
SNMP to the VPN

I have two firewalls, one in the HO and another in the branch, and a PRTG server in the HO. I allow any-to-any for all networks, including the VPN.

vpn is using site to site ipsec and every thing is working fine.

I enabled the SNMP agent on the branch office VPN interface and it works fine: I can get SNMP traffic using a PRTG in the branch site. But when I try to get the same SNMP traffic using the PRTG in the HO site, I could not.

So how can I enable this? As I said, all services and networks, everything is allowed.



  • Hello,

     

    Any news on the subject for SFOS 16?

    It seems that the issue still persists. 

     

    Christos Zachos

  •  I think I'm running into this also.

    Two networks 172.16.10.0/24 and 172.16.20.0/24... connected by two Sophos XGs and an IPSec VPN. The SNMP NMS (Observium) is on 172.16.10.0/24 and I want to probe the remote Sophos via its LAN interface.

    I've enabled SNMP access on the VPN zone, the IPSec rules should (and do) cover the site to site traffic (ICMP & SSH work).

    Just can't get SNMP working.

    Running latest SW-SFOS_16.05.2_MR-2.SFW-160

    ih

  • Hi, I'm also monitoring my firewalls through VPN. I am using Zabbix and strongSwan to set up the VPN with Sophos; here is what I did:

    In sophos:

    1 - Enable SNMP at VPN zone:

    2 - Create a IPSEC profile for the VPN:

    3 - Configure the VPN itself:

    * At the red mark you will put the WAN interface IP that connects the VPN...

    * And at the blue mark put the IP of your management server (mine is in the cloud, so it has a valid IP)

     

    Now at StrongSwan:

    /etc/ipsec.secrets

    # <peer identity> : PSK "<shared secret>"  (keep the secret quoted)
    sophos.ip.xxx.xxx : PSK "password"

     

    /etc/ipsec.conf

    conn name_of_connection
        auto=start
        rekey=yes
        keyingtries=3
        aggressive=no
        compress=no

        # PHASE 1 (IKE SA)
        keyexchange=ikev1
        ike=3des-sha1-modp1024
        ikelifetime=1h
        margintime=120s
        rekeyfuzz=0%
        dpdaction=restart
        dpddelay=30s
        dpdtimeout=120s

        # PHASE 2 (CHILD SA; the DH group in esp= enables PFS)
        esp=3des-sha1-modp1024
        lifetime=1h

        # IPSEC CONNECTION (left = this strongSwan host, right = the Sophos)
        type=tunnel
        closeaction=restart
        authby=psk
        left=server.ip.xxx.xxx
        leftid=server.ip.xxx.xxx
        right=sophos.ip.xxx.xxx
        rightid=sophos.ip.xxx.xxx

     

    So with those I could connect the VPN and pass SNMP through it...

    Hope it helps.
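    Once the tunnel is up, the quickest way to tell "agent unreachable" apart from "tunnel up but SNMP not passing" is to send a single SNMPv2c GetRequest from the NMS side and wait for the matching GetResponse. The script below is an added example written for this thread; it is not code from the post above, from strongSwan or from Sophos. It uses only the Python standard library, builds the BER encoding of a GetRequest by hand, parses the GetResponse, and checks that the request-id and community in the reply match what was sent. The `build_get_response` function exists only to construct test input offline; the host, community string and OID are assumptions you replace with your own.

```python
"""Minimal SNMPv2c GetRequest/GetResponse codec plus a UDP probe (added example).

Assumes only the Python standard library. Run from the NMS side of the tunnel:
    python3 snmp_probe.py <remote-firewall-ip> [community]
"""
import socket
import struct

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, answered by every SNMP agent


def _tlv(tag, body):
    """BER tag/length/value; short-form length below 128, long-form above."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + body


def _int(value):
    """ASN.1 INTEGER for a non-negative value (request-id, error fields)."""
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def _oid(dotted):
    """ASN.1 OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return _tlv(0x06, bytes(body))


def _message(community, pdu_tag, request_id, varbinds):
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)  # version 1 == v2c


def build_get_request(community, oid, request_id=1):
    """SNMPv2c GetRequest (PDU tag 0xA0) for one OID with a NULL placeholder value."""
    return _message(community, 0xA0, request_id, _tlv(0x30, _oid(oid) + _tlv(0x05, b"")))


def build_get_response(community, request_id, oid, value, value_tag=0x04):
    """SNMPv2c GetResponse (PDU tag 0xA2); used here only to construct test input."""
    return _message(community, 0xA2, request_id, _tlv(0x30, _oid(oid) + _tlv(value_tag, value)))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_get_response(data, expected_community=None):
    """Return (request_id, error_status, [(oid, value_tag, value_bytes), ...])."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _, p = _read_tlv(msg, 0)                       # version
    _, community, p = _read_tlv(msg, p)
    if expected_community is not None and community != expected_community.encode():
        raise ValueError("community mismatch")
    tag, pdu, _ = _read_tlv(msg, p)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, q = _read_tlv(pdu, 0)
    _, err, q = _read_tlv(pdu, q)
    _, _, q = _read_tlv(pdu, q)                       # error-index
    _, vbl, _ = _read_tlv(pdu, q)
    results, r = [], 0
    while r < len(vbl):
        _, vb, r = _read_tlv(vbl, r)
        _, oid_body, s = _read_tlv(vb, 0)
        vtag, value, _ = _read_tlv(vb, s)
        results.append((_decode_oid(oid_body), vtag, value))
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), results)


def probe(host, community="public", oid=SYS_DESCR_0, port=161, timeout=3.0, request_id=1):
    """Send one GetRequest; return its varbinds, or None on timeout or a mismatched reply.

    None from the HO side while the same call succeeds from the branch LAN points
    at the tunnel or firewall path rather than at the agent itself.
    """
    req = build_get_request(community, oid, request_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    rid, err, varbinds = parse_get_response(data, expected_community=community)
    if rid != request_id or err != 0:
        return None
    return varbinds


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "public"))
```

    Run it twice with the same arguments, once from a host on the branch LAN and once from the HO side, while a packet capture runs on the remote firewall; a request that shows up in the capture with no reply on the same path is the symptom this thread describes.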

     

  • Hi All,

     

    The Bug ID is resolved in the latest version. Kindly get the device upgraded and report to support if it still does not work.

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support


  • The issue was indeed resolved with SFOS 16.05.5 MR-5 but it seems that it came back with SFOS 16.05.8 MR-8.

     

    I've updated just yesterday and the snmp community is not reachable from a lan-to-lan VPN, again.

     

    --

     

    Ivan Sassi

  • Thanks Ivan, for updating this thread.

    Can you check what Ivan is saying?

    Can you update/open a ticket?

    Thanks

  • Sure, I've opened the case id 7618852.

     

    --

     

    Ivan Sassi

  • Hi Ivan,

    I checked the case; it was something related to a license transfer. I will try to communicate with Mayur, who looked at this thread in the past, and update it.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Sorry, the same day I opened two cases, and I gave you the wrong one. The correct case ID is 7618881.

     

    --

     

    Ivan Sassi

  • Hi everyone, I'm writing this just to report a strange thing that occurred with SNMP after upgrading to MR-8.

     

    I use VPN to send SNMP data to my zabbix (with a valid IP) and I connect the VPN using the BACKUP WAN configured at Network/Wan Link Manager...

    As soon as the firewall booted up, SNMP stopped working, so in a packet capture I saw that SNMP packets were coming in through IPSEC_0 and leaving through the ACTIVE WAN....

    So to fix that I had to configure a static route forcing the firewall to send the SNMP packets through the BACKUP WAN.

     

    Could someone test it for me? I think the VPN is not necessary for testing: just send the SNMP requests to the BACKUP LINK and verify whether the response is leaving via the ACTIVE LINK.

    Thanks.
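    The test the post above asks for comes down to correlating each SNMP request with its reply in a capture and checking that both sit on the same interface. The script below is an added example, not code from the post or from Sophos; it assumes a capture summary in the shape tcpdump prints with `-i any` (timestamp, interface, In/Out, `IP src.port > dst.port:`). The sample lines, the `PortB` interface name and the IP addresses are constructed for the example; `IPSEC_0` is the interface name mentioned in the post. A request with no reply at all in the capture is reported too, so a silently dropped reply is not mistaken for a healthy flow.

```python
"""Flag SNMP replies that leave on a different interface than the request arrived on.

Added example for checking the asymmetric-path behaviour described above. The
capture lines are constructed in a tcpdump "-i any"-like shape, not real output.
"""
import re

# Constructed sample: request 50123 is answered out of PortB instead of IPSEC_0,
# request 50124 is answered correctly, request 50125 gets no reply at all.
CAPTURE = """\
10:00:01.000100 IPSEC_0 In  IP 203.0.113.10.50123 > 172.16.20.1.161: GetRequest sysDescr.0
10:00:01.000400 PortB   Out IP 172.16.20.1.161 > 203.0.113.10.50123: GetResponse sysDescr.0
10:00:02.000100 IPSEC_0 In  IP 203.0.113.10.50124 > 172.16.20.1.161: GetRequest sysUpTime.0
10:00:02.000300 IPSEC_0 Out IP 172.16.20.1.161 > 203.0.113.10.50124: GetResponse sysUpTime.0
10:00:03.000100 IPSEC_0 In  IP 203.0.113.10.50125 > 172.16.20.1.161: GetRequest ifNumber.0
"""

# timestamp, interface, direction, then "IP a.b.c.d.port > a.b.c.d.port:"
LINE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def find_asymmetric_replies(capture, agent_port=161):
    """Return one dict per request whose reply egressed elsewhere or never appeared.

    Requests are keyed by (client_ip, client_port, agent_ip); a reply is matched
    by reversing that tuple. out_iface is None when no reply was captured.
    """
    pending = {}    # flow key -> ingress interface of the request
    findings = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        f = m.groupdict()
        sport, dport = int(f["sport"]), int(f["dport"])
        if f["dir"] == "In" and dport == agent_port:
            pending[(f["src"], sport, f["dst"])] = f["iface"]
        elif f["dir"] == "Out" and sport == agent_port:
            key = (f["dst"], dport, f["src"])
            in_iface = pending.pop(key, None)
            if in_iface is not None and in_iface != f["iface"]:
                findings.append({"flow": key, "in_iface": in_iface, "out_iface": f["iface"]})
    for key, in_iface in pending.items():
        findings.append({"flow": key, "in_iface": in_iface, "out_iface": None})
    return findings


if __name__ == "__main__":
    for hit in find_asymmetric_replies(CAPTURE):
        print(hit)
```

    A hit with `out_iface` set to a WAN port while `in_iface` is the IPsec interface is exactly the reply-leaving-the-wrong-link case the post describes; a hit with `out_iface` of None means the reply never left the firewall on any captured interface.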