Question

XMC - cannot poll device snmpv3

  • 22 June 2020
  • 4 replies
  • 191 views

Hello everyone,

Maybe someone can point me in the right direction.

I configured an SNMPv3 profile in XMC and an X450-G2 switch as described below.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-set-up-SNMPv3-on-EXOS

On the switch there are no entries in the log indicating a rejected request and snmp stats counters are increasing every time XMC is discovering the device.

SNMP stats:     InPkts 236     OutPkts   153     Errors 0       AuthErrors 0
                Gets   79      GetNexts  19      Sets   0       Drops      0       
SNMP traps:     Sent   0       AuthTraps Enabled
SNMP Inform:    Sent   0       Retries   0       Failed 0  

XMC version: 8.4.4.26

XOS version:  22.7.1.2 22.7.1.2-patch1-17

 

Questions:

  • Do I have to upload the MIB to XMC? If yes, how?
  • How can I find out what’s missing?

Thanks, Klaus



Hello,

 

Try this: 

 

Out-of-the-box, the Summits have SNMP disabled.  To enable, execute the following:

enable snmp access snmpv3

 

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-get-XOS-SNMPv3-settings-to-work-with-default-Netsight-SNMPv3-Credentials/?q=how+to+configure+snmpv3+exos&l=en_US&fs=Search&pn=1

 

If you open up the legacy “Console” application there is a tool called “MIB tools” that I use to try to figure out what’s wrong. 

 

If on 8.4 click on the 3 bar menu in the upper right → Legacy → Console

Once the java application opens right click the device → MIB tools.

 

Depending on what’s wrong, you’ll get a different error message when the device is contacted when the menu opens.

 

Timeout likely means SNMPv3 isn’t enabled, is not fully configured, or there’s a problem with the datapath.

 

Authorization error means there is likely a problem with the user authentication password or configuration.

 

Encryption error means there’s a problem with the privacy configuration/password.

 

If it shows up green that means the device is up and SNMP contact is normal.

 

One thing to note, when you load up Console/MIB tools the SNMP traffic is sourced from your device and not the server itself, so if you do have SNMP contact issues keep that in mind.

 

Thanks

-Ryan

Hi Ryan,

 

I was able to get snmpv2 working but it seems as if the switch needs a reboot.

I will try snmpv3 after the reboot.

Would you have a sample snmpv3 configuration you could share with me?

 

Thanks, Klaus


Hello,

 

Here is an example SNMPv3 configuration in the lab. 

Here is what I believe are the relevant configurations: 

configure snmpv3 add user "snmpuser" engine-id 80:00:07:7c:03:00:04:96:9a:a5:68 authentication md5 auth-encrypted localized-key 23:24:43:67:44:41:5a:49:6c:64:68:67:55:56:44:64:4d:36:76:51:35:30:30:4a:6f:69:31:31:74:73:31:74:75:47:78:34:51:6d:30:59:64:66:77:71:34:6a:43:4b:78:52:48:4a:41:3d privacy privacy-encrypted localized-key 23:24:7a:4a:5a:57:48:70:65:38:58:31:39:58:4c:4e:70:6f:64:56:47:61:73:52:51:54:45:6c:4b:54:73:6d:78:56:2b:36:33:7a:75:36:79:51:42:6b:4c:55:79:44:4d:36:59:35:55:3d
 

configure snmpv3 add group "snmpgroup" user "snmpuser" sec-model usm
 

 

configure snmpv3 add access "snmpgroup" sec-model usm sec-level priv read-view "defaultAdminView" write-view "defaultAdminView" notify-view "defaultAdminView"
 

 

enable snmp access snmpv3
 

 

 

Here is an output of the snmp detail on the box. Please be aware that the majority of this configuration is actually pre-built snmp profiles on the box that really aren’t relevant, but you can maybe use them to see what’s different on your system: 

X440G2-12p-10G4.4 # show config snmp detail
#
# Module snmpMaster configuration.
#
configure snmpv3 engine-id 03:00:04:96:9a:a5:68
configure snmpv3 add user "snmpuser" engine-id 80:00:07:7c:03:00:04:96:9a:a5:68 authentication md5 auth-encrypted localized-key 23:24:43:67:44:41:5a:49:6c:64:68:67:55:56:44:64:4d:36:76:51:35:30:30:4a:6f:69:31:31:74:73:31:74:75:4778:34:51:6d:30:59:64:66:77:71:34:6a:43:4b:78:52:48:4a:41:3d privacy privacy-encrypted localized-key 23:24:7a:4a:5a:57:48:70:65:38:58:31:39:58:4c:4e:70:6f:64:56:47:61:73:52:51:54:45:6c:4b:54:73:6d:78:56:2b:36:33:7a:75:36:79:51:42:b:4c:55:79:44:4d:36:59:35:55:3d
configure snmpv3 add group "v1v2c_ro" user "v1v2c_ro" sec-model snmpv1
configure snmpv3 add group "v1v2c_rw" user "v1v2c_rw" sec-model snmpv1
configure snmpv3 add group "v1v2c_ro" user "v1v2c_ro" sec-model snmpv2c
configure snmpv3 add group "v1v2c_rw" user "v1v2c_rw" sec-model snmpv2c
configure snmpv3 add group "v1v2cNotifyGroup" user "v1v2cNotifyUser1" sec-model snmpv2c
configure snmpv3 add group "snmpgroup" user "snmpuser" sec-model usm
configure snmpv3 add access "admin" sec-model usm sec-level priv read-view "defaultAdminView" write-view "defaultAdminView" notify-view "defaultNotifyView"
configure snmpv3 add access "initial" sec-model usm sec-level noauth read-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "initial" sec-model usm sec-level authnopriv read-view "defaultUserView" write-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2c_ro" sec-model snmpv1 sec-level noauth read-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2c_ro" sec-model snmpv2c sec-level noauth read-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2c_rw" sec-model snmpv1 sec-level noauth read-view "defaultUserView" write-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2c_rw" sec-model snmpv2c sec-level noauth read-view "defaultUserView" write-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "snmpgroup" sec-model usm sec-level priv read-view "defaultAdminView" write-view "defaultAdminView" notify-view "defaultAdminView"
configure snmpv3 add access "v1v2cNotifyGroup" sec-model snmpv1 sec-level noauth notify-view "defaultNotifyView"
configure snmpv3 add access "v1v2cNotifyGroup" sec-model snmpv2c sec-level noauth notify-view "defaultNotifyView"
configure snmpv3 add mib-view "defaultUserView" subtree 1.0/00 type included
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.16 type excluded
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.18 type excluded
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.4 type excluded
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.6 type excluded
configure snmpv3 add mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.9 type excluded
configure snmpv3 add mib-view "defaultAdminView" subtree 1.0/00 type included
configure snmpv3 add mib-view "defaultAdminView" subtree 1.3.6.1.4.1.1916.1.36 type excluded
configure snmpv3 add mib-view "defaultAdminView" subtree 1.3.6.1.4.1.52.4.1.3.7 type excluded
configure snmpv3 add mib-view "defaultNotifyView" subtree 1.0/00 type included
configure snmpv3 add community "private" name "private" user "v1v2c_rw"
configure snmpv3 add community "public" name "public" user "v1v2c_ro"
configure snmpv3 add community "v1v2cNotifyComm1" name "ST.3232235986.162" user "v1v2cNotifyUser1"
configure snmpv3 add target-addr "TVv3snmpuser" param "TV1v3snmpuser" ipaddress 192.168.1.201 transport-port 162 tag-list "TVInformTag"
configure snmpv3 target-addr "TVv3snmpuser" timeout 15
configure snmpv3 target-addr "TVv3snmpuser" retry 3
configure snmpv3 add target-addr "TVv3snmpuser!" param "TV1v3snmpuser" ipaddress 192.168.1.201 transport-port 162 tag-list "TVInformTag"
configure snmpv3 target-addr "TVv3snmpuser!" timeout 15
configure snmpv3 target-addr "TVv3snmpuser!" retry 3
configure snmpv3 add target-addr "v1v2cNotifyTAddr1" param "v1v2cNotifyParam1" ipaddress 192.168.1.201 transport-port 162 tag-list "defaultNotify"
configure snmpv3 target-addr "v1v2cNotifyTAddr1" timeout 15
configure snmpv3 target-addr "v1v2cNotifyTAddr1" retry 3
configure snmpv3 add target-params "TV1v3snmpuser" user "snmpuser" mp-model snmpv3 sec-model usm sec-level priv
configure snmpv3 add target-params "v1v2cNotifyParam1" user "v1v2cNotifyUser1" mp-model snmpv2c sec-model snmpv2c sec-level noauth
configure snmpv3 add notify "TVInformTag" tag "TVInformTag" type inform
configure snmpv3 add notify "defaultNotify" tag "defaultNotify"
enable snmp access
enable snmp access snmp-v1v2c
enable snmp access snmpv3
enable snmpv3 default-group
enable snmp traps
enable snmp access vr "VR-Default"
enable snmp access vr "VR-Mgmt"
configure snmp notification-log global-entry-limit 16000
configure snmp notification-log global-age-out 1440
 

 

Thanks

-Ryan
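
Added example (not part of the original posts and not Extreme's own tooling): a Python check that traces the user → group → access chain listed as the relevant configuration above and reports which piece is missing, plus the security level the XMC profile has to match. The names `check_snmpv3_user` and `SAMPLE` are hypothetical, and the command syntax is assumed to match the lines shown in this thread.

```python
import re

# Constructed sample in the style of the "show config snmp detail" output above;
# <AUTH-KEY>/<PRIV-KEY> are placeholders, not real key material.
SAMPLE = """\
configure snmpv3 add user "snmpuser" engine-id 80:00:07:7c:03:00:04:96:9a:a5:68 authentication md5 auth-encrypted localized-key <AUTH-KEY> privacy privacy-encrypted localized-key <PRIV-KEY>
configure snmpv3 add group "v1v2c_ro" user "v1v2c_ro" sec-model snmpv2c
configure snmpv3 add group "snmpgroup" user "snmpuser" sec-model usm
configure snmpv3 add access "initial" sec-model usm sec-level noauth read-view "defaultUserView" notify-view "defaultNotifyView"
configure snmpv3 add access "snmpgroup" sec-model usm sec-level priv read-view "defaultAdminView" write-view "defaultAdminView" notify-view "defaultAdminView"
enable snmp access snmpv3
"""

USER = re.compile(r'configure snmpv3 add user "([^"]+)"(.*)')
GROUP = re.compile(r'configure snmpv3 add group "([^"]+)" user "([^"]+)" sec-model (\S+)')
ACCESS = re.compile(r'configure snmpv3 add access "([^"]+)" sec-model (\S+) sec-level (\S+)')


def check_snmpv3_user(config, user):
    """Trace user -> group -> access for a USM user and list what is missing."""
    lines = [ln.strip() for ln in config.splitlines()]
    opts = [m.group(2) for m in map(USER.match, lines) if m and m.group(1) == user]
    groups = {m.group(1) for m in map(GROUP.match, lines)
              if m and m.group(2) == user and m.group(3) == "usm"}
    levels = sorted({m.group(3) for m in map(ACCESS.match, lines)
                     if m and m.group(1) in groups and m.group(2) == "usm"})
    words = opts[0].split() if opts else []
    auth, priv = "authentication" in words, "privacy" in words
    # An access entry is only usable if the user carries the keys its level needs.
    usable = [lv for lv in levels
              if lv == "noauth" or (lv == "authnopriv" and auth)
              or (lv == "priv" and auth and priv)]
    missing = []
    if not opts:
        missing.append("user")
    if not groups:
        missing.append("group (sec-model usm)")
    elif not levels:
        missing.append("access (sec-model usm)")
    elif opts and not usable:
        missing.append("keys for sec-level " + "/".join(levels))
    if "enable snmp access snmpv3" not in lines:
        missing.append("enable snmp access snmpv3")
    return {"groups": sorted(groups), "usable_levels": usable, "missing": missing}


if __name__ == "__main__":
    print(check_snmpv3_user(SAMPLE, "snmpuser"))
```

An empty `missing` list with `usable_levels` of `priv` means the management profile must use authentication and privacy; a profile set to a lower level will not match that access entry.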

 

Hello Ryan,


Access via snmpv3 is working now.

 

Thank you very much,

Klaus
