Login failed through SNMPv1/v2c - bad community name.

  • 0
  • 1
  • Problem
  • Updated 2 years ago
  • Solved
  • (Edited)
We're constantly getting log messages like these: 04/10/2016 22:15:42.37 Login failed through SNMPv1/v2c - bad community name, checked through similar problems discussed here, couldn't find a solution :) Do you have any ideas?

Here is OS version and snmp config:


Switch : 800323-00-03 1052G-04016 Rev 3.0 BootROM: 2.0.1.0 IMG: 16.1.1.4
PSU-1 : PSSF751301A-10 800382-00-03 1052A-44016
PSU-2 :

Image : ExtremeXOS version 16.1.1.4 by release-manager
on Fri Jun 12 17:47:56 EDT 2015
BootROM : 2.0.1.0
Diagnostics : 6.3

configure snmp sysName "X460-24p"
configure snmp sysLocation ""
configure snmp sysContact "support@extremenetworks.com, +1 888 257 3000"
configure snmp ifmib ifAlias size default
enable snmp traps port-up-down port 1
enable snmp traps port-up-down port 2
enable snmp traps port-up-down port 3
enable snmp traps port-up-down port 4
enable snmp traps port-up-down port 5
enable snmp traps port-up-down port 6
enable snmp traps port-up-down port 7
enable snmp traps port-up-down port 8
enable snmp traps port-up-down port 9
enable snmp traps port-up-down port 10
enable snmp traps port-up-down port 11
enable snmp traps port-up-down port 12
enable snmp traps port-up-down port 13
enable snmp traps port-up-down port 14
enable snmp traps port-up-down port 15
enable snmp traps port-up-down port 16
enable snmp traps port-up-down port 17
enable snmp traps port-up-down port 18
enable snmp traps port-up-down port 19
enable snmp traps port-up-down port 20
enable snmp traps port-up-down port 21
enable snmp traps port-up-down port 22
enable snmp traps port-up-down port 23
enable snmp traps port-up-down port 24
enable snmp traps port-up-down port 25
enable snmp traps port-up-down port 26
enable snmp traps port-up-down port 27
enable snmp traps port-up-down port 28
enable snmp traps port-up-down port 29
enable snmp traps port-up-down port 30
enable snmp traps port-up-down port 31
enable snmp traps port-up-down port 32
enable snmp traps port-up-down port 33
enable snmp traps port-up-down port 34
disable snmp traps fdb mac-tracking
disable snmp traps bfd
configure snmp traps batch-delay bfd 1000
enable snmp traps identity-management
configure lldp snmp-notification-interval 5
^[[A^[[A# Module snmpMaster configuration.
configure snmpv3 engine-id 03:00:04:96:51:f2:8e
configure snmp compatibility get-bulk reply-too-big-action too-big-error
configure snmp compatibility ip-fragmentation disallow
configure snmpv3 add user "admin" engine-id 80:00:07:7c:03:00:04:96:51:f2:8e authentication md5 auth-encrypted localized-key 23:f0:23:ad:23:ed:23:03:70:2d:31:32:23:f7:54:56:3f:23:e4:23:12:23:20:23:f1 privacy privacy-encrypted localized-key 23:f0:23:ad:23:ed:23:03:70:2d:31:32:23:f7:54:56:3f:23:e4:23:12:23:20:23:f1
configure snmpv3 add user "initial" engine-id 80:00:07:7c:03:00:04:96:51:f2:8e
configure snmpv3 add user "initialmd5" engine-id 80:00:07:7c:03:00:04:96:51:f2:8e authentication md5 auth-encrypted localized-key 23:9d:23:de:23:cb:23:14:26:31:78:23:dc:23:03:23:b6:23:04:23:88:23:ae:23:9b:23:ed:23:25
configure snmpv3 add user "initialsha" engine-id 80:00:07:7c:03:00:04:96:51:f2:8e authentication sha auth-encrypted localized-key 23:8e:23:93:23:b2:3c:23:d9:5a:61:4f:23:76:24:23:f5:23:ee:7b:35:23:e4:29:23:aa:23:f7:48:4c
