Check_snmp command doesn't work but snmpwalk does

ewb · August 4, 2020, 12:09pm

Hi, I’ new to this so i’m not quite sure how to do that.

I’m using icinga2 and icingaweb2 to monitor remote linux servers. I am using manubulon plugin. I have managed to configure check_snmp for one of my servers. I have configured icinga2 the same way for another server (just changed the community which is not the same) but i can’t make it work.
I have checked that the port 161 was open for my server, it is. I even opened the tcp connexions on this server to be sure. It doesn’t change anything.
The command snmpwalk works on my monitoring server, but on icinga I have the message "No response from host ‘ip’ "

stevie-sy · August 4, 2020, 12:16pm

Hi,

could you show us the command and service definition?
What does the logs says?

ewb · August 4, 2020, 12:33pm

Hi, here is my service definition and my template (don’t know f the last one is useful)

apply Service “snmp-CPU” {
import “snmp-template”
check_command = “snmp-process”
assign where host.vars.snmp_community
}

template Service “snmp-template” {
vars.snmp_community = host.vars.snmp_community
max_check_attempts = 5
check_interval = 1m
retry_interval = 30s
check_command = “hostalive”
}

I’m not sure what to look for in the logs.

stevie-sy · August 4, 2020, 12:41pm

Why is the check_command “hostalive” and not “check_snmp”?

In the logs you can look for diffrent things:

is the firewall blocking?
is SELinux/Appamor blocking?
is icinga missing parameter for calling the binary
or other “strange” messages

ewb · August 4, 2020, 12:57pm

The check_command “hostalive” is from the generic-template that, I thnik, has to be imported for every service. The actual command that is important is the snmp-process. I don’t think there is a pobleme with the hostalive command because I have an another server for which it is working.

Regarding logs, I don’t see anything strange.

stevie-sy · August 4, 2020, 1:03pm

My mistake I didn’t read the line “check_command = “snmp-process””.

What happens if you run the check_snmp command manually on the bash (with the root and the icinga user)?

ewb · August 4, 2020, 1:16pm

When running the check_snmp command manually I have “CRITICAL - Plugin timed out while executing system call”. I have the same message on icingaweb2.

stevie-sy · August 4, 2020, 1:36pm

did you try e.g. net-snmp on your server? Does the snmpwalk work with them? If not, something is blocking the requests e.g. the local firewall, firewall in the middle, the other device.

ewb · August 4, 2020, 1:40pm

The snmpwalk and snmpget commands work perfectly. I don’t understand what difference there is between the snmpwalk command and the check command don manually, froms what I understood that’s where the issue is.

stevie-sy · August 4, 2020, 1:46pm

Our experience is very often troubles with SELinux.

ewb · August 4, 2020, 1:48pm

Could that explain the fact that the same configuration is working for a server but not for another one ?

stevie-sy · August 4, 2020, 1:52pm

Yes, if enabled, the OS is blocking process, activity until is allowd.
If you are using SELinux (like on CentOS) you will find this in the logs. That’s why I asked if something is written in the logs.
So what logs you’ve checked before, when I asked this?

ewb · August 4, 2020, 1:56pm

The problem is if I am using SELinux on the monitoring server or is it if I am using it on the server I want to monitor ?

I have checked icinga2.log

stevie-sy · August 4, 2020, 2:09pm

the server which is calling the check command.

SELinux is part of the OS. So you don’t will see this in icinga2.log. On CentOS the logfile for SELinux /var/log/audit/audit.log. If you are using Ubuntu there is AppArmor installed. I don’t know where you have to look there. I have no knowledge about Ubuntu.

But I’m sure something is blocking the check command. Specially if you can do a snmpwalk with the commands from net-snmp.

ewb · August 4, 2020, 2:27pm

I am going to check that. Im using Debian.

ewb · August 5, 2020, 7:55am

In fact, SELinux is disabled on my server

stevie-sy · August 5, 2020, 8:28am

Ok, than I have no idea what also could block the snmp requests under Debian. i hope other people from the community have also some ideas for you

sebbbastien · February 9, 2022, 10:30am

Hi,

I had the same problem, checks were KO with response “CRITICAL - Plugin timed out while executing system call”.

Running the whole command from bash gave the same message, and tcpdump don’t display any packet from icinga to the target.
snmpwalk works fine.

I solve my problem using numeric OID instead of “ascii”.

'/usr/lib/nagios/plugins/check_snmp' '-A' 'xxxxxxxxxxxx' '-H' 'X.X.X.X' '-L' 'authPriv' '-P' '3' '-U' 'xxxxx' '-X' 'xxxxxxxxxxxx' '-a' 'SHA' '-o' 'STONESOFT-NETNODE-MIB::nodeOperState.0' '-s' 'online(1)' '-t' '10' '-x' 'AES'
CRITICAL - Plugin timed out while executing system call


'/usr/lib/nagios/plugins/check_snmp' '-A' 'xxxxxxxxxxxx' '-H' 'X.X.X.X' '-L' 'authPriv' '-P' '3' '-U' 'xxxxx' '-X' 'xxxxxxxxxxxx' '-a' 'SHA' '-o' '.1.3.6.1.4.1.1369.5.2.1.1.0' '-s' '1' '-t' '10' '-x' 'AES'
SNMP OK - 1 | iso.3.6.1.4.1.1369.6.1.1.3.0=1

Hope it will help,

BR