From: Mihalow, J. <JMi...@rw...> - 2011-11-08 17:23:47

I have been having an issue discovering some of the Cisco devices that we have in our environment. It appears that snmp works when I test using snmpwalk or snmpget against the devices but Netdisco fails to discover the devices. There doesn't appear to be any pattern with a specific model device or specific IOS image version that is causing the issues. I have installed the latest net-snmp package and even installed the latest mibs from Cisco.

ftp://ftp-sj.cisco.com/pub/mibs/v1/v1.tar.gz
ftp://ftp-sj.cisco.com/pub/mibs/v2/v2.tar.gz

IP addresses have been sanitized and snmp community strings have been changed. I have verified via a packet capture that the configured snmp community string configured in Netdisco does match the devices.

netdisco@rancid: uname -a
Linux rancid 2.6.38 #1 SMP Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux

netdisco@rancid: netdisco -v
n e t d i s c o
--------------------------------------------------
Netdisco Version : 1.1
SNMP::Info Version : 2.06
Net-SNMP Version : 5.0701
Perl Version : 118.53.46.49.48.46.49

Here is the attempted discovery for our Cisco ASA Firewall
netdisco -D -d 1.1.1.1
n e t d i s c o
--------------------------------------------------
Using Config File : /usr/local/netdisco/netdisco.conf
Loading topology information from /etc/netdisco/netdisco-topology.txt
5 entries loaded
[10.125.60.3] Discover starting
get_device(1.1.1.1)
create_device(1.1.1.1,O,2,AutoSpecify,bw:default)
SNMP::Info::init() - Adding new mibdir:/usr/local/netdisco/mibs/aruba
SNMP::Info::init() - Adding new mibdir:/usr/local/netdisco/mibs/cisco
SNMP::Info::init() - Adding new mibdir:/usr/local/netdisco/mibs/rfc
SNMP::Info::init() - Adding new mibdir:/usr/local/netdisco/mibs/net-snmp
SNMP::Info::_global layers : sysServices.0
SNMP::Info::_global(layers) Timeout at /usr/bin/netdisco line 1359
SNMP::Info::_global description : sysDescr.0
SNMP::Info::_global(description) Timeout at /usr/bin/netdisco line 1359
SNMP::Info::specify() - Could not get info from device at /usr/bin/netdisco line 1359
[10.125.60.3] [Trying SNMP Version 1]
create_device(1.1.1.1,O,1)
SNMP::Info::_global layers : sysServices.0
SNMP::Info::_global(layers) Timeout at /usr/bin/netdisco line 1380
SNMP::Info::_global description : sysDescr.0
SNMP::Info::_global(description) Timeout at /usr/bin/netdisco line 1380
SNMP::Info::specify() - Could not get info from device at /usr/bin/netdisco line 1380
Can't connect to 1.1.1.1
! Device Not Supported or I can't connect to it via SNMP.

netdisco@rancid: snmpget -v 2c -c 000000 1.1.1.1 sysServices.0
SNMPv2-MIB::sysServices.0 = INTEGER: 4

netdisco@rancid:/packages/net-snmp$ snmpget -v 2c -c 000000 1.1.1.1 sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: Cisco Adaptive Security Appliance Version 8.4(2)

I get the same issue with a couple other Cisco switches in the environment. One is a stack of 3750G switches, another is a single 3750v2 switch, and another is a single 3750G switch. We have other stacks of 3750G switches as well as other stand-alone 3750 switches in the environment and Netdisco had no issue discovering them.

Any help would be much appreciated.

Jason Mihalow
Senior Network & Security Architect
Robert Wood Johnson University Hospital - Hamilton
jmi...@rw...<mailto:jmi...@rw...>

From: Thomas W. <tw...@wo...> - 2011-11-09 09:17:28

Hello,

from the debug output you can see that netdisco is trying snmp v1 to discover the device:

[10.125.60.3] [Trying SNMP Version 1]

try to set snmpver = 2 in netdisco.conf and retry the discovery...

hope it helps,
best regards,
Tom

From: Ingen S. J. v. (ICTS) <j.v...@ut...> - 2011-11-09 09:28:40

Hi Jason, Tom,

> from the debug output you can see that netdisco is trying snmp v1 to
> discover the device:
>
> > [10.125.60.3] [Trying SNMP Version 1]
>
> try to set snmpver = 2 in netdisco.conf and retry the discovery...

I don't think that's it, because Netdisco always falls back to trying v1 after SNMP v2 doesn't succeed. The debug entries show it tries with v2 first (the "2" or "1" in the create_device line).

> > [10.125.60.3] Discover starting
> > get_device(1.1.1.1)
> > create_device(1.1.1.1,O,2,AutoSpecify,bw:default)

^^ note the "2" before AutoSpecify

> > SNMP::Info::_global layers : sysServices.0
> > SNMP::Info::_global(layers) Timeout at /usr/bin/netdisco line 1359
> > SNMP::Info::specify() - Could not get info from device at
> > /usr/bin/netdisco line 1359
> > [10.125.60.3] [Trying SNMP Version 1]
> > create_device(1.1.1.1,O,1)

^^ and this is retrying the same community, but with SNMP v1.

> > SNMP::Info::_global layers : sysServices.0
> > SNMP::Info::_global(layers) Timeout at /usr/bin/netdisco line 1380
> > SNMP::Info::specify() - Could not get info from device at
> > /usr/bin/netdisco line 1380

which fails again...

Strange issue though... perhaps the timeout is relatively low? Jason, you said you captured the SNMP packets and the community was correct... I assume the OID is also correct? Netdisco says it times out, but do you see any response from the device you test (e.g. this ASA) in the capture?

Regards,

Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands

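Added example (not part of the original thread and not Netdisco code): a small Python parser that reads `netdisco -D` debug output the way Jeroen describes above, taking the SNMP version from the third field of each create_device line and attributing every Timeout line to that attempt. The debug lines are copied from the first message in this thread; the function names are hypothetical.

```python
import re

# Debug lines copied from the first message in this thread (already sanitized there).
SAMPLE = """\
create_device(1.1.1.1,O,2,AutoSpecify,bw:default)
SNMP::Info::_global layers : sysServices.0
SNMP::Info::_global(layers) Timeout at /usr/bin/netdisco line 1359
SNMP::Info::_global description : sysDescr.0
SNMP::Info::_global(description) Timeout at /usr/bin/netdisco line 1359
[10.125.60.3] [Trying SNMP Version 1]
create_device(1.1.1.1,O,1)
SNMP::Info::_global layers : sysServices.0
SNMP::Info::_global(layers) Timeout at /usr/bin/netdisco line 1380
SNMP::Info::_global description : sysDescr.0
SNMP::Info::_global(description) Timeout at /usr/bin/netdisco line 1380
"""

CREATE = re.compile(r"^create_device\(([^,]+),[^,]*,(\d+)")
REQUEST = re.compile(r"^SNMP::Info::_global (\w+) : (\S+)")
TIMEOUT = re.compile(r"^SNMP::Info::_global\((\w+)\) Timeout")


def parse_attempts(text):
    """Return one dict per create_device() call: device, SNMP version, timeouts."""
    attempts = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = CREATE.match(line)
        if m:
            attempts.append({"device": m.group(1), "version": int(m.group(2)),
                             "requested": {}, "timed_out": []})
        elif attempts and (m := REQUEST.match(line)):
            # Remember which OID each global maps to (layers -> sysServices.0).
            attempts[-1]["requested"][m.group(1)] = m.group(2)
        elif attempts and (m := TIMEOUT.match(line)):
            cur = attempts[-1]
            cur["timed_out"].append(cur["requested"].get(m.group(1), m.group(1)))
    return attempts


def summarize(attempts):
    """One line per attempt, in the order Netdisco tried them."""
    return [f"{a['device']} v{a['version']}: "
            + ("timeout on " + ", ".join(a["timed_out"])
               if a["timed_out"] else "no timeout logged")
            for a in attempts]


if __name__ == "__main__":
    print("\n".join(summarize(parse_attempts(SAMPLE))))
```

The debug output shown in this thread does not print the community string that was sent, so a per-version summary like this still needs a packet capture to confirm what actually went on the wire.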
From: Mihalow, J. <JMi...@rw...> - 2011-11-09 14:05:12

Hi Guys,

I did a packet capture during the attempted discovery from Netdisco and then during a request using snmpget for the same system.sysDescr.0 and system.sysServices.0 values that Netdisco first reaches out for during discovery and the OID values match in the packet captures. The community strings in both packet captures match as well. The only difference is that the ASA does not respond when Netdisco tries discovery. I also did the packet capture from the firewall and those packet captures match what I captured coming out of the Netdisco box.

I have made sure the ASA is configured to respond to the snmp queries from the Netdisco box. It complicates the picture even more that this same behavior shows itself on some of the 3750 switches. Some of the 3750s discovered without issues and some others act just like the ASA.

I'll keep digging and update if I get anywhere.

Thanks,

Jason Mihalow
jmi...@rw...

From: Mihalow, J. <JMi...@rw...> - 2011-11-09 14:54:57

Hi Guys,

I finally got this resolved. I started playing around with enabling snmp v3 on one of the devices that are giving me an issue and then changing the default snmp version in Netdisco to version 3. I then tried to discover a problem Cisco 3750 and it worked. I did a packet capture and it looks like it was first trying to use the snmp community of "public" (from the default netdisco.conf file) which fails, it then tries version 3 which doesn't appear to work either, but it finally tries version 2c which the device responds to.

It almost appears like a stale entry from the first time I tried to discover these systems in the database for the community string. Only by changing the snmp version did Netdisco try to over write this value. Very strange because the packet captures when it fails showed the correct community string.

After changing the default value in netdisco.conf to version 3, it is now discovering all the problem devices without issue and I did not enable snmp version 3 on these devices, only the first test device. The ASA even went through without issue.

Thanks,

Jason Mihalow
jmi...@rw...
609-631-6818