Closed MickG72 closed 3 years ago
This is how it's supposed to work:
So it looks like step two does not work on these Palo Altos. Can you run
netdisco-do discover -DI -d <your ip>
and check if your output produces something like
$ netdisco-do discover -DI -d 10.12.60.62
... (lots of output snipped)
[6899] 2019-10-13 23:10:46 debug [10.12.60.62] device - aliased as 10.12.136.134
[6899] 2019-10-13 23:10:46 debug [10.12.60.62] device - aliased as 10.12.61.6
[6899] 2019-10-13 23:10:46 debug [10.12.60.62] device - aliased as 10.12.60.126
[6899] 2019-10-13 23:10:46 debug [10.12.60.62] device - aliased as 10.12.215.225
[6899] 2019-10-13 23:10:46 debug [10.12.60.62] device - aliased as 10.12.60.62
[6899] 2019-10-13 23:10:46 debug [10.12.60.62] device - removed 5 aliases
[6899] 2019-10-13 23:10:46 debug [10.12.60.62] aliases - added 5 new aliases
...
If not, post the output here and maybe we can see what goes wrong.
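The check described above can be scripted, which helps when many devices are affected. This is an added example, not code from the Netdisco project: a shell helper that reads `netdisco-do discover -DI` debug output and lists the devices for which no `aliased as` line was logged. The sample log is constructed from lines quoted in this thread; the `started` line for 10.12.60.62 is an assumption.

```shell
#!/bin/sh
# Added example, not Netdisco project code.

# Constructed sample: alias lines are copied from the thread; the "started"
# line for 10.12.60.62 is assumed, following the format of the other one.
sample_log() {
    cat <<'EOF'
[6899] 2019-10-13 23:10:40 info discover: [10.12.60.62] started at Sun Oct 13 23:10:40 2019
[6899] 2019-10-13 23:10:46 debug [10.12.60.62] device - aliased as 10.12.136.134
[6899] 2019-10-13 23:10:46 debug [10.12.60.62] device - aliased as 10.12.61.6
[6899] 2019-10-13 23:10:46 debug [10.12.60.62] device - aliased as 10.12.60.126
[6899] 2019-10-13 23:10:46 debug [10.12.60.62] device - aliased as 10.12.215.225
[6899] 2019-10-13 23:10:46 debug [10.12.60.62] device - aliased as 10.12.60.62
[6899] 2019-10-13 23:10:46 debug [10.12.60.62] device - removed 5 aliases
[6899] 2019-10-13 23:10:46 debug [10.12.60.62] aliases - added 5 new aliases
[45213] 2019-10-13 23:25:58 info discover: [10.50.31.245] started at Mon Oct 14 10:25:58 2019
[45213] 2019-10-13 23:25:58 debug discover: running with timeout 600s
[45213] 2019-10-13 23:25:58 debug => running workers for phase: early
EOF
}

# Read discover debug output on stdin and print "<device> <alias count>"
# for every device that was discovered or that logged an alias.
alias_summary() {
    awk '
        function strip(s) { gsub(/\[|\]/, "", s); return s }
        # "info discover: [ip] started at ..." registers the device with 0 aliases
        $5 == "discover:" && $7 == "started" { d = strip($6); if (!(d in n)) n[d] = 0 }
        # "debug [ip] device - aliased as <alias>" counts one alias for that device
        $6 == "device" && $8 == "aliased" && $9 == "as" { n[strip($5)]++ }
        END { for (d in n) print d, n[d] }
    ' | sort
}

# Print only the devices whose discover run logged no aliases at all,
# i.e. the ones that will show up again under each of their addresses.
devices_without_aliases() {
    alias_summary | awk '$2 == 0 { print $1 }'
}

# Stand-alone run on the constructed sample; on a real system, pipe the
# output of netdisco-do discover -DI -d <your ip> into the function instead.
sample_log | devices_without_aliases
```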
Hi,
I have run the debug as requested:
netdisco@netdisco:~$ netdisco-do discover -DI -d 10.50.31.245
[45213] 2019-10-13 23:25:57 info App::Netdisco version 2.044002 loaded.
[45213] 2019-10-13 23:25:58 info discover: [10.50.31.245] started at Mon Oct 14 10:25:58 2019
[45213] 2019-10-13 23:25:58 debug discover: running with timeout 600s
[45213] 2019-10-13 23:25:58 debug => running workers for phase: check
[45213] 2019-10-13 23:25:58 debug -> run worker check/base/0
[45213] 2019-10-13 23:25:58 debug Discover is able to run.
[45213] 2019-10-13 23:25:58 debug => running workers for phase: early
[45213] 2019-10-13 23:25:58 debug -> run worker early/properties/100
[45213] 2019-10-13 23:25:58 debug snmp reader cache warm: [10.50.31.245]
[45213] 2019-10-13 23:25:58 debug [10.50.31.245:161] try_connect with ver: 2, class: SNMP::Info::Layer3::PaloAlto, comm:
Hmm looks like all the IP-MIB objects come up empty. You can verify this by running
netdisco-do show -e new_ip_index -d <ip>
netdisco-do show -e old_ip_index -d <ip>
This just produces undef/empty and not some tables, right? Also in this PAN OS MIB support list, IP-MIB is not mentioned at all.
Maybe the information can be found in one of the PAN-specific MIBS mentioned there? In that case the SNMP::Info module could be extended to work with this stuff. Unfortunately I don't have access to such devices, but you can try to walk the device or grep the MIBs for "ip", "ipaddress" and similar, maybe you can find something. Or somebody else might read this and have some input.
Also, there has been talk earlier of also using the serial as an additional means to de-duplicate devices; in this case it would probably do the trick. I don't quite remember though if that was only an idea or if we already have a partial implementation somewhere.
As a temporary workaround, you can try sticking the additional addresses into discover_no, so at least you won't get all the duplicate devices.
You are right:
netdisco@netdisco:~$ netdisco-do show -e new_ip_index -d 10.50.31.245
[50309] 2019-10-14 00:05:32 info App::Netdisco version 2.044002 loaded.
[50309] 2019-10-14 00:05:34 info show: [10.50.31.245]/new_ip_index started at Mon Oct 14 11:05:34 2019
undef
[50309] 2019-10-14 00:05:36 info show: finished at Mon Oct 14 11:05:36 2019
[50309] 2019-10-14 00:05:36 info show: status done: Showed new_ip_index response from 10.50.31.245
netdisco@netdisco:~$ netdisco-do show -e old_ip_index -d 10.50.31.245
[50495] 2019-10-14 00:06:05 info App::Netdisco version 2.044002 loaded.
[50495] 2019-10-14 00:06:06 info show: [10.50.31.245]/old_ip_index started at Mon Oct 14 11:06:06 2019
undef
[50495] 2019-10-14 00:06:08 info show: finished at Mon Oct 14 11:06:08 2019
[50495] 2019-10-14 00:06:08 info show: status done: Showed old_ip_index response from 10.50.31.245
Matching them via serial numbers would be a great thing. Or to somehow connect the two devices together?
Thanks
Ok thanks for checking, as suspected.
Actually now that I think about it, the serial method would only solve half the problem, the device_ip aliases are still critical for the neighbor topology.
I have not used the manual topology and pseudo devices and device_identity setting much, but my hunch is that in the current Netdisco it is not possible to have a normally detected device and then add some aliases manually that will persist. But I'd let this issue sit here for a bit, I might be wrong and others will correct me :)
i had a look at this last week but for some reason didn't post my comment.
according to their docs they do support mib-ii, which has ipAddrTable, however i didn't find support for it in snmp::info nor any indication it was tried in the debug output (most likely since there have been a billion newer rfcs & mibs to replace this).
> Maybe the information can be found in one of the PAN-specific MIBS mentioned there?
had a look but nothing really stood out.
i wonder why no other palo alto user noticed this, seems like a pretty obvious problem.
@MickG72 if at all possible an snmprec output would help us out, the process is described here: https://github.com/netdisco/snmp-info/wiki/Simulating-Agents#22-snmpsim--snmprec-version
there could be privacy issues with this however, i'll update the wiki first & then this post with the issues and possible options.
update: wiki entry about getting data to us in a private fashion https://github.com/netdisco/snmp-info/wiki/Simulating-Agents#exclamation-privacy-and-sensitive-data-warning-exclamation
Hi @MickG72 there are now two features in Netdisco which should help:
I hope this helps and resolves the headache! Open a ticket if not.
Hi All,
I have 50+ Palo Alto devices, and they all have multiple IP addresses. When discovery is run, Netdisco finds both addresses and adds them into Netdisco as separate devices. Looking at the devices in inventory, they both have the same serial number, just different IPs. I have deleted one of the duplicates, but it re-appears in the next scan.
Not sure what details you require to help resolve this?