[clue] (Slightly OT) - This SNMP issue has me baffled

foo7775 at comcast.net
Tue Jul 14 21:23:13 MDT 2015

Hey all, I apologize for the fact that this message refers to Solaris rather than Linux, but I'm hoping that there's enough overlap that it might be interesting/useful to others anyway... 

I am really puzzling over an issue I'm fighting on a Solaris 10 system, & I'm hoping that a "2nd pair of eyes" might be able to help me get past this apparent blind spot... The server in question has three network interfaces (B, C, & A - and 'A' is the logical interface created with B & C bonded together). 

Our monitoring admin is trying to set up monitoring of this server on all three interfaces over the typical SNMP protocol (UDP 161). I have confirmed that snmpd is active & listening on UDP 161, and connections can be made from any system to network interfaces A & C. The monitoring server (which is in a different city) is not able to connect to UDP 161 on interface B, although I can repeatedly make a successful connection to interface B using netcat from a Linux server that's on the same network as the monitoring server. The monitoring server is able to monitor several hundred other servers without issue (& has done so for years), so I am making the assumption that that end is working as expected. (And, that server is out of my area of responsibility as well.) 

Firewalls & network check out fine. I have also confirmed that the local OS firewall is not active (using both 'svcs' & 'ipfstat' commands). The snmpd.conf file consists of only nine lines, none of which mentions specific network interfaces/IPs/etc. Since the usual troubleshooting steps haven't led to a resolution, I've coordinated with the monitoring admin, & had him attempt to connect again after I'd fired up 'snoop' on the Solaris box, just so that I could see what's happening when the connection attempts are being made. I then transferred the packet capture file to my workstation & opened it with Wireshark.

Now I'm not an expert with snoop or Wireshark (yet!) but from what I can see, I have 34 packets that arrived at the 'B' interface of the Solaris server, each of which contains an SNMP 'get-request' for the same OID. When I remove the filter that shows only packets addressed to the 'B' interface, I can see that interface A receives packets with 'get-next-request' & OIDs that are incrementing. I do *not* see any responses from the Solaris server to the monitoring server (for any interface) - the snoop command that I used is below:

snoop -P -V -o <output file> -q -r <IP address of monitoring server> 

I'd initially thought that I had mistakenly captured only incoming packets, but the command arguments that I provided do not support that belief: 

[ -P ] # Turn OFF promiscuous mode
[ -V ] # Show all summary lines
[ -q ] # Suppress printing packet count
[ -r ] # Do not resolve address to name

I've considered looking at the configuration for the network interface bonding, but that really doesn't seem as though it would be a likely source of the problem. And before I forget to mention it, I have restarted the snmpd daemon as well. 

Any suggestions that anyone can offer would be appreciated. 

Thanks in advance, 
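
Added example (not part of the original message): a Python sketch that reads a snoop capture file (RFC 1761 format) and counts SNMP PDUs per source address, destination address and PDU type, so requests that arrive on one interface can be compared with the responses that leave the host. It assumes untagged Ethernet, IPv4 and SNMPv1/v2c; the addresses, the `frame` helper and the `SAMPLE` capture are constructed for illustration.

```python
import struct
from collections import Counter
from socket import inet_aton, inet_ntoa

PDU = {0xA0: "get-request", 0xA1: "get-next-request", 0xA2: "get-response"}

def tlv(buf, i):
    """Return (tag, value offset, value length) of the BER element at buf[i]."""
    n = buf[i + 1]
    k = n & 0x7F if n & 0x80 else 0               # long form: k length bytes follow
    return buf[i], i + 2 + k, int.from_bytes(buf[i + 2:i + 2 + k], "big") if k else n

def pdu_name(msg):
    """PDU type of an SNMPv1/v2c message: SEQUENCE { version, community, PDU }."""
    try:
        tag, i, _ = tlv(msg, 0)
        _, v, vlen = tlv(msg, i)                  # version INTEGER
        _, c, clen = tlv(msg, v + vlen)           # community OCTET STRING
        return PDU.get(msg[c + clen], "other") if tag == 0x30 else "not-snmp"
    except IndexError:                            # truncated or non-BER payload
        return "not-snmp"

def tally(cap, port=161):
    """Count SNMP PDUs per (src, dst, type) in an RFC 1761 snoop capture."""
    if len(cap) < 16 or cap[:8] != b"snoop\0\0\0" or struct.unpack(">II", cap[8:16]) != (2, 4):
        raise ValueError("expected snoop v2 capture with Ethernet link type")
    counts, off = Counter(), 16
    while off + 24 <= len(cap):                   # 24-byte header before each record
        incl, reclen = struct.unpack(">II", cap[off + 4:off + 12])
        f, off = cap[off + 24:off + 24 + incl], off + max(reclen, 24)
        if len(f) < 42 or f[12:14] != b"\x08\x00" or f[23] != 17:
            continue                              # keep untagged IPv4/UDP only
        udp = 14 + (f[14] & 0x0F) * 4             # UDP header follows the IP header
        if len(f) >= udp + 8 and port in struct.unpack(">HH", f[udp:udp + 4]):
            counts[inet_ntoa(f[26:30]), inet_ntoa(f[30:34]), pdu_name(f[udp + 8:])] += 1
    return counts

def frame(src, dst, sport, dport, pdu_tag):
    """Constructed sample record: Ethernet/IPv4/UDP around a minimal SNMP message."""
    snmp = bytes([0x30, 13, 2, 1, 1, 4, 6]) + b"public" + bytes([pdu_tag, 0])
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28 + len(snmp), 0, 0, 64, 17, 0,
                     inet_aton(src), inet_aton(dst))   # checksums left at zero
    pkt = bytes(12) + b"\x08\x00" + ip + struct.pack(">HHHH", sport, dport, 8 + len(snmp), 0) + snmp
    pad = -len(pkt) % 4                           # records are padded to 4 bytes
    return struct.pack(">6I", len(pkt), len(pkt), 24 + len(pkt) + pad, 0, 0, 0) + pkt + bytes(pad)

MON, IF_A, IF_B = "192.0.2.10", "198.51.100.1", "198.51.100.2"   # constructed addresses
SAMPLE = (b"snoop\0\0\0" + struct.pack(">II", 2, 4)               # constructed capture
          + frame(MON, IF_B, 40000, 161, 0xA0) * 3                # requests to B, no reply
          + frame(MON, IF_A, 40001, 161, 0xA1) + frame(IF_A, MON, 161, 40001, 0xA2))
```

To run it against a real capture, pass the bytes of the file written by `snoop -o` to `tally()`; a key whose source is the server's own address and whose type is `get-response` shows which address, if any, the replies are leaving from.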
