Discussion:
snmp access to pfsense box
tigerpaws
2013-03-10 14:59:54 UTC
tigerpaws [http://community.zenoss.org/people/tigerpaws] created the discussion

"snmp access to pfsense box"

To view the discussion, visit: http://community.zenoss.org/message/72323#72323

--------------------------------------------------------------
I am running zenoss-core 3.2.1. I am trying to monitor a pfsense (bsd) box, and snmp is acting very strangely. I have opened the pfsense firewall to the zenoss machine for udp and icmp echo, so I can ping the box and run snmpwalk from the zenoss device interface. But doing a device model, snmp times out. A packet trace on the pfsense box shows incoming snmp packets to the pfsense box, but no outgoing. To me, this would seem to indicate that zenoss is issuing some snmp request that the pfsense box does not like. I changed the snmp version to v1, to no avail. I also upped the timeout to 30 seconds. Yet the snmpwalk command works fine, and doing a full snmpwalk from the command line on the zenoss box also works fine.

I've gone through the zenoss logs looking for the exact snmp command used, but no luck. I'm using the device/router class and the pfsense plugin.

Would anyone have any ideas as to what may be misconfigured?

Thanks in advance if you have any ideas.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/72323#72323]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
jcurry
2013-03-12 14:49:54 UTC
jcurry [http://community.zenoss.org/people/jcurry] created the discussion

"Re: snmp access to pfsense box"

To view the discussion, visit: http://community.zenoss.org/message/72374#72374

--------------------------------------------------------------
A few thoughts...
When you say "run snmpwalk from the zenoss device interface.", do you mean that you use the Zenoss GUI to navigate to the main page of your pfsense box and then use the bottom Command menu to do an snmpwalk???  If so and this does work then it shows that you do have the correct SNMP version and community name configured into Zenoss. 

If you are simply using snmpwalk from a command line on the Zenoss system, then my strong suspicion would be an SNMP version and/or community name mismatch - that would fit with your trace showing SNMP requests going into your box but no response coming out.

Other things you could try to debug the situation:
1) Run zenmodeler in the foreground with full debugging.  Eg (as the zenoss user):
zenmodeler run -v 10 -d <name of device>
You can also run zenmodeler just for a single modeler plugin if you want. 
zenmodeler run -v 10 -d <name of device> --collect <name of modeler plugin>
Check the output carefully to see what modeler plugins are being asked to run and the SNMP parameters being used

2) Check your packet trace for SNMP version and community parameters.

3) Is your pfsense box configured to send Authentication TRAPs?  If so, where is the trap destination and are any authentication traps being sent?  This would also indicate bad community name parameters.

4) Is there any SNMP logging available on your pfsense box?

Cheers,
Jane
--------------------------------------------------------------

tigerpaws
2013-03-12 16:58:51 UTC
tigerpaws [http://community.zenoss.org/people/tigerpaws] created the discussion

"Re: snmp access to pfsense box"

To view the discussion, visit: http://community.zenoss.org/message/72378#72378

--------------------------------------------------------------
The snmpwalk was from the zenoss command menu, so I know the settings are correct. I followed your advice and ran the zenmodeler in the foreground (something new I've learned, thank you!) and the results are somewhat strange (see below). If I had to guess, I would guess that 30 seconds is too short. I changed the timeout to 120 seconds but that just makes the modeler complain about a device timeout (as opposed to an snmp timeout) and die after 180 seconds. I checked a few of the oids in the pfsense module to make sure they existed.

