Skip to main content
ESIT
ESIT
Visitor III
March 20, 2023
Solved

SNMP "no response" from gateway on the other side of IPSEC tunnel - What's the secret?

  • March 20, 2023
  • 2 replies
  • 4005 views

Hi All,

 

I have a central 100F and a small number of 60E's in regional offices. 60E's connect back to the 100F via IPSEC tunnels. I'm trying to monitor the 60E's via SNMP.

 

Key points:

IPSEC setup using default static FG-FG tunnel template.

VDOM is not being used at either end.

Specific rules have been setup for testing allowing essentially ANY/ANY for SNMP and ICMP to and from both ends.

SNMP is enabled on the interface at the remote site.

Tunnels have performed well for 2+ years and I can fire anything I need across it. (ie, DNS and Routing seem fine).

Community has been set, along with ACL (which has also been removed and tested).

I have extensive SNMP checks all over my networks which are working fine (ie, this isn't my first rodeo).

 

Result:

I can ping the remote interface gateway.

SNMPGET and WALK returns "no response" (commands tested locally work fine).

 

I can SNMPGET a bunch of other devices on that remote subnet and it works. When directing SNMP to the remote gateway, I can see the packets leave the 100F and arrive on the 60E but they just seem to stop. The behaviour is the same on all of my remote 60E's so I feel like I'm missing a FG specific switch somewhere.

 

Any help appreciated.

 

 

Best answer by ESIT

Sorry I didn't explain that very well in frustration.

 

System --> Administrators --> Give any user the IP of the SNMP Host

 

From what I read elsewhere, if you have used ACL's at the admin account level they will be checked first, then the SNMP host. I have confirmed this is the behaviour I am experiencing.

2 replies

adambomb1219
SuperUser
adambomb1219
SuperUser
March 20, 2023

I was first thinking this:  https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/848980/local-out-traffic

 

But I don't think there is SNMP impact for this.

ESIT
ESITAuthor
Visitor III
March 20, 2023

It's not local-out traffic. It's a monitoring server on a subnet behind the 100F. I should have mentioned that in the OP

adambomb1219
SuperUser
adambomb1219
SuperUser
March 20, 2023

Is the SNMP Agent enabled on the FortiGate?  System->SNMP

ESIT
ESITAuthor
Visitor III
March 20, 2023

Well that was a frustrating waste of a day. Not only does the host need to be added to the SNMP settings, but also a local user. 

 

Excuse my frustration but, WTAF? I don't see that anywhere in the documentation under SNMP configuration or any logical connection between the two.

Markus_M
Staff & Editor
Markus_M
Staff & Editor
March 21, 2023

Hi Esit,

 

what exactly do you mean by local user?

You do need to enable the agent, allow the querying IPs and add either community (v1) or user credentials (v3).

 

Best regards,

 

Markus

Terms & ConditionsCookie settingsAccessibility statement