Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ESIT
New Contributor II

SNMP "no response" from gateway on the other side of IPSEC tunnel - What's the secret?

Hi All,

 

I have a central 100F and a small number of 60E's in regional offices. 60E's connect back to the 100F via IPSEC tunnels. I'm trying to monitor the 60E's via SNMP.

 

Key points:

IPSEC setup using default static FG-FG tunnel template.

VDOM is not being used at either end.

Specific rules have been setup for testing allowing essentially ANY/ANY for SNMP and ICMP to and from both ends.

SNMP is enabled on the interface at the remote site.

Tunnels have performed well for 2+ years and I can fire anything I need across it. (ie, DNS and Routing seem fine).

Community has been set, along with ACL (which has also been removed and tested).

I have extensive SNMP checks all over my networks which are working fine (ie, this isn't my first rodeo).

 

Result:

I can ping the remote interface gateway.

SNMPGET and WALK returns "no response" (commands tested locally work fine).

 

I can SNMPGET a bunch of other devices on that remote subnet and it works. When directing SNMP to the remote gateway, I can see the packets leave the 100F and arrive on the 60E but they just seem to stop. The behaviour is the same on all of my remote 60E's so I feel like I'm missing a FG specific switch somewhere.

 

Any help appreciated.

 

 

1 Solution
ESIT
New Contributor II

Sorry I didn't explain that very well in frustration.

 

System --> Administrators --> Give any user the IP of the SNMP Host

 

From what I read elsewhere, if you have used ACL's at the admin account level they will be checked first, then the SNMP host. I have confirmed this is the behaviour I am experiencing.

View solution in original post

6 REPLIES 6
adambomb1219
SuperUser
SuperUser

I was first thinking this:  https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/848980/local-out-traffic

 

But I don't think there is SNMP impact for this.

ESIT
New Contributor II

It's not local-out traffic. It's a monitoring server on a subnet behind the 100F. I should have mentioned that in the OP

adambomb1219
SuperUser
SuperUser

Is the SNMP Agent enabled on the FortiGate?  System->SNMP

ESIT
New Contributor II

Well that was a frustrating waste of a day. Not only does the host need to be added to the SNMP settings, but also a local user. 

 

Excuse my frustration but, WTAF? I don't see that anywhere in the documentation under SNMP configuration or any logical connection between the two.

Markus_M

Hi Esit,

 

what exactly do you mean by local user?

You do need to enable the agent, allow the querying IPs and add either community (v1) or user credentials (v3).

 

Best regards,

 

Markus

ESIT
New Contributor II

Sorry I didn't explain that very well in frustration.

 

System --> Administrators --> Give any user the IP of the SNMP Host

 

From what I read elsewhere, if you have used ACL's at the admin account level they will be checked first, then the SNMP host. I have confirmed this is the behaviour I am experiencing.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors