PA-3060 Whats Up Gold (WUG) Integration: Auto Link Creation Fails

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA-3060 Whats Up Gold (WUG) Integration: Auto Link Creation Fails

L1 Bithead

I have a PA-3060 connected to a Cisco 3850 S-E via a 4-member aggregated dot1q trunk (ae1) link.  The MGT interface connects to a different 3850 S-E on its own Mgmt VLAN, in the same subnet as the Whats Up Gold Server (WUG).  The MGT interface has HTTP, SSH, Ping and SNMP Services enabled, with the correct permitted IP address list.

 

The WUG Server can discover the PA-3060, and can freely walk the MIB via the "Include OID=.1 mask=0x80" MIB View Rule as described in a different article.  However, it is unable to create an automatic link on the Topology Map between the Palo Alto and the Cisco 3850.  We have tried SNMPv2 and 3, both present the same symptom.  I have also tried turning on LLDP at both ends, still no joy.

 

I have been informed by the NMS Engineer that this setup has worked before but cannot provide the working configurations. He is convinced it is something I have configured incorrectly on the Firewall.

 

Any suggestions?

 

Thanks

 

Dean

1 accepted solution

Accepted Solutions

Firstly sorry for the delay in getting back to the post.  We have carried out a thorough investigation and we beleive we have got to the bottom of the problem.

 

It transpires that even though the links to the Palo Alto were not discovered, it was not the Palo Alto that was causing the problem.  We left the PA on SNMPv3 PRIV and downgraded the Cisco switches to SNMPv2c.  Upon doing this the auto-link discovery on What's Up Gold (WUG) was able to create the links between the PA and Cisco 3850 Switches.  We have opened a case with Cisco TAC as we believe that SNMPv3 is not passing the correct OID information back to WUG.  We are waiting for some time to work with them to resolve this issue.

 

In summary, in order to get the auto-link discovery on What's Up Gold to work between the PA-3060 and the two Cisco 3850's here is the final configuration and software versions deployed:

 

PA-3060

PAN OS: 7.1.5

SNMPv3 View: .1, include, 0x80 mask

 

Cisco 3850-24S-S (link to PA MGT interface)

IOS: cat3k_caa-universalk9 03.06.06E

SNMPv2c

 

Cisco 38050-12XS (link to PA ae0 on a port channel)

IOS: cat3k_caa-universalk9 03.07.04E

SNMPv2c

 

Thank you for your support.

 

Kind Regards

 

Dean

View solution in original post

5 REPLIES 5

L7 Applicator

Looking at the Whatsup Gold docs they use either arp via SNMP (not supported by PAN) or LLDP to discover the links.

 

Note that for LLDP to work it has to be on both sides of the link so it would need to be configured on the switch too.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi Pulukas,

 

Firstly, thank you for your response.

 

LLDP is configured on both Cisco and PA, with both ends having full visibility of their respective peers.  I will have another chat with the NMS Engineer.

 

Regards

 

Dean

Pulukus,

 

We have enabled LLDP accross all devices in one network segment that WUG manages on our development environment.  I am waiting on feedback from our NMS engineer as to whether this has fixed the problem with the PA-3060.  I will let you know the outcome whichever way it goes, but this may be next week as we have a couple of other priorities.  Thanks again for your support.

 

Dean

Firstly sorry for the delay in getting back to the post.  We have carried out a thorough investigation and we beleive we have got to the bottom of the problem.

 

It transpires that even though the links to the Palo Alto were not discovered, it was not the Palo Alto that was causing the problem.  We left the PA on SNMPv3 PRIV and downgraded the Cisco switches to SNMPv2c.  Upon doing this the auto-link discovery on What's Up Gold (WUG) was able to create the links between the PA and Cisco 3850 Switches.  We have opened a case with Cisco TAC as we believe that SNMPv3 is not passing the correct OID information back to WUG.  We are waiting for some time to work with them to resolve this issue.

 

In summary, in order to get the auto-link discovery on What's Up Gold to work between the PA-3060 and the two Cisco 3850's here is the final configuration and software versions deployed:

 

PA-3060

PAN OS: 7.1.5

SNMPv3 View: .1, include, 0x80 mask

 

Cisco 3850-24S-S (link to PA MGT interface)

IOS: cat3k_caa-universalk9 03.06.06E

SNMPv2c

 

Cisco 38050-12XS (link to PA ae0 on a port channel)

IOS: cat3k_caa-universalk9 03.07.04E

SNMPv2c

 

Thank you for your support.

 

Kind Regards

 

Dean

Thanks for updating the final solution.  This was a strange one.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 1 accepted solution
  • 6875 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!