNSense firewall cluster into the SNMP monitoring service.

The firewall rules have been created and the flow is depicted as allowed in the firewall policies.

The NET-SNMP plugin has been configured with all needed information and the respective listening IP addresses, MGMT IP and loopback.

The service is reported as active in the service summary.

However, all SNMPWALK attempts fail with a time-out since no response is returned.
The same thing happens from within the OPNSense terminal:

snmpwalk -v 3 -u [SNMPv3USER] -a SHA -A [SNMPv3AUTHKEY] -x AES -X [SNMPv3PRIVKEY] 127.0.0.1

Are we missing something?

All feedback will be greatly appreciated.

Thank you
Best Regards
Konstantinos


Hi Mimugmail

I downgraded to SNMP v2c and I can snmpwalk the firewall through the loopback IP 127.0.0.1.

However, when trying the same with the interface IP, even though it is listed as a service IP within the net-snmp I get a time-out.

The logs are a bit strange since while doing the SNMPWALK locally on the device I get an IPSEC ACL permit match log.

Through the NMS i still get the log of permitting the traffic but with no response, hence the timeout again.

Please check with sockstat whether the port is listening on this IP, and whether you see blocked packets in the firewall log.

I saw that both the interface IP and the loopback are listening on UDP port 161.
Output below:
root     snmpd      33879 8  udp4   192.168.121.161:161   *:*
root     snmpd      33879 9  udp4   127.0.0.1:161         *:*

In addition, firewall rules permit all traffic to the firewall from the source IP to all interfaces.
I can see the respective log in the live view.

An SNMP version 2c walk to the firewall returns "Timeout: No response from 192.168.121.161".
An SNMP version 3 walk to the firewall returns "snmpwalk: Timeout".

We had the same issue with pfSense, which was the main reason we replaced them with opnsense.

Any other suggested steps?


Simple log stating a permit from the OpenNMS system to the firewall interface IP address.

Are there any other logs I can check?

February 20, 2019, 03:21:27 PM #7 Last Edit: February 20, 2019, 03:27:55 PM by hbc
Try adding -l authPriv; without it I got an error:

snmpwalk -v 3 -u [SNMPv3USER] -a SHA -A [SNMPv3AUTHKEY] -x AES -X [SNMPv3PRIVKEY] -l authPriv 127.0.0.1

Worked for me. I just had to replace 127.0.0.1, since I just bound to monitoring interface and not localhost.

Quote: We had the same issue with pfSense, which was the main reason we replaced them with opnsense.

Maybe you should check in a second shell whether packets are seen on the right interface (lo0) and that it is not a cabling/IP conflict issue.

tcpdump -i lo0 port 161
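The two checks this thread converges on (mimugmail's sockstat check and hbc's -l authPriv point) as reusable shell functions, added here as an example and not code from any poster or from the OPNsense net-snmp plugin. The sockstat listing is constructed from the output posted above; the user name, keys and the 10.0.0.1 address are placeholders. The point behind snmpv3_seclevel is that net-snmp sends SNMPv3 requests at noAuthNoPriv unless -l says otherwise, so -A/-X on their own do not produce an authenticated, encrypted request the agent will answer.

```shell
#!/bin/sh
# Added example (not from the forum thread): the two triage checks for an
# unresponsive net-snmp snmpd on OPNsense/FreeBSD. IPs, user and keys are
# placeholder assumptions.

# Constructed sockstat -4 -l listing, modelled on the one posted in the thread.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     snmpd      33879 8  udp4   192.168.121.161:161   *:*
root     snmpd      33879 9  udp4   127.0.0.1:161         *:*'

# Check 1 (sockstat): does snmpd hold a UDP/161 socket bound to the IP in $1?
# Reads a sockstat listing on stdin, so it works on live `sockstat -4 -l`
# output or on a saved copy. Exit status 0 if bound, 1 otherwise.
snmpd_listens_on() {
    awk -v want="$1:161" '
        $2 == "snmpd" && $5 == "udp4" && $6 == want { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Check 2 (security level): net-snmp defaults SNMPv3 to noAuthNoPriv unless
# -l is given, so pick the level that matches the pass phrases supplied
# ($1 = auth pass phrase, $2 = priv pass phrase; either may be empty).
snmpv3_seclevel() {
    if [ -n "$1" ] && [ -n "$2" ]; then echo authPriv
    elif [ -n "$1" ]; then echo authNoPriv
    else echo noAuthNoPriv
    fi
}

# Assemble the snmpwalk command line with the matching -l. It is echoed rather
# than executed so it can be reviewed first (or eval'd) against the target $1.
snmpwalk_cmd() {
    target="$1" user="$2" authkey="$3" privkey="$4"
    level=$(snmpv3_seclevel "$authkey" "$privkey")
    cmd="snmpwalk -v 3 -u $user -l $level"
    [ -n "$authkey" ] && cmd="$cmd -a SHA -A $authkey"
    [ -n "$privkey" ] && cmd="$cmd -x AES -X $privkey"
    echo "$cmd $target"
}

# Stand-alone run against the constructed listing: the two posted addresses
# are bound, the placeholder 10.0.0.1 is not.
for ip in 192.168.121.161 127.0.0.1 10.0.0.1; do
    if printf '%s\n' "$SAMPLE_SOCKSTAT" | snmpd_listens_on "$ip"; then
        echo "snmpd bound to $ip:161"
    else
        echo "snmpd NOT bound to $ip:161; fix the listen address before blaming the firewall"
    fi
done
snmpwalk_cmd 192.168.121.161 SNMPv3USER SNMPv3AUTHKEY SNMPv3PRIVKEY
```

On a live box, replace the constructed listing with `sockstat -4 -l | snmpd_listens_on <ip>`; if it reports not bound, the timeout is a listen-address problem and no firewall rule will fix it. If it is bound and a pass rule is logged but there is still no answer, run hbc's `tcpdump -i <interface> port 161` alongside the walk to confirm the request arrives and that the reply never leaves.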

The issue was rectified on the primary instance when LibreSSL was removed in favor of OpenSSL.

The standby still has the same issue for some reason.
Unfortunately, there is no available time to troubleshoot it.

Regarding the packets, they reach the firewall OK, the SNMP service for some reason does not respond.