Hi Petros,

Thanks for the detailed example.  There is enough information here to get
much further in the debugging.

I can report that loading this config file (the concatenation of the
snmpd.conf and usmUser lines you provided) into net-snmp 5.8 gives the
desired result of both users being usable (including after restarting snmpd
a few times):

//etc/snmp @fenner-billo-trunk.sjc% snmpget -v 3 -u Netscaler -l authPriv
-e 0x80001f88809c0a3f394b485c5600000000 -a SHA -3k
0x426373815984b75c5166630521bca5efe960beb6 -x aes -3K
0x292bb2f0da4fa36bd313263b059f0e50 localhost sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: Linux
fenner-billo-trunk.sjc.aristanetworks.com
4.9.76-11556666.AroraKernel49.fc18.x86_64 #1 SMP Thu Mar 7 10:52:37 PST
2019 i686
//etc/snmp @fenner-billo-trunk.sjc% snmpget -v 3 -u Netscaler2 -l authPriv
-e 0x80001f88809c0a3f394b485c5600000000 -a SHA -3k
0x426373815984b75c5166630521bca5efe960beb6 -x aes -3K
0x426373815984b75c5166630521bca5efe960beb6 localhost sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: Linux
fenner-billo-trunk.sjc.aristanetworks.com
4.9.76-11556666.AroraKernel49.fc18.x86_64 #1 SMP Thu Mar 7 10:52:37 PST
2019 i686

And my userList->name is Netscaler and userList->authProtocol is
1.3.6.1.6.3.10.1.1.3.

I know it's not very satisfying to find that I can't replicate your
results, especially in a different environment.  I may get some time in the
future to try against your ancient version, or maybe someone else can now
that you've supplied such great details.

  Bill


On Wed, May 1, 2019 at 7:40 AM Petros Tsampoukas <
petros.tsampou...@citrix.com> wrote:

> Hi Bill,
>
>
>
> The configuration on the files is fine, snmpd loads it incorrectly. I
> created a simplified configuration to explain it better. I created two
> users (Netscaler and Netscaler2) and only user Netscaler is used in a trap:
>
>
>
> sysobjectid 1.3.6.1.4.1.5951.6
>
> exactEngineID 0x80001f88809c0a3f394b485c5600000000
>
> rouser Netscaler authPriv -V SNMP-View
>
> rocommunity public 10.91.31.244
>
> view SNMP-View included 1.3.6.1
>
> rouser Netscaler2 authPriv -V SNMP-View
>
> trapsess -v 3 -u Netscaler -l authPriv 10.91.31.244:162
>
>
>
> In the persistent snmpd.conf we added two createUser lines that snmpd
> replaced with two usmUser ones (as it should):
>
>
>
> usmUser 1 3 0x80001f88809c0a3f394b485c5600000000 0x4e65747363616c657200
> 0x4e65747363616c657200 NULL .1.3.6.1.6.3.10.1.1.3 
> 0x426373815984b75c5166630521bca5efe960beb6
> .1.3.6.1.6.3.10.1.2.4 0x292bb2f0da4fa36bd313263b059f0e50 0x
>
> usmUser 1 3 0x80001f88809c0a3f394b485c5600000000 0x4e65747363616c65723200
> 0x4e65747363616c65723200 NULL .1.3.6.1.6.3.10.1.1.3 
> 0x426373815984b75c5166630521bca5efe960beb6
> .1.3.6.1.6.3.10.1.2.4 0x426373815984b75c5166630521bca5ef 0x
>
> engineBoots 12
>
> oldEngineID 0x80001f88809c0a3f394b485c5600000000
>
>
>
> The protocols (AES/SHA1), usernames and passwords are correct in this
> file. However, snmp queries only work for user Netscaler2, not for user
> Netscaler that is configured in the trap.
>
>
>
> Using gdb I can see why. The user Netscaler has the wrong protocols loaded
> but user Netscaler2 has the correct:
>
>
>
> bash-3.2# gdb /usr/sbin/snmpd -p `cat /var/run/snmpd.pid` --batch
> --command=/root/print_users.gdb
>
> engineID: 0x801c844c0:  0x881f0080      0x3f0a9c80
>
> name: 0x801c6fac0:       "Netscaler"
>
> secName: 0x801c6fad0:    "Netscaler"
>
> authProtocol: .1.3.6.1.6.3.10.1.1.2*             << This means MD5*
>
> privProtocol: .1.3.6.1.6.3.10.1.2.2*             << This means DES*
>
> authKey: 0x426373815984b75c 0x5166630521bca5ef 0xe960beb600000000
>
> privKey: 0x292bb2f0da4fa36b 0xd313263b059f0e50
>
> engineID: 0x801c84540:  0x3f0a9c80881f0080      0x000000565c484b39
>
> name: 0x801c6fae0:       "Netscaler2"
>
> secName: 0x801c6faf0:    "Netscaler2"
>
> authProtocol: .1.3.6.1.6.3.10.1.1.3*             << This means SHA1*
>
> privProtocol: .1.3.6.1.6.3.10.1.2.4*             << This means AES*
>
> authKey: 0x426373815984b75c 0x5166630521bca5ef 0xe960beb600000000
>
> privKey: 0x426373815984b75c 0x5166630521bca5ef
>
>
>
> This doesn’t happen the first time a user is configured (i.e. when snmpd
> loads with the createUser lines). But it will happen after the first snmpd
> restart. If I remove user Netscaler from the trap it works correctly.
>
>
>
> I am attaching the actual configuration files and the gdb script.
>
>
>
> Thanks,
>
> Petros.
>
>
>
> *From:* Krishna Vivek Vitta
> *Sent:* Wednesday, 1 May 2019 1:16 PM
> *To:* Bill Fenner <fen...@gmail.com>
> *Cc:* net-snmp-users@lists.sourceforge.net; Petros Tsampoukas <
> petros.tsampou...@citrix.com>
> *Subject:* RE: Help required for "snmpwalk: Authentication failure "
>
>
>
> +Petros to explain the problem in detail.
>
>
>
>
>
> Thank you
>
> Krishna Vivek
>
>
>
> *From:* Bill Fenner <fen...@gmail.com>
> *Sent:* 29 April 2019 22:01
> *To:* Krishna Vivek Vitta <krishna.vivekvi...@citrix.com>
> *Cc:* net-snmp-users@lists.sourceforge.net
> *Subject:* Re: Help required for "snmpwalk: Authentication failure "
>
>
>
> Hi Krishna,
>
>
>
> net-snmp 5.5 is 10 years old this year.  5.8 is the current release.
>
>
>
> That said, it might be possible to help you if you share the actual
> snmpd.conf files.  You mention "add snmptrap dest_server=10.91.31.244
> user_name=test dest_port=162 version=v3", but that is not how to configure
> net-snmp, so I don't know what to think about how that changes the actual
> configuration.
>
>
>
>   Bill
>
>
>
>
>
> On Wed, Apr 24, 2019 at 7:19 AM Krishna Vivek Vitta <
> krishna.vivekvi...@citrix.com> wrote:
>
> Any update on the behaviour?
>
>
>
>
>
> Thank you
>
> Krishna Vivek
>
>
>
> *From:* Krishna Vivek Vitta
> *Sent:* 23 April 2019 11:43
> *To:* net-snmp-users@lists.sourceforge.net
> *Subject:* Help required for "snmpwalk: Authentication failure "
>
>
>
> Hi expert,
>
>
>
> We have a case where snmpwalk fails after an SNMPv3 user is added to a trap
> destination. The Net-SNMP version being used is 5.5 on a FreeBSD setup.
>
>
>
> We start with a configured user for SNMPv3. We used SHA1 and AES for the
> auth and privacy protocols:
>
> add snmpuser name=test auth_password=testtest privacy_password=testtest
> auth_protocol=SHA1 privacy_protocol=AES view_name=SNMP-View
> security_level=authPriv
>
> add snmpview name=SNMP-View subtree=1.3.6.1 type=Include
>
>
>
> The above steps:
>
> 1.      Adds a createUser directive in /var/mps/netsnmp/snmpd.conf and
> restarts snmpd
>
> 2.      SNMPD replaces the createUser directive with a usmUser directive
> in persistent conf
>
>
>
> All this is normal. The configuration in the persistent snmpd.conf is
> correct. This is our test entry:
>
>
>
> bash-3.2# fgrep 0x4e65747363616c657200 /var/mps/netsnmp/snmpd.conf
>
> usmUser 1 3 0x80001f88809c0a3f394b485c5600000000 0x4e65747363616c657200
> 0x4e65747363616c657200 NULL .1.3.6.1.6.3.10.1.1.3
> 0x06be7a79a8108ccde730455187973c0719b3e460 .1.3.6.1.6.3.10.1.2.4
> 0x06be7a79a8108ccde730455187973c07 ""
>
>
>
> bash-3.2# gdb /usr/sbin/snmpd -p `cat /var/run/snmpd.pid` --batch
> --command=/root/print_users.gdb | awk '/test/,/privKey:/'
>
> name: 0x801c6fac0:       "test"
>
> secName: 0x801c6fad0:    "test"
>
> *authProtocol: .1.3.6.1.6.3.10.1.1.3             << This means SHA1*
>
> *privProtocol: .1.3.6.1.6.3.10.1.2.4             << This means AES*
>
> authKey: 0x6be7a79a8108ccd 0xe730455187973c07 0x19b3e46000000000
>
> privKey: 0x6be7a79a8108ccd 0xe730455187973c07
>
>
>
> And of course the queries work:
>
>
>
> vyos@vyos:~$ snmpwalk - -v3 -l authPriv -u Netscaler -a SHA -A 'testtest'
> -x AES -X 'testtest'  10.91.16.71:161
> 1.3.6.1.2.1.1.1
>
> SNMPv2-MIB::sysDescr.0 = STRING: FreeBSD nssdx-mgmt 8.4-NETSCALER-12.0
> FreeBSD 8.4-NETSCALER-12.0 #0: Wed Sep 12 06:47:55 PDT 2018
> root@sjcpbld84-64:/usr/obj/home/build/rs_120_59_5_RTM/usr.src/sys/NSSVM
> amd64
>
>
>
> Then I add an snmptrap destination that uses this user:
>
>
>
> add snmptrap dest_server=10.91.31.244 user_name=test dest_port=162
> version=v3
>
>  And the queries fail with authentication failure:
>
>  vyos@vyos:~$ snmpwalk - -v3 -l authPriv -u Netscaler -a SHA -A
> 'testtest' -x AES -X 'testtest'  10.91.16.71:161
> 1.3.6.1.2.1.1.1
>
> snmpwalk: Authentication failure (incorrect password, community or key)
>
>
>
> This time although the configuration is the same, snmpd internally has set
> the wrong protocols:
>
>
>
> bash-3.2# fgrep 0x4e65747363616c657200 /var/mps/netsnmp/snmpd.conf
>
> usmUser 1 3 0x80001f88809c0a3f394b485c5600000000 0x4e65747363616c657200
> 0x4e65747363616c657200 NULL *.1.3.6.1.6.3.10.1.1.3*
> 0x06be7a79a8108ccde730455187973c0719b3e460
> *.1.3.6.1.6.3.10.1.2.4* 0x06be7a79a8108ccde730455187973c07
> 0x
>
> bash-3.2# gdb /usr/sbin/snmpd -p `cat /var/run/snmpd.pid` --batch
> --command=/root/print_users.gdb | awk '/Netscaler/,/privKey:/'
>
> name: 0x801c6fac0:       "test"
>
> secName: 0x801c6fad0:    "test"
>
> *authProtocol: .1.3.6.1.6.3.10.1.1.2             << This means MD5*
>
> *privProtocol: .1.3.6.1.6.3.10.1.2.2             << This means DES*
>
> authKey: 0x6be7a79a8108ccd 0xe730455187973c07 0x19b3e46000000000
>
> privKey: 0x6be7a79a8108ccd 0xe730455187973c07
>
>
>
>
>
> Kindly provide assistance in resolving the case.
>
>
>
> Thank you
>
> Krishna Vivek
>
>
>
> _______________________________________________
> Net-snmp-users mailing list
> Net-snmp-users@lists.sourceforge.net
> Please see the following page to unsubscribe or change other options:
> https://lists.sourceforge.net/lists/listinfo/net-snmp-users
>
>
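
The comparison made by hand in this thread (persistent usmUser lines against the protocols seen in the running snmpd) can be scripted. The following is an added example, not code from any poster or from net-snmp; the field positions are read off the usmUser lines quoted above, and the function names and the hand-transcribed OBSERVED table are assumptions of the example.

```python
# Added example: decode net-snmp persistent usmUser lines and compare the
# protocols they name with what a running snmpd was observed to hold.
# Field positions are read off the usmUser lines quoted in this thread.

PROTOCOLS = {  # OID meanings as annotated in the gdb output in this thread
    ".1.3.6.1.6.3.10.1.1.2": "MD5",
    ".1.3.6.1.6.3.10.1.1.3": "SHA1",
    ".1.3.6.1.6.3.10.1.2.2": "DES",
    ".1.3.6.1.6.3.10.1.2.4": "AES",
}

def hex_to_name(field):
    """'0x4e65...00' -> 'Netscaler' (the stored string is NUL-terminated)."""
    return bytes.fromhex(field[2:]).rstrip(b"\x00").decode("ascii")

def parse_usm_users(conf_text):
    """Return {user: (auth, priv)} from usmUser lines; other lines are skipped."""
    users = {}
    for line in conf_text.splitlines():
        f = line.split()
        if len(f) < 11 or f[0] != "usmUser":
            continue
        # f[3]=engineID f[4]=name f[5]=secName f[6]=cloneFrom
        # f[7]=authProtocol f[8]=authKey f[9]=privProtocol f[10]=privKey
        users[hex_to_name(f[4])] = (PROTOCOLS.get(f[7], f[7]),
                                    PROTOCOLS.get(f[9], f[9]))
    return users

def find_mismatches(configured, in_memory):
    """List users whose in-memory protocols differ from the persistent file."""
    return sorted(
        (user, configured[user], seen)
        for user, seen in in_memory.items()
        if user in configured and configured[user] != seen
    )

# The two usmUser lines from the thread, unwrapped to one line each.
PERSISTENT = """\
usmUser 1 3 0x80001f88809c0a3f394b485c5600000000 0x4e65747363616c657200 0x4e65747363616c657200 NULL .1.3.6.1.6.3.10.1.1.3 0x426373815984b75c5166630521bca5efe960beb6 .1.3.6.1.6.3.10.1.2.4 0x292bb2f0da4fa36bd313263b059f0e50 0x
usmUser 1 3 0x80001f88809c0a3f394b485c5600000000 0x4e65747363616c65723200 0x4e65747363616c65723200 NULL .1.3.6.1.6.3.10.1.1.3 0x426373815984b75c5166630521bca5efe960beb6 .1.3.6.1.6.3.10.1.2.4 0x426373815984b75c5166630521bca5ef 0x
engineBoots 12
"""
# Protocols from the gdb dump in the thread, transcribed by hand.
OBSERVED = {"Netscaler": ("MD5", "DES"), "Netscaler2": ("SHA1", "AES")}

if __name__ == "__main__":
    for user, want, got in find_mismatches(parse_usm_users(PERSISTENT), OBSERVED):
        print(f"{user}: file says {want}, snmpd holds {got}")
```

A mismatch of this kind matters beyond the failed queries: the user ends up bound to MD5/DES while the configuration on disk still reads SHA1/AES.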