SNMP is not working on UTM 9

We utilize a Cacti server for network bandwidth monitoring and packet loss so we can have historical information for our clients. It's hella good when dealing with ISPs and packet loss. :)

We come from a Mikrotik world but one of our clients uses an SG135 box. We want to set up the same SNMP monitoring but I for the life of me cannot get it to work. I have enabled the SNMP Query under Management > SNMP. I have tried both v2c and v3, set my allowed networks, and so on. From the Cacti side, all I get is "SNMP error". I have done a tcpdump on the Sophos box and do not see anything coming from my public IP on 161 or anything for that matter. I have gone as far as creating a firewall entry that has source as cacti, service SNMP, and the destination: External (WAN).

I also see that nmap shows 161 as "filtered" from my office as well as from the cacti server.

Has anyone heard of or seen this before and can help me out? 



  • I have tried to add the External WAN to the allowed networks field with no result or change in behavior. The current allowed network I have listed in the allowed networks is the public IP address of our network monitor. 

    The hosts/networks in the previous screenshots were for testing. Ideally, we will only have the one labeled Skyhawk Netman as an allowed network.

    To define what each is:

    Skyhawk Netman - External to network, bandwidth monitoring server

    Skyhawk - Dude - External to network, PING monitor (Used for up/down alerts for non-Mikrotik devices.)

    Skyhawk Office - External to network, ONLY for testing from my physical location.

    FPCBR01 - Internal to network, internal server. Used to do some testing for our RMM tool. 

     

    To address the lack of VPN concern:

    Our thought process on why an IPSEC tunnel is not necessary at this time is that we are trying to only allow the IP from our network monitor, also using a non-typical community string, and we are not interested in writing to the box, just querying interface statistics. It would be a completely different story if any one of those three reasons changes. As our needs evolve (or if it is required to expose the box to more than just our monitoring IP) we will certainly look at something.

  • I'm having to work too hard to review the entire thread, Joshua.  Please copy snips of your 'Query' and 'Traps' tabs into a single post (not Imgur) and tell us from which Network/Host you're querying.  Rather than trying to give us the whole picture, let's just focus on one proof point.

    Also, it doesn't make sense that you can see the packets leaving your querying device but not arriving at the UTM.  Are you sure you were listening on the correct NIC?  Is there anything in between the two devices that might block your traffic?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hallo and welcome to the UTM Community!

    Your firewall rules are probably the problem.  Are you seeing related blocks in the firewall log?

    Where is "OW6 - Infrastructure" - out on the Internet or in a LAN?

    Cheers - Bob

     
  • BAlfson said:

    Your firewall rules are probably the problem.  Are you seeing related blocks in the firewall log? 

    nope :(

     

    BAlfson said:

    Where is "OW6 - Infrastructure" - out on the Internet or in a LAN?

    It's LAN, but coming from (as WAN defined) interface

  • Please show a picture of the Edit of the "OW6 - Infrastructure" object.

    Cheers - Bob

     
  • Hi Joshua,

    I had Cacti with a few Sophos SG Boxes running.

    On the SG you only need to set up Management -> SNMP (try first with SNMP v2c) with the IP of the Cacti host covered by an entry in "Allowed Networks". There is no need for any additional firewall rules.

    In Cacti add the device with the host template "ucd/net SNMP Host" (Version 2, Port 161).

    If you don't see anything coming from your public IP when sniffing with tcpdump on the Sophos box, then there must be a problem somewhere between your Cacti box and the SG. Hint: some providers filter SNMP (UDP/161) in their customers' networks.

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • BAlfson said:

    Please show a picture of the Edit of the "OW6 - Infrastructure" object.

    Cheers - Bob

    Will do asap. But think it's a firewall issue, 'cause it worked without (license was running out so the machine was reachable via external - everything works fine). After uploading the new licence snmp stopped working (even with firewall rulez) and admin is only reachable via vpn ;)

  • Finally found the issue. There was a Site-to-Site VPN configured wrongly on the remote site which creates a back route for the server network through the VPN. The response packages never find their way ;)
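
The root cause in the last post, a tunnel network that captures the reply to a query that arrived on the WAN interface, can be checked with a return-path lookup. This is an added example, not part of the original thread: the routing table, interface names and addresses are constructed (documentation ranges), and the tunnel's remote network is modelled as an ordinary route for simplicity.

```python
import ipaddress

# Constructed routing view of the firewall: (destination, egress interface).
# Addresses are documentation ranges, not values from the thread.
ROUTES = [
    ("0.0.0.0/0", "eth1-WAN"),
    ("192.168.10.0/24", "eth0-LAN"),
    ("198.51.100.0/24", "ipsec-site2site"),  # misconfigured remote network
]


def egress_for(dst, routes):
    """Return (prefix, interface) chosen by longest-prefix match for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1]


def check_return_path(poller_ip, arrival_iface, routes):
    """Compare the interface a query arrived on with the reply's egress."""
    prefix, iface = egress_for(poller_ip, routes)
    return {
        "poller": poller_ip,
        "arrives_on": arrival_iface,
        "reply_leaves_on": iface,
        "matched_route": prefix,
        # A reply leaving on another interface never reaches the poller,
        # which then reports a timeout even though the agent answered.
        "asymmetric": iface != arrival_iface,
    }


if __name__ == "__main__":
    # First poller sits inside the tunnel's remote network, second does not.
    for poller in ("198.51.100.25", "203.0.113.7"):
        print(check_return_path(poller, "eth1-WAN", ROUTES))
```

An asymmetric result for the monitoring host's address means the tunnel definition on one side covers the poller's network and should be narrowed.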