It is even worse with TLS.

When the snmptrapd is restarted without restarting the snmpd:

Kill the snmptrapd:

From the snmpd logs: snmpd detects the connection close.

Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlstcp:
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: remote side closed connection
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlstcp:
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: Shutting down SSL connection
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlsbase:
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: Freeing TLS Base data for a
session

Start the snmptrapd up again

When snmpd tries to send a trap:

Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: trap:
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: send_trap -1 -1
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: MYMib-MIB::myMib
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]:
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: trap:
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: sending trap type=167,
version=139482016
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: snmpd: send_trap: Generic error
(Unknown error -146129760)


Both the DTLS and TLS issues seem to center on the fact that snmpd does not
properly handle the case where the trap receiver's connection goes away.

Anyone else seeing this behavior?

On Wed, Nov 20, 2019 at 10:24 AM Larry Hayes <lhay...@gmail.com> wrote:

> Hello,
>
> I am using net-snmp v5.8 r0.
>
> I think I have successfully configured an snmpd server to generate V3
> Traps/Informs using TSM with certificates and have an snmptrapd receive
> those V3 Traps/Informs.
> As I can see the Trap/Inform data dumped to the window snmptrapd is running in.
>
> My issue is, when I restart snmptrapd, it can no longer receive V3
> Traps/Informs using TSM without restarting the snmpd also.
>
> snmptrapd can receive V2 Traps/Informs without restarting snmpd.
>
> Is this the normal/desired behavior with DTLS?
> (I have not tried TLS yet)
>
>
> sudo snmptrapd -Dtsm,tls,ssh,openssl,cert,dtlsudp,9:openssl:fingerprint,9:openssl:cert:san -f -Losd dtlsudp:10162 udp:162
>
>
> 2019-11-20 10:11:50 apcon-ubuntu.apconnet.apcon.com [UDP:
> [10.20.19.57]:33656->[10.20.19.57]:162]:
> DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10093) 0:01:40.93
> SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.10830.5.0.62
> SNMPv2-SMI::enterprises.10830.2.15.0 = STRING: "cli-ssh"
> SNMPv2-SMI::enterprises.10830.2.16.0 = STRING: "admin/10.20.19.37"
>  SNMPv2-SMI::enterprises.10830.2.17.0 = STRING: "10.20.19.57"
> 2019-11-20 10:11:50 apcon-ubuntu.apconnet.apcon.com [UDP:
> [10.20.19.57]:60888->[10.20.19.57]:162]:
> DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10093) 0:01:40.93
> SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.10830.5.0.62
> SNMPv2-SMI::enterprises.10830.2.15.0 = STRING: "cli-ssh"
> SNMPv2-SMI::enterprises.10830.2.16.0 = STRING: "admin/10.20.19.37"
>  SNMPv2-SMI::enterprises.10830.2.17.0 = STRING: "10.20.19.57"
> dtlsudp: received 229 raw bytes on way to dtls
> dtlsudp: starting a new connection
> cert:find:params: looking for identity(1) in DEFAULT(0x0), hint (nil)
> cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint
> 0x1249450
> cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint
> 0x1249450
> cert:find:params:  hint =
> 04:BF:CF:1A:9C:5D:7A:9D:87:7E:1D:D8:A3:77:1A:DD:D7:76:77:0B
> cert:find:found: using cert manager.crt /
> 04bfcf1a9c5d7a9d877e1dd8a3771addd776770b for identity(1)
> (uses=identity+remote_peer (3))
> cert:find:found: using cert manager.crt /
> 04bfcf1a9c5d7a9d877e1dd8a3771addd776770b for identity(1)
> (uses=identity+remote_peer (3))
>
>
> snmpd -Dtls,ssh,openssl,cert,dtlsudp,9:openssl:fingerprint,9:openssl:cert:san -f -Lsd udp:0.0.0.0:161 dtlsudp:10161
>
> Config:
> trapsess -v 2c 10.20.19.57:162 -c public
> trapsess -v 2c -Ci -r 0 10.20.19.57:162 -c public
> trapsess -v 3 -Ci -r 0 -T their_identity=manager.crt dtlsudp:10.20.19.57:10162
>
> snmpd: logging
> Nov 20 10:19:21 apcon-ubuntu snmpd[5857]: dtlsudp:
> Nov 20 10:19:21 apcon-ubuntu snmpd[5857]: sending 193 bytes
>
>
>
>
_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
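The failure mode described in this thread is a monitoring gap: once the TLS/DTLS trap receiver restarts, snmpd keeps logging "remote side closed connection" and then "send_trap: Generic error" on every trap, so security-relevant traps are silently lost until snmpd itself is restarted. The following detector is an added example written for this page; it is not net-snmp code and not something the thread's author posted. It reads snmpd syslog lines in the format shown above (the debug output puts the token, e.g. "tlstcp:", on one line and the message on the next, so the parser re-joins them per process), remembers a peer close on a TLS/DTLS transport, and raises a finding when a trap send later fails for that same snmpd process. The sample log is constructed from the lines quoted in this thread, with the wrapped lines joined; the finding field names and the token set are this example's own choices.

```python
"""Flag snmpd processes whose TLS/DTLS trap session died with the receiver.

Added example for the net-snmp-users thread above; not part of net-snmp.
"""
import re
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed sample: the snmpd lines quoted in the thread, wrapped lines joined.
SAMPLE_LOG = """\
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlstcp:
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: remote side closed connection
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlstcp:
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: Shutting down SSL connection
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlsbase:
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: Freeing TLS Base data for a session
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: trap:
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: send_trap -1 -1
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: trap:
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: sending trap type=167, version=139482016
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: snmpd: send_trap: Generic error (Unknown error -146129760)
"""

# Classic syslog prefix as seen in the thread: "Nov 27 14:23:51 host snmpd[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"snmpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# A line carrying only a debug token ("tlstcp:"); the message body follows on
# the next line from the same process, so we buffer it and attach it there.
TOKEN_RE = re.compile(r"^[a-z]+:$")

PEER_CLOSED = "remote side closed connection"
SEND_FAILED = "send_trap: Generic error"
# Transport tokens this example treats as TLS/DTLS (assumption: taken from the
# tokens visible in the thread's output, not an exhaustive net-snmp list).
TLS_TOKENS = {"tlstcp", "tlsbase", "dtlsudp"}

Record = Tuple[str, str, int, Optional[str], str]


def parse_records(lines: Iterable[str]) -> Iterator[Record]:
    """Yield (timestamp, host, pid, token, message), re-joining split debug lines."""
    pending: Dict[Tuple[str, int], str] = {}  # (host, pid) -> buffered token
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an snmpd line; ignore other daemons' noise
        ts, host, pid = m.group("ts"), m.group("host"), int(m.group("pid"))
        msg = m.group("msg").strip()
        key = (host, pid)
        if TOKEN_RE.match(msg):
            pending[key] = msg[:-1]  # strip the trailing colon
            continue
        yield ts, host, pid, pending.pop(key, None), msg


def detect(lines: Iterable[str]) -> List[dict]:
    """Return findings; 'stale-tls-trap-session' means the receiver went away
    and snmpd then failed to send a trap without re-establishing the session."""
    findings: List[dict] = []
    closed_at: Dict[Tuple[str, int], str] = {}  # last TLS/DTLS peer close per process
    for ts, host, pid, token, msg in parse_records(lines):
        key = (host, pid)
        if msg == PEER_CLOSED and token in TLS_TOKENS:
            closed_at[key] = ts
        elif SEND_FAILED in msg:
            kind = "stale-tls-trap-session" if key in closed_at else "send-failure"
            findings.append({
                "kind": kind,
                "host": host,
                "pid": pid,
                "closed_at": closed_at.get(key),
                "failed_at": ts,
                "detail": msg,
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f['kind']}: {f['host']} snmpd[{f['pid']}] peer closed at "
              f"{f['closed_at']}, trap send failed at {f['failed_at']}: {f['detail']}")
```

A "stale-tls-trap-session" finding is the signal that traps are being dropped rather than delivered, which, given the behaviour reported in this thread, is only cleared by restarting snmpd (or by confirming the receiver's restart and then restarting the agent in a maintenance window). Plain "send-failure" findings with no preceding close are kept separate so that unrelated send errors are not mistaken for this specific failure mode.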
