FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala (Staff)
Article Id 198137

Description


This article describes basic steps to troubleshoot SNMP Communication Issues.

Solution

 

Version 8.x:  Navigate to Network Devices -> Topology
Version 9.x:  Navigate to Network -> Inventory
 

1)  Confirm the community string is correct.  Select the Validate Credentials button under the Credentials tab for the device model in Topology.

2)  Confirm the SNMP credentials used have read-write permissions. Read-only permissions will still pass credential validation, but NAC will be unable to change the device configuration with them.
 
SNMP v1 - community string
 
SNMP v3 - 
    SNMP Protocol (SNMPv3-AuthPriv or SNMPv3-AuthNoPriv)
    User Name
    Authentication Protocol (MD5 or SHA1)
    Authentication Password
    Privacy Protocol (DES or AES-128. Used only for AuthPriv)
    Privacy Password (Used only for AuthPriv)
 

3)  Determine the nature of the failure by looking for SNMP errors using one or both of the following methods:

snmpwalk: 
Perform an snmpwalk of the System OID from the NAC CLI (or from any other host with the SNMP tools installed).   Linux syntax to use in the NAC CLI:
 
v1
snmpwalk -v 1 -c <Read/Write Community string> <ip address> system
 
v3
snmpwalk -v3 -u <username> -l <AuthPriv or authNoPriv> -a <MD5 or SHA> -A <password> -x <DES or AES> -X <password> <ip_address> system
 

If the following response is returned, NAC does not have all the required permissions:
SNMPv2-SMI::mib-x.x.x.x.x.x.= No more variables left in this MIB View (It is past the end of the MIB tree)


Administration UI: 
Check for 'SNMP Failure' and 'SNMP Read Error' events and review the details for the cause of the failure. To view events, either right-click the device in Topology/Inventory and select Show Events, or navigate to:
Version 8.x: Logs -> Events
Version 9.x: Logs -> Events & Alarms
 
v3 Errors
  • An SNMP Failure event generated when the Engine ID does not match NAC's cache contains the message 'Received engine Id <id string> is not correct'.
  • An SNMP Failure event generated when the device is not responding to SNMP contains the message '<ip address> Timed out'. Refer to the related KB article below.
  • An SNMP Failure event containing 'Error reading Snmp object' can occur when the account used by FortiNAC does not have all the required SNMP server group permissions.   For tips on configuring and validating Cisco SNMP v3, refer to the related KB article below. 
  • The SNMP test fails with the error "Error: passphrase chosen is below the length requirements of the USM (min=8).". This can happen when a passphrase used for SNMPv3 contains a '$' sign. To test SNMP communication, enclose both passwords in single quotes ('). If the error persists, the network device being added most likely cannot verify a password containing certain special characters. Our suggestion is to avoid such characters, at least @, $, ( and the single quote (').
  Example of executing the command:
username - fnactest
passphrases - String$78
device ip - 192.168.1.1
snmpwalk -v3 -u fnactest -l AuthPriv -a SHA -A 'String$78' -x DES -X 'String$78' 192.168.1.1 1.3.6.1.4.1.12356.101.4.1
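The following script is an added example, not part of the Fortinet article or FortiNAC itself. It does two things a practitioner running step 3 would want at hand: it maps snmpwalk output and SNMP Failure event text to the causes listed above, and it shows why an unquoted '$' in an SNMPv3 passphrase triggers the USM length error: on an unquoted command line the shell reads `$78` as positional parameter `$7` (unset) followed by "8", so `String$78` reaches snmpwalk as `String8`, seven characters, below the minimum of 8. The sample passphrase and output lines are constructed; snmpwalk itself is not called.

```shell
#!/bin/sh
# Added example (not Fortinet's code): triage snmpwalk output and demonstrate
# the shell-expansion cause of the USM passphrase length error.

# Map one line of snmpwalk output or an SNMP Failure event message to a likely cause.
classify_snmp_error() {
    case "$1" in
        *"No more variables left in this MIB View"*)
            echo "permissions: walk reached end of MIB view, check read-write credentials and SNMP group views" ;;
        *"Timed out"*)
            echo "timeout: device is not answering SNMP" ;;
        *"Received engine Id"*"is not correct"*)
            echo "engine-id: cached Engine ID differs from the device, refresh the device in Inventory" ;;
        *"Error reading Snmp object"*)
            echo "permissions: SNMPv3 account lacks the required server group permissions" ;;
        *"below the length requirements of the USM"*)
            echo "passphrase: shell may have expanded special characters, single-quote the passphrase" ;;
        *)
            echo "unknown" ;;
    esac
}

# Re-parse a passphrase exactly as the shell would if it were typed UNQUOTED after
# -A or -X: eval expands "$78" to positional parameter $7 (unset here) plus "8".
expanded_unquoted() {
    eval "printf '%s' \"$1\""
}

# USM requires authentication and privacy passphrases of at least 8 characters.
usm_passphrase_ok() {
    [ "${#1}" -ge 8 ]
}

# Constructed sample values (the same passphrase as in the example above).
PASS='String$78'
if usm_passphrase_ok "$(expanded_unquoted "$PASS")"; then
    echo "unquoted: '$(expanded_unquoted "$PASS")' accepted"
else
    echo "unquoted: '$(expanded_unquoted "$PASS")' is too short for USM (this is the min=8 error)"
fi
usm_passphrase_ok "$PASS" && echo "quoted:   '$PASS' accepted"

# Constructed sample snmpwalk output and event messages.
SAMPLE_OUTPUT='SNMPv2-SMI::mib-2.1.1.0 = No more variables left in this MIB View (It is past the end of the MIB tree)'
classify_snmp_error "$SAMPLE_OUTPUT"
classify_snmp_error '192.168.1.1 Timed out'
classify_snmp_error 'Error: passphrase chosen is below the length requirements of the USM (min=8).'
```

Run it from the NAC CLI as `sh triage.sh`; to check real output, pipe the snmpwalk result through a loop that calls `classify_snmp_error` on each line.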
 
Important:  Switches using SNMP v3 must have unique Engine IDs (msgAuthoritativeEngineID). In SNMP v3 the Engine ID is used to identify the device.  If multiple switches share the same Engine ID, sporadic and unpredictable results may occur.
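As an added example (not Fortinet's code), the script below checks an inventory of switches for shared Engine IDs before they are added to Topology/Inventory. The inventory lines are constructed; in practice each line would be the IP of a switch paired with the value returned by querying the SNMP-FRAMEWORK-MIB object snmpEngineID.0 (OID 1.3.6.1.6.3.10.2.1.1.0) with snmpget or snmpwalk.

```shell
#!/bin/sh
# Added example (not Fortinet's code): flag switches that share an SNMPv3 Engine ID.
# Each input line is "<ip> <engine id hex>". The values below are constructed;
# two of the four switches deliberately report the same Engine ID.
ENGINE_IDS='192.0.2.11 80000009030000112233aabb
192.0.2.12 80000009030000112233aacc
192.0.2.13 80000009030000112233aabb
192.0.2.14 80000009030000112233aadd'

# Read "<ip> <engineid>" lines from stdin and print every Engine ID that appears
# more than once, followed by the comma-separated IPs that use it.
find_duplicate_engine_ids() {
    awk '{ ips[$2] = (ips[$2] == "" ? $1 : ips[$2] "," $1); count[$2]++ }
         END { for (id in count) if (count[id] > 1) print id, ips[id] }' | sort
}

# Return 0 when every Engine ID in the given inventory text is unique, 1 otherwise.
engine_ids_unique() {
    [ -z "$(printf '%s\n' "$1" | find_duplicate_engine_ids)" ]
}

if engine_ids_unique "$ENGINE_IDS"; then
    echo "all Engine IDs are unique"
else
    echo "duplicate Engine IDs found (fix before adding these switches):"
    printf '%s\n' "$ENGINE_IDS" | find_duplicate_engine_ids
fi
```

A duplicate usually means the switches were cloned from one configuration or image; the Engine ID must be made unique on the switch side, after which the device should be refreshed in Inventory so NAC's cache picks up the new value.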
 
Managing Cisco using SNMP v3:
Cisco wired switches (and potentially other switches using VLAN contexts) must define SNMPv3 context values for every VLAN created on the switch.  If this is not done, NAC may not be able to switch VLANs consistently.  For tips on configuring and validating Cisco SNMP v3, refer to the related KB article below.  
 
If the above steps do not resolve the behavior, there may be an issue with the SNMP stack.  Refer to the related KB article below.

 

Related KB Articles

Technical Note: Troubleshooting SNMP Timeout Errors

Technical Tip: Configure and validate Cisco SNMPv3

Technical Note: SNMPv3 Communication Fails for Certain Devices

Technical Note: Cannot discover device in Topology due to SNMP failure

Technical Note: SNMP OID access requirements for management of Juniper switches