Skip to main content
dmillan
Staff
dmillan
Staff
January 5, 2017

Troubleshooting Tip: How to use snmpd debug to troubleshoot SNMP

  • January 5, 2017
  • 0 replies
  • 91993 views

Description

 

This describes how to troubleshoot when SNMP fails to deliver data to the poller. In this example, let's focus on retrieving interface status information.

 

Scope

 

FortiGate.


Solution

 

  1. To validate if SNMP is enabled and the process is running, use the following commands:


diagnose test application snmpd 1 


Or:

diagnose sys top 5 100 | grep snmp

 

Example:

FortiGate-VM64-KVM # diagnose test application snmpd 1

snmpd pid = 162

 
Or:

FortiGate-VM64-KVM # diagnose sys top 5 100 | grep snmp

           snmpd      162      S       0.0     1.1    0

 

  1. Validate whether the SNMP request is reaching the FortiGate:


diagnose sniffer packet any 'port 161 or port 162' 4 0 a
interfaces=[any]
filters=[port 161 or port 162]

0.374066 port3 in 192.168.23.24.46924 -> 192.168.23.50.161: udp 46

1.265093 port3 in 192.168.23.24.46926 -> 192.168.23.50.161: udp 46

1.801043 port3 in 192.168.23.24.46928 -> 192.168.23.50.161: udp 46

3.679096 port3 in 192.168.23.24.46930 -> 192.168.23.50.161: udp 46
3.688234 port3 out 192.168.23.50.161 -> 192.168.23.24.46930: udp 48

 

As an example, note that the first 3 packets do not receive any reply, meaning that the problem should be checked with the debug flow.

 

Debug flow:

diagnose debug reset
diagnose debug flow filter addr <SNMP manager IP>
diagnose debug flow filter port 161
diagnose debug flow show iprope en
diagnose debug flow trace start 299
diagnose debug enable

 

To stop the debugging:

diagnose debug disable

 

The request is reaching the FortiGate, but it is not being processed by the SNMP daemon. The last packet receives a reply (FortiGate replied to the SNMP request). This is the working sequence.

 

  1. Check and collect logs on FortiGate to validate the SNMP request by using the following commands:


diagnose debug reset
diagnose debug application snmpd -1
diagnose debug enable
diagnose debug disable <----- Command to disable the debug.

 

Example:

To validate the SNMP interface status from the SNMP manager:

c:> snmpwalk -v2c -c fortinet 192.168.23.50 1.3.6.1.2.1.2.2.1.7
iso.3.6.1.2.1.2.2.1.7.1 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.7.2 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.3 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.4 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.5 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.6 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.7 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.8 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.9 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.10 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.11 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.12 = INTEGER: 2

 

Note:

INTEGER: 1 = UP
INTEGER: 2 = DOWN

 

Important commands to test SNMP:

diagnose test application snmpd 1  - verify the snmp process
diagnose test application snmpd 2  - provide snmp statistics
diagnose test application snmpd 3 - clear snmp counters
diagnose test application snmpd 4 - generate snmp trap (via port 162)
diagnose test application snmpd 5 - kill all child process
diagnose test application snmpd 99 - Restart snmp deamon

 

For additional troubleshooting steps for SNMP, see Troubleshooting Tip: General SNMP issue troubleshooting guide.

Terms & ConditionsAccessibility statement