Scenario
Device: Firewall
Make: Cisco ASA
Model: ASA 5506-X, 5508-X, 5516-X, and ISA 3000
Issue: SNMP POLL & SNMP TRAP Stopped working after upgrading ASA firmware to 9.14.x
After upgrading ASA to the new Cisco IOS 9.14.x it has been observed that SNMP Polling is not responding as expected. The reason behind the SNMP polling issue is the new bugs that are there in the new Cisco IOS 9.14.x.
SNMP nodes in the SolarWinds will stop responding and the node will be “Unknown” state.
You would not be able to add the node in SolarWind for monitoring as the SNMP test will fail. If you try to add a node to SolarWinds (which works on SNMP Poll/TRAP) you will get an error. SNMP Poll testing will fail with SNMPv2 and SNMPv3.
To know more about the bugs please click here.
Workaround: – Cisco has advised/issues workarounds for these bugs. Workarounds are as below:
1) Setting “SNMP-Server location” sets the same value for “SNMP-Server Contact” as well on ASA 9.14.x.
2) If the SNMP server is at a remote site that is connected with ASA through site-to-site VPN [IPSec Tunnel] and the management- access is used as an interface of the ASA. This bug will create issues for SNMP POLL-SNMP TRAP. To resolve the issue there is one workaround available.
On the ASA configure the SNMP server on the ‘outside‘ interface where the tunnel terminates. Add the “crypto ACL” entry for traffic from “ASA_outside_IP” to “SNMP server IP”. This will encrypt the traffic.It could be a topic of discussion to have an SNMP server on the outside interface. Since the outside interface is considered as an internet-facing interface.
Solution: –
The immediate solution of the issue is to downgrade the firmware to any other IOS version like 9.13.x. SNMP polling issue will be resolved with 9.13.x version.
9.13.x has been tested fully and it is good IOS which is working fine as of now. We will have to wait for a new fixed or interim version pf IOS in which both bugs will be fixed.
Hopefully, Cisco will release new IOS with the fix of these bugs and issues.
Please refer to the attached article if you are looking to upgrade or downgrade the firmware of IOS of the Cisco ASA. Upgrade/downgrade of firmware can be done via CLI method as well as GUI method.
Source: Cisco, Knowledge Base, Internet, Lab
EA00009