network::stormshield::snmp::plugin --mode=interfaces

[Test2-0]

Hello,

I supervise differents stormshield firewalls but some firewalls do not respond.

They have the same firmware and it's the same model.

`$ /usr/lib/centreon/plugins//centreon_linux_snmp.pl --plugin=os::linux::snmp::plugin --mode=interfaces --hostname=xx.xx.xx.xx --snmp-version='2c' --snmp-port='161' --snmp-community='public' --interface='^((?!lo0).)*$$' --interface --name --add-traffic OK: All interfaces are ok | 'traffic_in_mvxpe0'=2963547.48b/s;;;0;10000000 'traffic_out_mvxpe0'=1404903.25b/s;;;0;10000000 'traffic_in_eth4'=0.00b/s;;;0;20000000 'traffic_out_eth4'=0.00b/s;;;0;20000000 'traffic_in_eth5'=0.00b/s;;;0;20000000 'traffic_out_eth5'=0.00b/s;;;0;20000000 'traffic_in_eth6'=0.00b/s;;;0;20000000 'traffic_out_eth6'=0.00b/s;;;0;20000000 'traffic_in_eth7'=0.00b/s;;;0;20000000 'traffic_out_eth7'=0.00b/s;;;0;20000000 'traffic_in_tun0'=0.00b/s;;;0; 'traffic_out_tun0'=0.00b/s;;;0; 'traffic_in_tun1'=0.00b/s;;;0; 'traffic_out_tun1'=0.00b/s;;;0; 'traffic_in_vlan0'=0.00b/s;;;0;20000000 'traffic_out_vlan0'=0.00b/s;;;0;20000000 'traffic_in_vlan1'=5510977.47b/s;;;0;20000000 'traffic_out_vlan1'=2200863.12b/s;;;0;20000000 'traffic_in_ng0'=5365627.45b/s;;;0;64000 'traffic_out_ng0'=2134053.24b/s;;;0;64000 'traffic_in_mvxpe1'=13128661.65b/s;;;0;10000000 'traffic_out_mvxpe1'=6396456.22b/s;;;0;10000000 'traffic_in_enc0'=17903.50b/s;;;0; 'traffic_out_enc0'=24815.28b/s;;;0; 'traffic_in_lo0'=724.67b/s;;;0; 'traffic_out_lo0'=724.67b/s;;;0; 'traffic_in_lagg0'=8011435.36b/s;;;0;20000000 'traffic_out_lagg0'=7700210.92b/s;;;0;20000000 'traffic_in_eth0'=5537403.20b/s;;;0;20000000 'traffic_out_eth0'=2218247.09b/s;;;0;20000000 'traffic_in_eth1'=2427643.80b/s;;;0;20000000 'traffic_out_eth1'=5471363.17b/s;;;0;20000000 'traffic_in_eth2'=0.00b/s;;;0;20000000 'traffic_out_eth2'=0.00b/s;;;0;20000000 'traffic_in_eth3'=90.16b/s;;;0;20000000 'traffic_out_eth3'=0.00b/s;;;0;20000000

$ /usr/lib/centreon/plugins//centreon_linux_snmp.pl --plugin=os::linux::snmp::plugin --mode=interfaces --hostname=yy.yy.yy.yy --snmp-version='2c' --snmp-port='161' --snmp-community='public' --interface='^((?!lo0).)*$$' --interface --name --add-traffic UNKNOWN: SNMP GET Request : Timeout

$ /usr/lib/centreon/plugins//centreon_linux_snmp.pl --plugin=os::linux::snmp::plugin --mode=interfaces --hostname=yy.yy.yy.yy --snmp-version='2c' --snmp-port='161' --snmp-community='public' --interface='^((?!lo0).)*$$' --interface --name --add-traffic UNKNOWN: SNMP GET Request : Timeout

$ /usr/lib/centreon/plugins//centreon_linux_snmp.pl --plugin=os::linux::snmp::plugin --mode=interfaces --hostname=yy.yy.yy.yy --snmp-version='2c' --snmp-port='161' --snmp-community='public' --interface='^((?!lo0).)*$$' --interface --name --add-traffic UNKNOWN: SNMP GET Request : Timeout`

[Sims24]

Hi,

Timeout means that either you don't use the correct community string, or something between your poller and the device is filtering your request.