configure snmpv3 add user "initialmd5Priv" engine-id 80:00:07:7c:03:00:04:96:51:f2:8e authentication md5 auth-encrypted localized-key 23:a5:23:a4:23:8c:30:65:23:dd:21:23:cb:23:00:23:16:23:a3:3a:23:b8:72:23:85:23:b3 privacy privacy-encrypted localized-key 23:a5:23:a4:23:8c:30:65:23:dd:21:23:cb:23:00:23:16:23:a3:3a:23:b8:72:23:85:23:b3
configure snmpv3 add user "initialshaPriv" engine-id 80:00:07:7c:03:00:04:96:51:f2:8e authentication sha auth-encrypted localized-key 23:1a:48:23:d2:68:23:b4:23:a2:23:d8:23:fd:46:5e:23:9b:23:f3:23:02:23:0e:23:ce:23:24:73:33:40:23:fd privacy privacy-encrypted localized-key 23:1a:48:23:d2:68:23:b4:23:a2:23:d8:23:fd:46:5e:23:9b:23:f3:23:02:23:0e:23:ce:23:24:73:33:40:23:fd
configure snmpv3 add group "v1v2c_ro" user "v1v2c_ro" sec-model snmpv1
configure snmpv3 add group "v1v2c_rw" user "v1v2c_rw" sec-model snmpv1
configure snmpv3 add group "v1v2c_ro" user "v1v2c_ro" sec-model snmpv2c
configure snmpv3 add group "v1v2c_rw" user "v1v2c_rw" sec-model snmpv2c
configure snmpv3 add group "admin" user "admin" sec-model usm
configure snmpv3 add group "initial" user "initial" sec-model usm
configure snmpv3 add group "initial" user "initialmd5" sec-model usm
configure snmpv3 add group "initial" user "initialsha" sec-model usm
configure snmpv3 add group "initial" user "initialmd5Priv" sec-model usm
configure snmpv3 add group "initial" user "initialshaPriv" sec-model usm
configure snmpv3 add access "admin" sec-model usm sec-level priv read-view "defaultAdminView" write-view "defaultAdminView" notify-view "defaultNotifyView"
configure snmpv3 add access "initial" sec-model usm sec-level noauth read-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "initial" sec-model usm sec-level authnopriv read-view "defaultUserView" write-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2c_ro" sec-model snmpv1 sec-level noauth read-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2c_ro" sec-model snmpv2c sec-level noauth read-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2c_rw" sec-model snmpv1 sec-level noauth read-view "defaultUserView" write-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2c_rw" sec-model snmpv2c sec-level noauth read-view "defaultUserView" write-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2cNotifyGroup" sec-model snmpv1 sec-level noauth notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2cNotifyGroup" sec-model snmpv2c sec-level noauth notify-view "defaultNotifyView"
configure snmpv3 add mib-view "defaultUserView" subtree 1.0/80 type included
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.16 type excluded
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.18 type excluded
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.4 type excluded
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.6 type excluded
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.9 type excluded
configure snmpv3 add mib-view "defaultAdminView" subtree 1.0/80 type included
configure snmpv3 add mib-view "defaultNotifyView" subtree 1.0/80 type included
configure snmpv3 add community "private" name "private" user "v1v2c_rw"
configure snmpv3 add community "public" name "public" user "v1v2c_ro"
configure snmpv3 add notify "defaultNotify" tag "defaultNotify"
enable snmp access
enable snmp access snmp-v1v2c
enable snmp access snmpv3
enable snmpv3 default-group
enable snmpv3 default-user
enable snmp traps
enable snmp access vr "VR-Default"
enable snmp access vr "VR-Mgmt"
configure snmp notification-log global-entry-limit 16000
configure snmp notification-log global-age-out 1440

