VMware Cloud Community
bfrakes
Contributor

SNMP not working in my DMZ Zone (Juniper ScreenOS)

I have four ESXi 5.5 hosts in my Juniper Trust Zone that I have set up with SNMP v1/2c and that are being monitored by my SolarWinds SNMP software. I have three ESXi 5.5 hosts in my DMZ zone being routed by my Juniper SSG-320. I have both sets of hosts configured exactly the same. My SolarWinds management software is in my Trust network behind my inner firewall.

When I try to bring the DMZ host servers into SolarWinds to be monitored, the software cannot access the SNMP agent on the hosts. I'm pretty sure this is some kind of routing issue, but cannot find it. I've checked my interfaces and they are set to pass SNMP packets, and my policies on the router have the service included. My Windows 2008 R2 servers are set up the same, except the security is set to accept any management host. They work as they should. If I set the security on the SNMP agent in the Windows service, SolarWinds cannot see them.

Has anyone had this problem? If so, a possible solution would be appreciated.

TIA

5 Replies
tomtom901
Commander

I'm not sure this is related to the SSG per se, but in general: SNMP and NAT do not play well, so have you configured any kind of NAT between the internal network and the DMZ? It's pretty hard to tell you where the problem is without some kind of insight into how your network looks, but a routed SNMP configuration should not be the issue. Is the ESXi firewall not blocking the traffic?

bfrakes
Contributor

The subnet is set at the interface and it is different from the Trust interface subnet. There is no NATing going on. I've done a debug at the router level and it does look like the traffic is getting to the DMZ subnet.

tomtom901
Commander

Seems OK. Is the ESXi host able to connect back to the SNMP server? Does it have the correct routes, and does the SSG allow the traffic?

bfrakes
Contributor

Yes, all the routes are there and I can ping any interface from the CLI of the ESX host.

bfrakes
Contributor

Found the problem.

There were two issues.

You got me thinking about being able to ping the SNMP manager. It turns out that the Windows Firewall had ports 161 and 162 blocked. I made exceptions for them, but I still could not connect via the primary VM DMZ interface.

I have two NICs in the DMZ for failover protection. I did a traceroute and found that it is communicating on the second IP. I changed the settings in the CLI of the host server and it connected normally from the SNMP manager.

Thanks for your help...

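The two causes found in this thread (a host firewall silently dropping UDP/161 and UDP/162, and a multi-homed host answering from a NIC other than the one being polled) both look identical from the manager's side: the agent simply appears unreachable. The following script is an added example, not code from the thread or from VMware or SolarWinds. It builds a raw SNMP v2c GetRequest for sysDescr.0 with a minimal BER encoder, sends it over an unconnected UDP socket so that a reply from a different address is still received instead of being filtered by the kernel, and reports which local source address the OS picked and which address the agent answered from. The agent address `192.0.2.10` and community `public` are placeholders; `build_get_response` only exists so the parser can be exercised offline.

```python
import socket

SNMP_PORT = 161
SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # sysDescr.0, which every agent answers


def ber_length(n):  # definite-form BER length: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def ber_integer(value):
    size = 1  # smallest two's-complement width that holds the value
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def ber_oid(arcs):
    out = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, high bit set on every byte but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_message(community, pdu_tag, request_id, varbind):
    pdu = tlv(pdu_tag, ber_integer(request_id) + ber_integer(0)  # error-status
              + ber_integer(0) + tlv(0x30, varbind))             # error-index, varbind list
    return tlv(0x30, ber_integer(1) + tlv(0x04, community.encode()) + pdu)  # version 1 = v2c


def build_get_request(community, oid, request_id):
    return build_message(community, 0xA0, request_id, tlv(0x30, ber_oid(oid) + tlv(0x05, b"")))


def build_get_response(community, oid, request_id, value):  # what an agent sends back
    return build_message(community, 0xA2, request_id, tlv(0x30, ber_oid(oid) + tlv(0x04, value.encode())))


def parse_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(packet):
    """Return (request_id, error_status, value) from a v2c GetResponse."""
    tag, msg, _ = parse_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _, pos = parse_tlv(msg)               # version
    _, _, pos = parse_tlv(msg, pos)          # community
    pdu_tag, pdu, _ = parse_tlv(msg, pos)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = parse_tlv(pdu)
    _, err, pos = parse_tlv(pdu, pos)
    _, _, pos = parse_tlv(pdu, pos)          # error-index
    _, vblist, _ = parse_tlv(pdu, pos)
    _, vb, _ = parse_tlv(vblist)             # first varbind
    _, _, pos = parse_tlv(vb)                # its OID
    _, value, _ = parse_tlv(vb, pos)
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), value.decode(errors="replace"))


def diagnose(agent_ip, reply_from):
    """Map what came back (or did not) to the two causes found in the thread."""
    if reply_from is None:
        return "no reply: UDP/161 did not reach the agent, or its answer was dropped on the way back (check the path and the manager's own host firewall)"
    if reply_from != agent_ip:
        return "reply from %s, not %s: the host answered from another interface, so a manager that only accepts answers from the polled address sees it as down" % (reply_from, agent_ip)
    return "ok"


def probe(agent_ip, community="public", request_id=1, timeout=3.0):
    """Send one GetRequest and report the source we used, who answered, and from where."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((agent_ip, SNMP_PORT))     # sends nothing; only asks the kernel which source address it would pick
        source_ip = s.getsockname()[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)                # unconnected socket, so an answer from another IP is still seen
        s.sendto(build_get_request(community, SYS_DESCR_OID, request_id), (agent_ip, SNMP_PORT))
        try:
            data, (reply_from, _) = s.recvfrom(4096)
        except socket.timeout:
            return {"source_ip": source_ip, "reply_from": None, "value": None,
                    "diagnosis": diagnose(agent_ip, None)}
    rid, err, value = parse_get_response(data)
    if rid != request_id:
        raise ValueError("response id %d does not match request id %d" % (rid, request_id))
    return {"source_ip": source_ip, "reply_from": reply_from, "value": value if err == 0 else None,
            "diagnosis": diagnose(agent_ip, reply_from)}


if __name__ == "__main__":
    print(probe("192.0.2.10", "public"))    # placeholder agent address, not one from the thread
```

Run it from the manager host against the polled address of the DMZ host. A `reply_from` that differs from the address polled is the second symptom in the thread (the host is answering from its other DMZ NIC); no reply at all with the router debug showing the request arriving points at the return path, which is where the manager's own Windows Firewall rule for 161/162 came in. The script uses the v1/2c community the thread relies on, so keep it on a management network; SNMP v3 with authentication is the setting to move to where the platform supports it.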