Forum Discussion

wilcdr
Oct 18, 2016
Solved

Making SNMP queries in iRules

From other questions people have asked, it looks like there is no built-in command for SNMP queries that you can make from iRules. Is that still true (running LTM 11.6)?

If that is not possible, is there a way to integrate an external TCL library like http://wiki.tcl.tk/12713 and invoke the function from an iRule?

Thanks!

  • Running a periodic iCall Job in the Config-Plane to query SNMP and write results to a DG would be a much easier and more elegant alternative. No? Dealing with ASN1-BER in iRules isn't much fun... 🙂

    Cheers, Kai

    LiefZimmerman : Good to see that the ordering in DevCentral has finally been changed, so that we can see if something gets added to rather old questions. Thanks!

10 Replies

  • I haven't seen an example of an iRule with the ability to make SNMP queries, but if you can provide a specific use case, i.e., an example of what you are trying to measure, someone might be able to help you out.

  • You cannot use an external Tcl package in iRules. You can manually construct SNMP requests and responses using binary format and binary scan, or you can use iRulesLX and perform the query using node.js. However, as @Odaah very sensibly suggests, your intended use-case may suggest that something other than an iRule is appropriate (if, for example, you wanted to use SNMP to determine the monitor state for a pool member or node).

  • wilcdr

    The use case for us is that we would like to query some SNMP values from a device (not a server within the pool but some other device) when a request is incoming to a VIP and use an iRule to then do custom routing and logic based on the response from the SNMP queries.

    I have never looked into iRulesLX but will do that or will just use the binary format and scan stuff.

    Built-in support for SNMP queries in iRules would be nice though. :)

    Thanks!

  • To be clear, the binary scan and binary format commands would be used in conjunction with sideband connections, as @Odaah suggests. The construction of this is not trivial, however, and as such, you may wish to consider engaging F5 Professional Services to assist. The best way to do that is to contact your local F5 sales team.

  • wilcdr

    Related question then. I think I got the packets formatted correctly and have connected a sideband connection using the 'connect' function, and then sent using the 'send' function. The returned number of bytes sent is 40 bytes. But then when I do the recv I don't get anything back.

    My code looks like this:

       set conn_id [connect -protocol UDP -timeout 100 -status conn_status 192.168.0.1:161]
       set send_bytes [send -timeout 1000 -status send_status $conn_id $snmp_packet]
       set recv_bytes [recv -timeout 10000 -status recv_status $conn_id recv_packet]

    conn_status comes back as "connected"

    send_status comes back as "sent"

    send_bytes comes back as 40

    recv_status comes back as "received" or "closed" depending on how long I make the timeout

    recv_bytes comes back as 0

    I expect that even if my snmp_packet is not formatted correctly, it should still give me something back rather than 0 bytes.

    Any idea what I'm doing wrong? There isn't any example or doc I can see for receiving UDP traffic from a sideband connection, so maybe there is something special I need to do for UDP connections? It feels like the connection is there, the request sent, but the response is coming back over a different port or something like that and the 'recv' command is not able to pick it up.

  • Actually, with SNMP, unless everything is correct (including the community for v1/v2c or the auth credentials for v3), then the remote end usually does not respond. A good way to test is to use tcpdump on the BIG-IP and open the capture in Wireshark. Usually, the dissector will catch errors. This will also tell you if the remote end is sending anything back.

    Incidentally, when using a sideband connection, it is always best to go through a Virtual Server, rather than sending traffic directly. Virtual Servers provide much better control. Simply create an internal VS with a pool containing your target, and set the protocol to UDP.

  • wilcdr

    For those wondering, I got this working. It took a bit of work, but I can query for one or more SNMP OIDs in my iRule now and get the correct responses back. It is as Vernon was saying: I get nothing back unless the SNMP packet is exactly correct.

    In doing this, I found out that the ASN1::encode and ASN1::decode iRule functions don't work to expectation at all. I was using them thinking they would do the right thing but then found out they don't encode/decode properly, so I ended up doing the raw encoding/decoding myself. For example, you would think the below would give you a sequence with two integers inside:

    ASN1::encode "(ii)" $firstInteger $secondInteger
    

    but it doesn't. It doesn't put the correct sequence header and length into the encoded bytes. I had trouble with encoding/decoding other things with it too, and there is no way to encode an OID which is needed for SNMP.

    Thanks!

    • JRahm

      Would be curious to see your final result, wilcdr; working on a similar problem.
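
The thread describes building the SNMP request by hand, including the SEQUENCE header and the OID that ASN1::encode could not produce. The following is an added example, not wilcdr's code (which was not posted): plain Tcl 8.4-style procs, written for a standalone tclsh rather than tested on BIG-IP, that BER-encode an SNMPv2c GetRequest. The proc names are hypothetical, and the community "public", the OID 1.3.6.1.2.1.1.1.0 and request-id 1 are constructed sample values.

```tcl
# Added example: BER-encode an SNMPv2c GetRequest (hypothetical proc names, sample values).
# One TLV: tag byte, definite length (up to 65535), then the value bytes.
proc ber_tlv {tag value} {
    set len [string length $value]
    if {$len < 128} {
        set hdr [binary format c $len]
    } elseif {$len < 256} {
        set hdr [binary format cc 0x81 $len]
    } else {
        set hdr [binary format cS 0x82 $len]
    }
    return [binary format c $tag]$hdr$value
}

# Non-negative INTEGER, minimal length; a leading 0x00 keeps the sign bit clear.
proc ber_int {n} {
    set out [binary format c [expr {$n & 0xff}]]
    while {$n > 127} {
        set n [expr {$n >> 8}]
        set out [binary format c [expr {$n & 0xff}]]$out
    }
    return [ber_tlv 0x02 $out]
}

# OBJECT IDENTIFIER: arcs 1 and 2 packed as 40*a+b, the rest base-128 (high bit = more bytes).
proc ber_oid {dotted} {
    set arcs [split [string trimleft $dotted .] .]
    set subs [concat [expr {40 * [lindex $arcs 0] + [lindex $arcs 1]}] [lrange $arcs 2 end]]
    set out ""
    foreach sub $subs {
        set enc [binary format c [expr {$sub & 0x7f}]]
        while {$sub > 127} {
            set sub [expr {$sub >> 7}]
            set enc [binary format c [expr {($sub & 0x7f) | 0x80}]]$enc
        }
        append out $enc
    }
    return [ber_tlv 0x06 $out]
}

# Message = SEQUENCE { version 1 (v2c), community, GetRequest PDU (tag 0xA0) }.
proc snmp_get_request {community oid request_id} {
    set varbind [ber_tlv 0x30 [ber_oid $oid][ber_tlv 0x05 ""]]
    set pdu [ber_tlv 0xa0 [ber_int $request_id][ber_int 0][ber_int 0][ber_tlv 0x30 $varbind]]
    return [ber_tlv 0x30 [ber_int 1][ber_tlv 0x04 $community]$pdu]
}

set pkt [snmp_get_request "public" 1.3.6.1.2.1.1.1.0 1]
binary scan $pkt H* hex; puts "[string length $pkt] bytes: $hex"
```

The printed hex can be compared byte for byte with a capture of a known-good query in Wireshark. When decoding the reply, check that its request-id matches the one sent before using any returned value in a routing decision.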