Hi All,

I have a C6 (latest patches) physical machine that I use for network and server monitoring, predominantly over SNMP. It is on VLAN80. My network management interfaces on the switches are on VLAN50 with routing between the VLANs. I recently changed the router to a CISCO ASA 5505 (reasonably recent IOS version, certainly post HeartBleed), with the management interface on a higher security level and added appropriate ACLs and firewall rules to access VLAN50. I promptly lost SNMP contact with roughly half the switches on VLAN50. ICMP, http/s, ssh etc. are still working across the router. It's just SNMP, and only to a subset of devices, that is the problem.

FWIW the switches I've lost contact with are Netgear Layer 2 and 3 managed switches, not that brand should make a difference. Some other Netgear WAPs are fine and all CISCO devices are fine. With a machine on the same VLAN all is happy.

I've tried the obvious on the C6 box: iptables, routing tables, SELinux. No luck. Tried snmpwalk with DNS and IP address, no luck. The generic response is:

    snmpwalk -v1 -c YYYY XXX.XXX.XXX.XXX
    Timeout: No Response from XXX.XXX.XXX.XXX

with an exit code of 1.

I've got a MacOSX box running Yosemite on the same VLAN80 with the same rules in the ASA, which works perfectly. They both share the same ASA rule set, which leads me to suspect that the ASA is not at fault - but can't be 100% certain. Also on the ASA logs I can see the incoming connections being accepted and opened through. I'm not running any SNMP packet inspection on the ASA.

I noticed that the snmp versions between C6 (5.5) and OSX 10.10 (5.7) were different, so have tried a C7 VM (5.7). Still no luck.

A second OSX box on a third VLAN, with a different ASA ruleset, also works.

A third physical C6 box on a fourth VLAN also shows the same symptoms: can ping, ssh etc. but no SNMP.

Given the above symptoms, I'm leaning to a CentOS/RHEL problem because the OSX boxes work fine. I can't definitively rule out the ASA being the cause of this though.

This one's got me stumped so any suggestions would be gratefully accepted.

Thanks in advance,
-pete

--
Peter Brady
Email: pdbrady at ans.com.au
Skype: pbrady77
On 27/03/2015 8:27 am, Peter Brady wrote:
> Given the above symptoms, I'm leaning to a CentOS/RHEL problem because
> the OSX boxes work fine. I can't definitively rule out the ASA being
> the cause of this though.
>
> This one's got me stumped so any suggestions would be gratefully accepted.
>
> Thanks in advance,
> -pete

Never mind. I'd been staring at this for too long. Routing table issue on the switches that I'd missed.

Cheers
-pete

--
Peter Brady
Email: pdbrady at ans.com.au
Skype: pbrady77
On Thu, Mar 26, 2015 at 5:27 PM, Peter Brady <subscriptions at simonplace.net> wrote:
> FWIW the switches I've lost contact with are Netgear Layer 2 and 3
> managed switches, not that brand should make a difference. Some other
> Netgear WAPs are fine and all CISCO devices are fine. With a machine on
> the same VLAN all is happy.
>

Could be asymmetric routing...

Do the Netgear and Cisco devices have the same default gateway?
Do the Cisco devices have an SVI or vlan-interface in multiple VLANs?
Do the CentOS and Mac boxes use the same default gateway?

Capture at the device: does the SNMP request make it to $device? Does $device respond? This will tell you if you are troubleshooting the sending of the SNMP query or the SNMP response.

Are the ASA rules actually in place? I've seen a firewall say X is allowed at a software level, but changing the order of rules and then changing back and re-pushing fixed things.
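As an added example (not part of the thread), a small Python classifier for the "capture at the device" step above: given `tcpdump -e -n udp port 161` output taken on the switches' VLAN, it reports whether the poll never arrived, arrived but got no answer, was answered toward the wrong next hop (the asymmetric-routing case, which is how a missing route on the switch shows up), or was answered correctly toward the gateway. The capture, addresses and the gateway MAC are constructed for this example.

```python
import re

# Constructed excerpt of `tcpdump -e -n udp port 161` taken on the switches'
# VLAN (VLAN50 in the thread). Hosts, MACs and values are invented; the ASA's
# VLAN50 interface is assumed to have MAC 00:11:22:ff:ff:ff.
SAMPLE_CAPTURE = """\
10:01:02.000101 00:11:22:ff:ff:ff > 00:11:22:30:30:30, ethertype IPv4 (0x0800), length 90: 10.80.0.20.51234 > 10.50.0.30.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
10:01:02.000400 00:11:22:30:30:30 > 00:11:22:ff:ff:ff, ethertype IPv4 (0x0800), length 120: 10.50.0.30.161 > 10.80.0.20.51234:  GetResponse(58)  .1.3.6.1.2.1.1.1.0="sw-30"
10:01:03.000101 00:11:22:ff:ff:ff > 00:11:22:31:31:31, ethertype IPv4 (0x0800), length 90: 10.80.0.20.51235 > 10.50.0.31.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
10:01:03.000400 00:11:22:31:31:31 > 00:11:22:ee:ee:ee, ethertype IPv4 (0x0800), length 120: 10.50.0.31.161 > 10.80.0.20.51235:  GetResponse(58)  .1.3.6.1.2.1.1.1.0="sw-31"
10:01:04.000101 00:11:22:ff:ff:ff > 00:11:22:32:32:32, ethertype IPv4 (0x0800), length 90: 10.80.0.20.51236 > 10.50.0.32.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
"""
# One `tcpdump -e` line: time, srcMAC > dstMAC, ..., srcIP.port > dstIP.port: PDU
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<pdu>\w+)"
)


def diagnose(capture: str, device_ip: str, gateway_mac: str) -> str:
    """Return which leg of the SNMP exchange with device_ip is failing:
    request-not-seen        poll never reached the VLAN (ASA ACL/NAT or route)
    no-response             device got the poll and stayed silent (community,
                            device ACL, or no route back at all)
    response-wrong-next-hop reply went to a MAC other than the gateway's:
                            wrong default gateway / stale route (asymmetric)
    device-side-ok          reply went to the gateway: check the ASA return path
    """
    request_seen = False
    response_next_hop = None
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["dip"] == device_ip and m["dport"] == "161" and m["pdu"] in ("GetRequest", "GetNextRequest"):
            request_seen = True
        elif m["sip"] == device_ip and m["sport"] == "161" and m["pdu"] == "GetResponse":
            response_next_hop = m["dmac"].lower()
    if not request_seen:
        return "request-not-seen"
    if response_next_hop is None:
        return "no-response"
    if response_next_hop != gateway_mac.lower():
        return "response-wrong-next-hop"
    return "device-side-ok"


if __name__ == "__main__":
    for ip in ("10.50.0.30", "10.50.0.31", "10.50.0.32", "10.50.0.33"):
        print(ip, diagnose(SAMPLE_CAPTURE, ip, "00:11:22:ff:ff:ff"))
```

Run the same capture through `diagnose()` per device and compare a working switch against a failing one; a "response-wrong-next-hop" result points at the switch's own routing table rather than the poller or the firewall.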