FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 198137

Description

This article describes basic steps to troubleshoot SNMP communication issues between FortiNAC and the network devices it manages.

Scope

FortiNAC, FortiNAC-F.

Solution
  1. Confirm that the community string (or SNMPv3 credentials) is correct: navigate to Network -> Inventory (Topology), select the device model, open the Credentials tab and select the Validate Credentials button.

In FortiNAC-F 7.4 and later, SNMP credentials can also be validated from the CLI:

diagnose network device test-snmp ip <ip>

Usage: diagnose network device test-snmp (ip <ip> | mac <mac> | dbid <dbid> | device-name <device-name> | group <group> | container-name <container-name> | class-id <class-id> | attribute-name <attribute-name> | all)

    all                                select all devices
    attribute-name <attribute-name>    select by device attribute
    class-id <class-id>                select device(s) by class in the range 0-56
    container-name <container-name>    select device by container name
    dbid <dbid>                        select device by database Id
    device-name <device-name>          select device by name
    group <group>                      select device(s) by group name
    ip <ip>                            select device by IP Address
    mac <mac>                          select device by MAC Address

  2. Confirm that the SNMP credentials used have read-write permissions. Read-only credentials still pass credential validation, but FortiNAC is then unable to change the device configuration (for example, VLAN assignments).

     SNMPv1  - community string
     SNMPv2c - community string
     SNMPv3:
         SNMP Protocol (SNMPv3-AuthPriv or SNMPv3-AuthNoPriv)
         User Name
         Authentication Protocol (MD5 or SHA1)
         Authentication Password
         Privacy Protocol (DES or AES-128; used only for AuthPriv)
         Privacy Password (used only for AuthPriv)

  3. Determine the nature of the failure by looking for SNMP errors using one or both of the following methods:

snmpwalk
Perform an snmpwalk of the system OID from the FortiNAC CLI (or from any other host that has the net-snmp command-line tools). Linux syntax to use in the FortiNAC CLI:

  • SNMPv1:

snmpwalk -v 1 -c <Read/Write community string> <ip_address> system

  • SNMPv2c:

snmpwalk -v2c -c <Read/Write community string> <ip_address> system

  • SNMPv3 (omit -x and -X when the security level is authNoPriv):

snmpwalk -v3 -u <username> -l <authPriv or authNoPriv> -a <MD5 or SHA> -A <authentication password> -x <DES or AES> -X <privacy password> <ip_address> system

If the following response is returned, the device answered but the credentials do not grant access to the requested subtree, so FortiNAC does not have all the required permissions:

SNMPv2-SMI::mib-x.x.x.x.x.x = No more variables left in this MIB View (It is past the end of the MIB tree)

In FortiNAC-F 7.4 and later, perform an snmpwalk using the following command:

diagnose network snmp walk <ip> <oid>

Usage: diagnose network snmp walk <ip> <oid> [--bulk] [--debug] [--c <context>]

    <ip>                       IP Address of the device
    <oid>                      OID value to manipulate data through snmp4j commands
    --c, --context <context>   The context value
    --debug                    Turns on detailed debug
    --bulk                     Does a bulk get instead of a getNext

Verifications in the Administration UI:
Check for 'SNMP Failure' and 'SNMP Read Error' events and review their details for the cause of the failure. To view events, either right-click the device in Topology/Inventory and select Show Events, or navigate to Logs -> Events & Alarms.

v3 Errors:
  • SNMP Failure event when the device's Engine ID does not match the one cached by FortiNAC: the event contains the message 'Received engine Id <id string> is not correct'.
  • SNMP Failure event when the device is not responding to SNMP: the event contains the message '<ip address> Timed out'. Refer to the related KB article below.
  • SNMP Failure event containing 'Error reading Snmp object': this can occur when the account used by FortiNAC does not have all the required SNMP server group permissions. For tips on configuring and validating Cisco SNMPv3, refer to the related KB article below.
  • SNMP test fails with the error "Error: passphrase chosen is below the length requirements of the USM (min=8).": this can happen when an SNMPv3 passphrase contains a '$' character. In the shell, an unquoted or double-quoted '$' starts a variable reference, so the passphrase is expanded and shortened before snmpwalk ever sees it. To test SNMP communication from the CLI, enclose both passphrases in single quotes ('). If the error persists, the network device itself may be rejecting the passphrase because of specific symbols; avoid at least '@', '$' and the single quote (') in SNMPv3 passphrases.

Example of executing the command:

username    - fnactest
passphrases - String$78
device ip   - 192.168.1.1

snmpwalk -v3 -u fnactest -l AuthPriv -a SHA -A 'String$78' -x DES -X 'String$78' 192.168.1.1 1.3.6.1.4.1.12356.101.4.1
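As an added example that is not part of the Fortinet article: a POSIX shell wrapper for the snmpwalk checks in step 3 and for the '$' passphrase quoting problem described under v3 Errors. The device IP 192.168.1.1, user fnactest and passphrase String$78 are the article's own placeholders; classify_snmp_output recognises the three messages quoted in the article plus net-snmp's standard timeout, authentication-failure and unknown-user strings (assumed wording), and the sample outputs fed to it are constructed.

```shell
#!/bin/sh
# Added example, not code from the Fortinet article. Wraps the snmpwalk
# commands from step 3 so SNMPv3 passphrases are passed as separate
# arguments (never pasted into a command string), and classifies the
# snmpwalk output into the failure causes the article describes.

# Walk the "system" subtree for SNMPv1, v2c or v3.
#   snmp_walk_system 1  <ip> <community>
#   snmp_walk_system 2c <ip> <community>
#   snmp_walk_system 3  <ip> <user> <authPriv|authNoPriv> <MD5|SHA> <authpass> [<DES|AES> <privpass>]
snmp_walk_system() {
    ver=$1; host=$2; shift 2
    case "$ver" in
        1)  snmpwalk -v 1 -c "$1" "$host" system ;;
        2c) snmpwalk -v2c -c "$1" "$host" system ;;
        3)
            if [ "$2" = "authPriv" ]; then
                snmpwalk -v3 -u "$1" -l "$2" -a "$3" -A "$4" -x "$5" -X "$6" "$host" system
            else
                # authNoPriv: no privacy protocol or privacy passphrase
                snmpwalk -v3 -u "$1" -l "$2" -a "$3" -A "$4" "$host" system
            fi ;;
        *)  printf 'unsupported SNMP version: %s\n' "$ver" >&2; return 2 ;;
    esac
}

# Map snmpwalk output (stdout+stderr) to a short cause token. The first
# three patterns are messages quoted in the article; the rest are
# net-snmp's standard error strings (assumed wording).
classify_snmp_output() {
    case "$1" in
        *"below the length requirements of the USM"*) echo passphrase-too-short ;;
        *"No more variables left in this MIB View"*)  echo view-restricted ;;
        *"Timeout: No Response"*|*"Timed out"*)       echo timeout ;;
        *"Authentication failure"*)                   echo auth-failure ;;
        *"Unknown user name"*)                        echo unknown-user ;;
        *"sysDescr"*|*"sysObjectID"*)                 echo ok ;;
        *)                                            echo unclassified ;;
    esac
}

# The length check the USM performs: passphrases must be at least 8 characters.
passphrase_ok() {
    [ "${#1}" -ge 8 ]
}

# Why the article's 'String$78' fails when it is not single-quoted: inside
# double quotes the shell reads "$7" as positional parameter 7, which is
# unset here, so the 9-character passphrase collapses to "String8".
mangled_passphrase() { printf '%s' "String$78"; }
# Single quotes keep every character literal.
intact_passphrase()  { printf '%s' 'String$78'; }

# End-to-end check against the article's example device. Not run by the
# tests: it needs network reachability and the snmpwalk binary.
check_device() {
    out=$(snmp_walk_system 3 192.168.1.1 fnactest authPriv SHA \
          "$(intact_passphrase)" DES "$(intact_passphrase)" 2>&1)
    cause=$(classify_snmp_output "$out")
    printf '%s: %s\n' 192.168.1.1 "$cause"
    [ "$cause" = ok ]
}
```

The point of the wrapper is that each passphrase reaches snmpwalk as one quoted argument ("$4", "$6"), so the shell never gets a second chance to expand it; mangled_passphrase and intact_passphrase show the two values a '$' passphrase can take depending on how it was quoted at the prompt, and passphrase_ok reproduces the USM minimum-length check that produces the article's min=8 error.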
 
 
Important:
Switches using SNMPv3 must have unique Engine IDs (msgAuthoritativeEngineID), because the Engine ID is what SNMPv3 uses to identify the device. If multiple switches share the same Engine ID, sporadic and unpredictable results may occur.

Managing Cisco using SNMPv3:
Cisco wired switches (and potentially other switches using VLAN contexts) must define SNMPv3 context values for every VLAN created on the switch. If this is not done, FortiNAC may not be able to switch VLANs consistently. For tips on configuring and validating Cisco SNMPv3, refer to the related KB article below.

If the above steps do not resolve the behavior, there may be an issue with the SNMP stack. Refer to the related KB article below.

 

Related articles:

Technical Note: Troubleshooting SNMP Timeout Errors

Technical Tip: Configure and validate Cisco SNMPv3

Technical Note: SNMPv3 Communication Fails for Certain Devices

Technical Note: Cannot discover device in Topology due to SNMP failure

Technical Note: SNMP OID access requirements for management of Juniper switches