The file you are showing is /tmp/snmptrapd.conf, but I don’t see you referring to that file when you start snmptrapd (using -c), so I believe it will be looking in its standard location on your platform for the config file.

Keep in mind that the createUser directives usually appear in the secure config file (/var/lib/snmp/snmptrapd.conf and /var/lib/snmp/snmpd.conf on my Debian 10 host using the stock Debian snmptrapd package, version 5.7.3), where they get converted to usmUser directives with encoded auth and priv passwords. Note, this conversion happens on shutdown of snmpd or snmptrapd, so add createUser directives to the file while the corresponding daemon is running, then restart the daemon.

On the receiving host, I would put the following in the /var/lib/snmp/snmptrapd.conf file, and then restart snmptrapd:

    createUser user1 SHA authpass AES privpass

No need to set the engineID here, since createUser defaults to using the local engineID, which is authoritative for INFORM. I don’t set the engineID anywhere; I let the software generate them.

After restart, in the secure snmptrapd.conf file there is an oldEngineID directive (why old? no clue), which is what is used on the createUser directive on the INFORM sending host:

    oldEngineID 0x80001f88801933bc3f482ba75d00000000

On the INFORM sending host, I would put the following line in the secure snmpd.conf file (/var/lib/snmp/snmpd.conf for my distro), and then restart snmpd:

    createUser -e 0x80001f88801933bc3f482ba75d00000000 user1 SHA authpass AES privpass

The user is created with the engineID of the receiving host, which is authoritative in the case of INFORM. (DES is deprecated and unsafe, so use AES. Newer net-snmp distributions have additional algorithms which are even better.)

If you have configured snmptrapd first and restarted it, then when snmpd is restarted with the new usmUser directive in its secure snmpd.conf file (created during shutdown), you should receive coldStart traps at the snmptrapd host. You can use the “-f -Lo” options to run snmptrapd in the foreground with logging to stdout to see what’s happening.
You can also use snmptrap to send v3 INFORMs to your other host to test the configuration and understand how the sender and receiver configs need to match up.

The default Debian distribution of net-snmp is rather old (5.7.3), so some of the directives and files may have changed for newer versions, and locations may be different for your version/distro of net-snmp.

Hope that helps,
Brian

From: Feroz <feroz.afs...@gmail.com>
Sent: Wednesday, January 13, 2021 2:39 AM
To: Atkins, Brian <brian.atk...@netapp.com>
Cc: net-snmp-users@lists.sourceforge.net
Subject: Re: snmptrapd for V3 informs

Hi Brian,

Thanks a lot for your response. Here is what I tried, but that doesn't seem to be working.

I tried adding the token "engineID <Engine ID>" in snmptrapd.conf and used the same engineID in the createUser directive; even that didn't work. Is there a different method to get the engineID for snmptrapd?

I want to forward SNMP v3 INFORMs from VM-1 to VM-2; here is my configuration on VM-1 and VM-2. I'm generating the INFORM on VM1, the destination being the loopback address. I get "usm: Failed to find engine data." and snmptrapd always core-dumps. With this topology SNMPv3 TRAP works without any issues; it's just v3 INFORMs that are creating trouble. Even v2 INFORM works.

VM1:

    root@Ubuntu3323:~# cat /tmp/snmptrapd.conf
    authCommunity log,net public
    snmpTrapdAddr udp:162,udp6:162
    forward default 2.2.2.2:162
    createUser feroz SHA feroz123 DES feroz123
    authUser log,net feroz priv
    root@Ubuntu3323#

Start snmptrapd on VM1:

    root@Ubuntu3323:# /usr/sbin/snmptrapd -f -C -c /tmp/snmptrapd.conf -Lo -d -Dusm,snmptrapd,sess_async_send &

Generate link-up notification on VM1.

    root@Ubuntu3323:# snmpinform -Ci -v 3 -a SHA -A feroz123 -x DES -X feroz123 -l authPriv -u feroz localhost 0 IF-MIB::linkUp

VM2:

    root@Ubuntu3322:# cat /tmp/snmptrapd.conf
    createUser feroz SHA feroz123 DES feroz123
    authUser log feroz priv
    root@Ubuntu3322:#

Start snmptrapd as follows on VM2:

    root@Ubuntu3322:~# /usr/sbin/snmptrapd -f -C -c /tmp/snmptrapd.conf -d -Lo -Dusm,snmptrapd

On Wed, Jan 6, 2021 at 9:21 PM Atkins, Brian <brian.atk...@netapp.com> wrote:

I don’t have one handy, but keep in mind that the engineID used to encode the usmUser credentials, for both snmptrapd and the agent, is the one for snmptrapd itself, not the agent sending the INFORM:

With SNMPv3 informs, the authoritative engine ID is the engine that receives the inform, unlike SNMPv3 traps, where the agent's engine ID is authoritative.

So when you create the usmUser for the SNMP agent, you use the snmptrapd engineID. Since the usmUser must exist in the agent configuration before it can send the INFORM, engineID discovery is useless for INFORMs (unlike queries like GET, GET-NEXT).

Hope this helps,
Brian

From: Feroz <feroz.afs...@gmail.com>
Sent: Wednesday, January 6, 2021 10:11 AM
To: net-snmp-users@lists.sourceforge.net
Subject: snmptrapd for V3 informs

Anyone tried forwarding V3 informs with snmptrapd? Can someone share the snmptrapd.conf file?

-Feroz

--
Regards,
Feroz Ahmed
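
The replies in this thread turn on the usmUser credentials being encoded with the INFORM receiver's engineID. As an added example (not part of the thread and not net-snmp code), the RFC 3414 password-to-key and key-localization steps for SHA-1 show why a sender whose user is localized to any other engineID cannot authenticate; the function names and the sender engineID are constructed for illustration.

```python
import hashlib

# engineID of the receiving snmptrapd, as quoted in the thread (oldEngineID).
RECEIVER_ENGINE_ID = bytes.fromhex("80001f88801933bc3f482ba75d00000000")
# Constructed sender engineID, for illustration only (assumption).
SENDER_ENGINE_ID = bytes.fromhex("80001f8880aabbccdd0011223300000000")


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2: hash the password repeated out to exactly 1 MiB (Ku)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || engineID || Ku), so Kul is per-engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_key(password: str, engine_id: bytes) -> bytes:
    """Localized SHA-1 authentication key for one user on one engine."""
    return localize_key(password_to_key(password.encode()), engine_id)


def inform_keys_match(password: str, sender_user_engine_id: bytes) -> bool:
    """True if the sender's stored key equals the receiver's for an INFORM.

    The receiver is authoritative for INFORMs, so it always uses its own
    engineID; the sender matches only if its user was created with that ID.
    """
    receiver_key = auth_key(password, RECEIVER_ENGINE_ID)
    sender_key = auth_key(password, sender_user_engine_id)
    return receiver_key == sender_key


if __name__ == "__main__":
    # Same password on both hosts; only the engineID used on the sender varies.
    print("createUser -e <receiver engineID>:",
          inform_keys_match("authpass", RECEIVER_ENGINE_ID))
    print("createUser with sender's own engineID:",
          inform_keys_match("authpass", SENDER_ENGINE_ID))
```
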