SNMP don't response traffic

HungDT · ‎06-03-2024

Hi Everyone,

I have the problem with configure SNMP. I use a pair fortigates model: 201F, version 7.2.7. I config HA mode Active-Passive. So I want to monitor 2 fortigates, I have enable snmp agent and config community snmp v2, config interface administrator access service: snmp, ping, https. Test ping from NMS to Fortigate is successful but when NMS send SNMP get but not receive response packet from Fortigate. Can you help me ? Thanks a lot.

local traffic

srajeswaran · ‎06-05-2024

The debug shows the route lookup is happening on vsys_hamgmt vdom, which is default vdom when ha-mgmt is enabled. The interface port5 will be part of root (default vdom) and thats why the SNMP packet is getting dropped. Can you enable "set ha-direct enable" under SNMP community as below and test?

# show system snmp community
config system snmp community
edit 1
set name "hostmonitor"
config hosts
edit 1
set ip 10.5.0.36 255.255.255.255
set ha-direct enable ------>>>>Here
next
end
next
end

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

View solution in original post

HungDT · ‎06-04-2024

No, I don't use HA dedicated management port to query

funkylicious · ‎06-04-2024

ok, can you try and do a manual snmp query from the server and see if you get any values returned ?

snmpwalk -v2c -c COMMUNITY IP 1.3.6.1.4.1.12356.101 or 1.3.6.1.4.1.12356.1.1

---------------------------
geek
---------------------------

HungDT · ‎06-04-2024

HI @funkylicious ,

I can't query from NMS server to Fortigate.

funkylicious · ‎06-04-2024

Ok, just use another host from which you can do a query and add it in the SNMP configuration on the FGT.

If it works then it's a NMS issue, imo.

---------------------------
geek
---------------------------

HungDT · ‎06-05-2024

HI @funkylicious ,

It still doesn't work. Do you have any ideas ?

srajeswaran · ‎06-04-2024

do you have VDOMs? Is the interface part of management vdom as suggested in https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SNMP-is-not-established-after-comple... ?

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

HungDT · ‎06-04-2024

HI @srajeswaran ,

I don't enable Virtual Domains. If you know where the problem is, let me know. Thanks a lot.

hbac · ‎06-04-2024

Hi @HungDT,

You can also run debug flow to see if it is being dropped:

di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter port 161
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 9999
diagnose debug enable

Regards,

HungDT · ‎06-04-2024

Thanks @hbac,

But I still don't know the problem occurs.

AEK · ‎06-05-2024

Hi Hung

If you can run the commands shared by hbac on your FortiGate's CLI then we can see what your FortiGate is doing with NMC's SNMP queries.

AEK