Re: SNMP TLS snmpget error
I have one basic doubt. Why do we mention the their_identity in snmpget TLS request as the peer's certificate info will be unknown? our_identity will be sufficient, right?

I'm trying to set up agent also locally. Using the DTLS tutorial I have done the following:

1) *In Server(Agent)* I have generated self signed certificate and configured this fingerprint as serverCert in snmpd.conf file. Also configured the user as Agent-83

    [snmp] serverCert 28:0F:20:2E:BC:CE:5A:E8:B6:79:1F:67:3B:5D:17:DA:61:A8:6D:9B
    rwuser -s tsm Agent-83

2) *From Client(Manager)*, I give snmpget request from client

    sudo snmpget -Dtsm,tls,openssl,cert -T our_identity=CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43 -T their_identity=28:0F:20:2E:BC:CE:5A:E8:B6:79:1F:67:3B:5D:17:DA:61:A8:6D:9B tlstcp:10.253.6.83 sysContact.0

In client I can see the following error

    tls:config: our identity CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43
    tls:config: their identity 28:0F:20:2E:BC:CE:5A:E8:B6:79:1F:67:3B:5D:17:DA:61:A8:6D:9B
    cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 163889776
    cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 163889776
    cert:find:params: hint = CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43
    cert:find:found: using cert tutorial-joecool.crt / cd7445c9a3a3550a6c3703b24938b10199958e43 for identity(1) (uses=identity+remote_peer (3))
    cert:find:found: using cert tutorial-joecool.crt / cd7445c9a3a3550a6c3703b24938b10199958e43 for identity(1) (uses=identity+remote_peer (3))
    cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint 163827608
    cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 163827608
    cert:find:params: hint = 28:0F:20:2E:BC:CE:5A:E8:B6:79:1F:67:3B:5D:17:DA:61:A8:6D:9B
    cert:find:params: looking for remote_peer(2) in FILE(0x1), hint 163827608
    cert:find:params: hint = 28:0F:20:2E:BC:CE:5A:E8:B6:79:1F:67:3B:5D:17:DA:61:A8:6D:9B
    tlstcp: connecting to tlstcp 10.253.6.83:10161
    tls_x509:verify: Cert: /C=US/ST=CA/L=Davis/O=Net-SNMP/OU=Development/CN=Agent-83/emailAddress=rootuser@rootuser-OptiPlex-745
    tls_x509:verify: fp: 280f202ebcce5ae8b6791f673b5d17da61a86d9b
    cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 163853656
    cert:find:params: hint = 280f202ebcce5ae8b6791f673b5d17da61a86d9b
    tls_x509:verify: no matching fp found
    tls verification failure: ok=0 ctx=0xbf83eea8 depth=0 err=18:self signed certificate
    tlstcp: failed to ssl_connect
    snmpget: Unknown host (tlstcp:10.253.6.83)

In server I can see the following error

    tlstcp: netsnmp_tlstcp_accept called
    TLSTCP: Failed SSL_accept
    OpenSSL Related Errors:
    TLS error: SSL_accept: rc=0, sslerror = 1 (SSL_ERROR_SSL)
    TLS Error: tlsv1 alert unknown ca

Awaiting response.

Thanks
Sandhya

On Tue, Aug 5, 2014 at 2:25 PM, sandhya reddy sr8...@gmail.com wrote:

Hi all,

By default, on Windows OS *net start net-snmp agent* command will start the agent on udp port 161. What is the procedure to run agent with tlstcp:10161 on Windows machine? Also is there any specific link to follow the commands in Windows for TLSTCP? Please help me.

Thanks,
sandhya

On Fri, Aug 1, 2014 at 4:20 PM, sandhya reddy sr8...@gmail.com wrote:

I've included the debug options when I run snmpd daemon from which also I can see errors.

    root@rootuser-Veriton-Series:/home/rootuser/projects/net-snmp-5.6.2.1# snmpd -f -Le -Dtsm,dtls,tls,openssl,cert tlstcp:10161
    registered debug token tsm, 1
    registered debug token dtls, 1
    registered debug token tls, 1
    registered debug token openssl, 1
    registered debug token cert, 1
    tlstcp: registering TLS constructor
    dtlsudp: registering DTLS constructor
    tsm: registering ourselves
    tsm: returned 0
    cert:util:init: init
    cert:index:add: dir /usr/local/share/snmp/tls/private at index 2
    cert:index:add: dir /usr/local/share/snmp/tls/ca-certs at index 0
    cert:index:add: dir /home/rootuser/.snmp/tls/certs at index 4
    cert:index:add: dir /home/rootuser/.snmp/tls/private at index 5
    cert:index:add: dir /usr/local/share/snmp/tls/certs at index 1
    cert:index:add: dir /home/rootuser/.snmp/tls/ca-certs at index 3
    cert:index:dir: Scanning directory /usr/local/share/snmp/tls/ca-certs
    cert:index:lookup: /usr/local/share/snmp/tls/ca-certs (0) /var/net-snmp/cert_indexes/0
    cert:index:parse: The index for /usr/local/share/snmp/tls/ca-certs looks good
    cert:index:dir: Scanning directory /usr/local/share/snmp/tls/certs
    cert:index:lookup: /usr/local/share/snmp/tls/certs (1) /var/net-snmp/cert_indexes/1
    cert:index:parse: The index for /usr/local/share/snmp/tls/certs looks good
    cert:index:parse: added 3 certs from index
    cert:index:dir: Scanning directory /usr/local/share/snmp/tls/private
    cert:index:lookup: /usr/local/share/snmp/tls/private (2) /var/net-snmp/cert_indexes/2
    cert:index:parse: The index for /usr/local/share/snmp/tls/private looks good
    cert:key:struct:new: new key 0x0x94ba308 for snmp.key
Re: SNMP TLS snmpget error
Hi all,

By default, on Windows OS *net start net-snmp agent* command will start the agent on udp port 161. What is the procedure to run agent with tlstcp:10161 on Windows machine? Also is there any specific link to follow the commands in Windows for TLSTCP? Please help me.

Thanks,
sandhya

On Fri, Aug 1, 2014 at 4:20 PM, sandhya reddy sr8...@gmail.com wrote:

I've included the debug options when I run snmpd daemon from which also I can see errors.

    root@rootuser-Veriton-Series:/home/rootuser/projects/net-snmp-5.6.2.1# snmpd -f -Le -Dtsm,dtls,tls,openssl,cert tlstcp:10161
    registered debug token tsm, 1
    registered debug token dtls, 1
    registered debug token tls, 1
    registered debug token openssl, 1
    registered debug token cert, 1
    tlstcp: registering TLS constructor
    dtlsudp: registering DTLS constructor
    tsm: registering ourselves
    tsm: returned 0
    cert:util:init: init
    cert:index:add: dir /usr/local/share/snmp/tls/private at index 2
    cert:index:add: dir /usr/local/share/snmp/tls/ca-certs at index 0
    cert:index:add: dir /home/rootuser/.snmp/tls/certs at index 4
    cert:index:add: dir /home/rootuser/.snmp/tls/private at index 5
    cert:index:add: dir /usr/local/share/snmp/tls/certs at index 1
    cert:index:add: dir /home/rootuser/.snmp/tls/ca-certs at index 3
    cert:index:dir: Scanning directory /usr/local/share/snmp/tls/ca-certs
    cert:index:lookup: /usr/local/share/snmp/tls/ca-certs (0) /var/net-snmp/cert_indexes/0
    cert:index:parse: The index for /usr/local/share/snmp/tls/ca-certs looks good
    cert:index:dir: Scanning directory /usr/local/share/snmp/tls/certs
    cert:index:lookup: /usr/local/share/snmp/tls/certs (1) /var/net-snmp/cert_indexes/1
    cert:index:parse: The index for /usr/local/share/snmp/tls/certs looks good
    cert:index:parse: added 3 certs from index
    cert:index:dir: Scanning directory /usr/local/share/snmp/tls/private
    cert:index:lookup: /usr/local/share/snmp/tls/private (2) /var/net-snmp/cert_indexes/2
    cert:index:parse: The index for /usr/local/share/snmp/tls/private looks good
    cert:key:struct:new: new key 0x0x94ba308 for snmp.key
    cert:key:struct:new: new key 0x0x94ba358 for tutorial-joecool.key
    cert:key:struct:new: new key 0x0x94ba3b8 for tutorial-agent.key
    cert:key:struct:new: new key 0x0x94ba410 for Agent-89.key
    cert:index:parse: added 4 certs from index
    cert:partner: Agent-89.crt match found!
    cert:partner: tutorial-agent.crt match found!
    cert:partner: tutorial-joecool.crt match found!
    cert:key:read: Checking file Agent-89.key
    cert:key:read: Checking file tutorial-agent.key
    cert:key:read: Checking file tutorial-joecool.key
    cert:dump: Certificates -
    cert:dump: cert Agent-89.crt in /usr/local/share/snmp/tls/certs
    cert:dump:type 1 flags 0x3 (identity+remote_peer)
    cert:dump: cert tutorial-agent.crt in /usr/local/share/snmp/tls/certs
    cert:dump:type 1 flags 0x3 (identity+remote_peer)
    cert:dump: cert tutorial-joecool.crt in /usr/local/share/snmp/tls/certs
    cert:dump:type 1 flags 0x3 (identity+remote_peer)
    cert:dump: key Agent-89.key in /usr/local/share/snmp/tls/private
    cert:dump:type 4 flags 0x1 (identity)
    cert:dump: key snmp.key in /usr/local/share/snmp/tls/private
    cert:dump:type 4 flags 0x1 (identity)
    cert:dump: key tutorial-agent.key in /usr/local/share/snmp/tls/private
    cert:dump:type 4 flags 0x1 (identity)
    cert:dump: key tutorial-joecool.key in /usr/local/share/snmp/tls/private
    cert:dump:type 4 flags 0x1 (identity)
    cert:dump: End --
    Warning: no access control information configured.
    (Config search path: /usr/local/etc/snmp:/usr/local/share/snmp:/usr/local/lib/snmp:/root/.snmp)
    It's unlikely this agent can serve any useful purpose in this state.
    Run snmpconf -g basic_setup to help you configure the snmpd.conf file for this agent.
    tlstcp: listening on tlstcp port 0.0.0.0:10161
    OpenSSL Related Errors:
    error: #33579106 (file b_sock.c, line 804)
    Textual Error: port='0.0.0.0:10161'
    error: #537301109 (file b_sock.c, line 806)
    End of OpenSSL Errors
    TLSTCP: Falied to do first accept on the TLS accept BIO
    NET-SNMP version 5.6.2.1

On Fri, Aug 1, 2014 at 10:30 AM, sandhya reddy sr8...@gmail.com wrote:

Hi Bill

Following is the detailed error statement:

    trace: netsnmp_tdomain_transport_full(): snmp_transport.c, 478:
    tdomain: tdomain_transport_full(snmp, tlstcp:10.253.6.83, 0, udp, [NIL])
    trace: find_tdomain(): snmp_transport.c, 430:
    tdomain: Found domain tlstcp from specifier tlstcp
    trace: netsnmp_lookup_default_target(): snmp_service.c, 400:
    defaults: netsnmp_lookup_default_target(snmp, tlstcp) - :10161
    trace: netsnmp_tdomain_transport_full(): snmp_transport.c, 601:
    tdomain: trying domain tlstcp address 10.253.6.83 default address :10161
    trace: netsnmp_sess_config_and_open_transport(): snmp_api.c, 1523:
    snmp_sess: opening transport: 0
    trace: netsnmp_sess_config_transport():
Re: SNMP TLS snmpget error
I've included the debug options when I run snmpd daemon from which also I can see errors.

    root@rootuser-Veriton-Series:/home/rootuser/projects/net-snmp-5.6.2.1# snmpd -f -Le -Dtsm,dtls,tls,openssl,cert tlstcp:10161
    registered debug token tsm, 1
    registered debug token dtls, 1
    registered debug token tls, 1
    registered debug token openssl, 1
    registered debug token cert, 1
    tlstcp: registering TLS constructor
    dtlsudp: registering DTLS constructor
    tsm: registering ourselves
    tsm: returned 0
    cert:util:init: init
    cert:index:add: dir /usr/local/share/snmp/tls/private at index 2
    cert:index:add: dir /usr/local/share/snmp/tls/ca-certs at index 0
    cert:index:add: dir /home/rootuser/.snmp/tls/certs at index 4
    cert:index:add: dir /home/rootuser/.snmp/tls/private at index 5
    cert:index:add: dir /usr/local/share/snmp/tls/certs at index 1
    cert:index:add: dir /home/rootuser/.snmp/tls/ca-certs at index 3
    cert:index:dir: Scanning directory /usr/local/share/snmp/tls/ca-certs
    cert:index:lookup: /usr/local/share/snmp/tls/ca-certs (0) /var/net-snmp/cert_indexes/0
    cert:index:parse: The index for /usr/local/share/snmp/tls/ca-certs looks good
    cert:index:dir: Scanning directory /usr/local/share/snmp/tls/certs
    cert:index:lookup: /usr/local/share/snmp/tls/certs (1) /var/net-snmp/cert_indexes/1
    cert:index:parse: The index for /usr/local/share/snmp/tls/certs looks good
    cert:index:parse: added 3 certs from index
    cert:index:dir: Scanning directory /usr/local/share/snmp/tls/private
    cert:index:lookup: /usr/local/share/snmp/tls/private (2) /var/net-snmp/cert_indexes/2
    cert:index:parse: The index for /usr/local/share/snmp/tls/private looks good
    cert:key:struct:new: new key 0x0x94ba308 for snmp.key
    cert:key:struct:new: new key 0x0x94ba358 for tutorial-joecool.key
    cert:key:struct:new: new key 0x0x94ba3b8 for tutorial-agent.key
    cert:key:struct:new: new key 0x0x94ba410 for Agent-89.key
    cert:index:parse: added 4 certs from index
    cert:partner: Agent-89.crt match found!
    cert:partner: tutorial-agent.crt match found!
    cert:partner: tutorial-joecool.crt match found!
    cert:key:read: Checking file Agent-89.key
    cert:key:read: Checking file tutorial-agent.key
    cert:key:read: Checking file tutorial-joecool.key
    cert:dump: Certificates -
    cert:dump: cert Agent-89.crt in /usr/local/share/snmp/tls/certs
    cert:dump:type 1 flags 0x3 (identity+remote_peer)
    cert:dump: cert tutorial-agent.crt in /usr/local/share/snmp/tls/certs
    cert:dump:type 1 flags 0x3 (identity+remote_peer)
    cert:dump: cert tutorial-joecool.crt in /usr/local/share/snmp/tls/certs
    cert:dump:type 1 flags 0x3 (identity+remote_peer)
    cert:dump: key Agent-89.key in /usr/local/share/snmp/tls/private
    cert:dump:type 4 flags 0x1 (identity)
    cert:dump: key snmp.key in /usr/local/share/snmp/tls/private
    cert:dump:type 4 flags 0x1 (identity)
    cert:dump: key tutorial-agent.key in /usr/local/share/snmp/tls/private
    cert:dump:type 4 flags 0x1 (identity)
    cert:dump: key tutorial-joecool.key in /usr/local/share/snmp/tls/private
    cert:dump:type 4 flags 0x1 (identity)
    cert:dump: End --
    Warning: no access control information configured.
    (Config search path: /usr/local/etc/snmp:/usr/local/share/snmp:/usr/local/lib/snmp:/root/.snmp)
    It's unlikely this agent can serve any useful purpose in this state.
    Run snmpconf -g basic_setup to help you configure the snmpd.conf file for this agent.
    tlstcp: listening on tlstcp port 0.0.0.0:10161
    OpenSSL Related Errors:
    error: #33579106 (file b_sock.c, line 804)
    Textual Error: port='0.0.0.0:10161'
    error: #537301109 (file b_sock.c, line 806)
    End of OpenSSL Errors
    TLSTCP: Falied to do first accept on the TLS accept BIO
    NET-SNMP version 5.6.2.1

On Fri, Aug 1, 2014 at 10:30 AM, sandhya reddy sr8...@gmail.com wrote:

Hi Bill

Following is the detailed error statement:

    trace: netsnmp_tdomain_transport_full(): snmp_transport.c, 478:
    tdomain: tdomain_transport_full(snmp, tlstcp:10.253.6.83, 0, udp, [NIL])
    trace: find_tdomain(): snmp_transport.c, 430:
    tdomain: Found domain tlstcp from specifier tlstcp
    trace: netsnmp_lookup_default_target(): snmp_service.c, 400:
    defaults: netsnmp_lookup_default_target(snmp, tlstcp) - :10161
    trace: netsnmp_tdomain_transport_full(): snmp_transport.c, 601:
    tdomain: trying domain tlstcp address 10.253.6.83 default address :10161
    trace: netsnmp_sess_config_and_open_transport(): snmp_api.c, 1523:
    snmp_sess: opening transport: 0
    trace: netsnmp_sess_config_transport(): snmp_api.c, 1464:
    snmp_sess: configuring transport
    tls:config: their identity Agent-83
    tls:config: our identity tutorial-joecool
    trace: sslctx_client_setup(): transports/snmpTLSBaseDomain.c, 516:
    sslctx_client: looking for local id: tutorial-joecool
    cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 161398264
    cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 161398264
    cert:find:params: hint =
Re: SNMP TLS snmpget error
Hi Bill,

I've understood a bit better from your explanation. I'll follow that link.

Conceptually, I understand the following. Please let me know whether I’m correct.

1) a) Net-SNMP tool can act as both SNMP manager and SNMP Agent. Or
   b) Net-SNMP tool acts as Manager only and test.net-snmp.org acts as Agent only?
   Which of a and b are correct.

2) test.net-snmp.org acts as agent and it has its own certificate tutorial-agent. We have to use this cert if we retrieve info from test.net-snmp.org agent

3) tutorial-agent is a self signed certificate and tutorial-CA is a CA signed certificate for agent.

4) I have tried giving the command you gave. I get an error.

    $ snmpget -T our_identity=tutorial-joecool -T their_identity=tutorial-agent \
        -t 10 tls:test.net-snmp.org sysUpTime.0

*Error:*

    No log handling enabled - using stderr logging
    tlstcp: failed to connect to test.net-snmp.org:10161
    OpenSSL Related Errors:
    error: #33562734 (file bss_conn.c, line 269)
    Textual Error: host=test.net-snmp.org:10161
    error: #537342055 (file bss_conn.c, line 273)
    End of OpenSSL Errors
    snmpget: Unknown host (tls:test.net-snmp.org) (Connection timed out)

Tried the above command with tlstcp:test.net-snmp.org also. But still the same error. I have also sniffed the traces. I can see SYN going out and retransmissions of SYN but don't get any response.

5) The request gets generated from random port. Is that fine or should it go from port 10161. And should we start any service like snmpd on port 10161. I assume snmpd is for snmp requests and snmptrapd is for traps. These are for receiving requests and traps. Only for receiving we need to start this service is what I understand

Looking forward for your response ASAP.

Thanks,
sandhya

On Fri, Jul 25, 2014 at 8:54 PM, Bill Fenner fen...@gmail.com wrote:

I followed the step by step directions from http://www.net-snmp.org/wiki/index.php/TUT:Using_TLS and got:

    $ snmpget -T our_identity=tutorial-joecool \
        -T their_identity=tutorial-agent \
        -t 10 tls:test.net-snmp.org sysUpTime.0
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1162098689) 134 days, 12:03:06.89

    $ snmpget -T our_identity=tutorial-joecool \
        -T trust_cert=tutorial-CA \
        -t 10 tls:test.net-snmp.org sysUpTime.0
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1162099339) 134 days, 12:03:13.39

    $ snmpget -T our_identity=CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43 \
        -T their_identity=CA:B8:0A:B3:6B:4C:21:2A:F2:92:CD:0B:6B:DF:6A:9F:23:D6:30:4B \
        tls:test.net-snmp.org sysContact.0
    SNMPv2-MIB::sysContact.0 = STRING: Net-SNMP Coders net-snmp-coders@lists.sourceforge.net

While you say you have the private key, you have the private key for joecool, not for agent. You have to generate a key for your own local agent, and that is the identity you'll need to use in the their_identity argument. You use the net-snmp-cert command to manage/generate certs.

Bill

On Fri, Jul 25, 2014 at 7:32 AM, sandhya reddy sr8...@gmail.com wrote:

Hi Bill,

Glad to see your response.

I have retrieved the entire certificate tar-ball http://www.net-snmp.org/tutorial/tutorial-5/certificates/tutorial-.snmp.tar.gz and uncompressed it. Initially, I tried to send the snmpget request to test.net-snmp.org using the certificates from the tutorial but it also failed giving error: Error finding client keys. Unable to create SSL context. Unknown host.

Tutorial also gives the private keys. I have checked this in private folder of snmp. If I try to send to the one in the tutorial test.net-snmp.org it should work, right? This is why I switched to the next setup. In this, I tried to set up Net-SNMP on two PCs using the same certs and keys in tutorial.

When you pointed out regarding certs I realized that I'm doing it wrong. I should create the cert in both Manager and Agent and use these two when sending out snmpget request from Manager, right? How do you create the certificates? Is there any link that follow steps to create certificates for Net-SNMP?

Once again I thank you for giving response. I've been waiting for some response.

Thanks,
sandhya

On Thu, Jul 24, 2014 at 5:44 PM, Bill Fenner fen...@gmail.com wrote:

Did you configure the certificates properly? In particular, did you configure the server with the private key? Since you're using the fingerprints from the tutorial, but using your local server instead of test.net-snmp.org, where did you get the private key? It's not part of the published set of keys.

Bill

On Wed, Jul 23, 2014 at 7:08 AM, sandhya reddy sr8...@gmail.com wrote:

Hi Coders and Users,

I've set up NET-SNMP 5.6.2.1 and configured tsm model. I've done this setup on two Ubuntu 14.04 PCs. I'm trying to send out snmpget request over tlstcp:10161. The following are the
Re: SNMP TLS snmpget error
Hi Bill,

I guess that SYN not getting any response is due to *firewall issue* at our side

1) Now I've tried to set up one PC as Net-SNMP Agent and other as manager.

2) On the PC which is an Agent I have started snmpd service on port 10161 using snmpd tlstcp:10161 command. This port is in LISTEN state.

3) I have generated certificate in Agent using net-snmp-cert command with name as Agent-89. I give this name in snmpget request their_identity parameter. Do I have to give the agent certificate name also when sending snmpget request from manager? If so why?

Command:

    snmpget -T our_identity=tutorial-joecool -T their_identity=Agent-83 -t 10 tlstcp:IP sysUpTime.0

In spite of these I get the error.

    tlstcp:Failed to SSl connect
    snmpget: Unknown host(Transport endpoint is not connected)

I've tried on another PC and got different error

    No log handling enabled - using stderr logging
    tlstcp: failed to connect to 10.253.6.83:10161
    OpenSSL Related Errors:
    error: #33562734 (file bss_conn.c, line 269)
    Textual Error: host=10.253.6.83:10161
    error: #537342055 (file bss_conn.c, line 273)
    End of OpenSSL Errors
    snmpget: Unknown host (tlstcp:10.253.6.83) (Connection timed out)

Please help me with this setup. Firewall issue I can't resolve as of now. Please help me setting up agent and manager locally

On Thu, Jul 31, 2014 at 2:10 PM, sandhya reddy sr8...@gmail.com wrote:

Hi Bill,

I've understood a bit better from your explanation. I'll follow that link.

Conceptually, I understand the following. Please let me know whether I’m correct.

1) a) Net-SNMP tool can act as both SNMP manager and SNMP Agent. Or
   b) Net-SNMP tool acts as Manager only and test.net-snmp.org acts as Agent only?
   Which of a and b are correct.

2) test.net-snmp.org acts as agent and it has its own certificate tutorial-agent. We have to use this cert if we retrieve info from test.net-snmp.org agent

3) tutorial-agent is a self signed certificate and tutorial-CA is a CA signed certificate for agent.

4) I have tried giving the command you gave. I get an error.

    $ snmpget -T our_identity=tutorial-joecool -T their_identity=tutorial-agent \
        -t 10 tls:test.net-snmp.org sysUpTime.0

*Error:*

    No log handling enabled - using stderr logging
    tlstcp: failed to connect to test.net-snmp.org:10161
    OpenSSL Related Errors:
    error: #33562734 (file bss_conn.c, line 269)
    Textual Error: host=test.net-snmp.org:10161
    error: #537342055 (file bss_conn.c, line 273)
    End of OpenSSL Errors
    snmpget: Unknown host (tls:test.net-snmp.org) (Connection timed out)

Tried the above command with tlstcp:test.net-snmp.org also. But still the same error. I have also sniffed the traces. I can see SYN going out and retransmissions of SYN but don't get any response.

5) The request gets generated from random port. Is that fine or should it go from port 10161. And should we start any service like snmpd on port 10161. I assume snmpd is for snmp requests and snmptrapd is for traps. These are for receiving requests and traps. Only for receiving we need to start this service is what I understand

Looking forward for your response ASAP.

Thanks,
sandhya

On Fri, Jul 25, 2014 at 8:54 PM, Bill Fenner fen...@gmail.com wrote:

I followed the step by step directions from http://www.net-snmp.org/wiki/index.php/TUT:Using_TLS and got:

    $ snmpget -T our_identity=tutorial-joecool \
        -T their_identity=tutorial-agent \
        -t 10 tls:test.net-snmp.org sysUpTime.0
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1162098689) 134 days, 12:03:06.89

    $ snmpget -T our_identity=tutorial-joecool \
        -T trust_cert=tutorial-CA \
        -t 10 tls:test.net-snmp.org sysUpTime.0
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1162099339) 134 days, 12:03:13.39

    $ snmpget -T our_identity=CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43 \
        -T their_identity=CA:B8:0A:B3:6B:4C:21:2A:F2:92:CD:0B:6B:DF:6A:9F:23:D6:30:4B \
        tls:test.net-snmp.org sysContact.0
    SNMPv2-MIB::sysContact.0 = STRING: Net-SNMP Coders net-snmp-coders@lists.sourceforge.net

While you say you have the private key, you have the private key for joecool, not for agent. You have to generate a key for your own local agent, and that is the identity you'll need to use in the their_identity argument. You use the net-snmp-cert command to manage/generate certs.

Bill

On Fri, Jul 25, 2014 at 7:32 AM, sandhya reddy sr8...@gmail.com wrote:

Hi Bill,

Glad to see your response.

I have retrieved the entire certificate tar-ball http://www.net-snmp.org/tutorial/tutorial-5/certificates/tutorial-.snmp.tar.gz and uncompressed it. Initially, I tried to send the snmpget request to test.net-snmp.org using the certificates from the
Re: SNMP TLS snmpget error
Is there any way that we set the source port also when sending request?

Thanks,
Sandhya

On Thu, Jul 31, 2014 at 6:30 PM, sandhya reddy sr8...@gmail.com wrote:

Hi Bill,

I guess that SYN not getting any response is due to *firewall issue* at our side

1) Now I've tried to set up one PC as Net-SNMP Agent and other as manager.

2) On the PC which is an Agent I have started snmpd service on port 10161 using snmpd tlstcp:10161 command. This port is in LISTEN state.

3) I have generated certificate in Agent using net-snmp-cert command with name as Agent-89. I give this name in snmpget request their_identity parameter. Do I have to give the agent certificate name also when sending snmpget request from manager? If so why?

Command:

    snmpget -T our_identity=tutorial-joecool -T their_identity=Agent-83 -t 10 tlstcp:IP sysUpTime.0

In spite of these I get the error.

    tlstcp:Failed to SSl connect
    snmpget: Unknown host(Transport endpoint is not connected)

I've tried on another PC and got different error

    No log handling enabled - using stderr logging
    tlstcp: failed to connect to 10.253.6.83:10161
    OpenSSL Related Errors:
    error: #33562734 (file bss_conn.c, line 269)
    Textual Error: host=10.253.6.83:10161
    error: #537342055 (file bss_conn.c, line 273)
    End of OpenSSL Errors
    snmpget: Unknown host (tlstcp:10.253.6.83) (Connection timed out)

Please help me with this setup. Firewall issue I can't resolve as of now. Please help me setting up agent and manager locally

On Thu, Jul 31, 2014 at 2:10 PM, sandhya reddy sr8...@gmail.com wrote:

Hi Bill,

I've understood a bit better from your explanation. I'll follow that link.

Conceptually, I understand the following. Please let me know whether I’m correct.

1) a) Net-SNMP tool can act as both SNMP manager and SNMP Agent. Or
   b) Net-SNMP tool acts as Manager only and test.net-snmp.org acts as Agent only?
   Which of a and b are correct.

2) test.net-snmp.org acts as agent and it has its own certificate tutorial-agent. We have to use this cert if we retrieve info from test.net-snmp.org agent

3) tutorial-agent is a self signed certificate and tutorial-CA is a CA signed certificate for agent.

4) I have tried giving the command you gave. I get an error.

    $ snmpget -T our_identity=tutorial-joecool -T their_identity=tutorial-agent \
        -t 10 tls:test.net-snmp.org sysUpTime.0

*Error:*

    No log handling enabled - using stderr logging
    tlstcp: failed to connect to test.net-snmp.org:10161
    OpenSSL Related Errors:
    error: #33562734 (file bss_conn.c, line 269)
    Textual Error: host=test.net-snmp.org:10161
    error: #537342055 (file bss_conn.c, line 273)
    End of OpenSSL Errors
    snmpget: Unknown host (tls:test.net-snmp.org) (Connection timed out)

Tried the above command with tlstcp:test.net-snmp.org also. But still the same error. I have also sniffed the traces. I can see SYN going out and retransmissions of SYN but don't get any response.

5) The request gets generated from random port. Is that fine or should it go from port 10161. And should we start any service like snmpd on port 10161. I assume snmpd is for snmp requests and snmptrapd is for traps. These are for receiving requests and traps. Only for receiving we need to start this service is what I understand

Looking forward for your response ASAP.

Thanks,
sandhya

On Fri, Jul 25, 2014 at 8:54 PM, Bill Fenner fen...@gmail.com wrote:

I followed the step by step directions from http://www.net-snmp.org/wiki/index.php/TUT:Using_TLS and got:

    $ snmpget -T our_identity=tutorial-joecool \
        -T their_identity=tutorial-agent \
        -t 10 tls:test.net-snmp.org sysUpTime.0
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1162098689) 134 days, 12:03:06.89

    $ snmpget -T our_identity=tutorial-joecool \
        -T trust_cert=tutorial-CA \
        -t 10 tls:test.net-snmp.org sysUpTime.0
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1162099339) 134 days, 12:03:13.39

    $ snmpget -T our_identity=CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43 \
        -T their_identity=CA:B8:0A:B3:6B:4C:21:2A:F2:92:CD:0B:6B:DF:6A:9F:23:D6:30:4B \
        tls:test.net-snmp.org sysContact.0
    SNMPv2-MIB::sysContact.0 = STRING: Net-SNMP Coders net-snmp-coders@lists.sourceforge.net

While you say you have the private key, you have the private key for joecool, not for agent. You have to generate a key for your own local agent, and that is the identity you'll need to use in the their_identity argument. You use the net-snmp-cert command to manage/generate certs.

Bill

On Fri, Jul 25, 2014 at 7:32 AM, sandhya reddy sr8...@gmail.com wrote:

Hi Bill,

Glad to see your response.

I have retrieved the entire certificate tar-ball
Re: SNMP TLS snmpget error
Hi Bill,

Following is the detailed error statement:

trace: netsnmp_tdomain_transport_full(): snmp_transport.c, 478:
tdomain: tdomain_transport_full(snmp, tlstcp:10.253.6.83, 0, udp, [NIL])
trace: find_tdomain(): snmp_transport.c, 430:
tdomain: Found domain tlstcp from specifier tlstcp
trace: netsnmp_lookup_default_target(): snmp_service.c, 400:
defaults: netsnmp_lookup_default_target(snmp, tlstcp) - :10161
trace: netsnmp_tdomain_transport_full(): snmp_transport.c, 601:
tdomain: trying domain tlstcp address 10.253.6.83 default address :10161
trace: netsnmp_sess_config_and_open_transport(): snmp_api.c, 1523:
snmp_sess: opening transport: 0
trace: netsnmp_sess_config_transport(): snmp_api.c, 1464:
snmp_sess: configuring transport
tls:config: their identity Agent-83
tls:config: our identity tutorial-joecool
trace: sslctx_client_setup(): transports/snmpTLSBaseDomain.c, 516:
sslctx_client: looking for local id: tutorial-joecool
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 161398264
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 161398264
cert:find:params: hint = tutorial-joecool
cert:find:params: looking for identity(1) in FILE(0x1), hint 161398264
cert:find:params: hint = tutorial-joecool
9:cert:subset:found: 1 matches
cert:find:found: using cert tutorial-joecool.crt / 9b49604cc747f4481d319e1923ace1d783fc5b6c for identity(1) (uses=identity+remote_peer (3))
cert:find:found: using cert tutorial-joecool.crt / 9b49604cc747f4481d319e1923ace1d783fc5b6c for identity(1) (uses=identity+remote_peer (3))
trace: sslctx_client_setup(): transports/snmpTLSBaseDomain.c, 531:
sslctx_client: using public key: tutorial-joecool.crt
trace: sslctx_client_setup(): transports/snmpTLSBaseDomain.c, 533:
sslctx_client: using private key: tutorial-joecool.key
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint 161503528
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 161503528
cert:find:params: hint = Agent-83
cert:find:params: looking for remote_peer(2) in FILE(0x1), hint 161503528
cert:find:params: hint = Agent-83
9:cert:subset:found: 0 matches
trace: netsnmp_tlstcp_open(): transports/snmpTLSTCPDomain.c, 709:
tlstcp: connecting to tlstcp 10.253.6.83:10161
tlstcp: failed to ssl_connect
trace: netsnmp_sess_config_and_open_transport(): snmp_api.c, 1540:
*snmp_sess: couldn't interpret peername*
snmpget: Unknown host (tlstcp:10.253.6.83)

Thanks
sandhya

On Fri, Aug 1, 2014 at 10:01 AM, sandhya reddy sr8...@gmail.com wrote:

Is there any way that we set the source port also when sending request??

Thanks,
Sandhya

On Thu, Jul 31, 2014 at 6:30 PM, sandhya reddy sr8...@gmail.com wrote:

Hi Bill,

I guess that SYN not getting any response is due to *firewall issue* at our side.

1) Now I've tried to setup one PC as Net-SNMP Agent and other as manager.
2) On the PC which is an Agent I have started snmpd service on port 10161 using snmpd tlstcp:10161 command. This port is in LISTEN state.
3) I have generated certificate in Agent using net-snmp-cert command with name as Agent-89. I give this name in snmpget request their_identity parameter. Do I have to give the agent certificate name also when sending snmpget request from manager? If so why?

Command: snmpget -T our_identity=tutorial-joecool -T their_identity=Agent-83 -t 10 tlstcp:IP sysUpTime.0

In spite of these I get the error.

*tlstcp:Failed to SSl connect*
*snmpget: Unknown host(Transport endpoint is not connected)*

I've tried on another PC and got different error:

*No log handling enabled - using stderr logging
tlstcp: failed to connect to 10.253.6.83:10161
OpenSSL Related Errors:
error: #33562734 (file bss_conn.c, line 269)
Textual Error: host=10.253.6.83:10161
error: #537342055 (file bss_conn.c, line 273)
End of OpenSSL Errors
snmpget: Unknown host (tlstcp:10.253.6.83) (Connection timed out)*

Please help me with this setup. Firewall issue I can't resolve as of now. Please help me setting up agent and manager locally

On Thu, Jul 31, 2014 at 2:10 PM, sandhya reddy sr8...@gmail.com wrote:

Hi Bill,

I've understood bit better from your explanation. I'll follow that link. Conceptually, I understand the following. Please let me know whether I'm correct.

1) a) Net-SNMP tool can act as both SNMP manager and SNMP Agent. Or b) Net-SNMP tool acts as Manager only and test.net-snmp.org acts as Agent only? Which of a and b are correct.
2) test.net-snmp.org acts as agent and it has its own certificate tutorial-agent. We have to use this cert if we retrieve info from test.net-snmp.org agent
3) tutorial-agent is a self signed certificate and tutorial-CA is a CA signed certificate for agent.
4) I have tried giving the command you gave. I get an error.

$ snmpget -T our_identity=tutorial-joecool -T their_identity=tutorial-agent \
    -t 10 tls:test.net-snmp.org
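Added example (not part of the original thread, and not Net-SNMP's own code): a small Python triage of the cert debug entries quoted in the message above. For each certificate purpose it reports the hint that was searched and whether a cert:find:found entry resolved it. The function names are illustrative assumptions; the trace lines are excerpted from that message.

```python
import re

# Excerpt of the snmpget debug trace quoted in the message above, one entry per line.
TRACE = """\
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 161398264
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 161398264
cert:find:params: hint = tutorial-joecool
cert:find:params: looking for identity(1) in FILE(0x1), hint 161398264
cert:find:params: hint = tutorial-joecool
9:cert:subset:found: 1 matches
cert:find:found: using cert tutorial-joecool.crt / 9b49604cc747f4481d319e1923ace1d783fc5b6c for identity(1) (uses=identity+remote_peer (3))
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint 161503528
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 161503528
cert:find:params: hint = Agent-83
cert:find:params: looking for remote_peer(2) in FILE(0x1), hint 161503528
cert:find:params: hint = Agent-83
9:cert:subset:found: 0 matches
"""

# One alternative per entry of interest. finditer() yields them in log order,
# so this also works on a copy of the trace whose line breaks were lost.
EVENT = re.compile(
    r"looking for (?P<purpose>\w+)\(\d+\) in \w+\(0x[0-9a-fA-F]+\)"
    r"|hint = (?P<hint>\S+)"
    r"|cert:subset:found: (?P<matches>\d+) matches"
    r"|using cert (?P<file>\S+) / (?P<fp>[0-9a-f]+) for (?P<found>\w+)\("
)

def _blank():
    return {"hint": None, "file_matches": None, "cert": None, "fingerprint": None}

def summarize_cert_lookups(trace):
    """Return {purpose: {hint, file_matches, cert, fingerprint}} in log order."""
    lookups, current = {}, None
    for m in EVENT.finditer(trace):
        if m.group("purpose"):
            current = lookups.setdefault(m.group("purpose"), _blank())
        elif m.group("hint") and current is not None:
            current["hint"] = m.group("hint")
        elif m.group("matches") is not None and current is not None:
            current["file_matches"] = int(m.group("matches"))
        elif m.group("found"):
            e = lookups.setdefault(m.group("found"), _blank())
            e["cert"], e["fingerprint"] = m.group("file"), m.group("fp")
    return lookups

def unresolved(lookups):
    """Purposes that were searched for but never got a cert:find:found entry."""
    return [(p, e["hint"]) for p, e in lookups.items() if e["cert"] is None]
```

On this trace, unresolved() returns the remote_peer lookup for Agent-83: the manager resolved its own identity to tutorial-joecool.crt, but the search for the agent identity ended with 0 matches and no cert:find:found entry.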
Re: SNMP TLS snmpget error
Hi Bill,

Glad to see your response.

I have retrieved the entire certificate tar-ball http://www.net-snmp.org/tutorial/tutorial-5/certificates/tutorial-.snmp.tar.gz and uncompressed it.

Initially, I tried to send the snmpget request to test.net-snmp.org using the certificates from the tutorial but it also failed giving error Error finding client keys. Unable to create SSL context. Unknown host.

Tutorial also gives the private keys. I have checked this in private folder of snmp. If I try to send to the one in the tutorial test.net-snmp.org it should work right?

This is why I switched to the next setup. In this, I tried to setup Net-SNMP on two PCs using the same certs and keys in tutorial. When you pointed out regarding certs I realized that I'm doing it wrong. I should create the cert in both Manager and Agent and use these two when sending out snmpget request from Manager right?

How do you create the certificates. Is there any link that follow steps to create certificates for Net-SNMP?

Once again I thank you for giving response. I've been waiting for some response.

Thanks,
sandhya

On Thu, Jul 24, 2014 at 5:44 PM, Bill Fenner fen...@gmail.com wrote:

Did you configure the certificates properly? In particular, did you configure the server with the private key? Since you're using the fingerprints from the tutorial, but using your local server instead of test.net-snmp.org, where did you get the private key? It's not part of the published set of keys.

Bill

On Wed, Jul 23, 2014 at 7:08 AM, sandhya reddy sr8...@gmail.com wrote:

Hi Coders and Users,

I've setup NET-SNMP 5.6.2.1 and configured tsm model. I've done this setup on two Ubuntu 14.04 PCs. I'm trying to send out snmpget request over tlstcp:10161

The following are the steps I follow:

1) Start snmpd using the command: snmpd tlstcp:10161
2) snmpget -T our_identity=CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43 -T their_identity=CA:B8:0A:B3:6B:4C:21:2A:F2:92:CD:0B:6B:DF:6A:9F:23:D6:30:4B tlstcp:IPAddress:10161 sysContact.0

I get an error Failed to create SSL context.

I'm debugging using wireshark sniffs and observe the following: In the process of sending out snmpget request, TCP connection is getting established (I see SYN, SYN/ACK and ACK) and I see PUSH data to the agent (which might be Client hello the next step from SNMP manager) for which agent is trying to tear down the TCP connection with FIN/ACK

Please give me some inputs as to what is wrong that I'm doing. Please help me to get snmpget request working

Thanks,
Sandhya
Re: SNMP TLS snmpget error
I followed the step by step directions from http://www.net-snmp.org/wiki/index.php/TUT:Using_TLS and got:

$ snmpget -T our_identity=tutorial-joecool \
    -T their_identity=tutorial-agent \
    -t 10 tls:test.net-snmp.org sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1162098689) 134 days, 12:03:06.89

$ snmpget -T our_identity=tutorial-joecool \
    -T trust_cert=tutorial-CA \
    -t 10 tls:test.net-snmp.org sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1162099339) 134 days, 12:03:13.39

$ snmpget -T our_identity=CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43 \
    -T their_identity=CA:B8:0A:B3:6B:4C:21:2A:F2:92:CD:0B:6B:DF:6A:9F:23:D6:30:4B \
    tls:test.net-snmp.org sysContact.0
SNMPv2-MIB::sysContact.0 = STRING: Net-SNMP Coders net-snmp-coders@lists.sourceforge.net

While you say you have the private key, you have the private key for joecool, not for agent. You have to generate a key for your own local agent, and that is the identity you'll need to use in the their_identity argument. You use the net-snmp-cert command to manage/generate certs.

Bill

On Fri, Jul 25, 2014 at 7:32 AM, sandhya reddy sr8...@gmail.com wrote:

Hi Bill,

Glad to see your response.

I have retrieved the entire certificate tar-ball http://www.net-snmp.org/tutorial/tutorial-5/certificates/tutorial-.snmp.tar.gz and uncompressed it.

Initially, I tried to send the snmpget request to test.net-snmp.org using the certificates from the tutorial but it also failed giving error Error finding client keys. Unable to create SSL context. Unknown host.

Tutorial also gives the private keys. I have checked this in private folder of snmp. If I try to send to the one in the tutorial test.net-snmp.org it should work right?

This is why I switched to the next setup. In this, I tried to setup Net-SNMP on two PCs using the same certs and keys in tutorial. When you pointed out regarding certs I realized that I'm doing it wrong. I should create the cert in both Manager and Agent and use these two when sending out snmpget request from Manager right?

How do you create the certificates. Is there any link that follow steps to create certificates for Net-SNMP?

Once again I thank you for giving response. I've been waiting for some response.

Thanks,
sandhya
Re: SNMP TLS snmpget error
Hi,

Is there anyone who is using SNMPv3 with TLS? Please respond. I don't find anyone showing interest.

Thanks
Sandhya
Re: SNMP TLS snmpget error
Did you configure the certificates properly? In particular, did you configure the server with the private key? Since you're using the fingerprints from the tutorial, but using your local server instead of test.net-snmp.org, where did you get the private key? It's not part of the published set of keys.

Bill