8 Replies Latest reply on Dec 5, 2018 7:38 AM by Ana Lorite

    Fortigate 200E No Access

    Ana Lorite

      Hi all,

       

      My issue concerns a Fortinet device: Fortigate 200E. Discovery cannot infer the device due to an error in the getMacAddress method. The thing is, we have a similar device (same vendor and OS) that is correctly discovered by Discovery.

       

      Logs from the ok one:

       

      getTable 1.3.6.1.2.1.2.2.1, columns .1, .2, .3, .5, .6, .8, .22

      getTable: Using GETBULK, size 10

      GETBULK WALK via SNMP++: OIDs = 1.3.6.1.2.1.2.2.1.1, 1.3.6.1.2.1.2.2.1.2, 1.3.6.1.2.1.2.2.1.3, 1.3.6.1.2.1.2.2.1.5, 1.3.6.1.2.1.2.2.1.6, 1.3.6.1.2.1.2.2.1.8, 1.3.6.1.2.1.2.2.1.22

      Write record data to /usr/tideway/var/record/10/142/5/100/SNMP-column-1.3.6.1.2.1.2.2.1.1

      Write record data to /usr/tideway/var/record/10/142/5/100/SNMP-column-1.3.6.1.2.1.2.2.1.2

      Write record data to /usr/tideway/var/record/10/142/5/100/SNMP-column-1.3.6.1.2.1.2.2.1.3

      Write record data to /usr/tideway/var/record/10/142/5/100/SNMP-column-1.3.6.1.2.1.2.2.1.5

      Write record data to /usr/tideway/var/record/10/142/5/100/SNMP-column-1.3.6.1.2.1.2.2.1.6

      Write record data to /usr/tideway/var/record/10/142/5/100/SNMP-column-1.3.6.1.2.1.2.2.1.8

      Write record data to /usr/tideway/var/record/10/142/5/100/SNMP-column-1.3.6.1.2.1.2.2.1.22

      Write record data to /usr/tideway/var/record/10/142/5/100/SNMP-index-1.3.6.1.2.1.2.2.1

      10.142.5.100: getTable: got 36 rows
      10.142.5.100: getMACAddresses(): got 36 rows for IF-MIB::ifEntry
      10.142.5.100: getMACAddresses(): process data
      10.142.5.100: getMACAddresses(): Got 27 addresses

      finished NetworkDevice_i::getMACAddresses() for 10.142.5.100

       

       

      Logs from the failing one. I tried with GETBULK both enabled and disabled.

       

      getTable 1.3.6.1.2.1.2.2.1, columns .1, .2, .3, .5, .6, .8, .22

      getTable: Using GETBULK, size 10

      GETBULK WALK via SNMP++: OIDs = 1.3.6.1.2.1.2.2.1.1, 1.3.6.1.2.1.2.2.1.2, 1.3.6.1.2.1.2.2.1.3, 1.3.6.1.2.1.2.2.1.5, 1.3.6.1.2.1.2.2.1.6, 1.3.6.1.2.1.2.2.1.8, 1.3.6.1.2.1.2.2.1.22

      getMACAddresses(): IF-MIB::ifEntry

      Traceback (most recent call last):

        File "/var/tmp/tw-build-27812/tmp/tideway-devices-buildroot/usr/tideway/python/discovery/devices/engine.py", line 706, in _queryTables

        File "/var/tmp/tw-build-27812/tmp/tideway-devices-buildroot/usr/tideway/python/discovery/devices/engine.py", line 391, in execute

        File "./peer.py", line 723, in getTable

        File "./peer.py", line 352, in GETBULK_WALK

      SNMPException: Loop detected: current OID is 1.3.6.1.2.1.2.2.1.1.16, previous OID was 1.3.6.1.2.1.2.2.1.1.16, ILD OID is 1.3.6.1.2.1.2.2.1.1.16

      discovery.devices.engine: DEBUG: 10.118.5.100: getMACAddresses(): queries failed: Loop detected: current OID is 1.3.6.1.2.1.2.2.1.1.16, previous OID was 1.3.6.1.2.1.2.2.1.1.16, ILD OID is 1.3.6.1.2.1.2.2.1.1.16
      discovery.device: DEBUG: NetworkDevice_i::getMACAddresses() for 10.118.5.100 - Expected exception raised (this is for tracing purposes only)

      Traceback (most recent call last):

        File "./device.py", line 145, in callProxy

        File "/var/tmp/tw-build-27812/tmp/tideway-devices-buildroot/usr/tideway/python/discovery/devices/network.py", line 940, in getMACAddresses

        File "/var/tmp/tw-build-27812/tmp/tideway-devices-buildroot/usr/tideway/python/discovery/devices/network.py", line 289, in executeMethod

        File "/var/tmp/tw-build-27812/tmp/tideway-devices-buildroot/usr/tideway/python/discovery/devices/engine.py", line 562, in execute

      NoAccessMethod: DiscoveryCORBA.NoAccessMethod(meta=DiscoveryCORBA.MetaData(data=[ModelCORBA.KeyValuePair(key='method_failure_list', value=CORBA.Any(orb.create_sequence_tc(bound=0, element_type=orb.create_sequence_tc(bound=0, element_type=CORBA.TC_any)), [[CORBA.Any(CORBA.TC_string, 'getMACAddresses'), CORBA.Any(CORBA.TC_string, 'Loop detected: current OID is 1.3.6.1.2.1.2.2.1.1.16, previous OID was 1.3.6.1.2.1.2.2.1.1.16, ILD OID is 1.3.6.1.2.1.2.2.1.1.16'), CORBA.Any(CORBA.TC_string, 'SNMP v2c'), CORBA.Any(CORBA.TC_null, None), CORBA.Any(CORBA.TC_null, None), CORBA.Any(CORBA.TC_null, None)]])), ModelCORBA.KeyValuePair(key='access_results', value=CORBA.Any(orb.create_sequence_tc(bound=0, element_type=CORBA.TC_any), [])), ModelCORBA.KeyValuePair(key='processing_messages', value=CORBA.Any(orb.create_sequence_tc(bound=0, element_type=CORBA.TC_any), [])), ModelCORBA.KeyValuePair(key='cmd_status', value=CORBA.Any(orb.create_sequence_tc(bound=0, element_type=CORBA.TC_any), []))]))

      discovery.device: INFO: finished NetworkDevice_i::getMACAddresses() for 10.118.5.100

       

      I don't know why the method is trying to get the OID 1.3.6.1.2.1.2.2.1.1.16. What does "Loop detected: current OID is 1.3.6.1.2.1.2.2.1.1.16, previous OID was 1.3.6.1.2.1.2.2.1.1.16, ILD OID is 1.3.6.1.2.1.2.2.1.1.16" mean?

       

      I was checking the post "getmacaddresses script failure on ADDM 11.1 for Fortigate 1500D", but it isn't the same error: the SNMP agent has a MAC address configured.

       

      Thanks in advance.

       

      Ana.

        • 1. Re: Fortigate 200E No Access
          Brian Morris

          You could disable GETBULK in your SNMP credential and try the discovery again. Some devices don't support it or just return odd results which cause issues sometimes.

          1 of 1 people found this helpful
          • 2. Re: Fortigate 200E No Access
            Ana Lorite

            Hi Brian,

             

            First of all, thanks for your answer.

             

            As I commented in my original post, I tried both, with GETBULK disabled and with GETBULK enabled, with the same result:

             

             

            getTable: Using GETNEXT
            GETNEXT WALK via SNMP++: OIDs = 1.3.6.1.2.1.2.2.1.1, 1.3.6.1.2.1.2.2.1.2, 1.3.6.1.2.1.2.2.1.3, 1.3.6.1.2.1.2.2.1.5, 1.3.6.1.2.1.2.2.1.6, 1.3.6.1.2.1.2.2.1.8, 1.3.6.1.2.1.2.2.1.22
            getMACAddresses(): IF-MIB::ifEntry
            Traceback (most recent call last):
              File "/var/tmp/tw-build-27812/tmp/tideway-devices-buildroot/usr/tideway/python/discovery/devices/engine.py", line 706, in _queryTables
              File "/var/tmp/tw-build-27812/tmp/tideway-devices-buildroot/usr/tideway/python/discovery/devices/engine.py", line 391, in execute
              File "./peer.py", line 714, in getTable
              File "./peer.py", line 331, in GETNEXT_WALK
            SNMPException: Loop detected: current OID is 1.3.6.1.2.1.2.2.1.1.16, previous OID was 1.3.6.1.2.1.2.2.1.1.16, ILD OID is 1.3.6.1.2.1.2.2.1.1.16
            getMACAddresses(): queries failed: Loop detected: current OID is 1.3.6.1.2.1.2.2.1.1.16, previous OID was 1.3.6.1.2.1.2.2.1.1.16, ILD OID is 1.3.6.1.2.1.2.2.1.1.16
            NetworkDevice_i::getMACAddresses() for 10.118.5.100 - Expected exception raised (this is for tracing purposes only)
            Traceback (most recent call last):
              File "./device.py", line 145, in callProxy
              File "/var/tmp/tw-build-27812/tmp/tideway-devices-buildroot/usr/tideway/python/discovery/devices/network.py", line 940, in getMACAddresses
              File "/var/tmp/tw-build-27812/tmp/tideway-devices-buildroot/usr/tideway/python/discovery/devices/network.py", line 289, in executeMethod
              File "/var/tmp/tw-build-27812/tmp/tideway-devices-buildroot/usr/tideway/python/discovery/devices/engine.py", line 562, in execute
            NoAccessMethod: DiscoveryCORBA.NoAccessMethod(meta=DiscoveryCORBA.MetaData(data=[ModelCORBA.KeyValuePair(key='method_failure_list', value=CORBA.Any(orb.create_sequence_tc(bound=0, element_type=orb.create_sequence_tc(bound=0, element_type=CORBA.TC_any)), [[CORBA.Any(CORBA.TC_string, 'getMACAddresses'), CORBA.Any(CORBA.TC_string, 'Loop detected: current OID is 1.3.6.1.2.1.2.2.1.1.16, previous OID was 1.3.6.1.2.1.2.2.1.1.16, ILD OID is 1.3.6.1.2.1.2.2.1.1.16'), CORBA.Any(CORBA.TC_string, 'SNMP v2c'), CORBA.Any(CORBA.TC_null, None), CORBA.Any(CORBA.TC_null, None), CORBA.Any(CORBA.TC_null, None)]])), ModelCORBA.KeyValuePair(key='access_results', value=CORBA.Any(orb.create_sequence_tc(bound=0, element_type=CORBA.TC_any), [])), ModelCORBA.KeyValuePair(key='processing_messages', value=CORBA.Any(orb.create_sequence_tc(bound=0, element_type=CORBA.TC_any), [])), ModelCORBA.KeyValuePair(key='cmd_status', value=CORBA.Any(orb.create_sequence_tc(bound=0, element_type=CORBA.TC_any), []))]))
            finished NetworkDevice_i::getMACAddresses() for
            • 3. Re: Fortigate 200E No Access
              Brian Morris

              Yes, you're correct, sorry I missed that and was focusing on the highlighted errors, which were showing GETBULK. Can you do a successful device capture against the one that's giving you an error?  What version of Discovery do you have and what TKU release are you using?

               

              This could just be an odd thing with that particular device or the SNMP agent on it, it may be worth sending in the device capture to BMC Support and see what they can do with it.  I don't see the supported SysObjectID in your logs that we have defined on the configipedia for your FortiGate 200E device: https://docs.bmc.com/docs/display/Configipedia/Supported+SNMP+Devices#SupportedSNMPDevices-Fortinet(132)

               

              Does the good one show 1.3.6.1.4.1.12356.101.1.2009?

               

              I assume that you are using a supported version of SNMP, and that your user (or community string) is configured properly on the device.  It might also be worth seeing if there are any patches or firmware for the device available from the vendor that might address this issue.

              2 of 2 people found this helpful
              • 4. Re: Fortigate 200E No Access
                Ana Lorite

                Hi again, Brian

                 

                Thanks for your help.

                 

                As you suggested:

                • Successful Device Capture:

                Port Scan information captured

                Failed to read Telnet banner

                HTTP Server header: xxxxxxxx-xxxxx

                HTTPS Server header from port 443: xxxxxxxx-xxxxx

                Failed to read HTTPS HEAD from port 445

                Failed to read FTP banner

                OS Scan information captured

                sysDescr: CBCN08FCOHA

                sysObjectID: 1.3.6.1.4.1.12356.101.1.2009

                Using MIB Profile: Generic

                Dumping range: Start of MIB to End of MIB

                Dumped 93229 OIDs

                Dumped 93229 OIDs in total

                Capture complete

                • Unsuccessful Device Capture:

                Port Scan information captured

                Failed to read Telnet banner

                HTTP Server header: xxxxxxxx-xxxxx

                HTTPS Server header from port 443: xxxxxxxx-xxxxx

                Failed to read HTTPS HEAD from port 445

                Failed to read FTP banner

                OS Scan information captured

                sysDescr: CALC01FCOHA

                sysObjectID: 1.3.6.1.4.1.12356.101.1.2009

                Using MIB Profile: Generic

                Dumping range: Start of MIB to End of MIB

                ERROR: Loop detected: current OID is 1.3.6.1.2.1.2.2.1.1.16, previous OID was 1.3.6.1.2.1.2.2.1.1.16, ILD OID is 1.3.6.1.2.1.2.2.1.1.16

                • 5. Re: Fortigate 200E No Access
                  Ana Lorite

                  To complete the information:

                   

                  • Successful Device Capture:

                  <?xml version="1.0"?>

                  <capture>

                      <uuid>aa941d36da06bdaff4160a6c08140b19</uuid>

                      <state>SUCCEEDED</state>

                      <user>system</user>

                      <manufacturer>Fortinet</manufacturer>

                      <model>FortiGate 200E</model>

                      <description></description>

                      <endpoint>10.142.5.100</endpoint>

                      <sysDescr>CBCN08FCOHA</sysDescr>

                      <sysObjectID>1.3.6.1.4.1.12356.101.1.2009</sysObjectID>

                      <snmp_credential>4f9e47352386fd0cc5240a6c08142c7c</snmp_credential>

                      <oidcount>93229</oidcount>

                      <num_files>1</num_files>

                      <total_duration>338</total_duration>

                      <snmp_duration>314</snmp_duration>

                      <created>1543937122.946049</created>

                      <last_captured>1543937461.897646</last_captured>

                  </capture>

                   

                  • Unsuccessful Device Capture:

                  <?xml version="1.0"?>

                  <capture>

                      <uuid>aa941d36da0519f670640a6c08140b19</uuid>

                      <state>FAILED</state>

                      <user>system</user>

                      <manufacturer>Fortinet</manufacturer>

                      <model>FortiGate 200E</model>

                      <description></description>

                      <endpoint>10.118.5.100</endpoint>

                      <sysDescr>CALC01FCOHA</sysDescr>

                      <sysObjectID>1.3.6.1.4.1.12356.101.1.2009</sysObjectID>

                      <snmp_credential>92cc0936d9d4ef0c8f4e0a6c08140aef</snmp_credential>

                      <oidcount>0</oidcount>

                      <num_files>0</num_files>

                      <total_duration>24</total_duration>

                      <snmp_duration>0</snmp_duration>

                      <created>1543936418.765262</created>

                      <last_captured>1543936487.012777</last_captured>

                  </capture>

                  • 6. Re: Fortigate 200E No Access
                    Brian Morris

                    Thanks for the additional information Ana Lorite! I don't think there's much else you can do on the Discovery side at this point. It looks to me like the sysobjID is correct, but there's some problem with the MIB or SNMP agent on that device. A reboot of the SNMP agent might help, but seems unlikely. I also couldn't find the MIB for that specific device on OIDView or MIB Depot, but I'm not sure that would have made a difference as the ID it's complaining about doesn't appear to be vendor specific.

                     

                    So I can only think of two things maybe to try still, one is to maybe extend the SNMP timeout a bit and see if that helps, and two would be to see if there's an update for that SNMP device from the manufacturer and apply it, then retest.

                    3 of 3 people found this helpful
                    • 7. Re: Fortigate 200E No Access
                      Andrew Waters

                      This is nothing to do with the sysObjectId.

                       

                      For some reason when Discovery asks for the next OID after 1.3.6.1.2.1.2.2.1.1.16 the agent on the device returns the exact same OID. To prevent going into a loop which never ends Discovery recognises this and fails the request.

                       

                      Possibly there is something wrong with the data on the device. As you mention it may be sufficient to restart the agent / reboot the device.

                      1 of 1 people found this helpful
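
The check described in the reply above, as an added example that is not part of the thread and is not BMC Discovery's own code: a GETNEXT walk that fails as soon as the agent returns an OID that is not strictly greater than the one requested. `SimulatedAgent`, `walk`, `diagnose` and the sample rows are constructed for illustration.

```python
# Added example: SNMP GETNEXT walk with loop detection against a simulated agent.
# SimulatedAgent, walk(), diagnose() and the sample rows are hypothetical/constructed.

def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))

def fmt(oid):
    return ".".join(str(part) for part in oid)

class LoopDetected(Exception):
    pass

class SimulatedAgent:
    def __init__(self, rows, stuck_at=None):
        self.values = {parse_oid(o): v for o, v in rows.items()}
        self.oids = sorted(self.values)  # tuple order == OID lexicographic order
        self.stuck_at = parse_oid(stuck_at) if stuck_at else None

    def get_next(self, oid):
        if oid == self.stuck_at:
            return oid, self.values[oid]  # faulty: "successor" equals the request
        for candidate in self.oids:
            if candidate > oid:
                return candidate, self.values[candidate]
        return None  # end of MIB

def walk(agent, root):
    root = parse_oid(root)
    current, rows = root, []
    while True:
        reply = agent.get_next(current)
        if reply is None or reply[0][:len(root)] != root:
            return rows  # end of MIB, or the walk left the requested column
        nxt, value = reply
        if nxt <= current:  # a conforming agent returns a strictly greater OID
            raise LoopDetected(
                f"current OID is {fmt(nxt)}, previous OID was {fmt(current)}")
        rows.append((fmt(nxt), value))
        current = nxt

def diagnose(agent, root):
    try:
        return f"ok: {len(walk(agent, root))} rows"
    except LoopDetected as exc:
        return f"failed: Loop detected: {exc}"

IF_INDEX = "1.3.6.1.2.1.2.2.1.1"
ROWS = {f"{IF_INDEX}.{i}": i for i in (14, 15, 16, 17, 18)}  # constructed ifIndex rows
ROWS["1.3.6.1.2.1.2.2.1.2.14"] = "port1"                      # constructed ifDescr row
```

Without the `nxt <= current` check, the walk against the faulty agent would request the same OID indefinitely, which is why the failure is the same with GETNEXT and GETBULK.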
                      • 8. Re: Fortigate 200E No Access
                        Ana Lorite

                        Thanks Brian Morris and Andrew Waters for your help! I am very grateful.

                         

                        I will inform my customer and I will let you know!

                         

                        Thanks again.

                         

                        Kind regards from Spain.

                         

                        Ana.