SNMP Error #2003

  • 0
  • 1
  • Question
  • Updated 1 year ago
  • Answered
Hello together,

I have an Extreme switch and would like to use SNMP.
My SNMP config looks like this:


The problem is:
My SNMP test tool says: Error #2003
What can I do now?
Ghost108

Posted 1 year ago

David Coglianese, Embassador

What model switch do you have?

What code version are you running?

I don't see any community strings in that screen shot. Can you run [show configuration SNMP] and share that output?
Ghost108

model: x250e-48t

Conf SNMP
#
# Module snmpMaster configuration.
#
configure snmpv3 add group "v1v2cNotifyGroup" user "v1v2cNotifyUser1" sec-model snmpv2c
disable snmpv3 community "public"
configure snmpv3 add community "v1v2cNotifyComm1" name "public" user "v1v2cNotifyUser1"
configure snmpv3 add target-addr "v1v2cNotifyTAddr1" param "v1v2cNotifyParam1" ipaddress xxx.xxx.xxx.xxx
70 transport-port <port> from xxx.xxx.xxx.xxx tag-list "defaultNotify"
configure snmpv3 add target-params "v1v2cNotifyParam1" user "v1v2cNotifyUser1" mp-model snmpv2c sec-model snmpv2c sec-level noauth
configure snmpv3 add notify "defaultnotify" tag "defaultnotify"
disable snmpv3 default-group
Ghost108

How do I get the code version?
David Coglianese, Embassador

Show version image
Ghost108

15.2.3.2
David Coglianese, Embassador

I see V3 disabled and I don't see any custom SNMP community strings for V2.

I assume you have the tool configured for the default community strings.

Is there a user guide for the tool you are using? It would be good to clarify why the tool is giving you that error.

You can see the default configuration with
Show configuration SNMP detail.
Prashanth KG, Employee

Hi,

Based on my quick research, the error 2003 could be related to connectivity issues, limited access to SNMP on the switch, a wrong community setting, etc.

Looking at the configuration, I see that the default snmpv3 groups and communities are disabled.

disable snmpv3 community "public"
disable snmpv3 default-group

Is this the complete configuration that you have on the device that you have shared with us? If that is the case, please try to enable these 2 and check if that helps!

enable snmpv3 community public
enable snmpv3 default-group

Also, please share the "show log match snmp" output from the switch at the time of the error on the SNMP tester.

Hope this helps!
Ronald Dvorak, Embassador

I don't see an SNMP user in your config that refers to the group - first command in the picture below.

Here are two links on how to set up SNMPv3...

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-set-up-SNMPv3-on-EXOS
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-SNMPv3-informs-in-EXOS

I've put together my own table (as the KB wasn't very clear to me) to show which "variables" interact with each other - so here is a picture - the same colour must have the same name to work with the other commands.



I'd delete the SNMP config and start from scratch.
Ghost108

Please look at the result of "show conf snmp detail"

#
# Module snmpMaster configuration.
#
configure snmpv3 engine-id 03:02:04:96:37:44:77
configure snmp compatibility get-bulk reply-too-big-action too-big-error
configure snmp compatibility ip-fragmentation disallow
configure snmpv3 add user "admin" engine-id 80:00:07:7c:03:02:04:96:37:44:77 authentication md5 auth-encrypted localized-key XXX
configure snmpv3 add user "initial" engine-id 80:00:07:7c:03:02:04:96:37:44:77
configure snmpv3 add user "initialmd5" engine-id 80:00:07:7c:03:02:04:96:37:44:77 authentication md5 auth-encrypted localized-key XXX
configure snmpv3 add user "initialsha" engine-id 80:00:07:7c:03:02:04:96:37:44:77 authentication sha auth-encrypted localized-key XXX
configure snmpv3 add user "initialmd5Priv" engine-id 80:00:07:7c:03:02:04:96:37:44:77 authentication md5 auth-encrypted localized-key XXXX
configure snmpv3 add user "initialshaPriv" engine-id 80:00:07:7c:03:02:04:96:37:44:77 authentication sha auth-encrypted localized-key XXX privacy privacy-encrypted localized-key XXX
configure snmpv3 add group "v1v2c_ro" user "v1v2c_ro" sec-model snmpv1
configure snmpv3 add group "v1v2c_rw" user "v1v2c_rw" sec-model snmpv1
configure snmpv3 add group "v1v2c_ro" user "v1v2c_ro" sec-model snmpv2c
configure snmpv3 add group "v1v2c_rw" user "v1v2c_rw" sec-model snmpv2c
configure snmpv3 add group "v1v2cNotifyGroup" user "v1v2cNotifyUser1" sec-model snmpv2c
configure snmpv3 add group "admin" user "admin" sec-model usm
configure snmpv3 add group "initial" user "initial" sec-model usm
configure snmpv3 add group "initial" user "initialmd5" sec-model usm
configure snmpv3 add group "initial" user "initialsha" sec-model usm
configure snmpv3 add group "initial" user "initialmd5Priv" sec-model usm
configure snmpv3 add group "initial" user "initialshaPriv" sec-model usm
configure snmpv3 add access "admin" sec-model usm sec-level priv read-view "defaultAdminView" write-view "defaultAdminView" notify-view "defaultNotifyView"
configure snmpv3 add access "initial" sec-model usm sec-level noauth read-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "initial" sec-model usm sec-level authnopriv read-view "defaultUserView" write-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2c_ro" sec-model snmpv1 sec-level noauth read-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2c_ro" sec-model snmpv2c sec-level noauth read-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2c_rw" sec-model snmpv1 sec-level noauth read-view "defaultUserView" write-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2c_rw" sec-model snmpv2c sec-level noauth read-view "defaultUserView" write-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2cNotifyGroup" sec-model snmpv1 sec-level noauth notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2cNotifyGroup" sec-model snmpv2c sec-level noauth notify-view "defaultNotifyView"
configure snmpv3 add mib-view "defaultUserView" subtree 1.0/80 type included
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.16 type excluded
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.18 type excluded
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.4 type excluded
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.6 type excluded
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.9 type excluded
configure snmpv3 add mib-view "defaultAdminView" subtree 1.0/80 type included
configure snmpv3 add mib-view "defaultNotifyView" subtree 1.0/80 type included
configure snmpv3 add community "private" name "private" user "v1v2c_rw"
configure snmpv3 add community "public" name "public" user "v1v2c_ro"
disable snmpv3 community "public"
configure snmpv3 add community "v1v2cNotifyComm1" name "public" user "v1v2cNotifyUser1"
configure snmpv3 add target-addr "v1v2cNotifyTAddr1" param "v1v2cNotifyParam1" ipaddress XXX
70 transport-port 10550 from XXX tag-list "defaultNotify"
configure snmpv3 target-addr "v1v2cNotifyTAddr1" timeout 15
configure snmpv3 target-addr "v1v2cNotifyTAddr1" retry 3
configure snmpv3 add target-params "v1v2cNotifyParam1" user "v1v2cNotifyUser1" mp-model snmpv2c sec-model snmpv2c sec-level noauth
configure snmpv3 add notify "defaultNotify" tag "defaultNotify"
configure snmpv3 add notify "defaultnotify" tag "defaultnotify"
enable snmp access
enable snmp access snmp-v1v2c
enable snmp access snmpv3
disable snmpv3 default-group
enable snmpv3 default-user
enable snmp traps
configure snmp access-profile none
enable snmp access vr "VR-Default"
enable snmp access vr "VR-Mgmt"

And this is the output of a switch which works fine with SNMP.
I only use and test it with SNMP v1.


#
# Module snmpMaster configuration.
#
configure snmpv3 engine-id 03:02:04:96:36:f9:3c
configure snmp compatibility get-bulk reply-too-big-action too-big-error
configure snmp compatibility ip-fragmentation disallow
configure snmpv3 add user "admin" engine-id 80:00:07:7c:03:02:04:96:36:f9:3c authentication md5 auth-encrypted localized-key XXX privacy privacy-encrypted localized-key XXX
configure snmpv3 add user "initial" engine-id 80:00:07:7c:03:02:04:96:36:f9:3c
configure snmpv3 add user "initialmd5" engine-id 80:00:07:7c:03:02:04:96:36:f9:3c authentication md5 auth-encrypted localized-key XXX
configure snmpv3 add user "initialsha" engine-id 80:00:07:7c:03:02:04:96:36:f9:3c authentication sha auth-encrypted localized-key XXX
configure snmpv3 add user "initialmd5Priv" engine-id 80:00:07:7c:03:02:04:96:36:f9:3c authentication md5 auth-encrypted localized-key XXX privacy privacy-encrypted localized-key XXX
configure snmpv3 add user "initialshaPriv" engine-id 80:00:07:7c:03:02:04:96:36:f9:3c authentication sha auth-encrypted localized-key XXX
configure snmpv3 add group "v1v2c_ro" user "v1v2c_ro" sec-model snmpv1
configure snmpv3 add group "v1v2c_rw" user "v1v2c_rw" sec-model snmpv1
configure snmpv3 add group "v1v2c_ro" user "v1v2c_ro" sec-model snmpv2c
configure snmpv3 add group "v1v2c_rw" user "v1v2c_rw" sec-model snmpv2c
configure snmpv3 add group "v1v2cNotifyGroup" user "v1v2cNotifyUser1" sec-model snmpv2c
configure snmpv3 add group "admin" user "admin" sec-model usm
configure snmpv3 add group "initial" user "initial" sec-model usm
configure snmpv3 add group "initial" user "initialmd5" sec-model usm
configure snmpv3 add group "initial" user "initialsha" sec-model usm
configure snmpv3 add group "initial" user "initialmd5Priv" sec-model usm
configure snmpv3 add group "initial" user "initialshaPriv" sec-model usm
configure snmpv3 add access "admin" sec-model usm sec-level priv read-view "defaultAdminView" write-view "defaultAdminView" notify-view "defaultNotifyView"
configure snmpv3 add access "initial" sec-model usm sec-level noauth read-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "initial" sec-model usm sec-level authnopriv read-view "defaultUserView" write-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2c_ro" sec-model snmpv1 sec-level noauth read-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2c_ro" sec-model snmpv2c sec-level noauth read-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2c_rw" sec-model snmpv1 sec-level noauth read-view "defaultUserView" write-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2c_rw" sec-model snmpv2c sec-level noauth read-view "defaultUserView" write-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2cNotifyGroup" sec-model snmpv1 sec-level noauth notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2cNotifyGroup" sec-model snmpv2c sec-level noauth notify-view "defaultNotifyView"
configure snmpv3 add mib-view "defaultUserView" subtree 1.0/80 type included
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.16 type excluded
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.18 type excluded
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.4 type excluded
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.6 type excluded
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.9 type excluded
configure snmpv3 add mib-view "defaultAdminView" subtree 1.0/80 type included
configure snmpv3 add mib-view "defaultNotifyView" subtree 1.0/80 type included
configure snmpv3 add community "private" name "private" user "v1v2c_rw"
configure snmpv3 add community "public" name "public" user "v1v2c_ro"
configure snmpv3 add community "v1v2cNotifyComm1" name "ST.-1062731350.10550" user "v1v2cNotifyUser1"
configure snmpv3 add target-addr "v1v2cNotifyTAddr1" param "v1v2cNotifyParam1" ipaddress XXX
70 transport-port 10550 from XXX tag-list "defaultNotify"
configure snmpv3 target-addr "v1v2cNotifyTAddr1" timeout 15
configure snmpv3 target-addr "v1v2cNotifyTAddr1" retry 3
configure snmpv3 add target-params "v1v2cNotifyParam1" user "v1v2cNotifyUser1" mp-model snmpv2c sec-model snmpv2c sec-level noauth
configure snmpv3 add notify "defaultNotify" tag "defaultNotify"
enable snmp access
enable snmp access snmp-v1v2c
disable snmp access snmpv3
enable snmpv3 default-group
enable snmpv3 default-user
enable snmp traps
configure snmp access-profile none
enable snmp access vr "VR-Default"
enable snmp access vr "VR-Mgmt"
Ariyakudi Srinivas, Muthuraman, Employee

Hi,

The switch does seem to have the necessary configuration for the users "public" and "private":

configure snmpv3 add community "private" name "private" user "v1v2c_rw"
configure snmpv3 add community "public" name "public" user "v1v2c_ro"

Now, as long as there is no network related issue, we should have no problem with the SNMP being functional.

Just to test, the counters across the switch can be cleared with the command "clear counters" and try to test the connectivity and verify if the SNMP is functional from the output of "show management".
The part of the output of interest is as below to check if there are any errors, drops.

SNMP stats:     InPkts 0       OutPkts   0       Errors 0       AuthErrors 0
                Gets   0       GetNexts  0       Sets   0       Drops      0
SNMP traps:     Sent   0       AuthTraps Enabled
SNMP inform:    Sent   0       Retries   0       Failed 0
Ghost108

I cleared the counters.
After a new SNMP test it looks like this:

Ariyakudi Srinivas, Muthuraman, Employee

Hi,

Please provide the output of "show log match snmp" from the switch.
Let's confirm if there are any community mismatch issues with the switch.
Prashanth KG, Employee

Hi,

The output of the SNMP counters indicates that there are authentication errors.

It looks like a community mismatch. Please ensure you are using the same community name in the tool and the switch.
Also, please enable the default user and group in SNMP and let us know if that helps!
Ghost108

01/23/2017 07:55:41.59 <Warn:SNMP.Master.DropReqAccessDeny> Slot-1: SNMP access from source <ip> is denied by rule PolSNMPAccess. Dropping this Request.

Ariyakudi Srinivas, Muthuraman, Employee

Hi,

The log provided means the SNMP access from the specified source is denied by Policy Manager or access-list rule. Dropping this SNMP Request.

From the provided screenshot of "show management", there does not seem to be any access-profile configured.
And the drop could be due to any ACL that has been configured and applied at the switch.
Ghost108

Sorry, but what do I have to do now?
I am new to the Extreme world :/
Ariyakudi Srinivas, Muthuraman, Employee

Hi,

Please check if there are any ACLs applied in the switch to deny traffic from a particular source or subnet.

- output of "show configuration acl" will give you the information of the configured ACL.

If the switch has been configured with any access-list, please check the particular access-list that has the IP address of the NMS in it, and understand as to why the SNMP request from that source is getting dropped, say if it is expected. The output of "show policy <acl_name>" will give you the configuration of the policy file.

Also let us know what is the NMS that you are using.
Ghost108

Output of show config acl


configure access-list zone SYSTEM application NetLogin application-priority 4
configure access-list zone SYSTEM application HealthCheckLAG application-priority 5
configure access-list zone SYSTEM application IdentityManager application-priority 6
configure access-list zone SYSTEM application VMTracking application-priority 7
configure access-list zone SYSTEM application PolicyManager application-priority 8
configure access-list zone SYSTEM application Snmp application-priority 11
configure access-list zone SYSTEM application Telnet application-priority 12
configure access-list zone SYSTEM application Http application-priority 13
configure access-list zone SYSTEM application Ssh2 application-priority 14
Ariyakudi Srinivas, Muthuraman, Employee

Hi,

The IP address from the log message and the IP configured at the NMS, are they the same?

Also, the log message states that the request is dropped as it was hitting the policy "PolSNMPAccess", but the output of acl configuration you have shared does not seem to have the acl configured in it.

Are we sure the output of "show configuration acl" is from the same switch where the previously provided log message was provided from? 
Ghost108

Yes, I am very sure that it is always the same switch.
Ariyakudi Srinivas, Muthuraman, Employee

Hi,

From the switch configuration, I don't see any access list configured but the log speaks otherwise.

Please open a case with GTAC to have this further troubleshot. 
Ghost108

One question before I open a case.
Maybe this helps:




left: switch with SNMP problem
right: perfect switch

- both switches have the same three communities
but with the difference:

left: public has no value in column read view, but has a value in read view of the third community

right: public has a value in column read view, but does not have a value in read view of the third community


Can this be the problem?
And if yes: how can I set these settings like the left switch?
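
The read-view question above can be checked from the `show conf snmp detail` text alone. This added example (not written by any poster or by Extreme) rejoins the terminal-wrapped lines and follows each community to its user, group and read-view; it assumes `disable snmpv3 community` takes the community index and that v1/v2c requests are authorized through this chain, as in standard SNMPv3 coexistence. The sample input is abridged from the problem switch's output posted earlier in the thread.

```python
import re

# Constructed sample: lines abridged from the problem switch's
# "show conf snmp detail" output in this thread, terminal wrapping kept.
SAMPLE = '''\
configure snmpv3 add group "v1v2c_ro" user "v1v2c_ro" sec-model snmpv2c
configure snmpv3 add group "v1v2cNotifyGroup" user "v1v2cNotifyUser1" sec-model snmpv2c
configure snmpv3 add access "v1v2c_ro" sec-model snmpv2c sec-level noauth read-view "defaultUserView
" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2cNotifyGroup" sec-model snmpv2c sec-level noauth notify-view "defau
ltNotifyView"
configure snmpv3 add community "public" name "public" user "v1v2c_ro"
disable snmpv3 community "public"
configure snmpv3 add community "v1v2cNotifyComm1" name "public" user "v1v2cNotifyUser1"
'''

CMD = re.compile(r'(configure|enable|disable|#)')

def unwrap(text):
    """Rejoin lines the terminal wrapped mid-token (continuations lack a command verb)."""
    out = []
    for line in text.splitlines():
        if CMD.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line
    return out

def audit(text, sec_model="snmpv2c"):
    """Resolve community -> user -> group -> read-view for one security model."""
    groups, views, comms, disabled = {}, {}, [], set()
    for line in unwrap(text):
        if m := re.match(r'configure snmpv3 add group "([^"]+)" user "([^"]+)" sec-model (\S+)', line):
            groups[(m[2], m[3])] = m[1]
        elif m := re.match(r'configure snmpv3 add access "([^"]+)" sec-model (\S+) sec-level noauth(.*)', line):
            rv = re.search(r'read-view "([^"]+)"', m[3])
            views[(m[1], m[2])] = rv[1] if rv else None
        elif m := re.match(r'configure snmpv3 add community "([^"]+)" name "([^"]+)" user "([^"]+)"', line):
            comms.append(m.groups())
        elif m := re.match(r'disable snmpv3 community "([^"]+)"', line):
            disabled.add(m[1])  # assumption: the argument is the community index
    report = []
    for index, string, user in comms:
        group = groups.get((user, sec_model))
        report.append({"index": index, "string": string, "enabled": index not in disabled,
                       "group": group, "read_view": views.get((group, sec_model))})
    return report

def readable(text, community, sec_model="snmpv2c"):
    """Entries through which a GET with this community string could read anything."""
    return [r for r in audit(text, sec_model)
            if r["string"] == community and r["enabled"] and r["read_view"]]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
    print("readable via 'public':", readable(SAMPLE, "public"))
```

For the sample, neither entry that carries the string `public` is both enabled and mapped to a read-view.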
Ariyakudi Srinivas, Muthuraman, Employee

Hi,

I tried a few combinations to arrive at the configuration of the switch you have with the SNMP issue but could not.

But you can use the below command to remove and add the community "public" and check at the screenplay.

Remove: configure snmp add community readonly public
Add: configure snmp add community readonly public

If you want, you can remove and add it to the switch and check.
But my attempt to get the community public with no string at "Read View" was not successful.
Ghost108

you mean:

Remove: configure snmp DELETE community readonly public
Add: configure snmp add community readonly public
My result of the delete command:



My result of the add command:



I don't understand why one version of public is always available oO