SNMP uses UDP packets. UDP, being connectionless, does not really establish
a session. Therefore, your firewall may not be able to determine where the
session originated. You might try putting a sniffer on the outside of the
firewall and see what is happening there.
> -----Original Message-----
> From: Hal Dorsman [SMTP:DORSMANH@SPH.HBOCVAN.COM]
> Sent: Monday, June 01, 1998 12:17 PM
> To: NV-L@UCSBVM.ucsb.edu
> Subject: Re: 3Com router seen as isComputer on ext. frame relay network -Reply
>
> Thanks for the response, but I don't think that is a problem. I am using
> Checkpoint FW-1 and it is a session based system, which logs sessions
> from the source node. In other words, it will log an SNMP query coming
> from my internal Netview station because that is the source of the
> session, but not the response. Inversely, if someone tries to telnet into
> my internal database servers, it logs that because its source is external.
> The firewall does not log responses from the Cisco either, but it works
> just fine.
>
> Again, thank you for the suggestion, but I am afraid I am still missing
> something. I do agree, that logically everything points to the firewall, that
> seems like the only logical variable, but everything seems to be behaving
> correctly there, and I have not done anything differently with the Cisco.
> Additionally, if the firewall were rejecting anything from the outside, it
> would be logging that. I am not seeing any failure of a connection from
> the failing router in my firewall. Any other suggestions?
>
> Hal
>
> >>> Edward Ricci <edward_ricci@INS.COM> 06/01/98 10:38am >>>
> Hal,
> You said you can see the SNMP request going out and being accepted. You do
> not mention anything about seeing them coming back. I believe everything
> is pointing at the firewall. It sounds like it is letting the SNMP out but
> stopping the replies.
>
> At 08:38 AM 6/1/98 -0600, you wrote:
> >Greetings,
> >
> >I have a very strange one that has me stumped. Perhaps someone can
> >point out what I am missing.
> >
> >I have Netview V4R1 and Transcend 4.2 running on AIX 4.2.1. I have
> >recently added a 3Com 112 Netbuilder Officeconnect to an external
> >frame relay network. When I put the router on my internal network for
> >initial setup/configuration, Netview saw it just fine, it came up as
> >isIPRouter, and all the device information came up correctly. So far so
> >good. Then I shut it down. Went out to my remote site, renumbered it for
> >my external networks, got IP working without any problems. Came back
> >to the office, deleted the old node with the internal IP number, and pinged
> >the remote router. It immediately came up in the frame network submap,
> >but with isIPRouter set to false. Nothing I can do will get it to be seen as
> >a router. Routing is fine, I can ping and traceroute to it, and from it back,
> >even through it. I have a firewall in between, but permissions are fine, I
> >can see SNMP requests going out and being accepted. I set up the
> >remote router with the proper community name and SNMP host info. I
> >even stopped and restarted Netview, did ovtopofix. An snmpwalk
> >times out, as does the SNMP request in demand poll. It is not a
> >performance issue, because nothing else is running on the frame circuit,
> >and I have done snmpwalk with increased retries and timeout
> >parameters with no change. I also know that this is not timing because a
> >vendor has a Cisco router on another PVC on the same frame network
> >that Netview saw automatically without doing anything special, either in
> >the Cisco or in Netview. I ran into this once before with a low end
> >Livingston on another frame circuit on the same network and I thought it
> >was the Livingston, never found a fix for it. Now Transcend won't see a
> >3Com router, so I know it is not MIBs/compatibility. So, it is not
> >performance (pings are immediate, the Cisco works on identical circuit),
> >not the firewall (passing SNMP fine), not IP routing (pings, traceroutes
> >normal), not the router setup (Transcend/3Com compatibility and it
> >worked fine when internal). Anybody see what I am missing? Some
> >help here would be greatly appreciated, this one is driving me nuts.
> >
> >Hal Dorsman
> >Network Administrator
> >Saint Patrick Hospital
> >Missoula, Montana, USA
> >
> >