The customer deployed one NMS server, which connects to the USG6350 and the S5720 through a site-to-site IPSec tunnel.
The topology is shown below:
The customer has added the S5720 to the NMS server, but cannot add the USG6350.
The USG6350 version is V500R001C30SPC600, and no patch is installed.
First, we checked the SNMP configuration: it uses SNMPv2, and the parameters match those on the NMS server.
Second, we checked the routing table: the route to the NMS server goes out through interface Gi1/0/5.
Gi1/0/5 belongs to the untrust zone, so we checked the security policy; a security policy between the local and untrust zones was already configured.
Then we checked the IPSec configuration: the tunnel was established, and we could ping the NMS server using the source IP.
The NMS adds the USG6350 using the IP address of interface Gi1/0/1.
The S5720 also connects to the USG6350 through interface Gi1/0/1, and it can be added to the NMS server.
So we compared the configuration of interface Gi1/0/1 with that of Gi1/0/5: Gi1/0/5 did not have "service-manage snmp permit" configured.
After we configured this command on Gi1/0/5, the NMS server could add the USG6350.
The customer used the IP address of interface Gi1/0/1 as the source IP when adding the USG6350 to the NMS server, and the S5720 also connects to the USG6350 through Gi1/0/1.
So they had configured "service-manage snmp permit" on Gi1/0/1, and the S5720 could be added to the NMS server.
Because the S5720's NMS data is encapsulated in the IPSec tunnel, they did not enable "service-manage snmp permit" on Gi1/0/5.
But the USG6350's own NMS data is not encapsulated on Gi1/0/1; it is encapsulated on interface Gi1/0/5, so "service-manage snmp permit" must be configured on Gi1/0/5 too.
When you configure SNMP on the USG6350, you should configure "service-manage snmp permit" on the outbound interface.
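
The comparison made in this case can be automated. The following is an added example, not part of the original case or any Huawei tool: it parses a saved configuration and reports which of the given interfaces lack "service-manage snmp permit". The sample configuration, its IP addresses and the function names are constructed for illustration, and only explicit per-service permit lines are recognised.

```python
import re

# Constructed sample in the style of a saved USG configuration.
# Interface names follow the case above; IP addresses are placeholders.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/1
 ip address 192.0.2.1 255.255.255.0
 service-manage ping permit
 service-manage snmp permit
#
interface GigabitEthernet1/0/5
 ip address 198.51.100.1 255.255.255.0
 service-manage ping permit
#
"""

PERMIT_RE = re.compile(r"\s+service-manage (\S+) permit\s*$")


def parse_service_manage(config):
    """Return {interface name: set of services permitted by service-manage}."""
    permits = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            permits[current] = set()
        elif line.startswith("#") or (line and not line.startswith(" ")):
            # A '#' separator or any unindented line closes the interface view.
            current = None
        elif current:
            match = PERMIT_RE.match(line)
            if match:
                permits[current].add(match.group(1))
    return permits


def interfaces_missing(config, service, interfaces):
    """List the interfaces (from those given) that do not permit the service."""
    permits = parse_service_manage(config)
    return [name for name in interfaces if service not in permits.get(name, set())]


if __name__ == "__main__":
    # Check both the interface holding the managed IP and the outbound interface.
    to_check = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/5"]
    for name in interfaces_missing(SAMPLE_CONFIG, "snmp", to_check):
        print(f"{name}: 'service-manage snmp permit' is not configured")
```

Pass it every interface the SNMP traffic can cross on its way to the device, as identified from the routing table, rather than only the interface whose IP address the NMS uses.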