[Test2-0]

In this case, the others services can't the status : OK ?

[Sims24]

These services belong to the same host?

[Sims24]

You can also try to increase the timeout value just in case the Stormshield box is a little bit busy and take some extra time processing plugin's requests.

Try to add --snmp-timeout=3

[Test2-0]

I still have the same problem, example with the host where the service is unknown and the host where the service is OK.

$ /usr/lib/centreon/plugins//centreon_linux_snmp.pl --plugin=os::linux::snmp::plugin --mode=interfaces --hostname=xx.xx.xx.xx --snmp-version='2c' --snmp-port='161' --snmp-community='public' --interface='^((?!lo0).)*$$' --interface --name --add-traffic --snmp-timeout=6 UNKNOWN: SNMP GET Request : Timeout

$ /usr/lib/centreon/plugins//centreon_linux_snmp.pl --plugin=os::linux::snmp::plugin --mode=interfaces --hostname=yy.yy.yy.yy --snmp-version='2c' --snmp-port='161' --snmp-community='public' --interface='^((?!lo0).)*$$' --interface --name --add-traffic --snmp-timeout=6 OK: All interfaces are ok | 'traffic_in_mvxpe0'=0.00b/s;;;0;1000000000 'traffic_out_mvxpe0'=0.00b/s;;;0;1000000000 'traffic_in_vlan2'=1121.14b/s;;;0;1000000000 'traffic_out_vlan2'=1051.06b/s;;;0;1000000000 'traffic_in_mvxpe1'=56428.33b/s;;;0;1000000000 'traffic_out_mvxpe1'=43317.90b/s;;;0;1000000000 'traffic_in_mvxpe2'=87591.26b/s;;;0;1000000000 'traffic_out_mvxpe2'=27284.11b/s;;;0;1000000000 'traffic_in_enc0'=0.00b/s;;;0; 'traffic_out_enc0'=0.00b/s;;;0; 'traffic_in_lo0'=493.33b/s;;;0; 'traffic_out_lo0'=493.33b/s;;;0; 'traffic_in_tun0'=0.00b/s;;;0; 'traffic_out_tun0'=0.00b/s;;;0; 'traffic_in_tun1'=0.00b/s;;;0; 'traffic_out_tun1'=0.00b/s;;;0; 'traffic_in_vlan0'=1065.49b/s;;;0;1000000000 'traffic_out_vlan0'=74.58b/s;;;0;1000000000 'traffic_in_vlan1'=0.00b/s;;;0;1000000000 'traffic_out_vlan1'=0.00b/s;;;0;1000000000

[garnier-quentin]

Try to use --snmp-autoreduce option for that host.

[guillaumechardin]

Hey there, I got the same issue here :

/usr/lib/centreon/plugins/centreon_stormshield_snmp.pl --plugin=network::stormshield::snmp::plugin --mode=interfaces --hostname=WW.XX.YY.ZZ --snmp-version='2c' --snmp-community='public' --add-status --add-traffic --interface="" --name --snmp-autoreduce --statefile-dir ./stateFiletest --snmp-timeout=6

UNKNOWN: SNMP GET Request: Timeout

Using this command (with --snmp-autoreduce) the statefile is populated with data . But still timeout error thrown. If arg --snmp-autoreduce is not used : state file is not populated.

Note that snmpwalk against the same target is working :

snmpwalk -v 2c -c public WW.XX.YY.ZZ

SNMPv2-MIB::sysDescr.0 = STRING: NS-BSD SN210A17Bxxxxxx arm SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.11256.2.0 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (121161286) 14 days, 0:33:32.86 SNMPv2-MIB::sysContact.0 = STRING: XXXXXXXXXXXX

[garnier-quentin]

Please use also option: --force-counters64

[guillaumechardin]

