kaman
Staff
Article Id 368386
Description

This article addresses an issue where the FortiGate does not reply to SNMP queries over an IPsec tunnel.
Scope

FortiOS.
Solution
SNMP queries are reaching the FortiGate over the IPsec tunnel, but no response is sent back by the firewall.

Network diagram:

FortiGate-VM --- IPsec VPN --- FortiGate --- SNMP server

topology-network.png
The packet sniffer shows incoming traffic on UDP port 161, but no outgoing response traffic.

incoming-sniffer.png
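As an added example (not part of the original article), the following Python script parses FortiGate sniffer text and reports SNMP managers whose queries arrived on UDP/161 without a reply leaving, which is exactly the symptom shown in the capture above. It assumes the verbose-level-4 line layout 'time iface in|out src.port -> dst.port: udp len'; the tunnel interface name 'to_hub', the addresses and the sample lines are constructed for this example.

```python
"""Parse FortiGate sniffer output and flag one-way SNMP traffic (added example)."""
import re
from collections import defaultdict

SNMP_PORT = 161

# Assumed verbose-level-4 line layout (not taken from the article):
# "<time> <iface> in|out <src>.<sport> -> <dst>.<dport>: udp <len>"
LINE_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp"
)


def summarize_snmp(sniffer_text):
    """Count, per SNMP manager, queries that came in on 161 and replies that went out."""
    stats = defaultdict(lambda: {"queries": 0, "replies": 0, "ifaces": set()})
    for line in sniffer_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines such as "interfaces=[any]" are skipped
        if m["dir"] == "in" and int(m["dport"]) == SNMP_PORT:
            stats[m["src"]]["queries"] += 1
            stats[m["src"]]["ifaces"].add(m["iface"])
        elif m["dir"] == "out" and int(m["sport"]) == SNMP_PORT:
            stats[m["dst"]]["replies"] += 1
    return stats


def unanswered_managers(sniffer_text):
    """Managers that got fewer replies than they sent queries (the article's symptom)."""
    return sorted(ip for ip, s in summarize_snmp(sniffer_text).items()
                  if s["replies"] < s["queries"])


# Constructed capture: queries arrive via the tunnel interface "to_hub", nothing goes back.
SAMPLE_BEFORE_FIX = """\
interfaces=[any]
filters=[port 161]
2.101000 to_hub in 192.168.10.50.50123 -> 10.10.10.1.161: udp 71
4.102000 to_hub in 192.168.10.50.50123 -> 10.10.10.1.161: udp 71
"""

# Constructed capture after the fix: every query is answered through the tunnel.
SAMPLE_AFTER_FIX = """\
2.101000 to_hub in 192.168.10.50.50123 -> 10.10.10.1.161: udp 71
2.101500 to_hub out 10.10.10.1.161 -> 192.168.10.50.50123: udp 98
"""

if __name__ == "__main__":
    print("unanswered before fix:", unanswered_managers(SAMPLE_BEFORE_FIX))  # ['192.168.10.50']
    print("unanswered after fix:", unanswered_managers(SAMPLE_AFTER_FIX))    # []
```

Feed it the saved output of the sniffer command and any manager listed in the result is seeing the one-way behaviour described here.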


By default, FortiGate uses the routing table to send SNMP traffic, so the 'set source-ip' command must be added to send the response through the tunnel interface.

set source-ip x.x.x.x  <- Set an address that belongs to a local network in the VPN phase2 selectors.

Note: The tunnel interface does not have an IP address, and without a defined source IP in the community host configuration, the traffic is sent out using the lower index value by default.

The source IP is configured under 'config system snmp community', but no return traffic is observed.

source-ip.png


No local policy exists to block SNMP traffic, and no trusted host is configured under the local admin account.

The SNMP debug capture shows the error message 'name mismatch while HA is on'.

snmp-debug.png
Solution:
Disable the ha-direct option under 'config system snmp community'.

Note: When ha-direct is enabled, FortiGate does not respond to SNMP requests that arrive on a non-dedicated management port, such as the IPsec tunnel interface here. Hence, disabling ha-direct is necessary for SNMP requests on non-dedicated management interfaces.

ha-direct.png


Once the ha-direct option is disabled, traffic flows through the tunnel, and the SNMP server successfully pulls the information.

response-image.png