2013-03-12 12:01:46,306 DEBUG zen.SnmpClient: Starting SNMP info for .....
2013-03-12 12:01:46,306 DEBUG zen.twistedsnmp: AgentProxy._getCmdLineArgs: using google ipaddr on ...
2013-03-12 12:01:46,451 DEBUG zen.twistedsnmp: reactor settings: [7], None
2013-03-12 12:01:46,452 DEBUG zen.SnmpClient: Testing SNMP configuration
2013-03-12 12:01:46,453 DEBUG zen.netsnmp: Session.walk: send_status=115502552
2013-03-12 12:01:46,453 DEBUG zen.twistedsnmp: reactor settings: [7], 1.0
2013-03-12 12:01:46,463 DEBUG zen.ZenModeler: Loaded plugin zenoss.snmp.NewDeviceMap
2013-03-12 12:01:46,464 DEBUG zen.ZenModeler: Loaded plugin zenoss.snmp.DeviceMap
2013-03-12 12:01:46,465 DEBUG zen.ZenModeler: Loaded plugin zenoss.snmp.InterfaceMap
2013-03-12 12:01:46,466 DEBUG zen.ZenModeler: Loaded plugin zenoss.snmp.RouteMap
2013-03-12 12:01:46,466 INFO zen.ZenModeler: No portscan plugins found for .....
2013-03-12 12:01:46,466 DEBUG zen.ZenModeler: Running 1 clients
2013-03-12 12:01:46,466 DEBUG zen.ZenModeler: Collection slots filled
2013-03-12 12:01:46,466 DEBUG zen.ZenModeler: Running 1 clients
2013-03-12 12:01:47,454 DEBUG zen.twistedsnmp: reactor settings: [7], 1.0
2013-03-12 12:01:47,467 DEBUG zen.ZenModeler: Running 1 clients
2013-03-12 12:01:48,454 DEBUG zen.twistedsnmp: reactor settings: [7], 1.0
....
2013-03-12 12:02:15,562 DEBUG zen.twistedsnmp: reactor settings: [7], 0.89048700000000003
.....
2013-03-12 12:02:45,495 DEBUG zen.twistedsnmp: reactor settings: [7], 0.958507
.... more of these (total of 60)
2013-03-12 12:02:46,456 INFO zen.SnmpClient: Device timed out: SNMP info for ... at ... timeout: 30.0 tries: 2 version: v1  community: ...
2013-03-12 12:02:46,456 INFO zen.SnmpClient: snmp client finished collection for ...
2013-03-12 12:02:46,456 WARNING zen.SnmpClient: Device ... timed out: are your SNMP settings correct?
--------------------------------------------------------------

jcurry
2013-03-12 17:32:02 UTC
jcurry [http://community.zenoss.org/people/jcurry] created the discussion

"Re: snmp access to pfsense box"

To view the discussion, visit: http://community.zenoss.org/message/72379#72379

--------------------------------------------------------------
Hmmm.
Do you have any logging you can turn on on the target?? 

When you run the snmpwalk command, is response slow or pretty immediate?  I suspect that this is not slow response but a problem on the target side - hence my suggestion to look for logging on the target.

Does your Zenoss box have more than one IP interface?   Any chance that SNMP requests sometimes come from different IP interfaces and your target device is configured to only respond to one?

Any chance you can configure your target box to accept SNMP from a wider default set of devices?

Can you configure the target with a TRAP destination of your Zenoss box and see whether TRAPs can get through?

The snmpwalk test only gets the system MIB variables.  I am not familiar with your pfsense devices but certainly some Unix/Linux distros come with an SNMP agent configuration that limits MIB requests to ONLY seeing the system MIB variables.  This would mean that the snmpwalk test works but nearly all modelers would fail.  Typically you are looking for a "view" parameter in the agent's SNMP configuration file.

Cheers,
Jane
--------------------------------------------------------------

tigerpaws
2013-03-12 21:00:50 UTC
tigerpaws [http://community.zenoss.org/people/tigerpaws] created the discussion

"Re: snmp access to pfsense box"

To view the discussion, visit: http://community.zenoss.org/message/72382#72382

--------------------------------------------------------------
I will look to see if there is some logging I can turn on. pfsense is a freebsd-based router distribution, so it is very minimal, and I am not very familiar with freebsd. However, to answer some of the other questions: In my case, it is a vmware virtual machine, with two interfaces: a wan interface and a lan. zenoss talks to the wan interface.

There isn't any snmp configuration beyond setting the port and community string, not even a version (but I've tried both 1 and v2c) in the web interface. In the config file, it's pretty much the same, except there I can load the modules used and the write community string.

- snmpwalk returns very quickly.

If I do the full snmpwalk (without specifying system), from the zenoss system and zenoss user, I get an immediate response and it has a large amount of output, very much like a normal redhat box. From this, I get System-mib, if-mib, ip-forward-mib, ip-mib, tcp-mib, udp-mib, host-resources-mib - in all, a little over 1/2Mb of output. However, I timed it and it takes 1m13s to do.

I will look at setting up traps to send to zenoss. At the moment, I haven't set this up yet.

More later when I've set up the traps and had a closer look at the logs.
--------------------------------------------------------------
