SNMP subnet scan fails to profile a few devices. Why does this happen and how can it be fixed?
When we run an On-Demand Subnet scan from ClearPass, a few devices fail to be profiled through SNMP. However, when we do an SNMP walk, we get a response from those endpoints. Why does this happen and how can it be fixed?
ClearPass first sends an SNMPv3 engine ID discovery request to the device. If the device responds, ClearPass considers SNMP to be enabled on the device and then proceeds with the probe according to the SNMP configuration defined under Configuration > Profile settings > SNMP configuration. This is done to improve the response time for a subnet scan.
However, if SNMPv3 is disabled on the device, or if the device doesn't support SNMPv3 (as with legacy devices), CPPM won't probe for SNMP and considers that the device doesn't have SNMP enabled. A packet capture shows the SNMPv3 negotiation request even though SNMPv3 has not been specified in Profile settings.
This negotiation causes the SNMP profiling to fail.
Add SNMPv3 configuration on the devices that support SNMPv3, so that they respond to the initial negotiation request from ClearPass. There is no need to configure SNMPv3 on CPPM.
For devices that don't support SNMPv3, a fix is available in CPPM version 6.6.4.
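To check whether a device would answer the SNMPv3 engine ID discovery described above, the following added example (not ClearPass or Aruba code) builds a standard USM discovery message and extracts the engine ID from the reply. All function names, the sample engine ID and the simplified sample Report are assumptions constructed for illustration.

```python
import socket

def tlv(tag, body):  # one BER TLV, lengths up to 65535
    n = len(body)
    size = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + size + body
def integer(v): return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # v >= 0
def octets(b): return tlv(0x04, b)
def seq(*parts): return tlv(0x30, b"".join(parts))

def build_message(engine=b"", pdu_tag=0xA0, msg_id=1):
    """Defaults give the discovery probe: empty engine ID, GetRequest, reportable."""
    header = seq(integer(msg_id), integer(65507), octets(b"\x04"), integer(3))
    usm = seq(octets(engine), integer(0), integer(0), octets(b""), octets(b""), octets(b""))
    pdu = tlv(pdu_tag, integer(msg_id) + integer(0) + integer(0) + seq())
    return seq(integer(3), header, octets(usm), seq(octets(engine), octets(b""), pdu))

def read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def parse_engine_id(reply):  # msgAuthoritativeEngineID of an SNMPv3 reply, else None
    try:
        msg = children(read_tlv(reply, 0)[1])
        if int.from_bytes(msg[0][1], "big") != 3:
            return None  # v1/v2c reply, or not SNMP at all
        return children(read_tlv(msg[2][1], 0)[1])[0][1] or None
    except IndexError:
        return None

def probe(host, timeout=2.0):  # None: the device gave no SNMPv3 answer on UDP/161
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_message(), (host, 161))
            return parse_engine_id(s.recvfrom(65535)[0])
    except OSError:
        return None

# Constructed sample: a simplified Report (0xA8) carrying a made-up engine ID.
SAMPLE_REPORT = build_message(bytes.fromhex("800000000401020304"), 0xA8)
```

A device for which `probe()` returns `None` while an SNMPv1/v2c walk succeeds matches the case described above.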