--force-counters64 option do not seem to works too

/usr/lib/centreon/plugins/centreon_stormshield_snmp.pl --plugin=network::stormshield::snmp::plugin --mode=interfaces --hostname=W.XYZ-snmp-version='2c' --snmp-community='public' --add-status --add-traffic --interface="" --name --snmp-autoreduce --statefile-dir ./stateFiletest --snmp-timeout=1 --force-counters64

UNKNOWN: SNMP GET Request: Timeout

[garnier-quentin]

Maybe you can add directly: /usr/lib/centreon/plugins/centreon_stormshield_snmp.pl --plugin=network::stormshield::snmp::plugin --mode=interfaces --hostname=W.XYZ-snmp-version='2c' --snmp-community='public' --add-status --add-traffic --interface="" --name --snmp-autoreduce --statefile-dir ./stateFiletest --force-counters64 --snmp-force-getnext --subsetleef=10

[guillaumechardin]

I was trying all snmp options while you where writing your message. adding --snmp-force-getnext --subsetleef=10 do not work either.

I tried to add --verbose option but it does not seem to do anything, you know how to make it works, maybe it should give more debug data.

[garnier-quentin]

it seems like an issue with the stormshield snmp agent. you should ask to stormshield support maybe

[guillaumechardin]

I just open a new case to stormshield technical support. will post any relevant update here. Can someone tell me how to active debug on centreon_stormshield_snmp.pl script ?

[garnier-quentin]

You have a --debug-stream option.

[guillaumechardin]

It does not work either (do not output anything on stdout/stderr)

[garnier-quentin]

It should display some OIDs. Or there is the timeout directly.

[guillaumechardin]

No OIDs displayed, 'timeout' is displayed right after the command line

[guillaumechardin]

I juste tryied one more time today and i have more data displayed, now it shoes OIDs

/usr/lib/centreon/plugins/centreon_stormshield_snmp.pl --plugin=network::stormshield::snmp::plugin --mode=interfaces --hostname=XXXXXXXXX --snmp-version='2c' --snmp-community='XXXXXX' --add-status --add-traffic --statefile-dir ./stateFiletest --interface='' --name --snmp-autoreduce --debug-stream .1.3.6.1.2.1.31.1.1.1.1.1 = mvxpe0 .1.3.6.1.2.1.31.1.1.1.1.2 = mvxpe1 .1.3.6.1.2.1.31.1.1.1.1.3 = mvxpe2 .1.3.6.1.2.1.31.1.1.1.1.4 = enc0 .1.3.6.1.2.1.31.1.1.1.1.5 = lo0 .1.3.6.1.2.1.31.1.1.1.1.6 = tun0 .1.3.6.1.2.1.31.1.1.1.1.7 = tun1 UNKNOWN: SNMP GET Request: Timeout

[garnier-quentin]

There is an snmp agent issue. Maybe you could use the new plugin stormshield with the API: https://github.com/centreon/centreon-plugins/archive/refs/heads/MON-15453-add-stormshield-api.zip

$ perl centreon_plugins.pl--plugin=network::stormshield::api::plugin --mode=interfaces --hostname=10.25.7.145 --api-username=xxx --api-password=yyy  --verbose  --statefile-dir=/tmp --add-status --add-traffic --add-errors

[guillaumechardin]

I got an error : Can't locate network/stormshield/api/plugin.pm What is the lastest plugin version that is supporting stormshield API

Or, where do i have to copy files from the above (MON-15453-add-stormshield-api.zip )

[garnier-quentin]

You can copy it and unzip in /tmp for example (to test it)

[guillaumechardin]

It seems to works : perl centreon_plugins.pl --plugin=network::stormshield::api::plugin --mode=interfaces --hostname=aa.bb.cc.dd --api-username=admin --api-password='mypass' --verbose --statefile-dir=/tmp --add-status --add-traffic --add-errors --port=37443 --insecure

[.....truncated......] Interface 'Ethernet0' [out] status: plugged (enabled), traffic in: 5.00b/s (-), traffic out: 5.00b/s (-), packets accepted: 18.75% (3 on 16), packets blocked: 81.25% (13 on 16) Interface 'Ethernet1' [in] status: plugged (enabled), traffic in: 155.00b/s (-), traffic out: 144.00b/s (-), packets accepted: 38.71% (24 on 62), packets blocked: 61.29% (38 on 62)

