Hi.

I am trying to convince snmptrapd to receive SNMP v3 informs from Junos (Juniper Networks' BSD variant on switches and firewalls). The idea was to use informs rather than traps, so I could:
- have encryption in place.
- avoid having to update the snmptrapd config for every new device sending v3 traps.

When Junos starts its snmp process, it will send a few probes to snmptrapd to decide if the receiver is receptive to informs. If not, it stops sending informs.

So far, I have not succeeded. snmptrapd appears unhappy, then Junos gets unhappy, takes the ball and goes home. I would like to know if my config and my understanding of the observations are correct.

Config, observations and sample packet capture follows:

Config:
-------------

snmptrapd.conf:
------------------------
createUser -e 0x80001234 authpriv2 SHA xyzzy188 AES xazzza18
authUser log,execute authpriv2

running snmptrapd like this:
----------------------------------
snmptrapd -f -C -c /tmp/snmptrapd.conf -Le -Dusm,engine


junos config:
-----------------
set snmp v3 usm local-engine user authpriv authentication-sha authentication-password xyzzy188
set snmp v3 usm local-engine user authpriv privacy-aes128 privacy-password xazzza18
set snmp v3 usm remote-engine 0x80001234 user authpriv2 authentication-sha authentication-password xyzzy188
set snmp v3 usm remote-engine 0x80001234 user authpriv2 privacy-aes128 privacy-password xazzza18
set snmp v3 vacm security-to-group security-model usm security-name authpriv group myv3group
set snmp v3 vacm security-to-group security-model usm security-name authpriv2 group notifygroup
set snmp v3 vacm access group myv3group default-context-prefix security-model usm security-level authentication read-view myv3view
set snmp v3 vacm access group myv3group default-context-prefix security-model usm security-level privacy read-view myv3view
set snmp v3 vacm access group notifygroup default-context-prefix security-model usm security-level authentication notify-view myv3view
set snmp v3 vacm access group notifygroup default-context-prefix security-model usm security-level privacy notify-view myv3view
set snmp v3 target-address snmptrapd-server address 192.168.200.1
set snmp v3 target-address snmptrapd-server tag-list macnotify
set snmp v3 target-address snmptrapd-server target-parameters targparms
set snmp v3 target-parameters targparms parameters message-processing-model v3
set snmp v3 target-parameters targparms parameters security-model usm
set snmp v3 target-parameters targparms parameters security-level privacy
set snmp v3 target-parameters targparms parameters security-name authpriv2
set snmp v3 notify myv3notify type inform
set snmp v3 notify myv3notify tag macnotify
set snmp engine-id local 0x80006666
set snmp view myv3view oid iso include
set ethernet-switching-options mac-notification


Observations:
--------------------
With this setup, I managed to get three probe failures in 'show snmp inform-statistics' after a switch reboot.

root@ex2200c-lab2> show snmp inform-statistics
Inform Request Statistics:
  Target name: snmptrapd-server Address: 192.168.200.1
    Sent: 0, Pending: 0
    Discarded: 1, Timeouts: 0, Probe failures: 3


snmptrapd says:
---------------------
registered debug token usm, 1
registered debug token engine, 1
usmUser: created a new user authpriv2 at 80 00 12 34
NET-SNMP version 5.8
usm: USM processing begun...
usm: Unknown Engine ID.
usm: USM processing has begun (offset 56)
usm: getting user
usm: USM processing completed.
[three more times, 4 packets in total]


Not sure if the list allows for attachments? Packet capture attached, but I have added the decoded SNMP packets for the first two frames below.

As far as I can tell, the probes sent from the Junos end are all unencrypted, and they do not use the configured user or engine ID. Is this a correct interpretation of the packet capture? Not expecting the list to validate my Junos config, by the way.

There is also the "Data not conforming to RFC3411" warning. Any comment on that?


Thanks,


Dag B


Decoded packets:
-------------------------
Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1610700309
        msgMaxSize: 65507
        msgFlags: 04
            .... .1.. = Reportable: Set
            .... ..0. = Encrypted: Not set
            .... ...0 = Authenticated: Not set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: <MISSING>
    msgAuthoritativeEngineBoots: 0
    msgAuthoritativeEngineTime: 0
    msgUserName:
    msgAuthenticationParameters: <MISSING>
    msgPrivacyParameters: <MISSING>
    msgData: plaintext (0)
        plaintext
            contextEngineID: <MISSING>
            contextName:
            data: get-request (0)
                get-request
                    request-id: 1679169514
                    error-status: noError (0)
                    error-index: 0
                    variable-bindings: 0 items


Simple Network Management Protocol
    msgVersion: snmpv3 (3)
    msgGlobalData
        msgID: 1610700309
        msgMaxSize: 1472
        msgFlags: 00
            .... .0.. = Reportable: Not set
            .... ..0. = Encrypted: Not set
            .... ...0 = Authenticated: Not set
        msgSecurityModel: USM (3)
    msgAuthoritativeEngineID: 80001f88807d6dfe468a7d595c00000000
        1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
        Engine Enterprise ID: net-snmp (8072)
        Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
        Data not conforming to RFC3411
            [Expert Info (Warning/Protocol): Data not conforming to RFC3411]
                [Data not conforming to RFC3411]
                [Severity level: Warning]
                [Group: Protocol]
    msgAuthoritativeEngineBoots: 1
    msgAuthoritativeEngineTime: 1870
    msgUserName:
    msgAuthenticationParameters: <MISSING>
    msgPrivacyParameters: <MISSING>
    msgData: plaintext (0)
        plaintext
            contextEngineID: 80001f88807d6dfe468a7d595c00000000
                1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
                Engine Enterprise ID: net-snmp (8072)
                Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
                Data not conforming to RFC3411
                    [Expert Info (Warning/Protocol): Data not conforming to RFC3411]
                        [Data not conforming to RFC3411]
                        [Severity level: Warning]
                        [Group: Protocol]
            contextName:
            data: report (8)
                report
                    request-id: 1679169514
                    error-status: noError (0)
                    error-index: 0
                    variable-bindings: 1 item
                        1.3.6.1.6.3.15.1.1.4.0: 3
                            Object Name: 1.3.6.1.6.3.15.1.1.4.0 (iso.3.6.1.6.3.15.1.1.4.0)
                            Value (Counter32): 3

Attachment: junos-15.1-20181002.0-snmp-capture.pcapng
Description: application/pcapng
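The two decoded frames above are the first two steps of USM engine ID discovery (RFC 3414, section 4): an unauthenticated, reportable request with an empty msgAuthoritativeEngineID, answered by a Report PDU carrying usmStatsUnknownEngineIDs and the receiver's real engine ID. The following script is an added example, not code from the post or from Net-SNMP: it decodes the msgFlags and SnmpEngineID fields per RFC 3411/3412, classifies which discovery step a frame belongs to, and compares the engine ID configured as `remote-engine` on the sender with the one the receiver reports. The usmStats OID table is taken from the USM MIB in RFC 3414; all sample values are copied from the post, and nothing is sent on the network.

```python
"""Decode SNMPv3/USM header fields and check SnmpEngineID values against RFC 3411.
Sample values below are the ones quoted in the post (offline, no network I/O)."""
from dataclasses import dataclass, field
from typing import List, Optional

# usmStats objects an authoritative engine returns in a Report PDU (RFC 3414).
USM_STATS = {
    "1.3.6.1.6.3.15.1.1.1.0": "usmStatsUnsupportedSecLevels",
    "1.3.6.1.6.3.15.1.1.2.0": "usmStatsNotInTimeWindows",
    "1.3.6.1.6.3.15.1.1.3.0": "usmStatsUnknownUserNames",
    "1.3.6.1.6.3.15.1.1.4.0": "usmStatsUnknownEngineIDs",
    "1.3.6.1.6.3.15.1.1.5.0": "usmStatsWrongDigests",
    "1.3.6.1.6.3.15.1.1.6.0": "usmStatsDecryptionErrors",
}

# RFC 3411 SnmpEngineID format octet values; 1..3 have a fixed data length.
FORMAT_NAMES = {1: "IPv4 address", 2: "IPv6 address", 3: "MAC address",
                4: "administratively assigned text", 5: "administratively assigned octets"}
FIXED_LENGTH = {1: 4, 2: 16, 3: 6}


def decode_msg_flags(flags: int) -> dict:
    """msgFlags (RFC 3412): bit 0 authFlag, bit 1 privFlag, bit 2 reportableFlag."""
    return {"authenticated": bool(flags & 0x01),
            "encrypted": bool(flags & 0x02),
            "reportable": bool(flags & 0x04)}


@dataclass
class EngineID:
    raw: bytes
    enterprise: Optional[int] = None
    format_octet: Optional[int] = None
    format_name: str = ""
    problems: List[str] = field(default_factory=list)


def decode_engine_id(raw: bytes) -> EngineID:
    """Split an SnmpEngineID per RFC 3411 section 5 and record rule violations."""
    eid = EngineID(raw)
    if not 5 <= len(raw) <= 32:
        eid.problems.append(f"length {len(raw)} is outside SIZE(5..32)")
    if not raw or not raw[0] & 0x80:
        eid.format_name = "pre-RFC 3411 (first bit clear)"
        return eid
    if len(raw) < 5:
        eid.format_name = "too short to carry a format octet"
        return eid
    # First bit set: remaining 31 bits are the IANA enterprise number (8072 = net-snmp).
    eid.enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    eid.format_octet = fmt = raw[4]
    data = raw[5:]
    if fmt in FORMAT_NAMES:
        eid.format_name = FORMAT_NAMES[fmt]
        if fmt in FIXED_LENGTH and len(data) != FIXED_LENGTH[fmt]:
            eid.problems.append(f"format {fmt} needs {FIXED_LENGTH[fmt]} data octets, got {len(data)}")
    elif fmt >= 128:
        # 128..255 is left to the enterprise by RFC 3411, so the layout cannot be
        # validated from the RFC alone; dissectors flag it rather than decode it.
        eid.format_name = f"enterprise-specific ({len(data)} data octets)"
    else:
        eid.format_name = "reserved"
        eid.problems.append(f"format octet {fmt} is reserved (6..127)")
    return eid


def classify_usm_message(flags: int, engine_id: bytes, user: str,
                         pdu: str, varbinds: dict) -> str:
    """Name the USM discovery step a decoded frame corresponds to (RFC 3414 section 4)."""
    f = decode_msg_flags(flags)
    if pdu != "report" and not engine_id and not user and not f["authenticated"] and f["reportable"]:
        return "engineID discovery probe"
    if pdu == "report":
        names = [USM_STATS.get(oid, oid) for oid in varbinds]
        if "usmStatsUnknownEngineIDs" in names:
            return f"discovery response: authoritative engineID {engine_id.hex()}"
        if "usmStatsNotInTimeWindows" in names:
            return "time synchronisation response (engineBoots/engineTime)"
        return "report: " + ", ".join(names)
    level = "authPriv" if f["encrypted"] else "authNoPriv" if f["authenticated"] else "noAuthNoPriv"
    return f"{pdu} as {user or '<empty>'} at {level}"


def remote_engine_matches(configured: bytes, discovered: bytes) -> bool:
    """For informs the receiver is the authoritative engine (RFC 3414), so the
    remote-engine ID configured on the sender must equal the one it reports."""
    return configured == discovered


if __name__ == "__main__":
    receiver_id = bytes.fromhex("80001f88807d6dfe468a7d595c00000000")  # from frame 2
    print(classify_usm_message(0x04, b"", "", "get-request", {}))        # frame 1
    print(classify_usm_message(0x00, receiver_id, "", "report", {"1.3.6.1.6.3.15.1.1.4.0": 3}))
    for hexid in ("80001f88807d6dfe468a7d595c00000000", "80001234", "80006666"):
        e = decode_engine_id(bytes.fromhex(hexid))
        print(hexid, e.enterprise, e.format_name, e.problems)
    print("remote-engine matches receiver:",
          remote_engine_matches(bytes.fromhex("80001234"), receiver_id))
```

Running it on the post's values shows frame 1 as the discovery probe and frame 2 as the discovery response; the receiver's engine ID parses as enterprise 8072 with format octet 128, which is why the dissector can only mark it as enterprise-specific, while the two 4-octet IDs in the configs are shorter than the 5 octets RFC 3411 requires.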

_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net