alain
New Member
July 22, 2019
Question

cannot query snmp


Hi,

we have a fortigate HA pair 5.6.6 = FG200E-5.6.6-FW-build1630-180913

We would like to poll snmp by the mgmt interface 172.16.11.135 from 172.16.1.104.

Ping is ok

snmp is enabled on the mgmt interface

host ip is defined

but snmp v1,v2 or even does not work at all.

Here is the debug log :

 

snmpd: request 1(root)/4/172.16.1.104 == comm 1/0/172.16.1.104/255.255.255.255
snmpd: matched community "public"
snmpd: get-next: ifXEntry.1 -> () -> 0
snmpd: </msg> 0

snmpd: <msg> 44 bytes 172.16.1.104:7423 -> 172.16.11.135/172.16.11.135:161 (itf 4.4)
snmpd: checking if community "public" is valid
snmpd: checking against community "public"
snmpd: request 1(root)/4/172.16.1.104 == comm 1/0/172.16.1.104/255.255.255.255
snmpd: matched community "public"
snmpd: get-next: ifXEntry.1 -> () -> 0
snmpd: </msg> 0

snmpd: <msg> 44 bytes 172.16.1.104:7423 -> 172.16.11.135/172.16.11.135:161 (itf 4.4)
snmpd: checking if community "public" is valid
snmpd: checking against community "public"
snmpd: request 1(root)/4/172.16.1.104 == comm 1/0/172.16.1.104/255.255.255.255
snmpd: matched community "public"
snmpd: get-next: ifXEntry.1 -> () -> 0
snmpd: </msg> 0
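
Added example (not part of the original post, and not Fortinet code): a small Python parser for the snmpd debug output above that groups statements per `<msg>` block and reports whether each request matched a host entry and a community. The meaning given to each field is inferred from the log text and is an assumption; `parse_snmpd_debug` and `accepted` are hypothetical names.

```python
import re

# Constructed sample: one request copied from the debug output in the post,
# split at each "snmpd:" prefix.
SAMPLE = """\
snmpd: <msg> 44 bytes 172.16.1.104:7423 -> 172.16.11.135/172.16.11.135:161 (itf 4.4)
snmpd: checking if community "public" is valid
snmpd: checking against community "public"
snmpd: request 1(root)/4/172.16.1.104 == comm 1/0/172.16.1.104/255.255.255.255
snmpd: matched community "public"
snmpd: get-next: ifXEntry.1 -> () -> 0
snmpd: </msg> 0
"""

# Field meanings are inferred from the log text (assumption), not from FortiOS docs.
MSG = re.compile(r'<msg> (\d+) bytes (\S+):(\d+) -> (\S+?)/(\S+):(\d+) \(itf (\S+)\)')
HOST = re.compile(r'request \S+/\S+/(\S+) == comm \S+/\S+/(\S+)/(\S+)')
MATCHED = re.compile(r'matched community "([^"]*)"')
OP = re.compile(r'(get-next|get|set): (\S+) -> \((.*?)\) -> (-?\d+)')

def parse_snmpd_debug(text):
    """Group snmpd debug statements into one dict per <msg> ... </msg> block."""
    requests, cur = [], None
    # A forum paste may run statements together, so split on the prefix itself.
    for stmt in (s.strip() for s in text.split("snmpd:") if s.strip()):
        if stmt.startswith("<msg>"):
            m = MSG.match(stmt)
            cur = {"src": m.group(2), "dst": m.group(5), "itf": m.group(7),
                   "host_entry": None, "community": None, "ops": []} if m else None
        elif cur is None:
            continue  # statement outside a complete block (e.g. truncated paste)
        elif stmt.startswith("</msg>"):
            requests.append(cur)
            cur = None
        elif (m := HOST.match(stmt)):
            cur["host_entry"] = f"{m.group(2)}/{m.group(3)}"
        elif (m := MATCHED.match(stmt)):
            cur["community"] = m.group(1)
        elif (m := OP.match(stmt)):
            cur["ops"].append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return requests

def accepted(req):
    """True when the request matched both a host entry and a community."""
    return req["host_entry"] is not None and req["community"] is not None

if __name__ == "__main__":
    for r in parse_snmpd_debug(SAMPLE):
        print(r["src"], "->", r["dst"], "accepted" if accepted(r) else "rejected", r["ops"])
```
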

    3 replies

    Dave_Hall
    New Member
    July 22, 2019

    This may sound silly, but is the SNMP agent enabled?

     

    alain
    New Member
    July 23, 2019

    yes snmp is enabled with a community name v1/v2c. Tried with v3 without luck.

    ChristianM
    New Member
    July 23, 2019

    Hi,

     

    do you have "trusted hosts" in the admin account defined?

    Is the querying server listed there?

     

    Routing back to the server correct?

    172.16.1.104 is routed through mgmt-interface?

    If not, a policy is needed, to allow traffic from incoming interface to mgmt-interface

     

    Chris

     

    alain
    New Member
    August 20, 2019

    Any comments on my config ?

    Is there a way to restart "SNMP agent"  from cli ?

    What do you think of just rebooting the box ?


    emnoc
    New Member
    August 20, 2019

    If int4.4 is a mgmt interface and you have no local filters and the community is correct and allowaccess shows snmp allowed, it should work unless routing is bad to 172.16.1.104

     

    Since ping is working, I would suspect routing is good. Are you sure the community has no whitespace or other issues?

     

    You should not need to restart the host or snmp-agent, but if you desire you could kill HUP snmpd

     

    diag sys kill HUP PID

     

    e.g. killing update pid based on top

     

    Run Time:  226 days, 1 hours and 58 minutes
    0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 2021T, 1618F
           forticron      129      S       0.1     0.6
              flcfgd      159      S       0.1     0.2
             cmdbsvr      102      S       0.0     1.1
             pyfcgid      123      S       0.0     1.1
              cw_acd      153      S       0.0     0.8
              httpsd      122      S       0.0     0.8
             miglogd      120      S       0.0     0.8
             pyfcgid      180      S       0.0     0.7
             pyfcgid      178      S       0.0     0.7
             pyfcgid      179      S       0.0     0.7
             cw_wtpd      156      S       0.0     0.7
              httpsd      188      S       0.0     0.6
              httpsd      735      S       0.0     0.6
               fgfmd      152      S       0.0     0.5
              newcli     9136      S       0.0     0.5
             miglogd      172      S       0.0     0.5
     initXXXXXXXXXXX        1      S       0.0     0.4
              httpsd      187      S       0.0     0.4
             updated      136      S       0.0     0.4
           ipshelper     9143      S <     0.0     0.3

     

    SOMESTUPIDFGTFW # diag sys kill 9 136

     

    To get the pid do a dump

     

     

    SOMESTUPIDFGTFW # diag sys  process pidof snmpd

    137

     

     

    So in the above case you will kill off pid#137 and ensure it restarts and grabs a new pid

     

    SOMESTUPIDFGTFW # diag sys kill 9 137

     

    SOMESTUPIDFGTFW # diag sys  process pidof snmpd

    9154

     

    Your cfg looks good btw. Status are enabled, I doubt the services are running on that interface. I would try another interface for elimination with the same community. I have seen dedicated mgmt interfaces do weird things sometimes.

     

    Also ensure trusted hosts are not impacting any items.

     

    Ken Felix

     

     

     

     

    alain
    New Member
    August 27, 2019

    Hi,

    there is no snmpd process listed with the "top" command...

    Run Time: 55 days, 15 hours and 48 minutes
    0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 3963T, 3318F
             src-vis      169      S       0.1     1.0
              insmod      111      S       0.1     0.0
             miglogd      209      S       0.0     1.8
             miglogd      144      S       0.0     0.9
             pyfcgid    19264      S       0.0     0.7
             cmdbsvr      126      S       0.0     0.7
           forticron      154      S       0.0     0.7
              httpsd    16721      S       0.0     0.6
              httpsd    11002      S       0.0     0.6
             sslvpnd      159      S       0.0     0.6
             pyfcgid    19267      S       0.0     0.5
             pyfcgid    19266      S       0.0     0.5
             pyfcgid    19265      S       0.0     0.5
              cw_acd      179      S       0.0     0.5
              httpsd      147      S       0.0     0.5
              hasync      166      S <     0.0     0.4
     initXXXXXXXXXXX        1      S       0.0     0.3
             updated      362      S       0.0     0.3
           ipshelper      193      S <     0.0     0.3
              httpsd      210      S       0.0     0.3

     

    How can I start snmpd, or do I miss something?