Admin Edit: Removed serial numbers and duplicate config information
Photo of Paulius Preibys

Paulius Preibys

  • 180 Points 100 badge 2x thumb

Posted 2 years ago

  • 0
  • 1
Photo of Karthik Mohandoss

Karthik Mohandoss, Employee

  • 5,998 Points 5k badge 2x thumb
Hi Paulius,

From the configuration i could see that only the "private" and "public" community is available in the switch, If a device tries to poll the switch with a different community name the message what you have mentioned would be seen in the logs.

A little brief on the error message

<Warn:SNMP.Master.AuthFail> Login failed through SNMPv1/v2c - bad community name (x.x.x.x)

The warning message should have the source IP address (x.x.x.x) of the device which is sending the SNMP packets (poll the device), Check if it is a legitimate device which is supposed to poll the switch via SNMP if yes then check what is the community string it is configured with. As said before the switch only has "private" and "public".

I hope this helps....
Photo of Paulius Preibys

Paulius Preibys

  • 180 Points 100 badge 2x thumb
Thanks for quick response! I'll check the things mentioned
Photo of Drew C.

Drew C., Community Manager

  • 39,092 Points 20k badge 2x thumb
Any luck Paulius?
Photo of Paulius Preibys

Paulius Preibys

  • 180 Points 100 badge 2x thumb
Sorry for the delay, but no, it has one more community configured, which is the correct community, probably admin deleted it when editing. So far I've had no luck in solving this. Could this error show up if readwrite community was needed but it is configured as readonly?
Thanks
Photo of Paulius Preibys

Paulius Preibys

  • 180 Points 100 badge 2x thumb
And yes, the device is legitimate, thanks for your help
Photo of Paulius Preibys

Paulius Preibys

  • 180 Points 100 badge 2x thumb
I've also now deleted the default public and private communities
Photo of Karthik Mohandoss

Karthik Mohandoss, Employee

  • 5,998 Points 5k badge 2x thumb
Hi Paulius,

Did you got a chance to check what is the community used in the polling device? 
You would need to create the same community in the switch and yes if the device is trying to change any config in the switch and if the community have read-only access then also the reported error messages would come up.
Photo of Kawawa

Kawawa, GTAC

  • 3,272 Points 3k badge 2x thumb
Hi Paulius,

When you add SNMPv3 public and private communities, the default v1v2c communities are modified accordingly.  Therefore, if you NMS is polling the switch with v1v2c, but you've got v3 configured, that wont work.

Remove the following configurations
configure snmpv3 add community "private" name "private" user "v1v2c_rw"
configure snmpv3 add community "public" name "public" user "v1v2c_ro"
and add the following:
configure snmp add community readonly public
configure snmp add community readwrite private

I hope this helps
Photo of Paulius Preibys

Paulius Preibys

  • 180 Points 100 badge 2x thumb
Hello, and thanks for your replies :)

Yes, the communities configured match both on the switch and the monitoring server and we use snmp on this device for monitoring purposes only, but just to be sure, I've configured a readwrite community, and I still get the before mentioned log messages. The community was configured as snmp v2 comunity:

configure snmp add community readwrite xxxx.

Just to be sure, does the address in these messages ( Slot-2: Login failed through SNMPv1/v2c - bad community name (x.x.x.x)) need to be configured on the switch as trusted?

Big thanks for your replies!
(Edited)
Photo of Kawawa

Kawawa, GTAC

  • 3,272 Points 3k badge 2x thumb
Please attach the following output from the switch:
show snmpv3 community
show management
and Attach a screenshot from the IP source listed in the error and show us what SNMP configuration is on it
Photo of Paulius Preibys

Paulius Preibys

  • 180 Points 100 badge 2x thumb
Hello, I'm currently unable to provide the config from IP source listed in the error message, but I do know that it has snmp v2 and the same (as on switches) community name configured.
What I haven't mentioned before is that we get these errors on all of our extreme switches. Some are running ExtremeXOS version 15.3.4.6 and some ExtremeXOS version 16.1.1.4.
Here is the output from our switch:
* Slot-2 Stack.2 # show snmpv3 community

Community Index : xxx
Community Name : xxx
Security Name : v1v2c_rw
Context EngineID : 80:00:07:7c:03:02:04:96:52:58:54
Context Name :
Transport Tag :
Storage Type : NonVolatile
Row Status : Active

Total num. of entries in snmpCommunityTable : 1

* Slot-2 Stack.3 # show management
CLI idle timeout : Enabled (20 minutes)
CLI max number of login attempts : 3
CLI max number of sessions : 8
CLI paging : Enabled (this session only)
CLI space-completion : Disabled (this session only)
CLI configuration logging : Disabled
CLI scripting : Disabled (this session only)
CLI scripting error mode : Ignore-Error (this session only)
CLI persistent mode : Persistent (this session only)
CLI prompting : Disabled (this session only)
Telnet access : Enabled (tcp port 23 vr all)
: Access Profile : not set
SSH Access : ssh module not loaded.
Web access : Enabled (tcp port 80)
: Access Profile : not set
Total Read Only Communities : 0
Total Read Write Communities : 1
RMON : Disabled
SNMP access : Enabled
: Access Profile : not set
SNMP Compatibility Options :
IP Fragmentation : Disallow
SNMP Traps : Enabled
SNMP v1/v2c TrapReceivers : None

SNMP stats: InPkts 9650355 OutPkts 8317650 Errors 52783 AuthErrors 13327 05
Gets 8146452 GetNexts 108156 Sets 0 Drops 0
SNMP traps: Sent 0 AuthTraps Enabled
SNMP inform: Sent 0 Retries 0 Failed 0

