dmillan, Staff
Article Id 195334

Description

 

This article describes how to troubleshoot a FortiGate when SNMP fails to deliver data to the poller. The example focuses on retrieving interface status information.

 

Scope

 

FortiGate.


Solution

 

1. To validate that SNMP is enabled and the snmpd process is running, use the following commands:

 

diagnose debug disable
diagnose debug reset
diagnose test application snmpd 1
diagnose debug enable

 

Or:

 

diagnose sys top 5 100 | grep snmp

 

Example:

 

FortiGate-VM64-KVM # diagnose test application snmpd 1

snmpd pid = 162

 

Or:

 

FortiGate-VM64-KVM # diagnose sys top 5 100 | grep snmp

           snmpd      162      S       0.0     1.1    0

 

2. Validate whether the SNMP request is reaching the FortiGate:

diagnose sniffer packet any 'port 161 or port 162' 4 0 a
interfaces=[any]
filters=[port 161 or port 162]
0.374066 port3 in 192.168.23.24.46924 -> 192.168.23.50.161: udp 46
1.265093 port3 in 192.168.23.24.46926 -> 192.168.23.50.161: udp 46
1.801043 port3 in 192.168.23.24.46928 -> 192.168.23.50.161: udp 46
3.679096 port3 in 192.168.23.24.46930 -> 192.168.23.50.161: udp 46
3.688234 port3 out 192.168.23.50.161 -> 192.168.23.24.46930: udp 48

 

In this example, the first three requests receive no reply, so the problem must be investigated further with the debug flow.
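To apply the same check to a longer capture, here is an added Python helper (not part of the original article) that parses the `diagnose sniffer packet ... 4` lines, pairs each inbound request to port 161 with the FortiGate's reply by manager IP, manager port and agent IP, and lists the requests that got none; the sample lines embedded in it are the five from the capture above.

```python
import re

# Constructed sample input: the five sniffer lines from the session above (not live output).
SNIFFER_OUTPUT = """\
0.374066 port3 in 192.168.23.24.46924 -> 192.168.23.50.161: udp 46
1.265093 port3 in 192.168.23.24.46926 -> 192.168.23.50.161: udp 46
1.801043 port3 in 192.168.23.24.46928 -> 192.168.23.50.161: udp 46
3.679096 port3 in 192.168.23.24.46930 -> 192.168.23.50.161: udp 46
3.688234 port3 out 192.168.23.50.161 -> 192.168.23.24.46930: udp 48
"""

# One verbosity-4 sniffer line: timestamp, interface, direction, src.port -> dst.port: udp len
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)$"
)


def correlate_snmp(text, agent_port=161):
    """Pair each inbound SNMP request with the agent's reply, keyed by
    (manager IP, manager port, agent IP). Unanswered requests keep reply=None."""
    requests = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip the 'interfaces=' / 'filters=' header lines and anything else
        f = m.groupdict()
        if f["dir"] == "in" and int(f["dport"]) == agent_port:
            key = (f["src"], int(f["sport"]), f["dst"])
            requests.setdefault(key, {"iface": f["iface"], "sent": float(f["ts"]), "reply": None})
        elif f["dir"] == "out" and int(f["sport"]) == agent_port:
            key = (f["dst"], int(f["dport"]), f["src"])  # flip the tuple back to the request
            if key in requests and requests[key]["reply"] is None:
                requests[key]["reply"] = float(f["ts"])
    return requests


def unanswered(text, agent_port=161):
    """Return the (manager IP, manager port, agent IP) keys that never got a reply."""
    return [k for k, v in correlate_snmp(text, agent_port).items() if v["reply"] is None]


def rtt_ms(text, agent_port=161):
    """Round-trip time in milliseconds for the answered requests only."""
    return {k: round((v["reply"] - v["sent"]) * 1000, 3)
            for k, v in correlate_snmp(text, agent_port).items() if v["reply"] is not None}


if __name__ == "__main__":
    for key in unanswered(SNIFFER_OUTPUT):
        print("no reply to request from %s:%d to %s" % key)
    for key, ms in rtt_ms(SNIFFER_OUTPUT).items():
        print("reply to %s:%d from %s in %.3f ms" % (key + (ms,)))
```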

 

Debug flow:


diagnose debug reset
diagnose debug flow filter addr <SNMP manager IP>
diagnose debug flow filter port 161
diagnose debug flow show iprope en
diagnose debug flow trace start 299
diagnose debug enable

 

To stop the debugging:

 

diagnose debug disable

 

In that case the request is reaching the FortiGate, but it is not being processed by the SNMP daemon.

The last packet receives a reply (the FortiGate answered the SNMP request). This is the working sequence.

 

3. Check and collect snmpd debug logs on the FortiGate to validate the SNMP request by using the following commands:

 

diagnose debug reset
diagnose debug application snmpd -1
diagnose debug enable

diagnose debug disable <-- Command to disable the debug.

 

Example:

To validate the SNMP interface status from the SNMP manager:

 

c:> snmpwalk -v2c -c fortinet 192.168.23.50 1.3.6.1.2.1.2.2.1.7
iso.3.6.1.2.1.2.2.1.7.1 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.7.2 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.3 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.4 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.5 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.6 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.7 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.8 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.9 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.10 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.11 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.12 = INTEGER: 2

 

Note:

INTEGER: 1 = UP
INTEGER: 2 = DOWN

 

Important commands to test SNMP:

diagnose test application snmpd 1 - verify the snmp process
diagnose test application snmpd 2 - provide snmp statistics
diagnose test application snmpd 3 - clear snmp counters
diagnose test application snmpd 4 - generate snmp trap (via port 162)
diagnose test application snmpd 5 - kill all child processes
diagnose test application snmpd 99 - restart snmp daemon

 

For additional troubleshooting steps for SNMP, see Troubleshooting Tip: General SNMP issue troubleshooting guide.