SamK0
New Member
May 23, 2024
Solved

SNMP V3 ERROR ABOUT CISCO SWITCH

Hello everyone,
I am working with FortiNAC-F 7.4 and I have imported a Cisco Catalyst switch v3. The ports on the switch are in VLANs. I can read them on the device, but the problem is that I cannot retrieve certain endpoints on the ports. When I check the events on FortiNAC, I receive an error:

SNMP Failure SNMP failed for device SW-INFO with message SNMP getNext/getBulk Failed for device: 10.30.5.0.2

Can you please help me?

FortiNAC 

AEK
SuperUser
May 23, 2024

Hi Sam

When you click "Validate credentials" for the device, is it successful?

Do you get a correct answer when you try snmpwalk (with SNMPv3) from FNAC CLI?
E.g.:

snmpwalk -v3 -u fnac -l AuthPriv -a sha -A <AuthPass> -x aes -X <EncPass> 10.30.5.2
AEK
SamK0 (Author)
New Member
May 23, 2024

Hi AEK,

Yes, I receive a successful notification. But on the FNAC CLI, I cannot use the snmpwalk command directly: it's not recognised on FortiOS. But when I use the diagnose command for SNMP walk, I can read all switch OIDs.

ebilcari
Staff
May 25, 2024

You can still run the snmpwalk command in NAC-OS after entering shell access:

fnacl74 # exe enter

fnacl74:~$ snmpwalk
USAGE: snmpwalk [OPTIONS] AGENT [OID]


You can gather more information by enabling the SNMP debug:

# diagnose debug plugin enable SnmpV1

# diagnose debug plugin list-debug-enabled

# diagnose tail output.master -f | grep Snmp


In the end don't forget to disable the debug:

# diagnose debug plugin disable SnmpV1


Usually these problems are solved by finding a compatible Authentication/Privacy protocol between the switch and FNAC.

Emirjon
AEK
SuperUser
May 24, 2024

Can you share the SNMPv3 related config of the switch used for FNAC? (you can hide IP addresses and passwords).

Can you also try with SNMPv2 and see if it works? (just for test purpose).

AEK
SamK0 (Author)
New Member
May 24, 2024

Hi AEK,
below is the SNMP config:

[attachment: CaptureAAAA.PNG]

NB: the ports are in VLANs other than the default VLAN.
On the ports I've enabled: "snmp trap mac-notification added" and "snmp trap mac-notification removed".

AEK (Answer)
SuperUser
May 24, 2024

Hi Sam

In your config I see only trap related config.

I usually add the following for SNMP queries and all works fine.

snmp-server group nacgroup v3 priv read nacgroup write nacgroup notify nacgroup
snmp-server group nacgroup v3 priv context vlan- match prefix read nacgroup

snmp-server view nacgroup iso included
snmp-server view nacgroup system included
snmp-server view nacgroup interfaces included


AEK
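As an added diagnostic (not from this thread or from Fortinet), the POSIX shell script below walks the Cisco bridge forwarding table (BRIDGE-MIB dot1dTpFdbPort, which maps a learned MAC to its bridge port) in the "vlan-N" SNMPv3 context that the "context vlan- match prefix" group line above permits, using the same snmpwalk flags AEK gave, and classifies the output so that a credential, view or context problem can be told apart from a VLAN that simply has no learned MACs. The user name, passphrases, agent address and VLAN ids are placeholders.

```shell
#!/bin/sh
# Added diagnostic for the per-VLAN SNMPv3 context check; all credentials,
# the agent address and the VLAN ids are assumed placeholders.
AGENT="${AGENT:-10.30.5.2}"
SNMP_USER="${SNMP_USER:-fnac}"
AUTH_PASS="${AUTH_PASS:-AuthPass}"
PRIV_PASS="${PRIV_PASS:-EncPass}"
FDB_OID="1.3.6.1.2.1.17.4.3.1.2"   # dot1dTpFdbPort: MAC index -> bridge port
# Print the snmpwalk command for one VLAN: the thread's flags plus
# -n vlan-<id>, which selects that VLAN's bridge instance on a Cisco switch.
walk_cmd() {
  printf 'snmpwalk -v3 -u %s -l authPriv -a SHA -A %s -x AES -X %s -n vlan-%s %s %s\n' \
    "$SNMP_USER" "$AUTH_PASS" "$PRIV_PASS" "$1" "$AGENT" "$FDB_OID"
}
# Classify snmpwalk output read from stdin; prints exactly one of:
#   auth-failure  USM report: wrong auth key or unknown user
#   timeout       no response (unreachable, ACL, or request discarded)
#   no-rows       nothing returned: context/view not permitted, or no MACs learned
#   ok:N          N forwarding-table rows were readable
classify_walk() {
  out=$(cat)
  case "$out" in
    *"Authentication failure"*|*"Unknown user name"*) echo auth-failure ;;
    *"Timeout: No Response"*)                         echo timeout ;;
    *"No Such Object"*|*"No Such Instance"*|*"No more variables"*|"") echo no-rows ;;
    *) n=$(printf '%s\n' "$out" | grep -c -e dot1dTpFdbPort -e '17\.4\.3\.1\.2\.' || true)
       if [ "$n" -gt 0 ]; then echo "ok:$n"; else echo no-rows; fi ;;
  esac
}
# Turn each FDB row (named, numeric or -On OID form) into "aa:bb:cc:dd:ee:ff port":
# the six decimal index octets before "= INTEGER:" are the MAC, the value the port.
fdb_rows_to_mac_port() {
  awk -F'[ .=]+' '/dot1dTpFdbPort|17\.4\.3\.1\.2\./ {
    mac = ""
    for (i = NF-7; i <= NF-2; i++) mac = mac (i > NF-7 ? ":" : "") sprintf("%02x", $i)
    print mac, $NF }'
}
# Run the check for every VLAN id on the command line, e.g. ./fdbcheck.sh 10 20
check_vlans() {
  command -v snmpwalk >/dev/null 2>&1 || { echo "snmpwalk not found" >&2; return 1; }
  for v in "$@"; do
    printf 'vlan-%s: ' "$v"
    $(walk_cmd "$v") 2>&1 | classify_walk
  done
}
if [ $# -gt 0 ]; then check_vlans "$@"; fi
```

Pipe a successful walk through fdb_rows_to_mac_port to compare the switch's own MAC-to-port view with what FortiNAC shows for the same ports.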