snmp
Posted: Tue Oct 23, 2012 8:59 am
by gue_br
Hi!
I use NagiosXI in VMware to try it.
Now I want to use snmp to watch a server.
Ok it is an IBM i5, but there exists a plugin, which uses snmp and seems to work.
By using FreeSnmp on my PC I got response from the server, but not in Nagios.
So I think basically it must work.
I also tried to type in the snmpwalk command, but I always get "Timeout: No Response from <IP>".
I don't know if the NagiosXI VM uses a firewall like iptables, but I found a thread, where anything is mentioned, so I tried to add rules (http://support.nagios.com/forum/viewtop ... all#p24690).
Please can anyone help me. I want to use Nagios, but it is very heavy to learn.
Thanks,
Guenter
Re: snmp
Posted: Tue Oct 23, 2012 4:29 pm
by jsmurphy
The NagiosXI VM definitely uses iptables, and if you want to be certain that iptables isn't interfering then run "/etc/init.d/iptables stop", then turn it back on later when you work out if it is causing the problem or not (/etc/init.d/iptables start).
I'm not overly familiar with management of the IBM server platform, but do you need to specify allowed hosts for SNMP in the management software? The only other thing I can think of is:
a. Another firewall between your Nagios server and your i series is blocking the request.
b. You can't route from the network your Nagios server is in to the network your iSeries is in and the network is configured to "black hole" those requests (otherwise it would say "no route to host").
In short; failing everything else ask your network team.
Re: snmp
Posted: Tue Oct 30, 2012 2:39 am
by gue_br
Hello!
My Nagios works now and monitors our iSeries.
But only when I disable iptables.
I added some rules, but if I start iptables snmp-traffic is blocked.
Here is my iptables config:
# Generated by iptables-save v1.4.7 on Tue Oct 23 13:43:40 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [327:125252]
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 162 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10162 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10161 -j ACCEPT
-A INPUT -p udp -m udp --dport 10162 -j ACCEPT
-A INPUT -p udp -m udp --dport 10161 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 161 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Oct 23 13:43:40 2012
Can you tell me, what's wrong?
thx Guenter
Re: snmp
Posted: Fri Nov 02, 2012 4:26 pm
by jsmurphy
There's nothing inherently wrong with your iptables config as far as I can tell... I think the best way to debug this might be to turn on firewall logging if it isn't turned on by default (I don't think it is with CentOS). That will then at least tell you why it's dropping the packets.
We had a similar issue with our NetApp filers where I discovered that the filers were replying on a different interface to the one they were receiving the SNMP request on, iptables would then drop it because as far as it was concerned there was no valid open connection to that IP address.
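
Added example (not from any poster in this thread): a small Python model of how the INPUT chain posted above treats an SNMP poll reply. It shows that a reply is accepted only through the RELATED,ESTABLISHED rule, so a reply arriving from a different source address falls through to REJECT. The addresses, local port 40000, interface name eth0 and the simplified state tracking are assumptions made for the illustration.

```python
import re

# INPUT rules from the iptables-save dump posted above (the tcp and
# 1016x duplicates are left out for brevity; order is unchanged).
RULES = """\
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
""".splitlines()

OPT = re.compile(r"(?<!\S)-{1,2}(p|i|dport|state|j) (\S+)")

def state_of(pkt, flows):
    """Simplified conntrack: a reply is ESTABLISHED only if it reverses
    the exact tuple of an earlier outbound request; otherwise it is NEW."""
    key = (pkt["src"], pkt["sport"], pkt["dport"])
    return "ESTABLISHED" if key in flows else "NEW"

def verdict(pkt, flows):
    """Walk the chain top to bottom; the first matching rule decides."""
    st = state_of(pkt, flows)
    for rule in RULES:
        o = dict(OPT.findall(rule))
        if "p" in o and o["p"] != pkt["proto"]:
            continue
        if "i" in o and o["i"] != pkt["iface"]:
            continue
        if "dport" in o and int(o["dport"]) != pkt["dport"]:
            continue
        if "state" in o and st not in o["state"].split(","):
            continue
        return o["j"], rule
    return "ACCEPT", ":INPUT ACCEPT (chain policy)"

# Constructed sample: Nagios polled 192.0.2.10:161 from local UDP port 40000.
FLOWS = {("192.0.2.10", 161, 40000)}
base = {"proto": "udp", "iface": "eth0", "sport": 161, "dport": 40000}
SAME_IP_REPLY = dict(base, src="192.0.2.10")   # answers from the polled address
OTHER_IP_REPLY = dict(base, src="192.0.2.11")  # answers from a second interface
TRAP = dict(base, src="192.0.2.10", sport=50000, dport=162)

if __name__ == "__main__":
    for name in ("SAME_IP_REPLY", "OTHER_IP_REPLY", "TRAP"):
        target, rule = verdict(globals()[name], FLOWS)
        print(f"{name:15} -> {target:6} by {rule}")
```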