[SOLVED] snmp not responding on multi-interface system - ESX 5.5

Started by ooboyle, May 31, 2016, 10:07:44 PM

Hello,

I'm running on ESX5.5 using e1000 adapters for 3 interfaces on this system:

OPNsense 16.1.14-amd64   
FreeBSD 10.2-RELEASE-p17   
OpenSSL 1.0.2h 3 May 2016

em0: WAN
em1: LAN
em2: opt1

I've configured SNMP via the web UI but I'm not getting any response to my SNMP queries. I'm trying to query the em2 interface, but em1 doesn't respond either.

The hosts file resolves the hostname to em1 and I'm unable to add a second entry for the em2 interface that will persist after a reboot. My monitoring system is on the same subnet as em2. If I query em1 or em2, I don't appear to get any response at all but I do see the request being passed in the firewall log.

I suspect there are two problems here:

1) I can't query em2 because OPNsense doesn't want to resolve its own name to that interface's IP and so breaks SNMP (I could be wrong about this, but either way, I can't seem to change that behavior so it doesn't matter).

2) I can't query em1 because OPNsense tries to process using the em2 interface and the operation breaks somewhere as a result.

Has anyone else run into this? Is there some way to resolve this other than possibly swapping the subnets associated with the em1 and em2 interfaces (I'd really prefer not to do this)?

Thanks for any assistance on the matter.

Oliver

Ok, I've tried a number of things and SNMP simply isn't working:

1) flipped em1 and em2 so that the first LAN interface was also on the same subnet as my monitoring system
2) removed em2 entirely
3) snmpwalk for v1 and v2c from monitoring system to OPNsense

Confirmed:

1) hosts file now shows the IP of em1 for the host
2) all DNS names resolving correctly from all directions
3) firewall rules appear to be passing the traffic
4) traps from OPNsense do make it out to the monitoring system

Where is the authoritative SNMP server config file located in the file system? I found one version but it's obviously not authoritative.

Any ideas?

Oliver



Doh. I figured it out. There was a very hard to see blank space at the end of my community string.

Nothing to see here. Move along...

Hi Oliver,

I was thinking of how to avoid this, but I don't think we can do something in the GUI here. :(


Cheers,
Franco

I wouldn't worry about it too much. The problem was due to a combination of bad cut and paste + a string with an L at the end. It was just hard to see and my fault.

Oliver

That said, you could strip blank spaces from the end of the string. But that might break someone's string that uses a blank space in the last position!

Stripping secrets is tricky; one should never try to validate them or enforce arbitrary restrictions. I formerly mixed this up with a visible string or selective name.
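
The trade-off in the last two posts (a trailing blank is hard to see, but stripping it could change a secret someone chose on purpose) can be handled by storing the value unchanged and showing the hard-to-see characters to the person entering it. This is an added example, not part of the thread and not OPNsense code; the function names and the sample community strings are constructed for illustration.

```python
import unicodedata


def suspicious_chars(secret):
    """List (index, codepoint, name) for characters that are hard to see.

    Flags whitespace at either end of the string, and anywhere in it:
    non-plain whitespace (tab, no-break space), control and format
    characters. Interior plain spaces are visible in context and are kept.
    """
    lead = len(secret) - len(secret.lstrip())
    trail_start = len(secret.rstrip())
    findings = []
    for i, ch in enumerate(secret):
        if ch == " ":
            hit = i < lead or i >= trail_start
        else:
            hit = ch.isspace() or unicodedata.category(ch) in ("Cc", "Cf")
        if hit:
            name = unicodedata.name(ch, "UNNAMED CONTROL")
            findings.append((i, "U+%04X" % ord(ch), name))
    return findings


def visible(secret):
    """Render the secret in brackets with flagged characters spelled out."""
    flagged = {i: cp for i, cp, _ in suspicious_chars(secret)}
    body = "".join("<%s>" % flagged[i] if i in flagged else ch
                   for i, ch in enumerate(secret))
    return "[" + body + "]"


def accept_community(value):
    """Return the value exactly as entered, plus warnings for the user.

    The secret is never stripped or rejected; the caller decides what to do.
    """
    warnings = ["position %d: %s %s" % f for f in suspicious_chars(value)]
    return value, warnings


if __name__ == "__main__":
    # Constructed sample: a pasted string ending in "L" plus one blank.
    pasted = "monitorL "
    stored, warnings = accept_community(pasted)
    print(visible(stored))
    for w in warnings:
        print("warning:", w)
```
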