HungDT
New Contributor III

SNMP doesn't respond to traffic

Hi Everyone,

I have a problem configuring SNMP. I use a pair of FortiGates, model 201F, version 7.2.7, configured in HA Active-Passive mode. I want to monitor both FortiGates, so I have enabled the SNMP agent, configured an SNMP v2 community, and configured the interface administrative access services: snmp, ping, https. A ping test from the NMS to the FortiGate is successful, but when the NMS sends an SNMP get, it does not receive a response packet from the FortiGate. Can you help me? Thanks a lot.

HungDT
New Contributor III

Hi @AEK @hbac,

10.200.0.36 is the NMS server, which queries port 5 on the FortiGate. I hope you can help me solve this problem. Thanks a lot.

snmp.jpg

srajeswaran

The debug shows the route lookup is happening on the vsys_hamgmt vdom, which is the default vdom when ha-mgmt is enabled. The interface port5 will be part of root (default vdom), and that's why the SNMP packet is getting dropped. Can you enable "set ha-direct enable" under the SNMP community as below and test?

# show system snmp community
config system snmp community
    edit 1
        set name "hostmonitor"
        config hosts
            edit 1
                set ip 10.5.0.36 255.255.255.255
                set ha-direct enable    ------>>>> Here
            next
        end
    next
end

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
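
As an added illustration (not part of the original thread, and not Fortinet code), the following Python script parses `show system snmp community` output and lists the host entries that lack `set ha-direct enable`, the setting changed in the answer above. The function name and the second host (192.0.2.10) are constructed for the example, and it assumes that an absent `ha-direct` line means the option is disabled.

```python
# Added example: audit FortiOS SNMP community hosts for a missing ha-direct.
import shlex

# Constructed sample: host 1 matches the thread's config, host 2 is made up.
SAMPLE = '''
config system snmp community
    edit 1
        set name "hostmonitor"
        config hosts
            edit 1
                set ip 10.5.0.36 255.255.255.255
                set ha-direct enable
            next
            edit 2
                set ip 192.0.2.10 255.255.255.255
            next
        end
    next
end
'''

def hosts_without_ha_direct(config_text):
    """Return (community, host_id, ip) for hosts where ha-direct is not enabled."""
    findings, community, host, in_hosts = [], None, None, False
    for line in config_text.splitlines():
        # comments=True drops '#' prompt lines; quoted names are unquoted
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[:2] == ["config", "hosts"]:
            in_hosts = True
        elif tok[0] == "edit" and in_hosts:
            # Assumption: no ha-direct line means it is disabled
            host = {"id": tok[1], "ip": None, "ha_direct": False}
        elif tok[0] == "edit":
            community = {"name": tok[1]}  # entry id until 'set name' is seen
        elif tok[0] == "set" and host is not None:
            if tok[1] == "ip":
                host["ip"] = tok[2]
            elif tok[1] == "ha-direct":
                host["ha_direct"] = tok[2] == "enable"
        elif tok[0] == "set" and community is not None and tok[1] == "name":
            community["name"] = tok[2]
        elif tok[0] == "next" and host is not None:
            if not host["ha_direct"]:
                findings.append((community["name"], host["id"], host["ip"]))
            host = None
        elif tok[0] == "end" and in_hosts:
            in_hosts = False
    return findings
```

Run it against saved CLI output from each cluster member; an empty list means every SNMP host entry already has `ha-direct` enabled.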
HungDT
New Contributor III

Thank you so much,

My problem has been solved. Port 5 is configured as a Management Interface Reservation, so that blocks traffic from the FortiGate to the NMS, is that right? Why don't I see a block log in forward traffic and local traffic?

srajeswaran

We may have to check from the vsys_hamgmt vdom, as mentioned in the article below.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface-s-hidden-...

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
AEK
SuperUser

Hi Hung

As a test, can you enable SNMP on port5 and send the SNMP query to port5's IP address?

AEK
HungDT
New Contributor III

Hi @AEK,

I have enabled SNMP on port5 and sent the SNMP query to port5's IP address, as in the previous picture. Do you detect anything unusual in the log?

funkylicious
SuperUser

Something is very strange in your config, because in the debug I can see vsys_hamgmt being specified, which typically refers to an HA cluster interface.

Can you show the output of the command show system ha?

---------------------------
geek
---------------------------
mahesh_pm
New Contributor III

Hi,

Please check the SNMP index on all the interfaces.

config system interface

show

Cheers,