Hi Dag,

Try not to set the engineID in snmptrapd.conf and let snmptrapd and Junos negotiate the engineID:

    createUser -e 0x80001234 authpriv2 SHA xyzzy188 AES xazzza18
    ->
    createUser authpriv2 SHA xyzzy188 AES xazzza18

Looking at the pcap file, snmptrapd sends the engineID = 80001f88....., but Junos does not set it at all (engineID = <MISSING>).

Regards
Anders Wallin

On Thu, Feb 28, 2019 at 2:02 PM Dag B <d...@bakke.com> wrote:
> Hi.
>
> I am trying to convince snmptrapd to receive snmp v3 informs from Junos
> (Juniper Networks' BSD-variant on switches and firewalls). The idea was
> to use informs rather than traps, so I could:
> - have encryption in place.
> - avoid having to update the snmptrapd config for every new device
>   sending v3 traps
>
> When Junos starts its snmp process, it will send a few probes to
> snmptrapd to decide if the receiver is receptive to informs. If not, it
> stops sending informs.
>
> So far, I have not succeeded. snmptrapd appears unhappy, then Junos gets
> unhappy, takes the ball and goes home.
> I would like to know if my config and my understanding of the
> observations are correct.
>
> Config, observations and sample packet capture follow:
>
>
> Config:
> -------------
>
> snmptrapd.conf:
> ------------------------
> createUser -e 0x80001234 authpriv2 SHA xyzzy188 AES xazzza18
> authUser log,execute authpriv2
>
> running snmptrapd like this:
> ----------------------------------
> snmptrapd -f -C -c /tmp/snmptrapd.conf -Le -Dusm,engine
>
>
> junos config:
> -----------------
> set snmp v3 usm local-engine user authpriv authentication-sha authentication-password xyzzy188
> set snmp v3 usm local-engine user authpriv privacy-aes128 privacy-password xazzza18
> set snmp v3 usm remote-engine 0x80001234 user authpriv2 authentication-sha authentication-password xyzzy188
> set snmp v3 usm remote-engine 0x80001234 user authpriv2 privacy-aes128 privacy-password xazzza18
> set snmp v3 vacm security-to-group security-model usm security-name authpriv group myv3group
> set snmp v3 vacm security-to-group security-model usm security-name authpriv2 group notifygroup
> set snmp v3 vacm access group myv3group default-context-prefix security-model usm security-level authentication read-view myv3view
> set snmp v3 vacm access group myv3group default-context-prefix security-model usm security-level privacy read-view myv3view
> set snmp v3 vacm access group notifygroup default-context-prefix security-model usm security-level authentication notify-view myv3view
> set snmp v3 vacm access group notifygroup default-context-prefix security-model usm security-level privacy notify-view myv3view
> set snmp v3 target-address snmptrapd-server address 192.168.200.1
> set snmp v3 target-address snmptrapd-server tag-list macnotify
> set snmp v3 target-address snmptrapd-server target-parameters targparms
> set snmp v3 target-parameters targparms parameters message-processing-model v3
> set snmp v3 target-parameters targparms parameters security-model usm
> set snmp v3 target-parameters targparms parameters security-level privacy
> set snmp v3 target-parameters targparms parameters security-name authpriv2
> set snmp v3 notify myv3notify type inform
> set snmp v3 notify myv3notify tag macnotify
> set snmp engine-id local 0x80006666
> set snmp view myv3view oid iso include
> set ethernet-switching-options mac-notification
>
>
> Observations:
> --------------------
> With this setup, I managed to get three probe failures in 'show snmp
> inform-statistics' after a switch reboot.
>
> root@ex2200c-lab2> show snmp inform-statistics
> Inform Request Statistics:
>   Target name: snmptrapd-server    Address: 192.168.200.1
>   Sent: 0, Pending: 0
>   Discarded: 1, Timeouts: 0, Probe failures: 3
>
>
> snmptrapd says:
> ---------------------
> registered debug token usm, 1
> registered debug token engine, 1
> usmUser: created a new user authpriv2 at 80 00 12 34
> NET-SNMP version 5.8
> usm: USM processing begun...
> usm: Unknown Engine ID.
> usm: USM processing has begun (offset 56)
> usm: getting user
> usm: USM processing completed.
> [three more times, 4 packets in total]
>
>
> Not sure if the list allows for attachments? Packet capture attached,
> but I have added the decoded SNMP packets for the first two frames below.
>
> As far as I can tell, the probes sent from the Junos end are all
> unencrypted, and not using the configured user or engine ID.
> Is this a correct interpretation of the packet capture? Not expecting
> the list to validate my Junos config, by the way.
>
> There is also the "Data not conforming to RFC3411". Any comment on that?
>
>
> Thanks,
>
>
> Dag B
>
>
> Decoded packets:
> -------------------------
> Simple Network Management Protocol
>     msgVersion: snmpv3 (3)
>     msgGlobalData
>         msgID: 1610700309
>         msgMaxSize: 65507
>         msgFlags: 04
>             .... .1.. = Reportable: Set
>             .... ..0. = Encrypted: Not set
>             .... ...0 = Authenticated: Not set
>         msgSecurityModel: USM (3)
>     msgAuthoritativeEngineID: <MISSING>
>     msgAuthoritativeEngineBoots: 0
>     msgAuthoritativeEngineTime: 0
>     msgUserName:
>     msgAuthenticationParameters: <MISSING>
>     msgPrivacyParameters: <MISSING>
>     msgData: plaintext (0)
>         plaintext
>             contextEngineID: <MISSING>
>             contextName:
>             data: get-request (0)
>                 get-request
>                     request-id: 1679169514
>                     error-status: noError (0)
>                     error-index: 0
>                     variable-bindings: 0 items
>
>
> Simple Network Management Protocol
>     msgVersion: snmpv3 (3)
>     msgGlobalData
>         msgID: 1610700309
>         msgMaxSize: 1472
>         msgFlags: 00
>             .... .0.. = Reportable: Not set
>             .... ..0. = Encrypted: Not set
>             .... ...0 = Authenticated: Not set
>         msgSecurityModel: USM (3)
>     msgAuthoritativeEngineID: 80001f88807d6dfe468a7d595c00000000
>         1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
>         Engine Enterprise ID: net-snmp (8072)
>         Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
>         Data not conforming to RFC3411
>             [Expert Info (Warning/Protocol): Data not conforming to RFC3411]
>                 [Data not conforming to RFC3411]
>                 [Severity level: Warning]
>                 [Group: Protocol]
>     msgAuthoritativeEngineBoots: 1
>     msgAuthoritativeEngineTime: 1870
>     msgUserName:
>     msgAuthenticationParameters: <MISSING>
>     msgPrivacyParameters: <MISSING>
>     msgData: plaintext (0)
>         plaintext
>             contextEngineID: 80001f88807d6dfe468a7d595c00000000
>                 1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
>                 Engine Enterprise ID: net-snmp (8072)
>                 Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
>                 Data not conforming to RFC3411
>                     [Expert Info (Warning/Protocol): Data not conforming to RFC3411]
>                         [Data not conforming to RFC3411]
>                         [Severity level: Warning]
>                         [Group: Protocol]
>             contextName:
>             data: report (8)
>                 report
>                     request-id: 1679169514
>                     error-status: noError (0)
>                     error-index: 0
>                     variable-bindings: 1 item
>                         1.3.6.1.6.3.15.1.1.4.0: 3
>                             Object Name: 1.3.6.1.6.3.15.1.1.4.0 (iso.3.6.1.6.3.15.1.1.4.0)
>                             Value (Counter32): 3
>
> _______________________________________________
> Net-snmp-users mailing list
> Net-snmp-users@lists.sourceforge.net
> Please see the following page to unsubscribe or change other options:
> https://lists.sourceforge.net/lists/listinfo/net-snmp-users
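To make the decoded frames above easier to read, here is an added Python helper (my code, not from the thread or from Net-SNMP) that decodes the SNMPv3 msgFlags octet, splits an RFC 3411 engineID into enterprise, format and data, and interprets a probe/report pair against the USM engineID discovery rules. The 8-byte data length assumed for the Net-SNMP random format is my reading of Wireshark's dissector, not something stated in the thread.

```python
import binascii

# OID of the counter in the captured report PDU (usmStatsUnknownEngineIDs, RFC 3414)
USM_STATS_UNKNOWN_ENGINE_IDS = "1.3.6.1.6.3.15.1.1.4.0"
ENGINE_ID_FORMATS = {1: "IPv4", 2: "IPv6", 3: "MAC", 4: "text", 5: "octets"}
NETSNMP_ENTERPRISE, NETSNMP_RANDOM = 8072, 128  # values Wireshark printed above


def parse_msg_flags(flags: int) -> dict:
    """Decode the SNMPv3 msgFlags octet (RFC 3412): bit0 auth, bit1 priv, bit2 reportable."""
    auth, priv = bool(flags & 0x01), bool(flags & 0x02)
    return {"authenticated": auth, "encrypted": priv, "reportable": bool(flags & 0x04),
            "valid": not (priv and not auth)}  # RFC 3412: privacy requires authentication


def parse_engine_id(hex_id: str) -> dict:
    """Split an SnmpEngineID (RFC 3411) into enterprise number, format octet and data."""
    raw = binascii.unhexlify(hex_id.lower().removeprefix("0x"))
    if not raw:
        return {"empty": True}
    if not raw[0] & 0x80 or len(raw) < 5:  # legacy form, or too short for RFC 3411
        return {"empty": False, "rfc3411": False, "data": raw.hex()}
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    fmt, data = raw[4], raw[5:]
    info = {"empty": False, "rfc3411": True, "enterprise": enterprise, "format": fmt,
            "format_name": ENGINE_ID_FORMATS.get(fmt, "enterprise-specific"),
            "data": data.hex(), "excess_bytes": 0}
    if enterprise == NETSNMP_ENTERPRISE and fmt == NETSNMP_RANDOM:
        # Assumption (my reading of Wireshark's dissector, not stated in the thread):
        # this format is 4 random bytes + 4 bytes of creation time, and any bytes
        # beyond those 8 are what it labels "Data not conforming to RFC3411".
        info["excess_bytes"] = max(0, len(data) - 8)
    return info


def check_discovery(probe_engine_id: str, probe_flags: int, report_engine_id: str,
                    report_varbinds: dict, configured_engine_id: str) -> list:
    """Interpret a probe/report pair (RFC 3414 engineID discovery) and compare the
    engineID a `createUser -e` user was keyed under with the one the receiver sent."""
    findings = []
    flags = parse_msg_flags(probe_flags)
    if parse_engine_id(probe_engine_id)["empty"] and flags["reportable"] and not flags["authenticated"]:
        findings.append("probe is an engineID discovery request (empty engineID, noAuthNoPriv, reportable)")
    if USM_STATS_UNKNOWN_ENGINE_IDS in report_varbinds:
        findings.append("report carries usmStatsUnknownEngineIDs with the receiver's real engineID")
    if configured_engine_id.lower().removeprefix("0x") != report_engine_id.lower():
        findings.append("user is keyed under an engineID that differs from the one snmptrapd "
                        "advertises, so USM lookups for that user will miss")
    return findings
```

Feeding it the two frames above (probe: empty engineID, flags 04; report: engineID 80001f88..., varbind 1.3.6.1.6.3.15.1.1.4.0) together with the configured 0x80001234 yields all three findings.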