Check_snmp command doesn't work but snmpwalk does

Hi, I’m new to this so I’m not quite sure how to do that.

I’m using icinga2 and icingaweb2 to monitor remote Linux servers. I am using the manubulon plugin. I have managed to configure check_snmp for one of my servers. I have configured icinga2 the same way for another server (just changed the community, which is not the same) but I can’t make it work.
I have checked that port 161 was open for my server, it is. I even opened the TCP connections on this server to be sure. It doesn’t change anything.
The command snmpwalk works on my monitoring server, but on icinga I have the message "No response from host ‘ip’ "

Hi,

Could you show us the command and service definition?
What do the logs say?

Hi, here is my service definition and my template (don’t know if the last one is useful)

apply Service "snmp-CPU" {
  import "snmp-template"
  check_command = "snmp-process"
  assign where host.vars.snmp_community
}

template Service "snmp-template" {
  vars.snmp_community = host.vars.snmp_community
  max_check_attempts = 5
  check_interval = 1m
  retry_interval = 30s
  check_command = "hostalive"
}

I’m not sure what to look for in the logs.

Why is the check_command “hostalive” and not “check_snmp”?

In the logs you can look for different things:

  • is the firewall blocking?
  • is SELinux/AppArmor blocking?
  • is Icinga missing a parameter for calling the binary?
  • or other “strange” messages

The check_command “hostalive” is from the generic-template that, I think, has to be imported for every service. The actual command that is important is the snmp-process. I don’t think there is a problem with the hostalive command because I have another server for which it is working.

Regarding logs, I don’t see anything strange.

My mistake I didn’t read the line “check_command = “snmp-process””.

What happens if you run the check_snmp command manually on the bash (with the root and the icinga user)?

When running the check_snmp command manually I have “CRITICAL - Plugin timed out while executing system call”. I have the same message on icingaweb2.

Did you try e.g. net-snmp on your server? Does the snmpwalk work with them? If not, something is blocking the requests e.g. the local firewall, firewall in the middle, the other device.

The snmpwalk and snmpget commands work perfectly. I don’t understand what difference there is between the snmpwalk command and the check command done manually; from what I understood that’s where the issue is.

Our experience is very often troubles with SELinux.

Could that explain the fact that the same configuration is working for one server but not for another one?

Yes, if enabled, the OS is blocking processes and activity until it is allowed.
If you are using SELinux (like on CentOS) you will find this in the logs. That’s why I asked if something is written in the logs.
So which logs did you check before, when I asked this?

Is the problem if I am using SELinux on the monitoring server, or if I am using it on the server I want to monitor?

I have checked icinga2.log

The server which is calling the check command.

SELinux is part of the OS. So you won’t see this in icinga2.log. On CentOS the logfile for SELinux is /var/log/audit/audit.log. If you are using Ubuntu there is AppArmor installed. I don’t know where you have to look there. I have no knowledge about Ubuntu.

But I’m sure something is blocking the check command. Especially if you can do a snmpwalk with the commands from net-snmp.
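
What looking for SELinux denials in /var/log/audit/audit.log can look like, as an added example that is not part of any post in this thread: the function counts AVC denials for processes whose name starts with a given prefix. The function names, the sample log lines and the process name check_snmp_proc in them are constructed for illustration.

```shell
#!/bin/sh
# Added example: count SELinux AVC denials per process name, permission and
# object class, for processes whose name (comm) starts with a given prefix.

# Constructed audit.log lines (pids, inodes and contexts are made up).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2101 comm="check_snmp_proc" name="snmp.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=no exit=-13 comm="check_snmp_proc" exe="/usr/bin/perl"
type=AVC msg=audit(1700000060.207:512): avc:  denied  { read } for  pid=2188 comm="check_snmp_proc" name="snmp.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000060.311:513): avc:  denied  { create } for  pid=2188 comm="check_snmp_proc" scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:system_r:nagios_services_plugin_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1700000075.009:520): avc:  denied  { getattr } for  pid=900 comm="sshd" name="motd" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
EOF
}

# $1 = audit log path, $2 = prefix of the process name to look for.
# Prints one line per distinct denial: "<count> <comm> <permission> <tclass>".
avc_denials_for() {
    awk -v want="$2" '
        /^type=AVC / && / denied / {
            comm = ""; perm = ""; tclass = ""
            if (match($0, /comm="[^"]*"/))  comm = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            if (match($0, /tclass=[^ ]+/))  tclass = substr($0, RSTART + 7, RLENGTH - 7)
            # Keep only denials whose process name starts with the prefix.
            if (index(comm, want) == 1) seen[comm " " perm " " tclass]++
        }
        END { for (k in seen) print seen[k], k }
    ' "$1" | sort
}

# Demo on the constructed sample; on a real host pass /var/log/audit/audit.log.
demo_log="${TMPDIR:-/tmp}/audit.sample.$$"
sample_audit_log > "$demo_log"
avc_denials_for "$demo_log" check_snmp
rm -f "$demo_log"
```

An empty result for the plugin's process name means the audit log records no denial for it, so the cause has to be looked for elsewhere.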

I am going to check that. I’m using Debian.

In fact, SELinux is disabled on my server

OK, then I have no idea what else could block the SNMP requests under Debian. I hope other people from the community also have some ideas for you.