Hi Larry,

I see the same problem!

You should think more than twice before using TLS/DTLS.
The code is full of bugs and design issues (like sending traps before
checking hostnames etc.) and it's using a deprecated version of TLS.

Regards
Anders Wallin


On Wed, Nov 27, 2019 at 9:33 PM Larry Hayes <lhay...@gmail.com> wrote:

> It is even worse with TLS.
>
> When the snmptrapd is restarted without restarting the snmpd:
>
> kill the snmptrapd:
>
> From the snmpd logs:  snmpd detects the connection close.
>
> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlstcp:
> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: remote side closed connection
> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlstcp:
> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: Shutting down SSL connection
> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlsbase:
> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: Freeing TLS Base data for a
> session
>
> Start the snmptrapd up again
>
> When snmpd tries to send a trap:
>
> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: trap:
> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: send_trap -1 -1
> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: MYMib-MIB::myMib
> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]:
> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: trap:
> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: sending trap type=167,
> version=139482016
> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: snmpd: send_trap: Generic error
> (Unknown error -146129760)
>
>
> Both the DTLS and TLS issues seem to center around the fact that snmpd does
> not properly handle the case where the trap receiver's connection goes away.
>
> Anyone else seeing this behavior?
>
> On Wed, Nov 20, 2019 at 10:24 AM Larry Hayes <lhay...@gmail.com> wrote:
>
>> Hello,
>>
>> I am using net-snmp v5.8 r0.
>>
>> I think I have successfully configured an snmpd server to generate V3
>> Traps/Informs using TSM with certificates and have an snmptrapd receive
>> those V3 Traps/Informs.
>> As I can see the Trap/Inform data dumped to the window snmptrapd is
>> running in.
>>
>> My issue is, when I restart snmptrapd, it can no longer receive V3
>> Traps/Informs using TSM without restarting the snmpd also.
>>
>> snmptrapd can receive V2 Traps/Informs without restarting snmpd.
>>
>> Is this the normal/desired behavior with DTLS?
>> (I have not tried TLS yet)
>>
>>
>> sudo snmptrapd
>> -Dtsm,tls,ssh,openssl,cert,dtlsudp,9:openssl:fingerprint,9:openssl:cert:san
>> -f -Losd dtlsudp:10162 udp:162
>>
>>
>> 2019-11-20 10:11:50 apcon-ubuntu.apconnet.apcon.com [UDP:
>> [10.20.19.57]:33656->[10.20.19.57]:162]:
>> DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10093) 0:01:40.93
>> SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.10830.5.0.62
>> SNMPv2-SMI::enterprises.10830.2.15.0 = STRING: "cli-ssh"
>> SNMPv2-SMI::enterprises.10830.2.16.0 = STRING: "admin/10.20.19.37"
>>  SNMPv2-SMI::enterprises.10830.2.17.0 = STRING: "10.20.19.57"
>> 2019-11-20 10:11:50 apcon-ubuntu.apconnet.apcon.com [UDP:
>> [10.20.19.57]:60888->[10.20.19.57]:162]:
>> DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10093) 0:01:40.93
>> SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.10830.5.0.62
>> SNMPv2-SMI::enterprises.10830.2.15.0 = STRING: "cli-ssh"
>> SNMPv2-SMI::enterprises.10830.2.16.0 = STRING: "admin/10.20.19.37"
>>  SNMPv2-SMI::enterprises.10830.2.17.0 = STRING: "10.20.19.57"
>> dtlsudp: received 229 raw bytes on way to dtls
>> dtlsudp: starting a new connection
>> cert:find:params: looking for identity(1) in DEFAULT(0x0), hint (nil)
>> cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint
>> 0x1249450
>> cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint
>> 0x1249450
>> cert:find:params:  hint =
>> 04:BF:CF:1A:9C:5D:7A:9D:87:7E:1D:D8:A3:77:1A:DD:D7:76:77:0B
>> cert:find:found: using cert manager.crt /
>> 04bfcf1a9c5d7a9d877e1dd8a3771addd776770b for identity(1)
>> (uses=identity+remote_peer (3))
>> cert:find:found: using cert manager.crt /
>> 04bfcf1a9c5d7a9d877e1dd8a3771addd776770b for identity(1)
>> (uses=identity+remote_peer (3))
>>
>>
>> snmpd
>> -Dtls,ssh,openssl,cert,dtlsudp,9:openssl:fingerprint,9:openssl:cert:san -f
>> -Lsd udp:0.0.0.0:161 dtlsudp:10161
>>
>> Config:
>> trapsess -v 2c 10.20.19.57:162 -c public
>> trapsess -v 2c -Ci -r 0 10.20.19.57:162 -c public
>> trapsess -v 3 -Ci -r 0 -T their_identity=manager.crt  dtlsudp:
>> 10.20.19.57:10162
>>
>> snmpd: logging
>> Nov 20 10:19:21 apcon-ubuntu snmpd[5857]: dtlsudp:
>> Nov 20 10:19:21 apcon-ubuntu snmpd[5857]: sending 193 bytes
>>
>>
>>
>> _______________________________________________
> Net-snmp-users mailing list
> Net-snmp-users@lists.sourceforge.net
> Please see the following page to unsubscribe or change other options:
> https://lists.sourceforge.net/lists/listinfo/net-snmp-users
>
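The failure mode Larry quotes above (snmpd logs "remote side closed connection" when snmptrapd is restarted, and every later send_trap then fails with "Generic error") is easy to miss in production because the notifications are simply dropped. The script below is an added example, not code from this thread or from the Net-SNMP project: it scans snmpd syslog lines and flags send_trap failures that follow a receiver disconnect on the same snmpd process, so an operator can alert on lost traps instead of discovering them later. The sample log lines are constructed from the messages quoted in the thread; treating a later "sending N bytes" or "starting a new connection" line as recovery is an assumption made for this example.

```python
import re

# Constructed sample modelled on the snmpd syslog lines quoted in the thread.
# pid 22569 loses its receiver and then fails twice; pid 22570 fails with no
# preceding disconnect, which the detector reports but does not attribute
# to a receiver restart.
SAMPLE_LOG = """\
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlstcp:
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: remote side closed connection
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlstcp:
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: Shutting down SSL connection
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: trap:
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: send_trap -1 -1
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: sending trap type=167, version=139482016
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: snmpd: send_trap: Generic error (Unknown error -146129760)
Nov 27 14:25:30 apcon-ubuntu snmpd[22569]: snmpd: send_trap: Generic error (Unknown error -146129760)
Nov 27 14:26:02 apcon-ubuntu snmpd[22570]: snmpd: send_trap: Generic error (Unknown error -146129760)
Nov 27 14:27:15 apcon-ubuntu snmpd[22569]: dtlsudp:
Nov 27 14:27:15 apcon-ubuntu snmpd[22569]: sending 193 bytes
"""

# syslog-style prefix: "Mon DD HH:MM:SS host snmpd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) snmpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "send_trap: <error text>" (the bare "send_trap -1 -1" debug line has no colon
# and is deliberately not matched)
SEND_ERROR_RE = re.compile(r"send_trap: (?P<err>.+)$")

CLOSE_MARKER = "remote side closed connection"


def is_recovery(msg):
    """Assumption for this example: a completed send or a fresh transport
    connection means the agent is talking to the receiver again."""
    return (msg.startswith("sending ") and "bytes" in msg) or \
        "starting a new connection" in msg


def find_lost_traps(log_text):
    """Return one alert dict per send_trap failure found in log_text.

    after_receiver_close is True when the same snmpd process (host, pid)
    logged a receiver disconnect earlier and has not recovered since, which
    is the signature of the snmptrapd-restart problem described above.
    """
    closed_at = {}  # (host, pid) -> timestamp of last unrecovered disconnect
    alerts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an snmpd line; ignore
        key = (m["host"], m["pid"])
        msg = m["msg"].strip()
        if CLOSE_MARKER in msg:
            closed_at[key] = m["ts"]
            continue
        if is_recovery(msg):
            closed_at.pop(key, None)
            continue
        err = SEND_ERROR_RE.search(msg)
        if err:
            alerts.append({
                "host": m["host"],
                "pid": int(m["pid"]),
                "failed_at": m["ts"],
                "error": err["err"],
                "closed_at": closed_at.get(key),
                "after_receiver_close": key in closed_at,
            })
    return alerts


def lost_after_restart(log_text):
    """Only the failures attributable to a receiver disconnect."""
    return [a for a in find_lost_traps(log_text) if a["after_receiver_close"]]


if __name__ == "__main__":
    for a in find_lost_traps(SAMPLE_LOG):
        cause = f"receiver closed at {a['closed_at']}" if a["after_receiver_close"] \
            else "no preceding disconnect seen"
        print(f"{a['failed_at']} snmpd[{a['pid']}] trap lost: {a['error']} ({cause})")
```

Running the block on the sample reports all three send failures and attributes the two from pid 22569 to the disconnect at 14:23:51. Fed with real syslog (for example via `journalctl -u snmpd` piped to stdin), the same logic gives a cheap health check for trap delivery over TLS/DTLS until snmpd reconnects on its own or the receiver-restart handling is fixed.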