Troubleshooting guide
Chapter 10 Troubleshooting SNMP More Information
Advanced Technical Reference Guide 4.1 • June 2000 116
3. Make sure that the community strings are correctly defined when trying to establish an SNMP connection.
On Unix platforms, the community strings are defined by $FWDIR/conf/snmp.C. Network object
community strings are defined in the Network Objects window.
4. Use snoop to check SNMP connections.
100% CPU usage when trying to poll information from the FireWall-1 snmpd
One of the most common problems with SNMP occurs on Solaris 2.6 when you try to poll information about the
FireWall tree using the snmpwalk command or a network management tool that uses the snmpwalk command.
On the management station you get the error message “snmpwalk: No response arrived before timeout”, and on
the Agent station the FireWall-1 snmpd uses almost 100% of CPU resources.
This problem occurs because of the way SNMPD was run on the machine. On Solaris 2.6 the native SNMPD
must run together with the FireWall-1 snmpd; otherwise any attempt to poll information fails and causes the
system to reach almost 100% CPU load.
The solution is as follows:
1. Kill both the snmp daemons.
2. Run both the native snmpd and the FireWall-1 snmpd together:
(1) Run /usr/lib/snmp/snmpdx
(2) Run /usr/lib/dmi/snmpXdmid -s <hostname> -c /etc/snmp/conf
(3) Run $FWDIR/bin/snmpd
See the SecureKnowledge Solution (ID 10043.0.4616466.2575219) in the Check Point Technical Services site.
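The restart procedure above as a dry-run check, added here as an example and not taken from Check Point: it reads a process listing and prints the kill and start commands without executing anything. Assumptions: a POSIX shell, a listing in "PID COMMAND ARGS" form with daemons started by full path as in step 2, a placeholder FWDIR default, and a constructed sample listing and host name (fw-host).

```shell
#!/bin/sh
# Added example (not Check Point code). Paths and start order come from step 2 above.
# Assumption: placeholder default so the script also runs where FWDIR is unset.
FWDIR="${FWDIR:-/FWDIR-not-set}"

# Constructed sample listing: only the FireWall-1 snmpd is running,
# which is the situation that leads to the 100% CPU symptom.
sample_ps() {
cat <<EOF
  PID COMMAND
  312 /usr/sbin/syslogd
  877 $FWDIR/bin/snmpd
EOF
}

# Usage: <process listing> | restart_plan <hostname>
# Prints nothing when all three daemons already run together; otherwise prints
# the PIDs to kill (step 1) followed by the three start commands (step 2).
restart_plan() {
    host="$1"; pids=""; native=0; dmi=0; fw=0
    while read -r pid cmd _rest; do
        case "$cmd" in
            /usr/lib/snmp/snmpdx)   native=1; pids="$pids $pid" ;;
            # Assumption: snmpXdmid is stopped too, so step 2 does not start a duplicate.
            /usr/lib/dmi/snmpXdmid) dmi=1;    pids="$pids $pid" ;;
            "$FWDIR/bin/snmpd")     fw=1;     pids="$pids $pid" ;;
        esac
    done
    if [ "$native$dmi$fw" = "111" ]; then
        return 0
    fi
    if [ -n "$pids" ]; then
        echo "kill$pids"
    fi
    echo "/usr/lib/snmp/snmpdx"
    echo "/usr/lib/dmi/snmpXdmid -s $host -c /etc/snmp/conf"
    echo "$FWDIR/bin/snmpd"
}

# Stand-alone run against the constructed sample.
sample_ps | restart_plan fw-host
```

Review the printed plan before running any of it by hand on the Agent station.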
Unable to run $FWDIR/bin/snmpd -p 161
Other symptoms are: the -p option in $FWDIR/bin/snmpd -p 161 is not supported, and on HP-UX,
AIX and Windows NT the SNMP daemon binds only to port 260 although port 161 is free.
The cause is that the SNMP mechanism was designed to work on HP, AIX and Windows NT with the local
SNMP as a proxy. It will always leave port 161 free for the local SNMP daemon. Therefore both daemons
should run and queries should be sent to port 260 only.
Upgrade to FireWall-1 4.0 SP6 or FireWall-1 4.1 SP1, which do not include the -p option for snmpd.
See the SecureKnowledge Solution (ID 10022.0.1872144.2482146) in the Check Point Technical Services site.
More Information
For more information on SNMP and FireWall-1, see the chapter on SNMP and Network Management Tools in
• FireWall-1 Architecture and Administration User Guide version 4.0, chapter 9.
• VPN-1/FireWall-1 Administration Guides for version 4.1 and Check Point 2000, chapter 18.