SNMPv3 not working on Extreme x480

  • Problem
  • Updated 3 years ago
  • Solved
Try as I may I cannot satisfy the switch on its SNMPv3 config. It is really holding me up. Here is the config:


configure snmpv3 add user nms authentication sha mypassword privacy aes 256 mypassword
configure snmpv3 add group orion user nms sec-model usm
configure snmpv3 add access orion sec-model usm sec-level priv read-view defaultUserView notify-view defaultNotifyView
disable snmpv3 default-group
disable snmpv3 default-user


I am trying to add this into SolarWinds Orion, but I keep getting "test failed".
I cannot snmpwalk it either.

What am I doing wrong?

Evan R

Posted 5 years ago

Sumit Tokle, Alum

configure snmpv3 add user tokle auth md5 asdfghjkl123 priv des asdfghjkl123

configure snmpv3 add group writeGroup user tokle sec-model usm

configure snmpv3 add access readGroup sec-model usm sec-level priv read-view defaultAdminView notify-view defaultNotifyView

configure snmpv3 add access writeGroup sec-model usm sec-level priv read-view defaultAdminView write-view defaultAdminView notify-view defaultNotifyView

disable snmp access snmp-v1v2c

disable snmpv3 default-group

disable snmpv3 default-user


I have used the above configuration on my switch and I can add it using SNMPv3.

Evan R

Hello Sumit and thank you for the reply. Below is my config:

X480-24x(SS).2 # sh configuration "snmp"
#
# Module snmpMaster configuration.
#
configure snmpv3 add user nms authentication md5 auth-encrypted hex <redacted> privacy aes 128 privacy-encrypted hex <redacted>
configure snmpv3 add group orion user nms sec-model usm
configure snmpv3 add access orion sec-model usm sec-level priv read-view defaultAdminView notify-view defaultNotifyView
disable snmp access snmp-v1v2c
disable snmpv3 default-group
disable snmpv3 default-user

When I try to walk it

$ snmpwalk -v3 -u nms -l AuthPriv -a MD5 -A <redacted> -x AES -X <redacted> 10.4.1.198
SNMPv2-SMI::mib-2 = No more variables left in this MIB View (It is past the end of the MIB tree)

Any thoughts?

Evan R

BUMP

I've added my configuration to mirror yours just changing the username, and still I cannot snmpwalk

# Module snmpMaster configuration.
#
configure snmpv3 add user nms authentication sha <redacted> privacy aes 256 <redacted>
configure snmpv3 add group writeGroup user nms sec-model usm
configure snmpv3 add access orion sec-model usm sec-level priv read-view defaultAdminView notify-view defaultNotifyView
configure snmpv3 add access readGroup sec-model usm sec-level priv read-view defaultAdminView notify-view defaultNotifyView
configure snmpv3 add access writeGroup sec-model usm sec-level priv read-view defaultAdminView write-view defaultAdminView notify-view defaultNotifyView
disable snmp access snmp-v1v2c
disable snmpv3 default-group
disable snmpv3 default-user


snmpwalk -v3 -u nms -l AuthPriv -a SHA -A <redacted> -x AES -X <redacted> 10.4.1.198
Timeout: No Response from 10.4.1.198

Evan R

I've come to a modicum of success. DES works fine, but why not AES?

Sumit Tokle, Alum

SSL module has to be installed to use AES/3DES SNMPv3 users. Have you installed the SSL module on your switch? If not, then please install the SSL module. Please refer to the EXOS concept guide to enable the SSL module.

Sumit Tokle, Alum

* X440-48t.8 # configure snmpv3 add user sumittokle authentication md5 asdfghjkl123 privacy aes asdfghjkl1234
Warning: SSL module has to be installed to use AES/3DES SNMPv3 users.
* X440-48t.9 #


When I execute the above command, I get the above warning message. When I look at the concept guide, I see the information below on page number 89:

Before using the AES, 3DES users, you must install the SSH module and restart the snmpMaster process. Refer to Installing a Modular Software Package on page 1528 for information on installing the SSH module.

Evan R

Strange I do not get that warning. ...but I am on an x480 15.3.2.11. I generated an SSL cert, and all is well with AES. I have but one more question - I have added

configure snmpv3 add mib-view orion subtree 1.3.6 type included
configure snmpv3 add access orion sec-model usm sec-level priv read-view orion

but I do not see any interfaces once the device is polled.


Sumit Tokle, Alum

Below is the output on port 48 using SNMP v2. (Always use snmpget to get the information from the switch.)

snmpget -v 2c -c mpbn-ro 10.78.12.3 1.3.6.1.4.1.1916.1.4.14.1.1.1048

               SNMPv2-SMI::enterprises.1916.1.4.14.1.1.1048 = Counter64: 446804


-------------------------------------------------------------------------------------------------


I have seen many issues on EXOS 15.3.2. It's better to upgrade the switch to the stable version.

Evan R

I hate to bother you again, but I have still been unable to get this to work. It is not feasible to me to be able to upgrade all the switches in our network at this time so I am hoping you have some insights for me. Here is where I am at:

PRODUCTION SWITCH ( 15.3.3.5 patch1-2 ) [NOT WORKING]


configure snmpv3 add user orion authentication sha password privacy aes 128 password
configure snmpv3 add group nms user orion sec-model usm
configure snmpv3 add access nms sec-model usm sec-level priv read-view nms notify-view defaultNotifyView
configure snmpv3 add mib-view nms subtree 1.3.6.1.2.1.1/f8 type included
configure snmp access-profile "permit-snmp" readonly

LAB SWITCH Primary ver: 15.5.1.6 [WORKING]

configure snmpv3 add user "orion" authentication sha password privacy aes 128 password
configure snmpv3 add group "nms" user "orion" sec-model usm
configure snmpv3 add access "nms" sec-model usm sec-level priv read-view "nms" notify-view "defaultNotifyView"
configure snmpv3 add mib-view "nms" subtree 1.3.6.1.2.1.1/f8 type included
configure snmp access-profile "permit-snmp" readonly

when I try to walk the production switch, this is what happens:


C:\Users\Administrator>snmpwalk -v3 -u orion -l AuthPriv -a SHA -A password -x AES -X password 10.80.255.20
snmpwalk: Timeout (plaintext scopedPDU header type 00: s/b 30)

Pastebin for readability: http://pastebin.com/raw.php?i=BJ7yEUJL

Sumit Tokle, Alum

I would suggest creating a new post for every different issue which you face.

I have found this article that explains the exact problem we have:
http://www.mail-archive.com/net-snmp-users@lists.sourceforge.net/msg29952.html

From my Linux machine, doing an snmpwalk, I have the same issue, with this error as a result:
snmpwalk: Timeout (plaintext scopedPDU header type 00: s/b 30)

Slot-1 10-TR-C1-10.1 # show snmpv3 counters

        snmpUnknownSecurityModels       : 0
        snmpInvalidMessages             : 0
        snmpUnknownPDUHandlers          : 0
        usmStatsUnsupportedSecLevels    : 0
        usmStatsNotInTimeWindows        : 121
        usmStatsUnknownUserNames        : 0
        usmStatsUnknownEngineIDs        : 23
        usmStatsWrongDigests            : 0
        usmStatsDecryptionErrors        : 0
Slot-1 10-TR-C1-10.2 # show snmpv3 engine-info

        SNMP Engine-ID          : 80:00:07:7c:03:02:04:96:52:52:f4 'H'
        SNMP Engine Boots       : -825294831
        SNMP Engine Time        : 87631
        SNMP Max. Message Size  : 8192
Slot-1 10-TR-C1-10.3 #

Solution: When I did some more investigation, I could see the following configuration on my switch:

Slot-1 10-TR-C1-10.2 # show snmpv3 engine-info
        SNMP Engine-ID          : 80:00:07:7c:03:02:04:96:52:52:f4 'H'
        SNMP Engine Boots       : -825294831
        SNMP Engine Time        : 87631
        SNMP Max. Message Size  : 8192

If you see the engine-boots value at the maximum (-825294831), set it to less than the maximum value. It might also be related to the engine-timer (difference). Please configure the non-working switch within the configurable value, verify the engine-timer and monitor the switch.

R1.1 # configure snmpv3 engine-boots 1
     Number from 1 to 2147483647



Evan R

Thank you. This fixed the problem. Your continued support is most appreciated.

Ravi0087

# show snmpv3 counters
        snmpUnknownSecurityModels       : 0
        snmpInvalidMessages             : 0
        snmpUnknownPDUHandlers          : 0
        usmStatsUnsupportedSecLevels    : 0
        usmStatsNotInTimeWindows        : 1
        usmStatsUnknownUserNames        : 0
        usmStatsUnknownEngineIDs        : 1
        usmStatsWrongDigests            : 0
        usmStatsDecryptionErrors        : 0


Giving me authentication error:

 <Warn:SNMP.Master.AuthFail> Login failed through SNMPv3 - not in life time 

# show management 
.................
.................
SNMP stats:     InPkts 144     OutPkts   147     Errors 0       AuthErrors 4
                Gets   21      GetNexts  117     Sets   0       Drops      0      
SNMP traps:     Sent   7       AuthTraps Enabled
SNMP inform:    Sent   0       Retries   0       Failed 0

Ravi0087

        SNMP Engine-ID          : 80:00:07:7c:03:00:XX:XX:XX:XX:XX 'H'
        SNMP Engine Boots       : 10
        SNMP Engine Time        : 4200
        SNMP Max. Message Size  : 8192
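
The engine-boots fix accepted earlier in the thread and the later "not in life time" post both come down to the USM time-window check, which can be audited from the two show snmpv3 outputs. The script below is an added example, not code from the thread or from Extreme; it assumes the 150-second window of RFC 3414, and its function names and the counter heuristic are illustrative.

```python
import re

MAX_BOOTS = 2147483647   # upper bound printed by the EXOS CLI help in the thread
TIME_WINDOW = 150        # seconds, RFC 3414 section 3.2 step 7

# Constructed samples: values copied from the two outputs posted in the thread.
BAD_INFO = """SNMP Engine Boots       : -825294831
SNMP Engine Time        : 87631"""
BAD_COUNTERS = """usmStatsNotInTimeWindows        : 121
usmStatsUnknownEngineIDs        : 23"""
OK_INFO = """SNMP Engine Boots       : 10
SNMP Engine Time        : 4200"""
OK_COUNTERS = """usmStatsNotInTimeWindows        : 1
usmStatsUnknownEngineIDs        : 1"""

def parse_fields(cli_text):
    """Map 'Label : integer' lines of 'show snmpv3 ...' output to ints."""
    fields = {}
    for line in cli_text.splitlines():
        m = re.match(r"\s*([A-Za-z][\w .-]*?)\s*:\s*(-?\d+)\s*$", line)
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields

def in_time_window(local_boots, local_time, msg_boots, msg_time):
    """RFC 3414 timeliness test as applied by the authoritative engine (the switch)."""
    return (local_boots != MAX_BOOTS and msg_boots == local_boots
            and abs(msg_time - local_time) <= TIME_WINDOW)

def audit(engine_info, counters=""):
    """Return findings (empty list = nothing suspicious) for one switch."""
    info, ctr = parse_fields(engine_info), parse_fields(counters)
    findings = []
    boots = info.get("SNMP Engine Boots")
    if boots is None:
        findings.append("engine boots missing from output")
    elif not 1 <= boots < MAX_BOOTS:
        findings.append(f"engine boots {boots} outside 1..{MAX_BOOTS - 1}")
    # Heuristic (assumption): one UnknownEngineIDs and one NotInTimeWindows report
    # per manager session is normal USM discovery; a surplus of the latter is not.
    late = ctr.get("usmStatsNotInTimeWindows", 0)
    discovery = ctr.get("usmStatsUnknownEngineIDs", 0)
    if late > discovery:
        findings.append(f"{late} NotInTimeWindows vs {discovery} discoveries")
    return findings

if __name__ == "__main__":
    for name, args in (("bad", (BAD_INFO, BAD_COUNTERS)), ("ok", (OK_INFO, OK_COUNTERS))):
        print(name, audit(*args) or "no findings")
```

When audit() returns no findings but the switch still logs time-window failures, in_time_window() shows which boots and time values cached on the manager would be rejected.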