FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dmillan
Staff
Staff
Article Id 195334

Description

 

 

This describes how to troubleshoot when SNMP fails to deliver data to the poller. In this example, we will focus on retrieving interface status information.

 

Scope

 

FortiGate.


Solution

 

  1. To Validate if SNMP is enabled and the process is running, use the following commands
  2.  
  3. diagnose test application snmpd 1

Or:

 

  1. diagnose sys top 5 100 | grep snmp

     

Example:

 

FortiGate-VM64-KVM # diagnose test application snmpd 1

snmpd pid = 162

 

Or:

 

FortiGate-VM64-KVM # diag sys top 5 100 | grep snmp

           snmpd      162      S       0.0     1.1    0

 

  1. 2.  Validate whether the SNMP request is reaching the FortiGate:
  2.  

diagnose sniffer packet any 'port 161' 4 0 a
interfaces=[any]
filters=[port 161]

0.374066 port3 in 192.168.23.24.46924 -> 192.168.23.50.161: udp 46

1.265093 port3 in 192.168.23.24.46926 -> 192.168.23.50.161: udp 46

1.801043 port3 in 192.168.23.24.46928 -> 192.168.23.50.161: udp 46

3.679096 port3 in 192.168.23.24.46930 -> 192.168.23.50.161: udp 46
3.688234 port3 out 192.168.23.50.161 -> 192.168.23.24.46930: udp 48

 

 

As an example, note that the first 3 packets do not receive any reply, meaning that the problem should be checked with debug flow.

The request is reaching the FortiGate, but it is not reaching or not processed by the snmp daemon.

The last packet receives a reply (FortiGate replied to the SNMP request). This is the working sequence.

 

  1. Check and collect logs on FortiGate to validate the SNMP request by using the following commands:


diag debug reset

diag debug application snmp -1

diag debug enable

 

Example:

To validate the SNMP interface status from SNMP manager:

 

c:> snmpwalk -v2c -c fortinet 192.168.23.50 1.3.6.1.2.1.2.2.1.7
iso.3.6.1.2.1.2.2.1.7.1 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.7.2 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.3 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.4 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.5 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.6 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.7 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.8 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.9 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.10 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.11 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.7.12 = INTEGER: 2

 

Note:
INTEGER: 1 = UP

INTEGER: 2 = DOWN

 

Important Commands to test snmp:

 

diagnose test application snmpd 1  - verify the snmp process

diagnose test application snmpd 2  - provide snmp statistics

diagnose test application snmpd 3 - clear snmp counters

diagnose test application snmpd 4 - generate snmp trap (via port 162)

diagnose test application snmpd 99 - Restart snmp deamon

 

For additional troubleshooting steps for SNMP, see Troubleshooting Tip: General SNMP issue troubleshooting guide.