You want your MRTG server to monitor a number of remote devices, such as other servers or routers. How do you test to make sure that SNMP is going to work correctly? Because if SNMP queries fail, so will MRTG.
Test this with snmpwalk just like you did for localhost, substituting the hostname or IP address of the remote host, and using whatever OID you like, or no OID at all:
$ snmpwalk -v 2c -c password uberpc interfaces
What if you get the common and vexing "Timeout: No Response from uberpc" error message? This is the standard response to a lot of errors, such as:
Wrong password (community string).
Firewall is blocking port UDP 631.
tcpwrappers is blocking port UDP 631.
snmpd is listening to a different port.
snmpd is not accepting queries from outside of localhost.
Port UDP 631 needs to be open on all SNMP hosts, and snmpd needs to be listening to 0.0.0.0:161, which you will see by running netstat -untap. On Debian, snmpd is restricted to localhost by default. You will see this with netstat and ps:
$ netstat -untap
udp 0 0 127.0.0.1:161 0.0.0.0:*
$ ps ax|grep snmpd
9630 ? S 0:01 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1
This is controlled in /etc/default/snmpd with this line:
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
Delete 127.0.0.1, restart snmpd, and you'll be fine. We're using snmpd.conf for access controls, so the localhost restriction is unnecessary.
This iptables rule allows traffic going to UDP port 631 to pass:
$ipt -A INPUT -p udp --dport 631 -j ACCEPT
On mailing lists and forums, the most common suggestion for the "Timeout: No Response" error is to check tcpwrappers and make sure it is not blocking SNMP queries. This is rather unhelpful advice because modern Linux distributions don't use tcpwrappers very much. It's still installed on most stock installations, and it's easy enough to check—see if you have /etc/hosts.allow or /etc/hosts.deny, and if they are present, check to see if they are gumming up your SNMP queries. Chances are the files won't even exist on your system.
The most common cause is misconfigured SNMP access controls. See Recipe 14.2 or 14.3 to learn more about SNMP access controls.
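The listen-address check described above can be scripted so it is the first thing ruled out on a host that times out. This is an added example, not part of the original recipe; the function names snmpd_bind_scope and snmpd_hint are hypothetical, the sample line is constructed, and the port defaults to the 161 shown in the netstat output above.

```sh
#!/bin/sh
# Classify how snmpd is bound, reading `netstat -untap` output on stdin.
# Optional argument: UDP port to look for (default 161).
# Prints: loopback-only | all-interfaces | specific:<addr> | not-listening
snmpd_bind_scope() {
    awk -v port="${1:-161}" '
        $1 ~ /^udp/ {
            # Field 4 is the local address; the port follows the last colon.
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            found = 1
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") any = 1
            else if (addr != "127.0.0.1" && addr != "::1") other = addr
        }
        END {
            if (!found)     print "not-listening"
            else if (any)   print "all-interfaces"
            else if (other) print "specific:" other
            else            print "loopback-only"
        }'
}

# Map the result to the next thing to check, following the list of causes above.
snmpd_hint() {
    scope=$(snmpd_bind_scope "$@")
    case "$scope" in
        loopback-only)
            echo "$scope: remove 127.0.0.1 from SNMPDOPTS in /etc/default/snmpd, restart snmpd" ;;
        not-listening)
            echo "$scope: snmpd is not running or is listening on a different port" ;;
        *)
            echo "$scope: check firewall, /etc/hosts.allow and /etc/hosts.deny, then snmpd.conf access controls" ;;
    esac
}

# Constructed sample line matching the Debian default shown above.
sample='udp        0      0 127.0.0.1:161     0.0.0.0:*     9630/snmpd'
printf '%s\n' "$sample" | snmpd_hint
```

On a real host, run it as netstat -untap | snmpd_hint.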