Hi Bill,

The configuration on the files is fine, snmpd loads it incorrectly. I created a 
simplified configuration to explain it. I created two users (Netscaler and 
Netscaler2) and only user Netscaler is used in a trap:

sysobjectid 1.3.6.1.4.1.5951.6
exactEngineID 0x80001f88809c0a3f394b485c5600000000
rouser Netscaler authPriv -V SNMP-View
rocommunity public 10.91.31.244
view SNMP-View included 1.3.6.1
rouser Netscaler2 authPriv -V SNMP-View
trapsess -v 3 -u Netscaler -l authPriv 10.91.31.244:162

In the persistent snmpd.conf we added two createUser lines that snmpd replaced 
with two usmUser ones (as it should):

usmUser 1 3 0x80001f88809c0a3f394b485c5600000000 0x4e65747363616c657200 
0x4e65747363616c657200 NULL .1.3.6.1.6.3.10.1.1.3 
0x426373815984b75c5166630521bca5efe960beb6 .1.3.6.1.6.3.10.1.2.4 
0x292bb2f0da4fa36bd313263b059f0e50 0x
usmUser 1 3 0x80001f88809c0a3f394b485c5600000000 0x4e65747363616c65723200 
0x4e65747363616c65723200 NULL .1.3.6.1.6.3.10.1.1.3 
0x426373815984b75c5166630521bca5efe960beb6 .1.3.6.1.6.3.10.1.2.4 
0x426373815984b75c5166630521bca5ef 0x
engineBoots 12
oldEngineID 0x80001f88809c0a3f394b485c5600000000

The protocols (AES/SHA1), usernames and passwords are correct in this file. 
However, snmp queries only work for user Netscaler2, not for user Netscaler 
that is configured in the trap.

Using gdb I can see why. The user Netscaler has the wrong protocols loaded but 
user Netscaler2 has the correct:

bash-3.2# gdb /usr/sbin/snmpd -p `cat /var/run/snmpd.pid` --batch 
--command=/root/print_users.gdb
engineID: 0x801c844c0:  0x881f0080      0x3f0a9c80
name: 0x801c6fac0:       "Netscaler"
secName: 0x801c6fad0:    "Netscaler"
authProtocol: .1.3.6.1.6.3.10.1.1.2             << This means MD5
privProtocol: .1.3.6.1.6.3.10.1.2.2             << This means DES
authKey: 0x426373815984b75c 0x5166630521bca5ef 0xe960beb600000000
privKey: 0x292bb2f0da4fa36b 0xd313263b059f0e50
engineID: 0x801c84540:  0x3f0a9c80881f0080      0x000000565c484b39
name: 0x801c6fae0:       "Netscaler2"
secName: 0x801c6faf0:    "Netscaler2"
authProtocol: .1.3.6.1.6.3.10.1.1.3             << This means SHA1
privProtocol: .1.3.6.1.6.3.10.1.2.4             << This means AES
authKey: 0x426373815984b75c 0x5166630521bca5ef 0xe960beb600000000
privKey: 0x426373815984b75c 0x5166630521bca5ef

This doesn’t happen the first time a user is configured (i.e. when snmpd loads 
with the createUser lines). But it will happen after the first snmpd restart. 
If I remove user Netscaler from the trap it works correctly.

I am attaching the actual configuration files and the gdb script.

Thanks,
Petros.
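
The comparison described in the message above, as an added example that is not part of the original mail or of Net-SNMP: it decodes the persisted usmUser lines and flags any user whose running auth/priv protocols differ from the persisted ones. The field order is inferred from the lines quoted in the message, the MD5/DES key lengths are assumptions, and the function names and the `RUNTIME` table (transcribed from the gdb output) are illustrative.

```python
# Added example: field positions follow the usmUser lines quoted in the message.
# Expected stored key lengths (bytes); the MD5 and DES values are assumptions.
AUTH = {".1.3.6.1.6.3.10.1.1.1": ("noAuth", 0),
        ".1.3.6.1.6.3.10.1.1.2": ("MD5", 16),
        ".1.3.6.1.6.3.10.1.1.3": ("SHA1", 20)}
PRIV = {".1.3.6.1.6.3.10.1.2.1": ("noPriv", 0),
        ".1.3.6.1.6.3.10.1.2.2": ("DES", 16),
        ".1.3.6.1.6.3.10.1.2.4": ("AES", 16)}

def _hex(tok):
    """Decode a 0x... token; a bare 0x or "" yields empty bytes."""
    return bytes.fromhex(tok[2:]) if tok.startswith("0x") else b""

def parse_usm_user(line):
    f = line.split()
    if len(f) != 12 or f[0] != "usmUser":
        raise ValueError("not a usmUser line: %r" % line)
    auth, auth_len = AUTH.get(f[7], ("unknown", None))
    priv, priv_len = PRIV.get(f[9], ("unknown", None))
    return {"name": _hex(f[4]).rstrip(b"\0").decode(),  # names are NUL-terminated
            "engine_id": f[3], "auth": auth, "priv": priv,
            "keys_ok": len(_hex(f[8])) == auth_len and len(_hex(f[10])) == priv_len}

def compare(persisted_lines, runtime):
    """Return (user, finding) pairs where persisted and running state disagree."""
    findings = []
    for line in persisted_lines:
        u = parse_usm_user(line)
        if not u["keys_ok"]:
            findings.append((u["name"], "key length does not match protocol"))
        live = runtime.get(u["name"])
        if live and live != (u["auth"], u["priv"]):
            findings.append((u["name"], "persisted %s/%s, running %s/%s"
                             % (u["auth"], u["priv"], *live)))
    return findings

# The two persisted lines from the message, with the mail line wrapping undone.
ENGINE = "0x80001f88809c0a3f394b485c5600000000"
AUTHKEY = "0x426373815984b75c5166630521bca5efe960beb6"
SHA, AES = ".1.3.6.1.6.3.10.1.1.3", ".1.3.6.1.6.3.10.1.2.4"
PERSISTED = [
    " ".join(["usmUser 1 3", ENGINE, "0x4e65747363616c657200", "0x4e65747363616c657200",
              "NULL", SHA, AUTHKEY, AES, "0x292bb2f0da4fa36bd313263b059f0e50", "0x"]),
    " ".join(["usmUser 1 3", ENGINE, "0x4e65747363616c65723200", "0x4e65747363616c65723200",
              "NULL", SHA, AUTHKEY, AES, "0x426373815984b75c5166630521bca5ef", "0x"]),
]
# Protocols the running snmpd held, transcribed from the gdb output in the message.
RUNTIME = {"Netscaler": ("MD5", "DES"), "Netscaler2": ("SHA1", "AES")}

if __name__ == "__main__":
    for user, finding in compare(PERSISTED, RUNTIME):
        print(user, "->", finding)
```
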

From: Krishna Vivek Vitta
Sent: Wednesday, 1 May 2019 1:16 PM
To: Bill Fenner <fen...@gmail.com>
Cc: net-snmp-users@lists.sourceforge.net; Petros Tsampoukas <petros.tsampou...@citrix.com>
Subject: RE: Help required for "snmpwalk: Authentication failure "

+Petros to explain the problem in detail.


Thank you
Krishna Vivek

From: Bill Fenner <fen...@gmail.com>
Sent: 29 April 2019 22:01
To: Krishna Vivek Vitta <krishna.vivekvi...@citrix.com>
Cc: net-snmp-users@lists.sourceforge.net
Subject: Re: Help required for "snmpwalk: Authentication failure "

Hi Krishna,

net-snmp 5.5 is 10 years old this year.  5.8 is the current release.

That said, it might be possible to help you if you share the actual snmpd.conf 
files.  You mention "add snmptrap dest_server=10.91.31.244 user_name=test 
dest_port=162 version=v3", but that is not how to configure net-snmp, so I 
don't know what to think about how that changes the actual configuration.

  Bill


On Wed, Apr 24, 2019 at 7:19 AM Krishna Vivek Vitta <krishna.vivekvi...@citrix.com> wrote:
Any update on the behaviour?


Thank you
Krishna Vivek

From: Krishna Vivek Vitta
Sent: 23 April 2019 11:43
To: net-snmp-users@lists.sourceforge.net
Subject: Help required for "snmpwalk: Authentication failure "

Hi expert,

We have a case where snmpwalk fails after an SNMPv3 user is added to a trap 
destination. The Net-SNMP version being used is 5.5 on a FreeBSD setup.

We start with a configured user for SNMPv3. We used SHA1 and AES for the auth 
and privacy protocols:
add snmpuser name=test auth_password=testtest privacy_password=testtest 
auth_protocol=SHA1 privacy_protocol=AES view_name=SNMP-View 
security_level=authPriv
add snmpview name=SNMP-View subtree=1.3.6.1 type=Include

The above steps:
1. Adds a createUser directive in /var/mps/netsnmp/snmpd.conf and restarts snmpd
2. SNMPD replaces the createUser directive with a usmUser directive in 
persistent conf

All this is normal. The configuration in the persistent snmpd.conf is correct. 
This is our test entry:

bash-3.2# fgrep 0x4e65747363616c657200 /var/mps/netsnmp/snmpd.conf
usmUser 1 3 0x80001f88809c0a3f394b485c5600000000 0x4e65747363616c657200 
0x4e65747363616c657200 NULL .1.3.6.1.6.3.10.1.1.3 
0x06be7a79a8108ccde730455187973c0719b3e460 .1.3.6.1.6.3.10.1.2.4 
0x06be7a79a8108ccde730455187973c07 ""


bash-3.2# gdb /usr/sbin/snmpd -p `cat /var/run/snmpd.pid` --batch 
--command=/root/print_users.gdb | awk '/test/,/privKey:/'

name: 0x801c6fac0:       "test"
secName: 0x801c6fad0:    "test"
authProtocol: .1.3.6.1.6.3.10.1.1.3             << This means SHA1
privProtocol: .1.3.6.1.6.3.10.1.2.4             << This means AES
authKey: 0x6be7a79a8108ccd 0xe730455187973c07 0x19b3e46000000000
privKey: 0x6be7a79a8108ccd 0xe730455187973c07

And of course the queries work:

vyos@vyos:~$ snmpwalk - -v3 -l authPriv -u Netscaler -a SHA -A 'testtest' -x 
AES -X 'testtest' 10.91.16.71:161 1.3.6.1.2.1.1.1
SNMPv2-MIB::sysDescr.0 = STRING: FreeBSD nssdx-mgmt 8.4-NETSCALER-12.0 FreeBSD 
8.4-NETSCALER-12.0 #0: Wed Sep 12 06:47:55 PDT 2018     
root@sjcpbld84-64:/usr/obj/home/build/rs_120_59_5_RTM/usr.src/sys/NSSVM amd64



Then I add an snmptrap destination that uses this user:



add snmptrap dest_server=10.91.31.244 user_name=test dest_port=162 version=v3

And the queries fail with authentication failure:

vyos@vyos:~$ snmpwalk - -v3 -l authPriv -u Netscaler -a SHA -A 'testtest' -x 
AES -X 'testtest' 10.91.16.71:161 1.3.6.1.2.1.1.1

snmpwalk: Authentication failure (incorrect password, community or key)



This time although the configuration is the same, snmpd internally has set the 
wrong protocols:



bash-3.2# fgrep 0x4e65747363616c657200 /var/mps/netsnmp/snmpd.conf

usmUser 1 3 0x80001f88809c0a3f394b485c5600000000 0x4e65747363616c657200 
0x4e65747363616c657200 NULL .1.3.6.1.6.3.10.1.1.3 
0x06be7a79a8108ccde730455187973c0719b3e460 
.1.3.6.1.6.3.10.1.2.4 0x06be7a79a8108ccde730455187973c07 0x

bash-3.2# gdb /usr/sbin/snmpd -p `cat /var/run/snmpd.pid` --batch 
--command=/root/print_users.gdb | awk '/Netscaler/,/privKey:/'

name: 0x801c6fac0:       "test"
secName: 0x801c6fad0:    "test"
authProtocol: .1.3.6.1.6.3.10.1.1.2             << This means MD5
privProtocol: .1.3.6.1.6.3.10.1.2.2             << This means DES
authKey: 0x6be7a79a8108ccd 0xe730455187973c07 0x19b3e46000000000
privKey: 0x6be7a79a8108ccd 0xe730455187973c07


Kindly provide assistance in resolving the case.

Thank you
Krishna Vivek

_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users