I have 3 Cisco devices that are in DMZs behind a PIX firewall. All 3 switches have the same correct community string, and they all point to OpManager, which resides on the internal side of the firewall. All Cisco devices on the internal network were discovered fine and give accurate alarms. The 3 Cisco devices that are in the DMZs, however, will not stay green. I have the firewall opened to all 3 DMZs from the internal network with static ACLs allowing UDP and TCP 161, and TCP 162, and UDP snmptraps to my OpManager server. I have enabled debugging on the switches, and the SNMP packets are clearly getting through the firewall and to the switches. Please see the SNMP debugging from the switch below:
000947: 31w6d: Incoming SNMP packet
000948: 31w6d: v1 packet
000949: 31w6d: community string: <omitted for security>
000950: 31w6d: SNMP: Response, reqid 88052, errstat 0, erridx 0
 ifEntry.16.5 = 1006593192
000951: 31w6d: SNMP: Packet received via UDP from <omitted for security>on Vlan1
000952: 31w6d: SNMP: Packet sent via UDP to <omitted for security>
000953: 31w6d: SNMP: Packet received via UDP from <omitted for security>on Vlan1
000954: 31w6d: SNMP: Packet received via UDP from <omitted for security>on Vlan1
000955: 31w6d: SNMP: Get-next request, reqid 88053, errstat 0, erridx 0
 ifEntry.16.5 = NULL TYPE/VALUE
 ifEntry.5.5 = NULL TYPE/VALUE
000956: 31w6d: Incoming SNMP packet
000957: 31w6d: v1 packet
000958: 31w6d: community string: <omitted for security>
000959: 31w6d: SNMP: Response, reqid 88053, errstat 0, erridx 0
 ifEntry.16.6 = 3815430789
 ifEntry.5.6 = 100000000
000960: 31w6d: SNMP: Get-next request, reqid 88054, errstat 0, erridx 0
 ifEntry.10.5 = NULL TYPE/VALUE
000961: 31w6d: Incoming SNMP packet
000962: 31w6d: v1 packet
000963: 31w6d: community string: <omitted for security>
000964: 31w6d: SNMP: Response, reqid 88054, errstat 0, erridx 0
 ifEntry.10.6 = 1085530038
000965: 31w6d: SNMP: Get-next request, reqid 88055, errstat 0, erridx 0
 ifEntry.10.5 = NULL TYPE/VALUE
 ifEntry.5.5 = NULL TYPE/VALUE
The problem is that when I rediscover or add a device in a DMZ, such as the switch above, it will say that it was discovered successfully, and status will be green; within a minute it will be in a status of warning, and then it will be red and say that the device is down and not responding to polls. This happened on another DMZ switch, and the device remained in a down status according to OpManager although it was up, but when I bounced an interface on that "down" switch, OpManager saw the interface bounce and set off an alarm??? Very weird things. Please help.