Hello everyone,
I am working with FortiNAC-F 7.4 and I have imported a Cisco Catalyst switch v3. The ports on the switch are in VLANs. I can read them on the device, but the problem is that I cannot retrieve certain endpoints on the ports. When I check the events on FortiNAC, I receive an error:
SNMP Failure SNMP failed for device SW-INFO with message SNMP getNext/getBulk Failed for device: 10.30.5.0.2
Can you please help me?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Sam
In your config I see only trap related config.
I usually add the following for SNMP queries and all works fine.
snmp-server group nacgroup v3 priv read nacgroup write nacgroup notify nacgroup
snmp-server group nacgroup v3 priv context vlan- match prefix read nacgroup
snmp-server view nacgroup iso included
snmp-server view nacgroup system included
snmp-server view nacgroup interfaces included
Hi Sam
When you click "Validate credentials" for the device, is it successful?
Do you get a correct answer when you try snmpwalk (with SNMPv3) from FNAC CLI?
E.g.:
snmpwalk -v3 -u fnac -l AuthPriv -a sha -A <AuthPass> -x aes 128 -X <EncPass> 10.30.5.2
Hi AEK,
yes i receive a successful notification. But on FNAC cli, i cannot use snmpwalk command directly: It's not recognise on FortiOS . But When i use diagnose command for snmp walk, i can read all switch OID.
You can still run the snmpwalk command in NAC-OS after entering shell access:
fnacl74 # exe enter
fnacl74:~$ snmpwalk
USAGE: snmpwalk [OPTIONS] AGENT [OID]
You can gather more information by enabling the SNMP debug:
# diagnose debug plugin enable SnmpV1
# diagnose debug plugin list-debug-enabled
# diagnose tail output.master -f | grep Snmp
In the end don't forget to disable the debug:
# diagnose debug plugin disable SnmpV1
Usually this problems are solved by finding a compatible Authentication/Privacy protocol between the switch and FNAC.
Hi Ebilcari,
I can now use this command and it works correctly, I can read OID on switch.
Thanks a lot.
Are you still facing issues with the host status update for connected hosts in switch?
There are two methods that FNAC uses to update the host for this switch type:
- SNMP MAC notification traps, (not directly related to SNMP query) that need to be configured in the switch.
- L2 polling, FNAC access the switch via CLI, get the output of the MAC address table and parses it.
Hi Ebllcari,
The problem I'm having now is that I can't read the IPs of the endpoints connected to the fortinac. The IP I see is only that of the switch interface.
Do you have any idea how to solve it ?
The IP of the hosts are learned through reading the ARP table of the managed network devices. The ARP table is populated on the network device where the gateway of the users resides. If the hosts have the GW in another L3 device you have to add it to be managed by FNAC in order to get this visibility.
Can you share the SNMPv3 related config of the switch used for FNAC? (you can hide IP addresses and passwords).
Can you also try with SNMPv2 and see if it works? (just for test purpose).
Hi AEK,
below SNMP config:
NB: the ports are in vlans other than the default vlan.
On the ports I've enabled: "snmp trap mac-notification added" and "snmp trap mac-notification removed".
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1669 | |
1082 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.