CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
We started using SNMP and RRDtool to monitor connections, accepted & dropped packets, along with some other items a couple of months ago. All seemed to be going along fine, until I noticed that data for certain firewalls was not updating. Looking more closely, I discovered that this data was getting kicked out because the values returned were negative numbers.

Initially, I just added some logic to my scripts so that if a negative number was found, it was converted to a positive and then updated to the database. That worked great - the scripts collected the data, and updated to the RRDtool database, and the graphs produced were nice. The more I thought about it though, the less sense it made or makes. I searched high and low and couldn't really find anyplace where the implementation of SNMP was discussed in any detail.

The way I understand the process is this: take the OID fwAccepted, which is the number of accepted packets. It is defined as a 32 bit integer, so I *assume* it is a 32 bit counter that wraps around when it hits the ceiling...incrementing by one with each accepted packet. How this could become negative then confuses me...it doesn't make sense, and makes me tend to question the data.

Here are three successive polls taken five minutes apart.

```
br-fw-1: 2006-11-06 17:00:01 1162850401: 1005716,3577865,3815,325535997,329894009,1756572107,6291456,10485760,3075324
br-fw-1: 2006-11-06 17:05:00 1162850700: 7490753,3581120,3082,-3964693308,334639166,1756601163,6291456,10485760,2575300
br-fw-1: 2006-11-06 17:10:00 1162851000: 15562433,3584556,3562,-3960198035,-3955825643,1756632914,6291456,10485760,2951312
```

Notice the fourth and fifth items (accepted/dropped) as they switch from positive to negative, and look at the magnitude change. Does anyone know what could cause that?

I thought maybe it was because I was using SNMP version 1 in my snmpget/snmpwalk statements, but I couldn't connect using SNMP v2c. Looking deeper into why, I couldn't even find out where the agent was configured, where it was defined as either v1, 2c or 3.

If anyone could shed some light on how this works, and how I may be able to correct this, I would greatly appreciate it.

Thanks,
Jeff
Jeff, This is a bug in Check Point's software. It took a while for them to admit it, but they eventually wrote me a new cpsnmpd file to load and now it works fine. PM me if you want me to email you the file.
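Added example, not part of either post and not Check Point code: each negative reading quoted in the question is exactly 2^32 below a value that continues the earlier positive series, so reducing modulo 2^32 recovers steady per-interval deltas, while the absolute-value workaround produces a false spike. It assumes the fourth and fifth fields are 32-bit counters; the function names are hypothetical.

```python
# Poll lines copied from the question (spaces that extraction left
# inside two of the numbers have been removed).
POLLS = """\
br-fw-1: 2006-11-06 17:00:01 1162850401: 1005716,3577865,3815,325535997,329894009,1756572107,6291456,10485760,3075324
br-fw-1: 2006-11-06 17:05:00 1162850700: 7490753,3581120,3082,-3964693308,334639166,1756601163,6291456,10485760,2575300
br-fw-1: 2006-11-06 17:10:00 1162851000: 15562433,3584556,3562,-3960198035,-3955825643,1756632914,6291456,10485760,2951312
"""

MOD = 2 ** 32  # assumed counter width: the post describes a 32-bit value


def parse_poll(line):
    """Split one poll line into (host, epoch_seconds, [values])."""
    host, rest = line.split(":", 1)
    head, values = rest.rsplit(":", 1)
    epoch = int(head.split()[-1])
    return host.strip(), epoch, [int(v) for v in values.split(",")]


def mod32(value):
    """Map a reading into 0 .. 2**32-1 (Python's % is never negative)."""
    return value % MOD


def counter_deltas(text, col, fix=mod32):
    """Return [(interval_seconds, increase)] for column `col`.

    `fix` normalises each raw reading first; the difference is then taken
    modulo 2**32 so a genuine counter wrap is also handled.
    """
    polls = [parse_poll(l) for l in text.strip().splitlines()]
    deltas = []
    for (_, t0, prev), (_, t1, cur) in zip(polls, polls[1:]):
        deltas.append((t1 - t0, (fix(cur[col]) - fix(prev[col])) % MOD))
    return deltas


if __name__ == "__main__":
    for name, col in (("accepted", 3), ("dropped", 4)):
        print(name, "mod 2**32:", counter_deltas(POLLS, col))
        print(name, "abs()    :", counter_deltas(POLLS, col, fix=abs))
```
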