SamK0
New Contributor II

SNMP V3 ERROR ABOUT CISCO SWITCH

Hello everyone,
I am working with FortiNAC-F 7.4 and I have imported a Cisco Catalyst switch v3. The ports on the switch are in VLANs. I can read them on the device, but the problem is that I cannot retrieve certain endpoints on the ports. When I check the events on FortiNAC, I receive an error:

SNMP Failure SNMP failed for device SW-INFO with message SNMP getNext/getBulk Failed for device: 10.30.5.0.2

Can you please help me?


1 Solution
AEK

Hi Sam

In your config I see only trap related config.

I usually add the following for SNMP queries and all works fine.

snmp-server group nacgroup v3 priv read nacgroup write nacgroup notify nacgroup
snmp-server group nacgroup v3 priv context vlan- match prefix read nacgroup

snmp-server view nacgroup iso included
snmp-server view nacgroup system included
snmp-server view nacgroup interfaces included


AEK
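The accepted answer's point is that trap-only SNMPv3 config lets the switch send notifications but gives the poller nothing to read: the v3 group needs a read view, that view has to include the subtrees being walked, and, because SNMPv3 has no community-string indexing, a "context vlan- match prefix" entry is what permits per-VLAN BRIDGE-MIB walks. The following script is an added example, not FortiNAC or Cisco code, that audits the snmp-server lines of an IOS running-config for exactly those three conditions. The sample config it runs on is constructed here (a trap-only group next to a group configured as in the answer); the regular expressions assume the IOS syntax shown in the thread and do not cover every snmp-server variant.

```python
"""Audit SNMPv3 group/view settings in a Cisco IOS config (added example).

Constructed sample: "trapgroup" has only a notify view, "nacgroup" is set up
the way the accepted answer suggests.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
snmp-server group trapgroup v3 priv notify trapview
snmp-server view trapview iso included
snmp-server group nacgroup v3 priv read nacgroup write nacgroup notify nacgroup
snmp-server group nacgroup v3 priv context vlan- match prefix read nacgroup
snmp-server view nacgroup iso included
snmp-server view nacgroup system included
snmp-server view nacgroup interfaces included
snmp-server host 192.0.2.10 version 3 priv nacuser
"""

# Group line, optionally carrying a "context <name> match exact|prefix" clause.
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) v3 (?P<level>noauth|auth|priv)"
    r"(?: context (?P<ctx>\S+) match (?P<match>exact|prefix))?(?P<rest>.*)$"
)
# View line: "snmp-server view <name> <subtree> included|excluded".
VIEW_RE = re.compile(
    r"^snmp-server view (?P<name>\S+) (?P<oid>\S+) (?P<mode>included|excluded)$"
)


def parse_config(config):
    """Return (groups, views): per-group level/read view/context entries,
    and the set of included subtrees per view name."""
    groups = defaultdict(lambda: {"level": None, "read": None, "contexts": []})
    views = defaultdict(set)
    for raw in config.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            g = groups[m["name"]]
            g["level"] = m["level"]
            # "read X write Y notify Z" pairs after the group/level tokens
            access = dict(re.findall(r"\b(read|write|notify) (\S+)", m["rest"]))
            if m["ctx"]:
                g["contexts"].append((m["ctx"], m["match"], access.get("read")))
            elif "read" in access:
                g["read"] = access["read"]
            continue
        m = VIEW_RE.match(line)
        if m and m["mode"] == "included":
            views[m["name"]].add(m["oid"])
    return groups, views


def audit_snmpv3(config):
    """Map each v3 group to a list of findings; an empty list means the group
    can be polled: priv level, a defined read view covering iso (or at least
    system and interfaces), and a vlan- prefix context for per-VLAN walks."""
    groups, views = parse_config(config)
    report = {}
    for name, g in groups.items():
        findings = []
        if g["level"] != "priv":
            findings.append(f"security level is {g['level']}, not priv")
        if g["read"] is None:
            findings.append("no read view: GET/GETNEXT/GETBULK from the poller will be refused")
        else:
            included = views.get(g["read"], set())
            if not included:
                findings.append(f"read view {g['read']} is not defined")
            elif "iso" not in included and not {"system", "interfaces"} <= included:
                findings.append(f"read view {g['read']} does not include iso (or system+interfaces)")
        has_vlan_ctx = any(
            ctx.startswith("vlan-") and match == "prefix" and read
            for ctx, match, read in g["contexts"]
        )
        if not has_vlan_ctx:
            findings.append("no 'context vlan- match prefix read <view>' entry: per-VLAN BRIDGE-MIB walks will fail")
        report[name] = findings
    return report


if __name__ == "__main__":
    for group, findings in audit_snmpv3(SAMPLE_CONFIG).items():
        print(group, "OK" if not findings else findings)
```

Run it against the output of "show running-config | include snmp-server" from the switch; a group that FortiNAC's credentials map to should come back with an empty finding list before you expect getNext/getBulk to succeed. Subtree names other than iso/system/interfaces (numeric OIDs, for example) are not recognised by the view check, so treat a "does not include iso" finding on such a view as something to confirm by hand.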

AEK
SuperUser

Hi Sam

When you click "Validate credentials" for the device, is it successful?

Do you get a correct answer when you try snmpwalk (with SNMPv3) from FNAC CLI?
E.g.:

snmpwalk -v3 -u fnac -l AuthPriv -a SHA -A <AuthPass> -x AES -X <EncPass> 10.30.5.2

AEK
SamK0
New Contributor II

Hi AEK,

Yes, I receive a successful notification. But on the FNAC CLI, I cannot use the snmpwalk command directly: it is not recognised on FortiOS. But when I use the diagnose command for SNMP walk, I can read all switch OIDs.

ebilcari

You can still run the snmpwalk command in NAC-OS after entering shell access:

fnacl74 # exe enter

fnacl74:~$ snmpwalk
USAGE: snmpwalk [OPTIONS] AGENT [OID]


You can gather more information by enabling the SNMP debug:

# diagnose debug plugin enable SnmpV1

# diagnose debug plugin list-debug-enabled

# diagnose tail output.master -f | grep Snmp


In the end don't forget to disable the debug:

# diagnose debug plugin disable SnmpV1


Usually these problems are solved by finding a compatible authentication/privacy protocol between the switch and FNAC.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
SamK0
New Contributor II

Hi Ebilcari,
I can now use this command and it works correctly, I can read OID on switch.
Thanks a lot.

ebilcari

Are you still facing issues with the host status update for connected hosts in switch?

There are two methods that FNAC uses to update the host for this switch type:

- SNMP MAC notification traps (not directly related to SNMP queries), which need to be configured on the switch.

- L2 polling: FNAC accesses the switch via CLI, gets the output of the MAC address table and parses it.

- Emirjon
SamK0
New Contributor II

Hi Ebilcari,
The problem I'm having now is that I can't read the IPs of the endpoints connected to FortiNAC. The IP I see is only that of the switch interface.
Do you have any idea how to solve it?

ebilcari

The IPs of the hosts are learned by reading the ARP table of the managed network devices. The ARP table is populated on the network device where the gateway of the users resides. If the hosts have their GW on another L3 device, you have to add it to be managed by FNAC in order to get this visibility.

- Emirjon
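Ebilcari's two posts describe the L2 polling path (parse the switch's MAC address table to place a MAC on a VLAN and port) and the IP learning path (read the ARP table of the device holding the hosts' gateway). The script below is an added example, not FortiNAC code, that does both on constructed sample output: it parses "show mac address-table" and "show ip arp" in the Cisco IOS text layouts, joins them by MAC, and lists the hosts that were seen on a port but got no IP, which is the symptom reported above when the gateway lives on an L3 device that is not managed. The sample output is made up here (only 10.30.5.2, the switch address from the thread, is reused); the regular expressions assume the column layout shown in the strings and nothing else.

```python
"""L2-poll style MAC table / ARP table join (added example, constructed data).

Hosts present in the MAC table but absent from the ARP table are the ones
whose gateway is on a device FNAC is not reading the ARP table of.
"""
import re

# Constructed "show mac address-table" output from the access switch.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4455    DYNAMIC     Gi1/0/3
  20    0011.2233.4466    DYNAMIC     Gi1/0/4
  30    aabb.ccdd.eeff    DYNAMIC     Gi1/0/7
   1    0c0c.0c0c.0c0c    STATIC      CPU
Total Mac Addresses for this criterion: 4
"""

# Constructed "show ip arp" output from the same switch: it only holds an ARP
# entry for the VLAN where it is the gateway (VLAN 20) and for its own SVI.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.30.5.2               -   0c0c.0c0c.0c0c  ARPA   Vlan1
Internet  10.30.20.15            12   0011.2233.4455  ARPA   Vlan20
"""

CISCO_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
MAC_RE = re.compile(r"^\s*(\d+)\s+(" + CISCO_MAC + r")\s+(\S+)\s+(\S+)\s*$", re.I)
ARP_RE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(" + CISCO_MAC + r")\s+\S+\s+(\S+)\s*$",
    re.I,
)


def parse_mac_table(text):
    """Return [{vlan, mac, port}] for dynamically learned entries only;
    STATIC/CPU rows are the switch itself, not endpoints."""
    entries = []
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m and m.group(3).upper() == "DYNAMIC":
            entries.append({"vlan": int(m.group(1)),
                            "mac": m.group(2).lower(),
                            "port": m.group(4)})
    return entries


def parse_arp_table(text):
    """Return {mac: ip} from 'show ip arp' output."""
    arp = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            arp[m.group(3).lower()] = m.group(1)
    return arp


def learn_hosts(mac_text, arp_text):
    """Join MAC-table entries with ARP entries; ip is None when the ARP table
    of this device does not know the MAC."""
    arp = parse_arp_table(arp_text)
    return [{**e, "ip": arp.get(e["mac"])} for e in parse_mac_table(mac_text)]


def hosts_without_ip(hosts):
    """Hosts seen on a port whose gateway device is evidently not being read."""
    return [h for h in hosts if h["ip"] is None]


if __name__ == "__main__":
    hosts = learn_hosts(MAC_TABLE, ARP_TABLE)
    for h in hosts:
        print(f"vlan {h['vlan']:>3} {h['port']:<8} {h['mac']}  ip={h['ip'] or '?'}")
    print("no IP learned:", [h["mac"] for h in hosts_without_ip(hosts)])
```

In the sample, the VLAN 30 host and the second VLAN 20 host come back without an IP even though both are on ports of the managed switch, which is exactly the situation where the ARP table of the upstream L3 device has to be read as well.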
AEK
SuperUser

Can you share the SNMPv3-related config of the switch used for FNAC? (You can hide IP addresses and passwords.)

Can you also try with SNMPv2 and see if it works? (Just for testing purposes.)

AEK
SamK0
New Contributor II

Hi AEK,
below is the SNMP config:

(attached screenshot: CaptureAAAA.PNG)

NB: the ports are in vlans other than the default vlan.
On the ports I've enabled: "snmp trap mac-notification added" and "snmp trap mac-notification removed".
