FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 190311

Description


SNMP communication is failing between the network device and the appliance. The following symptoms are experienced:

  • When the Credential Validation button in the Model Configuration under the Credentials tab is clicked, a message displays stating SNMP communication failed. 
  • 'SNMP Failure' events are generated with message: 'SNMP failed for device <device name> with message <ip address> Timed out'.
  • snmpwalk results display: "snmpwalk: Timeout"

 

Scope
 
FortiNAC.


Solution

Before troubleshooting, first check that the SNMP agent is active on the target device. For example, on a FortiGate it should look like this:
[Screenshot: FGT_snmp_agent_enable.jpg]
 

SNMP timeouts typically occur when there is no response to an SNMP request.

1.  Verify the switch successfully responds to ICMP (PING) requests.
2.  Confirm the appliance is not receiving SNMP responses from the switch using tcpdump.

a. Open two windows for the Control Server CLI.
b. In the first window, start a tcpdump by running the following command (specifying the IP address of the switch):
tcpdump -nni eth0 host <ip address> and port 161

c. In the second window, run the snmpwalk.
 
SNMP v1: 
snmpwalk -v1 -c <R/W Community String> <ip address> system
 
SNMP v2: 
snmpwalk -v2c -c <R/W Community String> <ip address> system
 
SNMP v3: 
snmpwalk -v3 -u <username> -l <authpriv/authnopriv> -a <MD5/SHA> -A <password> -x <DES/AES> -X <password> <ipAddressOfDevice> system

 
Example:
snmpwalk -v1 -c public 192.168.1.2 system
d. Once the snmpwalk completes and the error message is returned, type CTRL-C to stop the tcpdump.


If the tcpdump does not show any packets returned from the switch, verify the SNMP traffic from the appliance is reaching the switch (either by a packet trace on the switch side or logging on the switch itself).

  • If the SNMP traffic is not reaching the switch, troubleshoot the network path.
  • If the SNMP traffic is reaching the switch, but the switch is not responding, troubleshoot the switch itself. Consult the switch vendor for assistance.
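
The following is an added example, not part of the original article or Fortinet code: a shell function that reads the saved text output of the tcpdump from step 2b and reports whether the device answered any of the SNMP requests. The function name, verdict labels, appliance address 192.168.1.10 and sample capture lines are constructed for illustration; it assumes IPv4 and tcpdump's default one-line output.

```shell
#!/bin/sh
# Added example, not Fortinet code. Reads the text output of
#   tcpdump -nni eth0 host <ip address> and port 161
# on stdin and reports which branch of the procedure applies.
# Assumes IPv4 and tcpdump's one-line "IP src.port > dst.port:" format.
# Note: SNMP v1/v2c captures contain the community string in clear text,
# so handle saved capture output as sensitive.

# Usage: snmp_capture_verdict <device-ip> < capture.txt
snmp_capture_verdict() {
    awk -v ip="$1" '
        BEGIN { agent = ip ".161" }
        $2 == "IP" {
            dst = $5; sub(/:$/, "", dst)
            if (dst == agent)      req++    # appliance to device: request
            else if ($3 == agent)  resp++   # device to appliance: reply
        }
        END {
            if (req + 0 == 0)       v = "NO_REQUESTS_SEEN"  # wrong interface or filter
            else if (resp + 0 == 0) v = "NO_RESPONSE"       # matches the timeout symptom
            else                    v = "RESPONDING"
            printf "%s requests=%d responses=%d\n", v, req, resp
        }'
}

# Constructed sample: requests leave the appliance, nothing comes back.
SAMPLE_TIMEOUT='12:00:01.000001 IP 192.168.1.10.45678 > 192.168.1.2.161:  C="public" GetNextRequest(25)  .1.3.6.1.2.1.1
12:00:02.001200 IP 192.168.1.10.45678 > 192.168.1.2.161:  C="public" GetNextRequest(25)  .1.3.6.1.2.1.1
12:00:03.002400 IP 192.168.1.10.45678 > 192.168.1.2.161:  C="public" GetNextRequest(25)  .1.3.6.1.2.1.1'

# Constructed sample: every request is answered by the device.
SAMPLE_OK='12:05:01.000001 IP 192.168.1.10.45679 > 192.168.1.2.161:  C="public" GetNextRequest(25)  .1.3.6.1.2.1.1
12:05:01.002000 IP 192.168.1.2.161 > 192.168.1.10.45679:  C="public" GetResponse(60)  .1.3.6.1.2.1.1.1.0="sample"
12:05:01.003000 IP 192.168.1.10.45679 > 192.168.1.2.161:  C="public" GetNextRequest(28)  .1.3.6.1.2.1.1.1.0
12:05:01.005000 IP 192.168.1.2.161 > 192.168.1.10.45679:  C="public" GetResponse(36)  .1.3.6.1.2.1.1.2.0=.1.3.6.1.4.1'

printf '%s\n' "$SAMPLE_TIMEOUT" | snmp_capture_verdict 192.168.1.2
printf '%s\n' "$SAMPLE_OK"      | snmp_capture_verdict 192.168.1.2
```

A NO_RESPONSE verdict corresponds to the case above where the tcpdump shows no packets returned from the switch, so the next check is whether the requests are reaching the switch.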