I have a PA-3060 connected to a Cisco 3850 S-E via a 4-member aggregated dot1q trunk (ae1) link. The MGT interface connects to a different 3850 S-E on its own Mgmt VLAN, in the same subnet as the Whats Up Gold Server (WUG). The MGT interface has HTTP, SSH, Ping and SNMP Services enabled, with the correct permitted IP address list.
The WUG Server can discover the PA-3060, and can freely walk the MIB via the "Include OID=.1 mask=0x80" MIB View Rule as described in a different article. However, it is unable to create an automatic link on the Topology Map between the Palo Alto and the Cisco 3850. We have tried SNMPv2 and 3, both present the same symptom. I have also tried turning on LLDP at both ends, still no joy.
I have been informed by the NMS Engineer that this setup has worked before but cannot provide the working configurations. He is convinced it is something I have configured incorrectly on the Firewall.
Solved! Go to Solution.
Looking at the Whatsup Gold docs they use either arp via SNMP (not supported by PAN) or LLDP to discover the links.
Note that for LLDP to work it has to be on both sides of the link so it would need to be configured on the switch too.
Firstly, thank you for your response.
LLDP is configured on both Cisco and PA, with both ends having full visibility of their respective peers. I will have another chat with the NMS Engineer.
We have enabled LLDP accross all devices in one network segment that WUG manages on our development environment. I am waiting on feedback from our NMS engineer as to whether this has fixed the problem with the PA-3060. I will let you know the outcome whichever way it goes, but this may be next week as we have a couple of other priorities. Thanks again for your support.
Firstly sorry for the delay in getting back to the post. We have carried out a thorough investigation and we beleive we have got to the bottom of the problem.
It transpires that even though the links to the Palo Alto were not discovered, it was not the Palo Alto that was causing the problem. We left the PA on SNMPv3 PRIV and downgraded the Cisco switches to SNMPv2c. Upon doing this the auto-link discovery on What's Up Gold (WUG) was able to create the links between the PA and Cisco 3850 Switches. We have opened a case with Cisco TAC as we believe that SNMPv3 is not passing the correct OID information back to WUG. We are waiting for some time to work with them to resolve this issue.
In summary, in order to get the auto-link discovery on What's Up Gold to work between the PA-3060 and the two Cisco 3850's here is the final configuration and software versions deployed:
PAN OS: 7.1.5
SNMPv3 View: .1, include, 0x80 mask
Cisco 3850-24S-S (link to PA MGT interface)
IOS: cat3k_caa-universalk9 03.06.06E
Cisco 38050-12XS (link to PA ae0 on a port channel)
IOS: cat3k_caa-universalk9 03.07.04E
Thank you for your support.
Thanks for updating the final solution. This was a strange one.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!