SNMP server on PIX IOS 7.2 over VPN

Hi Team,
I have a simple query about the issue I'm facing currently.
I have a PIX firewall at a remote site which is configured to be SNMP-polled by a server located outside, via a site-to-site VPN.
There is another SNMP server, also located on the inside, which I'm not managing.
========================================================================
Below are the SNMP commands configured on the PIX.
snmp-server host inside x.x.x.x community XXXXX ---This is not managed by us
snmp-server host inside x.x.x.x community XXXXX
snmp-server host outside y.y.y.y (private IP tunneled through VPN) poll community YYYYY ---Managed by us
snmp-server host outside y.y.y.y  poll community YYYYY
snmp-server community XXXXX
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
access-list acl-VPN-tunnel line 2 extended permit ip host z.z.z.z (outside interface of PIX firewall)  host Y.Y.Y.Y (server located outside)
==============================================================================
There are two SNMP communities and servers defined in the snmp-server host commands, for two different IP addresses belonging to SNMP servers, and we can only define one global snmp-server community for any one of them. The question is how the SNMP community takes precedence.
Currently I am able to ping from my SNMP server on the outside to the PIX firewall's outside interface over the L2L VPN, but somehow the SNMP server is not listening when I do a port query on port 161.
I'd appreciate your inputs on this; let me know if any more details are needed.
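A ping plus a "port query" on 161 says little about an SNMP agent: UDP/161 gives no reply unless the datagram is a well-formed request under a community the agent accepts, so a port scanner reports nothing either way. The following is an added example, my own code rather than anything from this thread, that builds an SNMPv2c GetRequest for sysDescr.0 by hand (BER encoding, no third-party library), sends it to UDP/161 and parses the GetResponse. The host and community values are placeholders standing in for the z.z.z.z and YYYYY of the post; the helper names, the fixed request-id and the "Cisco PIX Firewall" banner used by the offline test reply are all constructed for this example.

```python
import socket

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"  # sysDescr.0, readable under any RO community

def _ber_len(n):
    """BER length: short form below 128, long form (0x80 | byte count, then the bytes) above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _int(value):  # BER INTEGER, non-negative; a leading 0x00 appears automatically when the high bit is set
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _oid(dotted):
    """BER OBJECT IDENTIFIER: first two arcs merged as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_get_request(community, oid, request_id=1):
    """SNMPv2c message: SEQUENCE { version=1, community, GetRequest-PDU [0xA0] }."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")  # { OID, NULL }: the value slot is empty in a GET
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)

def build_get_response(community, request_id, oid, text):
    """Constructed GetResponse [0xA2] carrying one OCTET STRING; lets the parser be exercised offline."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x04, text.encode()))
    pdu = _tlv(0xA2, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    """Return (tag, body, position after the TLV) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_response(data):
    """Parse a GetResponse into (request_id, error_status, [(oid, value), ...])."""
    _, msg, _ = _read_tlv(data, 0)
    pos = _read_tlv(msg, _read_tlv(msg, 0)[2])[2]  # skip the version and community TLVs
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU (tag 0x%02x)" % tag)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _idx, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    binds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_body, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        if vtag == 0x02:
            value = int.from_bytes(vbody, "big", signed=True)
        elif vtag == 0x04:
            value = vbody.decode(errors="replace")
        else:
            value = None  # NULL, or an exception such as noSuchObject (0x80)
        binds.append((_decode_oid(oid_body), value))
    return int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big", signed=True), binds

def probe(host, community, timeout=2.0):
    """One GET for sysDescr.0 over UDP/161: (error_status, varbinds) on a reply, None on silence. From here
    a VPN/ACL drop, an snmp-server host entry that excludes the poller and a bad community all look alike."""
    request_id = 42  # placeholder; a real poller would randomise this
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(community, SYS_DESCR_0, request_id), (host, 161))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    rid, err, binds = parse_response(data)
    return (err, binds) if rid == request_id else None  # a stray reply with another id is ignored
```

Run `probe("z.z.z.z", "YYYYY")` from the polling server: a tuple back proves the tunnel, the crypto ACL, the `snmp-server host outside ... poll` entry and the community all line up; `None` means one of them does not, and since the agent stays silent on a wrong community, the `snmp-server enable traps snmp authentication` line in the config above is where a community mismatch would surface (as an authenticationFailure trap to the configured hosts) rather than in the reply.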

What was the resolution?  I am having the same issue.
Thanks!

Similar Messages

  • Server 2012 Firewall is blocking RDP over VPN

    I have a 2012 server running a VPN and I cannot connect to the server itself over RDP when I am connected through the VPN. I can connect without issue though from a machine on the local physical network. The standard RDP firewall exceptions are enabled.
    If I turn off the server firewall completely, I can connect with both, so clearly it is a firewall issue, but only with the VPN connections. Turned on logging, and this is what I get. I am not sure why these are different or what adjustment needs to be made
    to the firewall, as I don't want to leave the firewall off.
    #Version: 1.5
    #Software: Microsoft Windows Firewall
    #Time Format: Local
    #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
    2014-07-08 23:01:05 ALLOW TCP 192.168.20.100 192.168.20.125 1242 3389 0 - 0 0 0 - - - RECEIVE
    2014-07-08 23:01:26 DROP TCP 192.168.20.200 192.168.20.125 39646 3389 52 S 748485790 0 8192 - - - RECEIVE
    The top line is when I RDP from a local machine (20.100), the second line is an RDP from a remote machine while connected over the VPN (20.200).
    Matt Kleinwaks - MSMVP MSDN Forums Moderator - www.zerosandtheone.com
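The two log lines above show the same destination and port (3389) allowed from one source and dropped from another, which is the signature of a rule whose scope or profile excludes the second source rather than of a closed port. This added Python, my own code and not part of the thread, parses the W3C-style pfirewall.log format from its #Fields header and reports exactly such ports; the embedded sample is constructed from the header block and the two lines quoted in the post (trailing spaces removed), and the function names are my own.

```python
# Constructed sample: the header block and the two lines quoted in the post.
WF_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-07-08 23:01:05 ALLOW TCP 192.168.20.100 192.168.20.125 1242 3389 0 - 0 0 0 - - - RECEIVE
2014-07-08 23:01:26 DROP TCP 192.168.20.200 192.168.20.125 39646 3389 52 S 748485790 0 8192 - - - RECEIVE
"""

def parse_pfirewall_log(text):
    """Return one dict per data line, keyed by the names from the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue  # other directives and blank lines carry no events
        if fields is None:
            raise ValueError("data line before #Fields header: %r" % line)
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("expected %d fields, got %d: %r" % (len(fields), len(values), line))
        records.append(dict(zip(fields, values)))
    return records

def mixed_verdict_ports(records, path="RECEIVE"):
    """Group inbound records by (dst-ip, protocol, dst-port) and keep only the keys that were both
    ALLOWed and DROPped, mapping each verdict to the set of source IPs that received it."""
    by_port = {}
    for rec in records:
        if rec["path"] != path:
            continue
        key = (rec["dst-ip"], rec["protocol"], rec["dst-port"])
        by_port.setdefault(key, {}).setdefault(rec["action"], set()).add(rec["src-ip"])
    return {key: verdicts for key, verdicts in by_port.items()
            if verdicts.get("ALLOW") and verdicts.get("DROP")}

if __name__ == "__main__":
    for key, verdicts in mixed_verdict_ports(parse_pfirewall_log(WF_LOG)).items():
        print("%s %s/%s allowed from %s, dropped from %s" % (
            key[0], key[1], key[2], sorted(verdicts["ALLOW"]), sorted(verdicts["DROP"])))
```

On the sample this reports 192.168.20.125 TCP/3389 allowed from 192.168.20.100 and dropped from 192.168.20.200, i.e. the VPN client's address is what the rule rejects; comparing the dropped sources against the Scope tab's remote-address list (and against the profile the VPN interface lands in) is the check that follows.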

    Hi,
    Make sure you have enabled all of three Remote Desktop rules in firewall:
    Remote Desktop - Shadow(TCP-In)
    Remote Desktop - User Mode(TCP-In)
    Remote Desktop - User Mode(UDP-In)
    Have you checked the detailed settings of the Remote Desktop rules in the firewall? Be careful with the Scope tab in the properties.
    If the issue persists, please enable the auditing of windows firewall events
    To enable auditing of Windows Firewall events, please follow the steps below,
    Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage Group Policy settings in your organization.
    Open Computer Configuration, open Windows Settings, open Security Settings, open Local Policies, and then click Audit Policy.
    Double-click Audit process tracking, select the Success and Failure check boxes, and then click OK.
    Double-click Audit policy change, select the Success and Failure check boxes, and then click OK.
    For detailed information, please view the link below,
    Enable Auditing of Windows Firewall Events
    http://technet.microsoft.com/en-us/library/cc786961(v=ws.10).aspx
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • Hello.I wanted to upgrade my iPad 1 to iOS 5.1 Over the Air.I was running iOS 5.0.1.It said it had an error connecting to server.It is already 5 hours i cant install this update.I also have an iPhone 4 with iOS 5.0.1 with the same issues.Help please!

    You're probably running into the servers simply being swamped. Thousands of people are all going for the software update at the same time. Give it a try again and if that doesn't work, then try plugging it into your computer and trying it that way.
    I didn't get a notion of the size, it doesn't seem to be as big as the 700 meg 5.0 update, but it did take me 20+ minutes to download via cable internet so it's a large file. That in and of itself takes a while.
    If you're trying to download it directly to your iPhone, you'll need to be on wifi since I'm sure it's well over the 20 meg file size limit for 3G.

  • Migrating IOS to NX-OS equivalent command snmp-server enable traps config

    Hello,
    I am trying to figure out what the equivalent command is to configure the IOS "snmp-server enable traps config" on a Nexus 5020 running NX-OS version 4.2.1.N2.1. Can someone please help me with this problem?
    Also I would like to know if there is a Cisco how-to document or tool to migrate from IOS to NX-OS?
    Any help is greatly appreciated
    Thanks
    Frank

    Hello,
    Both Nexus 5ks are not generating a trap after a config change, because on both Nexus switches running the same NX-OS version the snmp-server enable traps config command shows up. This is really strange behavior; because we are using the same software version for the Nexus 5k devices it doesn't make sense to me. In the meantime I checked the command line guide for this software version but the command wasn't showing up.
    nx5k-mt-2# show snmp trap | grep config
    nx5k-mt-2#
    nx5k-mt-2# show snmp trap
    Trap type                                                              Enabled
    entity               : entity_mib_change                            Yes
    entity               : entity_module_status_change                  Yes
    entity               : entity_power_status_change                   Yes
    entity               : entity_module_inserted                       Yes
    entity               : entity_module_removed                        Yes
    entity               : entity_unrecognised_module                   Yes
    entity               : entity_fan_status_change                     Yes
    link                 : linkDown                                     Yes
    link                 : linkUp                                       Yes
    link                 : extended-linkDown                            Yes
    link                 : extended-linkUp                              Yes
    link                 : cieLinkDown                                  Yes
    link                 : cieLinkUp                                    Yes
    link                 : connUnitPortStatusChange                     Yes
    link                 : fcTrunkIfUpNotify                            Yes
    link                 : fcTrunkIfDownNotify                          Yes
    link                 : delayed-link-state-change                    Yes
    link                 : fcot-inserted                                Yes
    link                 : fcot-removed                                 Yes
    callhome             : event-notify                                 Yes
    callhome             : smtp-send-fail                               Yes
    cfs                  : state-change-notif                           Yes
    cfs                  : merge-failure                                Yes
    fcdomain             : dmNewPrincipalSwitchNotify                   Yes
    fcdomain             : dmDomainIdNotAssignedNotify                  Yes
    fcdomain             : dmFabricChangeNotify                         Yes
    rf                   : redundancy_framework                         Yes
    aaa                  : server-state-change                          Yes
    license              : notify-license-expiry                        Yes
    license              : notify-no-license-for-feature                Yes
    license              : notify-licensefile-missing                   Yes
    license              : notify-license-expiry-warning                Yes
    scsi                 : scsi-disc-complete                           Yes
    fcns                 : reject-reg-req                               Yes
    fcns                 : local-entry-change                           Yes
    fcns                 : db-full                                      Yes
    fcns                 : remote-entry-change                          Yes
    rscn                 : rscnElsRejectReqNotify                       Yes
    rscn                 : rscnIlsRejectReqNotify                       Yes
    rscn                 : rscnElsRxRejectReqNotify                     Yes
    rscn                 : rscnIlsRxRejectReqNotify                     Yes
    fcs                  : request-reject                               Yes
    fcs                  : discovery-complete                           Yes
    fctrace              : route                                        Yes
    zone                 : request-reject1                              Yes
    zone                 : merge-success                                Yes
    zone                 : merge-failure                                Yes
    zone                 : default-zone-behavior-change                 Yes
    zone                 : unsupp-mem                                   Yes
    vsan                 : vsanStatusChange                             Yes
    vsan                 : vsanPortMembershipChange                     Yes
    fspf                 : fspfNbrStateChangeNotify                     Yes
    upgrade              : UpgradeOpNotifyOnCompletion                  Yes
    upgrade              : UpgradeJobStatusNotify                       Yes
    feature-control      : FeatureOpStatusChange                        Yes
    snmp                 : authentication                               Yes
    nx5k-mt-2#
    nx5k-mt-2#

  • Snmp-server community over VRF

    I'm in the process of rolling out snmp-server community for LMS for all our devices. A few devices are VRF enabled, hence I need to ping the LMS server through a VRF and not the global routing table. To my knowledge the 'snmp-server host 11.22.33.44 vrf VRF XXXX' command only sends traps/notifications to DFM; is there a similar command for the 'snmp-server community xxxx RO 1'?
    I can ping the device from the LMS server but the snmp-server community access-list does not show any hits for the LMS IP and hence the device is not registered in LMS.
    Any ideas?

    So manually-initiated communications appear to be working in both directions. That's good.
    Since you're not seeing hits on your acl at the device, I'd next check to see the traffic leaving your LMS server. You can run a Wireshark capture there (or use the built-in packet tracer), filtering on your device's destination IP. I'd initiate a comms check from Device Center in LMS (or snmpwalk from the cli) to manually trigger an SNMP query.
    If you don't see any SNMP queries leaving, LMS is the culprit (I'd check the DCR entry for the device in question). If you do see the traffic leaving then there is a network / device issue.

  • Multiple SNMP strings on Pix-501

    Does the PIX-501 support multiple SNMP communities? I'm trying to add a second one, but the original community string gets removed when I add the new one. If we can have multiple SNMP hosts, then I would imagine you could have multiple strings. I thought it was like most switches and routers, which can have the following:
    snmp-server community STRING1
    snmp-server community STRING2
    The Pix-501 is currently running on version 6.3(5).

    Hi Bro
    You can't possibly compare Cisco IOS routers and switches with Cisco firewalls. They are different types of product, with totally different behaviors and purposes.
    This is a Cisco FWSM/PIX/ASA Firewall limitation. You can only define one snmp community string, and that too has to be RO, and NOT RW. Perhaps, this Cisco URL link may shed some light on your query http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20031215-pix
    There’s a reason to why Cisco Firewalls don’t support RW. RW is used generally, by network management tools such as Cisco Security Manager, Cisco MARS, CiscoWorks etc. to push configurations, IOS etc. to Cisco products in large masses. In fact, RW can also be used as a mitigation approach. Cisco Firewalls being a defensive product by nature, will not allow this to occur. There could be a possibility of un-stealth-ing the product. Hence, only RO is available. Mitigation approach in Cisco Firewalls can always be done through telnet/ssh, if needed.
    Note: Perhaps, it doesn't make sense to use a vulnerable/non-secure protocol such as SNMP to manage a security appliance, unless SNMP v3 is introduced.
    P/S: If you think this comment is useful, please do rate them nicely :-) and select the option "THIS QUESTION IS ANSWERED"

  • What traps are generated from "snmp-server enable traps module"?

    I'm at wit's end here ... I've been browsing documentation like a madman, but I just can't find it.
    I've got a 6500 sup 720 running Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(33)SXI3, RELEASE SOFTWARE (fc2) with this in the config:
    esdb8#sh run | inc module
    snmp-server enable traps module
    esdb8#
    Can anyone tell me what traps would be generated on what conditions with this statement?  Pointers to docs are more than welcome!
    Thanks in advance,
    Olof

    This command will enable the following traps:
    moduleUp NOTIFICATION-TYPE
            OBJECTS       { moduleIndex, moduleType }
            STATUS        current
            DESCRIPTION   "A moduleUp trap signifies that the agent entity
                          has detected that the moduleStatus object in this
                          MIB has transitioned to the ok(2) state for one of
                          its modules.
                          The generation of this trap can be controlled by
                          the sysEnableModuleTraps object in this MIB."
            ::= { ciscoStackNotificationsPrefix 3}
    moduleDown NOTIFICATION-TYPE
            OBJECTS       { moduleIndex, moduleType }
            STATUS        current
            DESCRIPTION   "A moduleDown trap signifies that the agent entity
                          has detected that the moduleStatus object in this
                          MIB has transitioned out of the ok(2) state for
                          one of its modules.
                          The generation of this trap can be controlled by
                          the sysEnableModuleTraps object in this MIB."
            ::= { ciscoStackNotificationsPrefix 4}
    This is from the CISCO-STACK-MIB; review the link for the entire MIB. I could not find an IOS document, however this 6500 CatOS command reference shows the same command in CatOS lingo (set snmp trap module).

  • Disable SNMP mac-notification only for one snmp-server host

    Hi,
    we use NAC in our network and because of that I need the MAC-notification trap.
    My problem is, the NAC needs that trap, but my network monitoring system doesn't.
    Is it possible to disable only that trap for my monitoring?
    For the NAC I use the following command to filter all other traps:
    snmp-server host 192.168.1.1 version 2c public mac-notification
    That works!
    Is there something like
    snmp-server host 192.168.1.20 version 2c public no mac-notification
    to disable that mac-notification?
    Thanks!
    Sven

    Hi Sven,
    try using the syslog discriminator - I think it should be possible with this feature but I have not had the chance to play with it:
    http://www.cisco.com/en/US/partner/docs/ios/12_4t/12_4t11/htnmsylg.html
    and some interesting threads:
    https://supportforums.cisco.com/message/3446512#3446512
    https://supportforums.cisco.com/message/3340796#3340796
    and others (search for "syslog discriminator")
    Martin

  • PIX - IOS Router Redundancy

    PIX at remote, Dual Interface/Dual ISP IOS Router at core.
    Is there a way to have an IPSEC tunnel from the PIX to the Dual ISP Router at the core?
    Can't get the PIX to pass traffic over the second IPSEC Tunnel when one ISP/Interface goes down at the IOS Router.
    Help!
    Thanks,
    Bob

    PIX-501 at the remote
    Cisco1721 with Dual ISP feeds at Central site.
    I want two tunnels from the PIX to the Cisco1721.
    One ISP goes down, traffic goes over the second tunnel.
    Thanks,
    Bob

  • ASR1000 missing " snmp-server hc poll " command

    Hi, customer wants to poll some interface counters more or less in real time for some reasons, but IOS does not update the MIB variables in real time.
    So there was a hidden command in "normal" IOS to change this behaviour, to force IOS to update the counters quicker.
    It was
    snmp-server hc poll value
    Unfortunately this command is not present in IOS XE.
    Is there any equivalent command in IOS XE?
    Thx
    Hubert

    I suppose this command is also supported in IOS-XE. When you apply this command does it give you any error?
    I am not sure if it is practical to poll devices via SNMP in real time or at very short intervals.
    This may be mostly interface details your customer is after; that's not how SNMP counters are designed to respond. IfTable counters will get updated every 10 seconds on most platforms, so it doesn't even make any sense to poll them faster than once every 10 seconds. There are other SNMP objects (like gauges) which are real time and will give you updated information on each poll. There are reasons why this was designed that way, and not abiding by this can cause other much more critical problems like high CPU, and each platform will have different impacts.
    You can check some other performance enhancing commands (may be platform specific):
    service counters max age 10
    snmp-server ifmib internal cache max-duration
    -Thanks
    Vinod
    ** Encourage Contributors. RATE them **

  • Snmp-server for IPv6 only?

    I am trying to figure out how to enable the snmp-server on a 7200 that has only IPv6 addresses.
    Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.2(33)SRC, RELEASE SOFTWARE (fc3)
    I searched and saw there was a bug related to this, but I thought I had an IOS version that it is fixed in. I still see the following errors, which must mean I do not have a working load.
    *Mar  1 15:28:24.759: %IP_SNMP-3-SOCKET: can't open UDP socket
    *Mar  1 15:28:24.763: Unable to open socket on port 161
    What is the correct IOS to get this working?  I do not want to dual stack this device.
    Thanks,
    Greg

    That works better.  Related to that, where can I find the list of other trains that got fixed in?  Trying to find working IPv6 MIBS is challenging.  We tried 12.4T and 15.0, but neither seems to have working v6 MIBs let alone v6 agent support.
    Thanks,
    Greg

  • Syslog equivalent to "snmp-server enable traps fru-ctrl"?

    Does "[no] snmp-server enable traps fru-ctrl" toggle cefcMIBNotificationEnables of CISCO-ENTITY-FRU-CONTROL-MIB such that traps/notifications concerning cefcModuleOperStatus get generated?
    Are there syslog equivalents to the traps/notifications above? If so, can anyone post a sample entry, so I know what it looks like and what keywords to search for?

    It depends on the platform and IOS release. There is the %ENTITY_ALARM-6-INFO syslog which signifies an entity change. This would come closest to the cefcModuleStatusChange trap.
    Generally speaking, card insert and removal operations, the OIR syslog messages are supported across platforms:
    %OIR-6-INSCARD : Card is inserted
    %OIR-6-REMCARD : Card is removed
    Other platforms and card types may provide additional details if a module fails (e.g. %FECPM-1-INITFAIL for a NM module in a 2600/3600).

  • Prime Infrastructure 2.0: Running an inventory sync removes "snmp-server location" in running-config

    Hello,
    we're running Prime Infrastructure 2.0 (version VA-2.0.0.0.294).
    I was scared as I figured out one hour ago that running an inventory sync (Device Work Center) removes the command snmp-server location and adds the command snmp-server host "PI-ip address" "snmp rw community" in the running-config.
    Does anyone see the same behaviour, or can anyone reproduce this scenario?!
    Can someone imagine that this behaviour has something to do with a configuration setting in PI?
    I'm perplexed and got gray hair now.
    Thank you for your answers or tips.
    Bastian

    Hello Rob,
    I just successfully installed the patch. The snmp-server location is not touched anymore while running an inventory job.
    But PI still enters this string in the running-configuration:
    snmp-server host "PI-IP address" " our snmp RW community- string"
    although there already exists the entry:
    snmp-server host "PI-IP address" version 2c "community-string (not the snmp rw-community-string)"
    Do you or anyone else have the same behaviour, where PI automatically adds itself as an SNMP trap receiver with the SNMP RW community?
    Regards
    Bastian

  • Mount windows file server over vpn

    I have a Windows(2003SP2) file server within some LAN with IP 192.168.10.10 and with shared folder structure like
    /Sity/District/
    I am authorised to connect to this LAN over VPN (it works) and to connect to /Sity, but I am authorized only to see and modify files within /District folder.
    With the command 'smbclient -U username //192.168.10.10/Sity' in Terminal I can connect to the server and e.g. get all the files from /Sity/District/. However, neither mount_smbfs in Terminal nor Connect to Server in Finder can mount the share - error is
    mount_smbfs: negotiate phase failed: syserr = Connection refused, and Finder complains about the username and the password. The /etc/nsmb.conf has the following structure
    [default]
    minauth=none
    Is there a way to mount such share?

    Yes, it replies 'could not connect to the server because the name or password is not correct'.
    Same for almost all combinations of smb://WORKGROUP;user:password@IP/Sity[/District]
    I also tried different options for mount_smbfs like '-I' with no result. Error reads
    mount_smbfs: negotiate phase failed: syserr = Connection refused
    There is also no network browsing (mDNSResponder: NOTE: Wide-Area Service Discovery disabled to avoid crashing defective DNS relay 192.168.1.1.)
    But the smbclient works and I can get the folder structure.

  • Weblogic Admin server 10.1mp3 migration to 12c over windows

    Hi,
    The admin server is currently on 10.0mp3 on Windows 2008 Server. This needs migration to 12c on another Windows server.
    The admin server is associated with MachineA and there are 3 managed WebLogic servers on MachineB. Can anyone suggest the ways I can migrate?
    What changes need to be made to the files below?
    commEnv.cmd
    startManagedWebLogic.cmd
    wlsvc.exe - seeing this file newly in WebLogic 12c; what is its purpose?
    Under the D:\bea\wls12\server\bin directory, what changes are needed to
    installSvc.cmd
    installNodeMgrSvc.cmd
    I need the syntax to install the WebLogic admin & WebLogic admin as Windows services with a customized service name.

    Thanks for the reply, this looks fine (I think). Below is the output:
    Microsoft Windows [Version 6.0.6001]
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.
    C:\Users\Administrator.SEALEDINFO-PROD>cd C:\Oracle\MiddlewareNew\user_projects\
    domains\irm_domain\bin
    C:\Oracle\MiddlewareNew\user_projects\domains\irm_domain\bin>setdomainenv.cmd
    C:\Oracle\MiddlewareNew\user_projects\domains\irm_domain>java -version
    java version "1.6.0_18"
    Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
    Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode)
    C:\Oracle\MiddlewareNew\user_projects\domains\irm_domain>java weblogic.version
    WebLogic Server 10.3.3.0 Fri Apr 9 00:05:28 PDT 2010 1321401
    Use 'weblogic.version -verbose' to get subsystem information
    Use 'weblogic.utils.Versions' to get version information for all modules
    C:\Oracle\MiddlewareNew\user_projects\domains\irm_domain>
