Forum Discussion
SNMP
I am running 11.4.0 HF Engineering Hotfix HF4 on my LTMs and GTMs. We have two data centers, and a total of 8 devices (2 each). I have set up SNMP with the following info:
Client Allow List: 127. 192.3.22.13 192.2.22.13

SNMP Access (V1, V2C):
IPv4 T/A66Here Read Only
IPv4 Ov3r_S!ght Read Only (not all devices will take this, and it doesn't tell me why they won't)
IPv4 !R!ghthere Read/Write

SNMP Traps:
T/A66Here 192.3.22.13
Ov3r_S!ght 192.3.22.13
!R!ghthere 192.3.22.13
T/A66Here 192.2.22.13
Ov3r_S!ght 192.2.22.13
!R!ghthere 192.2.22.13

All of the devices are in the same access rules in the firewalls. Our SNMP server can only discover one of the devices. They all have these same settings, besides the Ov3r_S!ght, where some of the devices will take it, and some will not.
When looking at a tcpdump while they are trying to discover the device, the device is responding with "udp port snmp unreachable". Remember, they are all on the same access rules. If someone has an answer to this, I would appreciate it.
12 Replies
- Cory_50405
Noctilucent
You should probably edit this post and sanitize out the community strings and real IP addresses ASAP.
- Cory_50405
Noctilucent
Are you attempting to reach these devices via SNMP on their management interface, or on a production (TMM) interface?
- Chris_123510
Nimbostratus
Cory, this post is sanitized, but I made sure to use the same characters so that I could get the answer to why some devices are not accepting that string. We are going to the TMM interface.
- Cory_50405
Noctilucent
Okay, just making sure.
So the self IP address on the BIG-IP that you are directing the SNMP queries to, what is the port lockdown setting configured to on the non-working BIG-IP devices? Is it the same as the device that's working?
- Chris_123510
Nimbostratus
Cory, thank you! It never hit me to go back into the self-IP ports. Do you have any idea why it won't take the community string on some devices and not others?
- Cory_50405
Noctilucent
Did you find any differences in the port lockdown settings on the self IPs? And is your SNMP agent client allow list properly populated with the SNMP polling IP addresses/ranges?
You can also try running a tcpdump and capturing on the target self IP on the BIG-IP that should be receiving the SNMP communications.
- Chris_123510
Nimbostratus
Cory, yes there were differences, and I changed those and now they can discover the devices. However, it still doesn't make sense that some of the devices will not take that one community string, while other devices will.
- Cory_50405
Noctilucent
I don't think the issue is with the community string. Port lockdown was likely not permitting SNMP traffic to the interface at all.
http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13250.html
- Chris_123510
Nimbostratus
Yes, agree that the port lockdown was the issue of not being able to discover the devices. However, some of the devices will not take the community string at all, and I need it to be in there. Other than that, everything is working like it is supposed to work.
- Cory_50405
Noctilucent
Are the devices giving an error about the format of the community string?
I just put in your community string Ov3r_S!ght into a v11.2.0, a v11.3.0, and a v11.4.1 device and they all took it without issue.
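
Added example, not part of the original thread: a small Python triage over tcpdump text output that separates the symptom discussed above (the device answering with "udp port snmp unreachable", which here traced back to self IP port lockdown) from targets that stay silent. The capture lines and addresses are constructed (RFC 5737 documentation ranges), and the hint attached to silent targets (client allow list or community string) is an assumption about typical SNMP agent behaviour, not something the thread confirms.

```python
import re
from collections import defaultdict

# Constructed tcpdump text output; addresses are RFC 5737 documentation ranges.
SAMPLE = """\
10:15:01.000100 IP 198.51.100.10.40001 > 203.0.113.5.snmp:  C="example" GetRequest(28)  .1.3.6.1.2.1.1.1.0
10:15:01.000300 IP 203.0.113.5 > 198.51.100.10: ICMP 203.0.113.5 udp port snmp unreachable, length 64
10:15:02.000100 IP 198.51.100.10.40002 > 203.0.113.6.snmp:  C="example" GetRequest(28)  .1.3.6.1.2.1.1.1.0
10:15:03.000100 IP 198.51.100.10.40002 > 203.0.113.6.snmp:  C="example" GetRequest(28)  .1.3.6.1.2.1.1.1.0
10:15:04.000100 IP 198.51.100.10.40003 > 203.0.113.7.161:  C="example" GetRequest(28)  .1.3.6.1.2.1.1.1.0
10:15:04.000900 IP 203.0.113.7.161 > 198.51.100.10.40003:  C="example" GetResponse(40)  .1.3.6.1.2.1.1.1.0="x"
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
PORT = r"(?:snmp|161)"  # tcpdump prints the name unless run with -n
REQUEST = re.compile(rf"IP {IP}\.\d+ > {IP}\.{PORT}:")
REPLY = re.compile(rf"IP {IP}\.{PORT} > ")
UNREACH = re.compile(rf"ICMP {IP} udp port {PORT} unreachable")


def classify(capture: str) -> dict:
    """Return one verdict per polled device IP seen in the capture."""
    seen = defaultdict(lambda: {"requests": 0, "replies": 0, "unreachable": 0})
    for line in capture.splitlines():
        if m := UNREACH.search(line):
            seen[m.group(1)]["unreachable"] += 1
        elif m := REQUEST.search(line):
            seen[m.group(2)]["requests"] += 1
        elif m := REPLY.search(line):
            seen[m.group(1)]["replies"] += 1
    verdicts = {}
    for target, s in seen.items():
        if s["replies"]:
            verdicts[target] = "answering"
        elif s["unreachable"]:
            # The symptom from the thread: fixed there by changing port lockdown.
            verdicts[target] = "port-unreachable: check self IP port lockdown"
        else:
            # Assumption: an agent that drops the query sends nothing back.
            verdicts[target] = "silent: check client allow list and community string"
    return verdicts


if __name__ == "__main__":
    for target, verdict in classify(SAMPLE).items():
        print(f"{target}: {verdict}")
```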
