SNMP v3 behind firewall not working after upgrade to pfSense+ 23.05.1
-
Hi,
We upgraded several Netgate 6100 devices to 23.05.1 (from 22.05). With 22.05 everything was fine.
We have switches behind these pfSense devices, which are managed via SNMP v3 through an IPsec tunnel. After the upgrade, only SNMP v2 requests get through to our switches. If we try to get the status with SNMP v3, our NAC software throws an exception: "SnmpException: Error while reading [1.3.6.1.2.1.2.2.1.1] from x.x.x.x: request timed out".
It still works behind the other pfSense devices, which are still on 22.05. But it does not work behind 4 different updated devices.
There are no entries in the logs which indicate that SNMP v3 gets blocked by pfSense. We also configured an "IP - any" rule for our NAC software, which is trying to connect to the switches with SNMP v3.

Any ideas why SNMP v3 is no longer passing through the updated pfSense 23.05.1 devices?
-
We have now analyzed the problem with the support of our NAC software. It has nothing to do with v2 or v3.
The problem is that with pfSense+ 23.05.1 all SNMP requests get delayed by a factor of 3-4. With pfSense+ 22.05, it takes between 2 and 3 seconds to get the status of all interfaces from a switch.
With pfSense+ 23.05.1, it takes between 9 and 11 seconds to get the status of all interfaces from a switch.
They say that there is probably some kind of "internal QoS" delaying SNMP requests in the new firmware, or that SNMP has a very low priority in some system service.
Is that the case? Or why do the SNMP responses get such a high delay?

The base configuration of our NAC software is 32 OIDs per request, with 30 values per response packet in the answer and a timeout of 2 seconds per answer. This worked without problems under 22.05.
We were able to work around it in our NAC software. We had to set it to 1 OID, with 8 values per packet and a timeout of 10 seconds. SNMP is working again with this config, but as I said above, with a delay factor of 3-4 compared to pfSense 22.05.
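A small probe that reproduces the two NAC settings described above (30 values per response with a 2 s timeout, versus 8 values with 10 s) and measures per-request round-trip time and response size through the tunnel, so the delay can be tied to a specific setting rather than to v2/v3. This is an added example, not code from the thread or from pfSense; it builds an SNMPv2c GetBulkRequest by hand (v2c is used because the poster confirmed the version is not the cause, and it keeps the encoder short), and the host, community string and request-id are placeholders you must replace.

```python
import socket
import time

# OID quoted in the thread's error message (ifIndex); host and community below are placeholders.
IF_INDEX_OID = "1.3.6.1.2.1.2.2.1.1"

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER (non-negative values only)."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128 with continuation bits."""
    ids = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * ids[0] + ids[1]])
    for sub in ids[2:]:
        chunks = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunks.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out += bytes(reversed(chunks))
    return tlv(0x06, bytes(out))

def build_getbulk(community: str, req_id: int, non_rep: int, max_rep: int, oid: str) -> bytes:
    """SNMPv2c message carrying a GetBulkRequest (tag 0xA5) for max_rep rows starting at oid."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")  # { OID, NULL }
    pdu = tlv(0xA5, ber_int(req_id) + ber_int(non_rep) + ber_int(max_rep) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)  # version 1 == v2c

def probe(host: str, community: str, max_rep: int, timeout: float, port: int = 161):
    """Send one GetBulk; return (rtt_seconds, response_length) or None if it timed out."""
    pkt = build_getbulk(community, 0x1234, 0, max_rep, IF_INDEX_OID)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.monotonic()
        s.sendto(pkt, (host, port))
        try:
            resp, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return time.monotonic() - t0, len(resp)

if __name__ == "__main__":
    # Original NAC setting (30 values / 2 s) next to the workaround (8 values / 10 s).
    for max_rep, timeout in ((30, 2.0), (8, 10.0)):
        print(max_rep, probe("192.0.2.10", "public", max_rep, timeout))
```

Run it from the NAC host once against a switch behind a 22.05 device and once behind a 23.05.1 device; a timeout or a much larger RTT only at max_rep=30 points at the response size, while equal slowdowns at both settings point at per-packet latency on the path.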