[mrtg] Re: mrtg of Cisco routers via Internet fails
tom.voussure at sita.be
tom.voussure at sita.be
Tue May 11 15:05:37 MEST 2004
Hi,
thx for the quick reply ...
the firewall is configured correctly.
SNMP (udp 161) is allowed from the mrtg-server to the internet. (and I
don't get any deny's in the firewall logs).
I tried to connect to the wan ip adres of the router and the ethernet, but
the result is the same ...
(ping & telnet works, snmp not)...
I've also created a rule on the firewall that allows any ip traffic between
the mrtg-server and router but it didn't help...
Kind regards,
tom
Merton Campbell
Crockett To: tom.voussure at sita.be
<mcc at CATO.GD-AIS cc: mrtg at list.ee.ethz.ch
.COM> Subject: Re: [mrtg] mrtg of Cisco routers via Internet fails
11/05/2004 14:26
On Tue, 11 May 2004 tom.voussure at sita.be wrote:
> But I have a problem with monitoring routers via Internet.
>
> I have several Internet connection. Some or completely separated from our
> main network.
>
> So to monitor these routers, i have to go thru a firewall, on the
internet,
> to the other router.
> (mrtg server --> firewall --> INTERNET --> router)
>
> I always get the same error:
> --base: Get Device Info on xxx at 210.88.234.215:
> SNMP Error:
> no response received
> SNMPv1_Session (remote host: "210.88.234.215" [210.88.234.215].161)
> community: ""xxx"
> request ID: -1222128975
> PDU bufsize: 8000 bytes
> timeout: 2s
> retries: 5
> backoff: 1)
> at /usr/local/mrtg-2/bin/../lib/mrtg2/SNMP_util.pm line 570
> SNMPWALK Problem for 1.3.6.1.2.1.1 on xxx at 210.88.234.215.
> at /usr/local/mrtg-2/bin/cfgmaker line 709
>
>
> If a try a snmpget i get also "Timeout, no response from ..."
The "no response received" indicates that the firewall is not configured
to allow UDP packets
(1) from the "Internet" to the system that is running MRTG
or
(2) to the "Internet" from the system that is running MRTG.
As UDP can be used for downloading malware, you don't want to allow UDP to
cross over your security perimeter. You need to construct specific rules
that allow UDP port 161 traffic between your routers and the MRTG system.
Also, be sure to specify the IP address of the router that is "nearest"
the MRTG system.
Merton Campbell Crockett
--
BEGIN: vcard
VERSION: 3.0
FN: Merton Campbell Crockett
ORG: General Dynamics Advanced
Information Systems;
Intelligence and
Exploitation Systems
N: Crockett;Merton;Campbell
EMAIL;TYPE=internet: mcc at CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref: +1(805)497-5045
TEL;TYPE=work,fax: +1(805)497-5050
TEL;TYPE=cell,voice,msg: +1(805)377-6762
END: vcard
--
Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Archive http://www.ee.ethz.ch/~slist/mrtg
FAQ http://faq.mrtg.org Homepage http://www.mrtg.org
WebAdmin http://www.ee.ethz.ch/~slist/lsg2.cgi
More information about the mrtg
mailing list