Description

This article provides a go-to point for troubleshooting all SNMP issues that may occur with polling information from FortiGate, sorted by issue type.
This article does not focus on SNMP traps.

Scope

FortiGate.

Solution

General setup guide (make sure setup is performed correctly before taking any other troubleshooting steps): Technical Tip: How to Configure FortiGate SNMP Agent for Monitoring.

No reply to SNMP (at all, or only on one interface/VDOM/unit):

• Check if SNMP access is enabled on the interface where the request is received.
• Check if the IP of the polling server is added to the trusted hosts (as well as in the admin user's trusted hosts, if trusted hosts are used): Troubleshooting Tip: Troubleshooting SNMP query failure from the SNMP manager to the firewall.
• Check that the SNMP agent is enabled and configured.
• Check the community name for special characters. See Troubleshooting Tip: SNMP connection failed due to special character.
• Ensure any local-in policies are configured correctly.
• Check if the SNMP request is reaching the expected interface/vlan/vdom (diagnose sniffer packet any "port 161" 4 0).
• Check if the community is matched (diagnose debug app snmpd -1 / diagnose debug enable).
• If the traffic is crossing more than one VDOM, make sure the SNMP is configured for multi-VDOM, and policies exist.
• In HA mode: check if HA-direct is enabled:
  • Technical Tip: FortiGate SNMP polling via the dedicated HA management port.
  • Technical Tip: SNMP and HA clusters.
  • Technical Tip: SNMP communication working scenario with respect to fortigate device in HA and ha-dir...
• Check for a community mismatch when the SNMP is only set up to send traps: Technical Tip: SNMP failed to specific host when host set to trap only
• Check for debug flow and session list. Traffic is allowed, and a new session is allocated. If the SNMP debug shows a mismatch for the host IP, add the SNMP host IP to the SNMP settings.

Debug Flow example:

2024-11-13 13:24:14 id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-11edd8e0, original direction"
2024-11-13 13:24:17 id=20085 trace_id=21 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(proto=17, 192.168.11.123:55398->10.246.16.1:161) tun_id=4.2.55.66 from CNVtoGSC. "
2024-11-13 13:24:17 id=20085 trace_id=21 func=resolve_ip_tuple_fast line=5950 msg="Find an existing session, id-11edd8e0, original direction"

Only some OIDs are not working, or return unexpected values:

• Make sure the most recent MIBs are used in the monitoring tool:
  • Technical Tip: Download FortiOS and FortiCore MIB files
  • Technical Tip: FortiOS MIBs download location for older FortiOS versions
• Check that the output matches the output from specific diagnostic commands.

If all of the above are matched, make sure to have the latest FortiOS version available and then open a support case to investigate.

SNMPD crashes (depending on the type):

• The crashlog can be seen in 'diagnose debug crashlog read'.
• signal 6: make sure all interface indexes are unique. Check as described here: Technical Tip: Watchdog Timeout / Application Crash snmpd (signal 6) abort.
• Signal 11 can be manually triggered by a user or by FortiOS. When triggered by FortiOS, this is only a consequence of Conserve mode most time.

For the other cases, contact TAC support for help with troubleshooting. Collect SNMP debug output (from diagnose debug app snmpd -1 and diagnose debug enable while reproducing the crash).

Troubleshooting actions on FortiGate (after all the above fail):

• Gracefully restart snmpd:

diagnose test application snmpd 99

Debugging (if enabled) will display the following:

diagnose test application snmpd 99

snmpd: received debug test signal
restarting snmp daemon
snmpd: creating community=fortinet
snmpd: community: fortinet mask:       9e9ff9f37f
snmpd: creating community=FortiManager
snmpd: community: FortiManager mask: 7fffffffffffffff
snmpd: set mac_host_timeout as 300

• Alternatively, forcefully restart snmpd:

diagnose sys process pidof snmpd <----- It will return the process ID of snmpd to use.
diagnose sys kill 11 <pid#>

See Technical Tip: Find and restart/kill a process on a FortiGate by the process ID (PID) via pidof. The result will be seen as snmpd showing another process number, and the crashlog will show 'signal 11' sent by the user to snmpd.

• Check the packet capture to ensure packets are seen/received by FortiGate.
• Check the debug flow for the SNMP request to determine if it is passed or blocked.
• Check if the SNMP port is used/open on FortiGate: diagnose sys udpsock | grep 161 
  Technical Tip: SNMP process is not listening
• Check the output of snmpd -1 debug: if the request is not blocked by interface or other security checks, the output will provide the reason for failure.

Note: 

SNMP queries only work on the management (root) VDOM or dedicated management interfaces.

config system interface
    edit <mgmt-iface>
        set vdom root
        set allowaccess snmp
end

Related articles:

• Technical Tip: SNMP v3 connecting to PRTG and adding a custom sensor on PRTG SNMP tool using a Forti...
• Technical Tip: SNMP Charting with PRTG
• Technical Tip: Fortinet OID values to use with SNMP
• Technical Tip: Configuring SNMP polling for FortiGate HA Cluster instances in Microsoft Azure
  
• Technical Tip: FortiGate is not responding to SNMP queries