Thank you for your advice.
Photo of Paulius Preibys

Paulius Preibys

  • 180 Points 100 badge 2x thumb
Maybe this is whats missing? :)
configure snmp add trapreceiver Server_IP_Address community Community_Name
Thanks, Paulius

Or maybe this:
configure snmpv3 add mib-view defaultUserView subtree 1 type included
Found it here:
https://gtacknowledge.extremenetworks...
Some of our switches are stacked.
Thanks
(Edited)
Photo of Paulius Preibys

Paulius Preibys

  • 180 Points 100 badge 2x thumb
none of these are relevant, because our monitoring system works by polling (snmpget) and the mibview is already configured
Photo of Kawawa

Kawawa, GTAC

  • 3,272 Points 3k badge 2x thumb
If your communities and versions are correct, and cases are consistent between your NMS and Stack, On your show management output which SNMP counters are currently incrementing?  Three outputs should give an idea.

Also, when you check the show snmpv3 counters which counters are incrementing?

Because this is a public forum, maybe you should log a case with the TAC so that all the information requested in nay of the comments above could be passed on for a full pciture of what's currently configured and how.
Photo of Paulius Preibys

Paulius Preibys

  • 180 Points 100 badge 2x thumb
In show management output snmp counter that increase are: InPkts; OutPkts; Gets
and there is a slower increase in AuthErrors as well.

Show snmpv3 counters all show 0:
snmpUnknownSecurityModels : 0
snmpInvalidMessages : 0
snmpUnknownPDUHandlers : 0
usmStatsUnsupportedSecLevels : 0
usmStatsNotInTimeWindows : 0
usmStatsUnknownUserNames : 0
usmStatsUnknownEngineIDs : 0
usmStatsWrongDigests : 0
usmStatsDecryptionErrors : 0
Photo of Ted

Ted

  • 1,174 Points 1k badge 2x thumb
We have the same issue with our Blackdiamonds.  This has been happening since I arrived 6 years ago.  Looking at "show snmpv3 counters - the usmStatsUnknownEngineIDs  increments non-stop.  I'm using snmpv3 and snmpv2.  None of our edge switches have this issue.
Photo of Ted

Ted

  • 1,174 Points 1k badge 2x thumb

coserv_core-02.6 # show snmpv3 counters

        snmpUnknownSecurityModels       : 0
        snmpInvalidMessages             : 0
        snmpUnknownPDUHandlers          : 0
        usmStatsUnsupportedSecLevels    : 0
        usmStatsNotInTimeWindows        : 0
        usmStatsUnknownUserNames        : 0
        usmStatsUnknownEngineIDs        : 7510
        usmStatsWrongDigests            : 0
        usmStatsDecryptionErrors        : 0

Photo of Kawawa

Kawawa, GTAC

  • 3,272 Points 3k badge 2x thumb
My understanding is that the NMS and host exchange Engine IDs when the first Get-Req is sent from the NMS and the host responds with the Report.  Now, if the engine ID in any subsequent requests that come from the NMS don't match the configured engine-ID on the host, the UnknowEngineID counter will increment.

I would suggest taking a packet capture and checking what Engine ID is coming in the snmpv3 packet from the NMS
Photo of Ted

Ted

  • 1,174 Points 1k badge 2x thumb
I'll try this.  Just FYI my Solarwinds NMS is configured for SNMPv2c.  Our NETSIGHT is set for snmpv3 but the bad community errors are coming from my Solarwinds box.
Photo of Ted

Ted

  • 1,174 Points 1k badge 2x thumb

I'll check both engine-ID's and will report.

Thank you

Photo of Ted

Ted

  • 1,174 Points 1k badge 2x thumb
I'm still having the same issue here.  I've got an TAC case going too, but troubleshooting other issues.
Photo of Ted

Ted

  • 1,174 Points 1k badge 2x thumb
coserv_core-01.4 # show snmpv3 counters
        snmpUnknownSecurityModels       : 0
        snmpInvalidMessages             : 0
        snmpUnknownPDUHandlers          : 0
        usmStatsUnsupportedSecLevels    : 0
        usmStatsNotInTimeWindows        : 0
        usmStatsUnknownUserNames        : 0
        usmStatsUnknownEngineIDs        : 366
        usmStatsWrongDigests            : 0
        usmStatsDecryptionErrors        : 0