[guillaumechardin]

--filter-user-name and --filter-real-name options seems fail on data filtering : perl centreon_plugins.pl --plugin=network::stormshield::api::plugin --mode=interfaces --hostname=aa.bb.cc.dd --api-username=admin --api-password='mypass' --verbose --statefile-dir=/tmp --add-status --add-traffic --add-errors --port=37443 --insecure --filter-real-name="out2"

CRITICAL: Interface 'ipsec' [ipsec] status: unplugged (enabled) - Interface 'sslvpn0' [sslvpn] status: unplugged (enabled) - Interface 'sslvpn1' [sslvpn_udp] status: unplugged (enabled) | 'out~Ethernet0#interface.traffic.in.bitspersecond'=4.00;;;0; 'out~Ethernet0#interface.traffic.out.bitspersecond'=4.00;;;0; 'out~Ethernet0#interface.packets.accepted.percentage'=10.87%;;;0;100 'out~Ethernet0#interface.packets.blocked.percentage'=89.13%;;;0;100 'in~Ethernet1#interface.traffic.in.bitspersecond'=212.00;;;0; 'in~Ethernet1#interface.traffic.out.bitspersecond'=309.00;;;0; 'in~Ethernet1#interface.packets.accepted.percentage'=42.95%;;;0;100 'in~Ethernet1#interface.packets.blocked.percentage'=57.05%;;;0;100 'out2~Ethernet2#interface.traffic.in.bitspersecond'=458.00;;;0; 'out2~Ethernet2#interface.traffic.out.bitspersecond'=540.00;;;0; 'out2~Ethernet2#interface.packets.accepted.percentage'=47.09%;;;0;100 'out2~Ethernet2#interface.packets.blocked.percentage'=52.91%;;;0;100 'ipsec~ipsec#interface.traffic.in.bitspersecond'=0.00;;;0; 'ipsec~ipsec#interface.traffic.out.bitspersecond'=0.00;;;0; 'ipsec~ipsec#interface.packets.accepted.percentage'=100.00%;;;0;100 'ipsec~ipsec#interface.packets.blocked.percentage'=0.00%;;;0;100 'sslvpn~sslvpn0#interface.traffic.in.bitspersecond'=0.00;;;0; 'sslvpn~sslvpn0#interface.traffic.out.bitspersecond'=0.00;;;0; 'sslvpn~sslvpn0#interface.packets.accepted.percentage'=0.00%;;;0;100 'sslvpn~sslvpn0#interface.packets.blocked.percentage'=0.00%;;;0;100 'sslvpn_udp~sslvpn1#interface.traffic.in.bitspersecond'=0.00;;;0; 'sslvpn_udp~sslvpn1#interface.traffic.out.bitspersecond'=0.00;;;0; 'sslvpn_udp~sslvpn1#interface.packets.accepted.percentage'=0.00%;;;0;100 'sslvpn_udp~sslvpn1#interface.packets.blocked.percentage'=0.00%;;;0;100
Interface 'Ethernet0' [out] status: plugged (enabled), traffic in: 4.00b/s (-), traffic out: 4.00b/s (-), packets accepted: 10.87% (10 on 92), packets blocked: 89.13% (82 on 92)
Interface 'Ethernet1' [in] status: plugged (enabled), traffic in: 212.00b/s (-), traffic out: 309.00b/s (-), packets accepted: 42.95% (134 on 312), packets blocked: 57.05% (178 on 312)
Interface 'Ethernet2' [out2] status: plugged (enabled), traffic in: 458.00b/s (-), traffic out: 540.00b/s (-), packets accepted: 47.09% (316 on 671), packets blocked: 52.91% (355 on 671)
Interface 'ipsec' [ipsec] status: unplugged (enabled), traffic in: 0.00b/s (-), traffic out: 0.00b/s (-), packets accepted: 100.00% (3 on 3), packets blocked: 0.00% (0 on 3)
Interface 'sslvpn0' [sslvpn] status: unplugged (enabled), traffic in: 0.00b/s (-), traffic out: 0.00b/s (-), packets accepted: 0.00% (0 on 0), packets blocked: 0.00% (0 on 0)
Interface 'sslvpn1' [sslvpn_udp] status: unplugged (enabled), traffic in: 0.00b/s (-), traffic out: 0.00b/s (-), packets accepted: 0.00% (0 on 0), packets blocked: 0.00% (0 on 0)

[garnier-quentin]

it's for you ? You can modify the status

[guillaumechardin]

Sorry, but I dont understand what you asked. Can you make your question more precise ?

