Hi Anders.

Thank you for answering.

Is the engineID actually ever *negotiated*?
I had the understanding this was unilaterally configured, either
statically or automatically.
Is my understanding of this mechanism incorrect?

My reasoning for using informs in the first place was that the receiver
engineID is authoritative with v3 informs.
(As opposed to traps, where the sender engineID is authoritative.)

I also noted that Junos does not send an engineID.
Do the relevant RFCs say anything about inform 'probes', such as these
used by Junos?

Dag B


On 2/28/19 4:27 PM, Anders Wallin wrote:
> Hi Dag,
>
> try to not set the engineID in the snmptrapd.conf and let snmptrapd
> and Junos negotiate the engineID
>
> createUser -e 0x80001234 authpriv2 SHA xyzzy188 AES xazzza18
> ->
> createUser  authpriv2 SHA xyzzy188 AES xazzza18
>
> Looking at the pcap file snmptrapd sends the engineid = 80001f88.....,
> but Junos does not set it at all engineID= <MISSING>
>
> Regards
> Anders Wallin
>
>
> On Thu, Feb 28, 2019 at 2:02 PM Dag B <d...@bakke.com
> <mailto:d...@bakke.com>> wrote:
>
>     Hi.
>
>     I am trying to convince snmptrapd to receive snmp v3 informs from
>     Junos (Juniper Networks' BSD-variant on switches and firewalls).
>     The idea was to use informs rather than traps, so I could:
>     - have encryption in place.
>     - avoid having to update the snmptrapd config for every new device
>       sending v3 traps
>
>     When Junos starts its snmp process, it will send a few probes to
>     snmptrapd to decide if the receiver is receptive to informs. If not,
>     it stops sending informs.
>
>     So far, I have not succeeded. snmptrapd appears unhappy, then Junos
>     gets unhappy, takes the ball and goes home.
>     I would like to know if my config and my understanding of the
>     observations are correct.
>
>     Config, observations and sample packet capture follows:
>
>
>
>
>     Config:
>     -------------
>
>     snmptrapd.conf:
>     ------------------------
>     createUser -e 0x80001234 authpriv2 SHA xyzzy188 AES xazzza18
>     authUser log,execute authpriv2
>
>     running snmptrapd like this:
>     ----------------------------------
>     snmptrapd -f -C -c /tmp/snmptrapd.conf -Le -Dusm,engine
>
>
>     junos config:
>     -----------------
>     set snmp v3 usm local-engine user authpriv authentication-sha authentication-password xyzzy188
>     set snmp v3 usm local-engine user authpriv privacy-aes128 privacy-password xazzza18
>     set snmp v3 usm remote-engine 0x80001234 user authpriv2 authentication-sha authentication-password xyzzy188
>     set snmp v3 usm remote-engine 0x80001234 user authpriv2 privacy-aes128 privacy-password xazzza18
>     set snmp v3 vacm security-to-group security-model usm security-name authpriv group myv3group
>     set snmp v3 vacm security-to-group security-model usm security-name authpriv2 group notifygroup
>     set snmp v3 vacm access group myv3group default-context-prefix security-model usm security-level authentication read-view myv3view
>     set snmp v3 vacm access group myv3group default-context-prefix security-model usm security-level privacy read-view myv3view
>     set snmp v3 vacm access group notifygroup default-context-prefix security-model usm security-level authentication notify-view myv3view
>     set snmp v3 vacm access group notifygroup default-context-prefix security-model usm security-level privacy notify-view myv3view
>     set snmp v3 target-address snmptrapd-server address 192.168.200.1
>     set snmp v3 target-address snmptrapd-server tag-list macnotify
>     set snmp v3 target-address snmptrapd-server target-parameters targparms
>     set snmp v3 target-parameters targparms parameters message-processing-model v3
>     set snmp v3 target-parameters targparms parameters security-model usm
>     set snmp v3 target-parameters targparms parameters security-level privacy
>     set snmp v3 target-parameters targparms parameters security-name authpriv2
>     set snmp v3 notify myv3notify type inform
>     set snmp v3 notify myv3notify tag macnotify
>     set snmp engine-id local 0x80006666
>     set snmp view myv3view oid iso include
>     set ethernet-switching-options mac-notification
>
>
>     Observations:
>     --------------------
>     With this setup, I managed to get three probe failures in 'show snmp
>     inform-statistics' after a switch reboot.
>
>     root@ex2200c-lab2> show snmp inform-statistics
>     Inform Request Statistics:
>        Target name: snmptrapd-server Address: 192.168.200.1
>          Sent: 0, Pending: 0
>          Discarded: 1, Timeouts: 0, Probe failures: 3
>
>
>     snmptrapd says:
>     ---------------------
>     registered debug token usm, 1
>     registered debug token engine, 1
>     usmUser: created a new user authpriv2 at 80 00 12 34
>     NET-SNMP version 5.8
>     usm: USM processing begun...
>     usm: Unknown Engine ID.
>     usm: USM processing has begun (offset 56)
>     usm: getting user
>     usm: USM processing completed.
>     [three more times, 4 packets in total]
>
>
>     Not sure if the list allows for attachments? Packet capture attached,
>     but I have added the decoded SNMP packet for the first two frames
>     below.
>
>     As far as I can tell, the probes sent from the Junos end are all
>     unencrypted. And not using the configured user or engine ID.
>     Is this a correct interpretation of the packet capture? Not expecting
>     the list to validate my Junos config, by the way.
>
>     There is also the "Data not conforming to RFC3411". Any comment on
>     that?
>
>
>     Thanks,
>
>
>     Dag B
>
>
>     Decoded packets:
>     -------------------------
>     Simple Network Management Protocol
>          msgVersion: snmpv3 (3)
>          msgGlobalData
>              msgID: 1610700309
>              msgMaxSize: 65507
>              msgFlags: 04
>                  .... .1.. = Reportable: Set
>                  .... ..0. = Encrypted: Not set
>                  .... ...0 = Authenticated: Not set
>              msgSecurityModel: USM (3)
>          msgAuthoritativeEngineID: <MISSING>
>          msgAuthoritativeEngineBoots: 0
>          msgAuthoritativeEngineTime: 0
>          msgUserName:
>          msgAuthenticationParameters: <MISSING>
>          msgPrivacyParameters: <MISSING>
>          msgData: plaintext (0)
>              plaintext
>                  contextEngineID: <MISSING>
>                  contextName:
>                  data: get-request (0)
>                      get-request
>                          request-id: 1679169514
>                          error-status: noError (0)
>                          error-index: 0
>                          variable-bindings: 0 items
>
>
>     Simple Network Management Protocol
>          msgVersion: snmpv3 (3)
>          msgGlobalData
>              msgID: 1610700309
>              msgMaxSize: 1472
>              msgFlags: 00
>                  .... .0.. = Reportable: Not set
>                  .... ..0. = Encrypted: Not set
>                  .... ...0 = Authenticated: Not set
>              msgSecurityModel: USM (3)
>          msgAuthoritativeEngineID: 80001f88807d6dfe468a7d595c00000000
>              1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
>              Engine Enterprise ID: net-snmp (8072)
>              Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
>              Data not conforming to RFC3411
>                  [Expert Info (Warning/Protocol): Data not conforming to RFC3411]
>                      [Data not conforming to RFC3411]
>                      [Severity level: Warning]
>                      [Group: Protocol]
>          msgAuthoritativeEngineBoots: 1
>          msgAuthoritativeEngineTime: 1870
>          msgUserName:
>          msgAuthenticationParameters: <MISSING>
>          msgPrivacyParameters: <MISSING>
>          msgData: plaintext (0)
>              plaintext
>                  contextEngineID: 80001f88807d6dfe468a7d595c00000000
>                      1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
>                      Engine Enterprise ID: net-snmp (8072)
>                      Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
>                      Data not conforming to RFC3411
>                          [Expert Info (Warning/Protocol): Data not conforming to RFC3411]
>                              [Data not conforming to RFC3411]
>                              [Severity level: Warning]
>                              [Group: Protocol]
>                  contextName:
>                  data: report (8)
>                      report
>                          request-id: 1679169514
>                          error-status: noError (0)
>                          error-index: 0
>                          variable-bindings: 1 item
>                              1.3.6.1.6.3.15.1.1.4.0: 3
>                                  Object Name: 1.3.6.1.6.3.15.1.1.4.0 (iso.3.6.1.6.3.15.1.1.4.0)
>                                  Value (Counter32): 3
>
>     _______________________________________________
>     Net-snmp-users mailing list
>     Net-snmp-users@lists.sourceforge.net
>     <mailto:Net-snmp-users@lists.sourceforge.net>
>     Please see the following page to unsubscribe or change other options:
>     https://lists.sourceforge.net/lists/listinfo/net-snmp-users
>
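The two decoded frames in the quoted message are the engineID discovery exchange of RFC 3414 section 4, which is what "negotiation" amounts to in USM: the Junos probe carries an empty msgAuthoritativeEngineID and empty msgUserName with only the Reportable flag set, and snmptrapd answers with a Report PDU whose single varbind, 1.3.6.1.6.3.15.1.1.4.0, is usmStatsUnknownEngineIDs and whose header carries snmptrapd's own engineID (80001f88...), boots and time. The script below is an added example written for this thread (not net-snmp or Junos code, and not the BER wire format): it parses engineIDs per the RFC 3411 SnmpEngineID layout, names the usmStats counter a Report refers to, and models both sides of the discovery step with a simplified UsmHeader/dict message structure. The engineID values are taken from the thread; note that RFC 3411 defines SnmpEngineID as 5 to 32 octets, so the parser flags the 4-octet 0x80001234 used in the configs.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# usmStats counters carried in Report PDUs (SNMP-USER-BASED-SM-MIB, RFC 3414)
USM_STATS = {
    "1.3.6.1.6.3.15.1.1.1.0": "usmStatsUnsupportedSecLevels",
    "1.3.6.1.6.3.15.1.1.2.0": "usmStatsNotInTimeWindows",
    "1.3.6.1.6.3.15.1.1.3.0": "usmStatsUnknownUserNames",
    "1.3.6.1.6.3.15.1.1.4.0": "usmStatsUnknownEngineIDs",
    "1.3.6.1.6.3.15.1.1.5.0": "usmStatsWrongDigests",
    "1.3.6.1.6.3.15.1.1.6.0": "usmStatsDecryptionErrors",
}

# Format octet values RFC 3411 defines for engineIDs with the conformance bit set
ENGINE_ID_FORMATS = {1: "IPv4 address", 2: "IPv6 address", 3: "MAC address",
                     4: "administratively assigned text", 5: "octets"}


@dataclass
class EngineID:
    raw: bytes
    rfc3411_conformant: bool   # high bit of the first octet
    enterprise: int            # IANA enterprise number in the low 31 bits
    fmt: int | None            # format octet; None if absent
    remainder: bytes
    problems: list[str] = field(default_factory=list)

    def describe(self) -> str:
        if not self.rfc3411_conformant:
            return "non-conformant (RFC 1910 style)"
        if self.fmt is None:
            return "truncated, no format octet"
        if self.fmt >= 128:
            return f"enterprise-specific format {self.fmt}"
        return ENGINE_ID_FORMATS.get(self.fmt, f"reserved format {self.fmt}")


def parse_engine_id(hexstr: str) -> EngineID:
    """Parse an engineID given as hex (optional 0x prefix) per RFC 3411."""
    raw = bytes.fromhex(hexstr.removeprefix("0x"))
    problems: list[str] = []
    if not 5 <= len(raw) <= 32:
        problems.append(f"length {len(raw)} outside SnmpEngineID SIZE(5..32)")
    if len(raw) < 4:
        return EngineID(raw, False, 0, None, raw, problems)
    conformant = bool(raw[0] & 0x80)
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    if not conformant:
        return EngineID(raw, False, enterprise, None, raw[4:], problems)
    if len(raw) < 5:
        problems.append("conformant engineID is missing its format octet")
        return EngineID(raw, True, enterprise, None, b"", problems)
    fmt, remainder = raw[4], raw[5:]
    expected = {1: 4, 2: 16, 3: 6}.get(fmt)   # fixed-size formats
    if expected is not None and len(remainder) != expected:
        problems.append(f"format {fmt} expects {expected} data octets, got {len(remainder)}")
    return EngineID(raw, True, enterprise, fmt, remainder, problems)


@dataclass
class UsmHeader:
    """The USM header fields that matter for discovery (simplified model)."""
    engine_id: bytes
    boots: int
    time: int
    user: str
    reportable: bool


def discovery_probe() -> UsmHeader:
    """RFC 3414 section 4: empty engineID, empty user, noAuthNoPriv, Reportable set."""
    return UsmHeader(b"", 0, 0, "", True)


def receiver_process(local_engine_id: bytes, boots: int, now: int,
                     msg: UsmHeader) -> dict | None:
    """Receiver side (authoritative for informs): an unknown engineID in a
    reportable message yields a Report with usmStatsUnknownEngineIDs that
    carries the receiver's own engineID; non-reportable ones are dropped."""
    if msg.engine_id != local_engine_id:
        if not msg.reportable:
            return None
        return {"pdu": "report", "oid": "1.3.6.1.6.3.15.1.1.4.0",
                "engine_id": local_engine_id, "boots": boots, "time": now}
    return {"pdu": "accepted", "user": msg.user}


def sender_learn(report: dict) -> bytes | None:
    """Sender side: take the authoritative engineID from the Report, then
    resend the inform authenticated and encrypted against that engineID."""
    if report.get("pdu") == "report" and \
            USM_STATS.get(report["oid"]) == "usmStatsUnknownEngineIDs":
        return report["engine_id"]
    return None


if __name__ == "__main__":
    # engineIDs from the thread: snmptrapd's reply and the one in the configs
    for hexid in ("80001f88807d6dfe468a7d595c00000000", "0x80001234"):
        e = parse_engine_id(hexid)
        print(hexid, e.enterprise, e.describe(), e.problems)
    trapd_id = bytes.fromhex("80001f88807d6dfe468a7d595c00000000")
    rep = receiver_process(trapd_id, boots=1, now=1870, msg=discovery_probe())
    print(USM_STATS[rep["oid"]], sender_learn(rep).hex())
```

Run it to see that snmptrapd's engineID decodes to enterprise 8072 (net-snmp) with enterprise-specific format 128 and 12 trailing octets, which is why a dissector that does not know net-snmp's private layout can only label the tail "not conforming to RFC3411", and that the probe/Report pair hands the sender the receiver's engineID without either side having it configured in advance.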


