achandelkar (Staff)
Article Id 269023
Description: This article describes when to use the ha-direct option under the SNMP configuration.
Scope: FortiGate v6 and above.
Solution

This article looks at two scenarios:

1. Polling SNMP information through the HA dedicated management port.
2. Polling SNMP information through a non-dedicated management port.

Scenario 1: Polling SNMP information through the dedicated management port.

Setup: SNMP server (10.5.63.202) --------------------------------- port2 FortiGate (10.5.61.78)

Configuration:

Port2 configuration:

config system interface
    edit "port2"
        set ip 10.5.61.78 255.255.240.0
        set allowaccess ping https ssh snmp http telnet

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

HA configuration:

config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port2"
            set dst 0.0.0.0 0.0.0.0
            set gateway 10.5.63.254
            set gateway6 ::
        next

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

SNMP configuration:

config system snmp community
    edit 1
        set name "public"
            config hosts
                edit 2
                    set source-ip 0.0.0.0
                    set ip 10.5.63.202 255.255.255.255 <----- SNMP server.
                    set ha-direct disable
                    set host-type any
                next

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

An SNMP walk is initiated from the SNMP server.

The sniffer output collected on the FortiGate shows that the FortiGate is not responding to the SNMP requests coming from the SNMP server:

2023-08-16 13:50:58.482222 port2 in 10.5.63.202.60434 -> 10.5.61.78.161: udp 36 <----- FortiGate receives the SNMP packets but does not respond.

Solution:

Since the HA dedicated management interface is configured on port2 and the SNMP traffic arrives on port2, ha-direct must be enabled under the SNMP host settings:

FGT (community) # show full-configuration
config system snmp community
    edit 1
        set name "public"
        set status enable
            config hosts
                edit 2
                    set source-ip 0.0.0.0
                    set ip 10.5.63.202 255.255.255.255
                    set ha-direct enable <----- Enable ha-direct.
                    set host-type any
                next

Now the SNMP server successfully receives SNMP responses from the FortiGate's port2 interface:

FGT# diagnose sniffer packet any "port 161" 4 0
Using Original Sniffing Mode
interfaces=[any]
filters=[port 161]
2023-08-16 13:54:15.936267 port2 in 10.5.63.202.63734 -> 10.5.61.78.161: udp 36
2023-08-16 13:54:15.936981 port2 out 10.5.61.78.161 -> 10.5.63.202.63734: udp 43
2023-08-16 13:54:15.941182 port2 in 10.5.63.202.63734 -> 10.5.61.78.161: udp 43
2023-08-16 13:54:15.941336 port2 out 10.5.61.78.161 -> 10.5.63.202.63734: udp 55

 

Scenario 2: Polling SNMP information through a non-dedicated management port.

Setup: SNMP server (172.31.143.202) --------------------------------- port3 FortiGate (172.31.141.78) [port2 remains the HA dedicated management port]

Configuration:

HA configuration:

config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port2" <----- The dedicated management port is port2.
            set dst 0.0.0.0 0.0.0.0
            set gateway 10.5.63.254
            set gateway6 ::
        next

SNMP requests arrive on port3.

Port3 configuration:

config system interface
    edit "port3"
        set vdom "root"
        set ip 172.31.141.78 255.255.240.0
        set allowaccess ping https ssh snmp http telnet

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

SNMP configuration:

config system snmp community
    edit 1
        set name "public"
            config hosts
                edit 1
                    set ip 172.31.143.202 255.255.255.255
                    set ha-direct enable <----- Here ha-direct is enabled.
                next

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

An SNMP walk is initiated from the SNMP server.

The sniffer output collected on the FortiGate shows that the FortiGate is not responding to the SNMP requests coming from the SNMP server:

FGT# diagnose sniffer packet any "port 161" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[port 161]
2023-08-16 14:15:57.045331 port3 in 172.31.143.202.56199 -> 172.31.141.78.161: udp 36 <----- FortiGate receives the SNMP packets but does not respond.

Solution:

When the SNMP request arrives on a non-dedicated management port, as in this case, the FortiGate will not respond to the query if ha-direct is enabled, because the ingress interface is not the dedicated management port.

Hence, ha-direct must be disabled when SNMP requests arrive on a non-dedicated management interface:

FGT # config system snmp community

config system snmp community
    edit 1
        set name "public"
        set status enable
            config hosts
                edit 1
                    set source-ip 0.0.0.0
                    set ip 172.31.143.202 255.255.255.255
                    set ha-direct disable <----- Disable ha-direct.
                    set host-type any
                next
            end

An SNMP walk is initiated from the SNMP server.

Now the SNMP server successfully receives SNMP responses from the FortiGate's non-dedicated management port, in this case the port3 interface:

FGT # diagnose sniffer packet any "port 161" 4 0 a
Using Original Sniffing Mode
interfaces=[any]
filters=[port 161]
2023-08-16 12:25:00.366851 port3 in 172.31.143.202.65295 -> 172.31.141.78.161: udp 36
2023-08-16 12:25:00.367485 port3 out 172.31.141.78.161 -> 172.31.143.202.65295: udp 43
2023-08-16 12:25:00.373565 port3 in 172.31.143.202.65295 -> 172.31.141.78.161: udp 43
2023-08-16 12:25:00.373783 port3 out 172.31.141.78.161 -> 172.31.143.202.65295: udp 55
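As an added example (not part of the original article), the Python script below audits a FortiOS configuration against the rule illustrated by both scenarios: an SNMP host reached through the HA dedicated management port needs ha-direct enabled, and a host reached through any other interface needs it disabled. The sample configuration is constructed from the article's addresses; inferring the ingress interface from directly connected subnets and treating an unset ha-direct as disabled are assumptions of this example.

```python
"""Audit FortiGate SNMP hosts for the ha-direct rule in this article: a host reached
via the HA dedicated management port needs 'ha-direct enable', any other port needs
'ha-direct disable'. Ingress is inferred from directly connected subnets (assumption)."""
import ipaddress

# Constructed sample using the article's addresses; port2 is the HA management port.
SAMPLE_CONFIG = "\n".join([
    "config system interface", " edit port2", "  set ip 10.5.61.78 255.255.240.0", " next",
    " edit port3", "  set ip 172.31.141.78 255.255.240.0", " next", "end",
    "config system ha", " config ha-mgmt-interfaces", "  edit 1", "   set interface port2",
    "  next", " end", "end", "config system snmp community", " edit 1", "  config hosts",
    "   edit 1", "    set ip 10.5.63.202 255.255.255.255", "    set ha-direct disable", "   next",
    "   edit 2", "    set ip 172.31.143.202 255.255.255.255", "    set ha-direct enable", "   next",
    "  end", " next", "end",
])

def parse_fortios(text):
    """Minimal FortiOS CLI parser: config/edit open nested dicts, set stores its args."""
    root, stack = {}, []
    node = root
    for line in text.splitlines():
        words = [w.strip('"') for w in line.split()]
        if not words:
            continue
        if words[0] in ("config", "edit"):
            stack.append(node)
            node = node.setdefault(" ".join(words[1:]), {})
        elif words[0] == "set":
            node[words[1]] = words[2:]
        elif words[0] in ("next", "end"):
            node = stack.pop()
    return root

def audit_ha_direct(cfg):
    """Return (community, host, ingress_iface, configured, expected) per mismatch."""
    ha_mgmt = {e["interface"][0] for e in cfg["system ha"]["ha-mgmt-interfaces"].values()}
    nets = {name: ipaddress.ip_network("%s/%s" % tuple(e["ip"]), strict=False)
            for name, e in cfg["system interface"].items() if "ip" in e}
    findings = []
    for cid, comm in cfg["system snmp community"].items():
        for hid, host in comm.get("hosts", {}).items():
            addr = ipaddress.ip_address(host["ip"][0])
            ingress = next((n for n, net in nets.items() if addr in net), None)
            expected = "enable" if ingress in ha_mgmt else "disable"
            configured = host.get("ha-direct", ["disable"])[0]  # FortiOS default (assumed)
            if configured != expected:
                findings.append((cid, hid, ingress, configured, expected))
    return findings
```

Run against the sample, the audit reports both misconfigurations from the article (port2 host with ha-direct disabled, port3 host with ha-direct enabled) and returns an empty list once each host carries the corrected value.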

Note:

If the issue persists, confirm the following:

1. Are trusted hosts configured for the administrator login? If so, add the SNMP server to the trusted-host setting.
2. Is the SNMP server reachable from the FortiGate?

Collect the output below and share it with TAC for further assistance.

Terminal 1:

diag debug application snmpd -1
diag debug enable

Terminal 2:

diag sniffer packet any "port 161 or 162" 6 0 l

Related article: 

Technical Tip: FortiGate SNMP polling via the dedicated HA management port