cannot access SNMP through VPN

Hello,

I'm having an issue trying to access SNMP on an XG firewall in a branch office from the head office via VPN. The XG is on MR7.

  • SNMP is enabled and a community is created with v1 and v2c, no traps, with the IP of the HO management station
  • device access has SNMP enabled for the VPN zone
  • there's a system IPsec route for the entire HO network
  • there's a system NAT rule for the mgmt IP to the XG
  • firewall rules on both sides allow ALL traffic between HO to BO and BO to HO

tcpdump is showing NO SNMP packets arriving from the management station on the HO, yet ping and other services do work.

If I add a community with a local BO IP, then SNMP works perfectly.

I've seen other threads asking about the same issue, but they were all solved by one of the steps I already have in place.

What am I missing?

  • Mast_01,

    what firmware version are you running?

    If you run a tcpdump from your XG, the output is empty?

    Thanks

  • I'm having a similar issue with SNMP traffic. I read another post about this being a bug so I waited till we updated to the newest firmware and issue still persists.

    When I run tcpdump from XG I do see some traffic IN:

    07:16:15.536521 ipsec0, IN: IP ip-x.x.x.x.us-west-2.compute.internal.43087 > ip-x.x.x.x.us-west-2.compute.internal.snmp:  C="Community String" GetNextRequest(25)

    I referenced https://community.sophos.com/products/xg-firewall/f/vpn/76983/snmp-to-the-vpn to create SNAT and Advanced FW rule. I can ping the LAN interface from my SNMP server, and pass SNMP traffic from other switches monitored in the BO through this VPN. Verified SNMP is checked in device access for LAN and VPN.

    Any assistance would be appreciated!

  • I am having the exact same issue. I have 4 XG devices in remote locations that I cannot get SNMP monitoring from. I can receive SNMP from all other systems at those locations via the IPsec tunnels.

  • Does anyone know if there is a bug filed for this? This still is not working, it appears (SNMP monitoring of the Sophos internal interface over an IPsec VPN connection)?

    Thanks,

    -Scott

  • Hey,

    To provide an update to this thread for the rest of the community, this SNMP over IPsec VPN issue is related to the bug ID (NC-16090). The fix for this is tentatively scheduled to be included in the next SFOS 17.1 firmware release.

    A temporary workaround for this issue in the meantime involves bypassing the related IPs from the advanced firewall. Ex: Commands entered on the CLI of the HO XG - (console> set advanced-firewall bypass-stateful-firewall-config add source_host x.x.x.x dest_host x.x.x.x) - the first x.x.x.x being the IP of the HO SNMP Polling Manager and the second x.x.x.x being the IP of the BO SNMP Agent.

    Best,
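As an added diagnostic example (not from this thread or from Sophos): a small Python parser for the one-line SNMP summaries that tcpdump on the XG prints, in the format quoted above, which flags poller/agent pairs where requests arrive on ipsec0 but no GetResponse leaves, the symptom the posts describe. The capture lines and addresses in SAMPLE are constructed; the parenthesized number after the PDU type is the PDU length tcpdump prints, not a request id, so matching is done per address pair.

```python
import re
from collections import defaultdict

# One-line SNMP summaries as tcpdump on the XG prints them (format copied from the
# capture quoted in the thread). The "(25)" after the PDU type is the PDU length,
# not a request id, so requests and responses are matched by address pair instead.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<iface>\S+),\s+(?P<dir>IN|OUT):\s+IP\s+'
    r'(?P<src>\S+)\.(?P<sport>[\w-]+)\s+>\s+(?P<dst>\S+)\.(?P<dport>[\w-]+):\s+'
    r'C="(?P<community>[^"]*)"\s+(?P<pdu>\w+)\(\d+\)'
)

REQUEST_PDUS = {"GetRequest", "GetNextRequest", "GetBulk", "SetRequest"}

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def poll_summary(lines):
    """Per (poller, agent) pair, count requests seen IN and responses seen OUT."""
    stats = defaultdict(lambda: {"requests": 0, "responses": 0, "communities": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["pdu"] in REQUEST_PDUS and rec["dir"] == "IN":
            key = (rec["src"], rec["dst"])
            stats[key]["requests"] += 1
        elif rec["pdu"] == "GetResponse" and rec["dir"] == "OUT":
            key = (rec["dst"], rec["src"])  # response flows agent -> poller
            stats[key]["responses"] += 1
        else:
            continue
        stats[key]["communities"].add(rec["community"])  # v1/v2c: sent in cleartext
    return dict(stats)

def unanswered_pairs(lines):
    """Pairs where polls arrive over the tunnel but fewer responses leave."""
    return sorted(k for k, v in poll_summary(lines).items() if v["responses"] < v["requests"])

# Constructed sample capture: two polls from the HO manager 10.1.0.50 to the XG at
# 10.2.0.1, only the first answered; a healthy exchange with a switch at 10.2.0.20.
SAMPLE = """\
07:16:15.536521 ipsec0, IN: IP 10.1.0.50.43087 > 10.2.0.1.snmp:  C="Community String" GetNextRequest(25)
07:16:15.536900 ipsec0, OUT: IP 10.2.0.1.snmp > 10.1.0.50.43087:  C="Community String" GetResponse(40)
07:16:16.540000 ipsec0, IN: IP 10.1.0.50.43087 > 10.2.0.1.snmp:  C="Community String" GetNextRequest(25)
07:16:17.100000 ipsec0, IN: IP 10.1.0.50.43088 > 10.2.0.20.snmp:  C="public" GetRequest(30)
07:16:17.100300 ipsec0, OUT: IP 10.2.0.20.snmp > 10.1.0.50.43088:  C="public" GetResponse(38)
""".splitlines()
```

Feed it the output of `tcpdump -n "udp port 161"` from the XG console; a pair listed by `unanswered_pairs` while ping works points at the stateful-firewall drop the workaround above bypasses.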