[garnier-quentin]

To use the API instead of SNMP is ok for you ? I'm going to add a memory and HA mode (for stormshield API)

[guillaumechardin]

Yeah it worked, but note that when using API, option --filter-user-name and --filter-real-name do not works (see : https://github.com/centreon/centreon-plugins/issues/3899#issuecomment-1337564628)

[garnier-quentin]

Indeed... sorry it's fixed!

[guillaumechardin]

Let me know if you want to test HA and memory feature when ready. I have some devices available

[garnier-quentin]

@guillaumechardin I have added modes: 'ha' and 'memory'. You can test it if you download the archive (same link)

[guillaumechardin]

command HA perl centreon_plugins.pl --plugin=network::stormshield::api::plugin --hostname='fqdn' --api-username=admin --api-password='mypass' --verbose --statefile-dir=/tmp --insecure --port=31443 --ha

reply WARNING: member 'SN710xxxxx' config sync: no | 'members.detected.count'=2;;;0; 'members.none.count'=0;;;0; 'members.starting.count'=0;;;0; 'members.waiting_peer.count'=0;;;0; 'members.running.count'=1;;;0; 'members.ready.count'=1;;;0; 'members.reboot.count'=0;;;0; 'members.down.count'=0;;;0; 'members.initializing.count'=0;;;0; 'SN710A26xxx#member.quality.percentage'=90.00%;;;0;100 'SN710A46xxxx#member.quality.percentage'=90.00%;;;0;100 checking member 'SN710A26xxxxx' state: running [mode: active], link status: ok config sync: no quality: 90.00% checking member 'SN710A46xxxx' state: ready [mode: passive], link status: ok config sync: yes quality: 90.00%

command memory perl centreon_plugins.pl --plugin=network::stormshield::api::plugin --hostname='fqdn' --api-username=admin --api-password='mypass' --verbose --statefile-dir=/tmp --insecure --port=31443 --memory reply OK: Memory usage total: 21.00 %, protected host: 16.00 %, fragmented: 0.00 %, connections: 0.00 %, icmp: 1.00 %, data tracking: 0.00 %, dynamic: 4.00 % | 'memory.usage.percentage'=21.00%;;;0;100 'memory.protected_host.percentage'=16.00%;;;0;100 'memory.fragmented.percentage'=0.00%;;;0;100 'memory.connections.percentage'=0.00%;;;0;100 'memory.icmp.percentage'=1.00%;;;0;100 'memory.data_tracking.percentage'=0.00%;;;0;100 'memory.dynamic.percentage'=4.00%;;;0;100 This part seems to be OK

I checks all other modes :

list-interface do not works

command perl centreon_plugins.pl --plugin=network::stormshield::api::plugin --hostname='fqdn' --api-username=admin --api-password='mypass' --verbose --statefile-dir=/tmp --insecure --port=31443 --list-interfaces

reply UNKNOWN: Not an ARRAY reference at /tmp/stormApi/centreon-plugins-MON-15453-add-stormshield-api/network/stormshield/api/mode/listinterfaces.pm line 53.

As a suggestion, you should add somewhere information about firmware version running on the box, ie : new --mode=version or show this info in --mode=health

thanks !

[garnier-quentin]

Thanks it's fixed! I have added the option --add-system-info in mode uptime

[guillaumechardin]

1. When this bug will be merged in main release of centreon plugin ?
2. how to integrate this version on a running poller ?

[garnier-quentin]

It's merged

[guillaumechardin]

Do you have any idea when the next release of rpm will be pushed out ?

[lucie-dubrunfaut]

Hello :)

This issue seems particularly old and seems had been resolved by the branch merged by Quentin, so let me close it.