NagiosXI SNMP V3 (Do I need an EngineID)

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
mlopez
Posts: 62
Joined: Fri Oct 19, 2012 11:35 am

NagiosXI SNMP V3 (Do I need an EngineID)

Post by mlopez »

Hi All,
I needed some help with SNMP v3 (Passive Traps).

I was wondering if I could set up a wildcard configuration for all my SNMP v3 devices or will I be forced to use "EngineID" as a parameter. The reason I ask is I am using another NMS which doesn't need to do so for snmpv3.

This is an example of an SNMP Trap as per net-snmp:

Code:

 createUser -e 0x8000000001020304 traptest SHA mypassword AES
 authuser log traptest

Now I wish I could use INFORM but most of my devices are not reachable as per layers of security and if you look at the INFORM example it doesn't involve having an "EngineID":

Code:

 createUser informtest SHA mypassword AES
 authuser log informtest

Now I could use tcpdump and dump the engineid for each device but this would be very painstaking and if new devices are added to the network it will become very unmanageable for the future.

Any recommendations?

Thanks again all for all your help

Michael
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: NagiosXI SNMP V3 (Do I need an EngineID)

Post by tmcdonald »

I've not heard of needing this and it isn't mentioned in our documentation:

http://assets.nagios.com/downloads/nagi ... ios_XI.pdf

Are you asking in general or have you tried to set up traps and found they do not work?
Former Nagios employee
mlopez
Posts: 62
Joined: Fri Oct 19, 2012 11:35 am

Re: NagiosXI SNMP V3 (Do I need an EngineID)

Post by mlopez »

Hi TMC,
Correct, I have tried it and I'm experiencing issues but only with SNMPv3. I am not sending an EngineID and unable to convert the SNMPv3 encryption.

BTW SNMPv2 is no problem at all, it's working like a charm but we have some new equip with snmpv3 and I would like to implement.


Here are some things I've tested:


TEST1 (NO ENGINE ID) (DOESN'T WORK):

Code:

[root@NagiosXI mlopez]# cat snmptrapd-test-6.conf
createUser myname SHA PASSWORD DES PRIVATEPASSWORD
authUser log myname

This is running to check for new Traps with new config:

Code:

/usr/sbin/snmptrapd -On -c /home/snmptrapd-test-6.conf -Lsd -Lf /var/log/snmpv3.log -p /var/run/snmptrapd.pid -D -d -f


Generated a couple of traps....


TCPDUMPING (I SEE TRAP BUT NOT SHOWING UP on SNMPTRAPD):

Code:

tcpdump -vvv port 161 or port 162 |grep SNMPv3

   10.1.2.101.snmptrap > NagiosXI.snmptrap: [udp sum ok]  { SNMPv3 { F=apr } { USM B=1 T=6793 U=myname } { ScopedPDU [!scoped PDU]ee_0b_e5_88_1b_db_2c_73_07_c9_1d_b1_7d_a4_1c_41_66_1f_69_16_32_4f_d3_a8_ae_78_7e_a7_bf_df_a0_a9_08_f4_06_e9_ac_2b_6f_5a_34_6a_6e_xx_1e_b0_20_bd_94_4a_06_6d_6b_d2_a5_6c_58_49_cf_37_xx_fe_c5_36_f9_31_b4_14_38_16_f1_1d_a6_c3_84_c2_35_4f_12_50_c3_9f_f3_ef_60_6b_c2_55_2f_39_1c_58_51_4f_68_c2_a8_74_e5_f7_aa_6b_fe_bd_a1_ca_ac_da_85_0f_be_9f_4a_cb_5e_6f_ac_88_b9_c0_54_6d_xx_d1_d6_ed_48_26_df_85_18_ea_ed_64_9d_88_2a_d4_7d_ea_c9_61_8d_9f_43_60_85_88_c1_24_59_04_99_52_e0_7f_dd_23_52_30_be_be_3c_bc_b0_73_ee_10_42_a3_86_4a_dd_be_82_a6_5e_58_73_ef_cc_b6_e5_49_ee_c2_29_b5_81_85_c0_a7_61_71_4e_13_99_b2_cd_68_16_c2_74_86_49_38_05_c0_95_60_9c_9a_3f_31_8a_ad_xx_8f_eb_c5_87_e9_15_d7_af_1e_ee_ef_8a_fd_7d_b2_a5_30_a3_60_d9_3e_02_32_b5_63_7f_39_ff_92_22_7a} }
    NagiosXI.snmptrap > 10.1.2.101.snmptrap: [bad udp cksum a240!]  { SNMPv3 { F= } { USM B=1 T=41 U=myname } { ScopedPDU E= 0x800x000x1F0x880x800x890xF10x810x1A0xD10x830x000x551x000x000x000x00 C= { Report(28) R=0  S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=9 } } }

Code:

/usr/sbin/snmptrapd -On -c /home/snmptrapd-test-6.conf -Lsd -Lf /var/log/snmpv3.log -p /var/run/snmptrapd.pid -D -d -f

(I see nothing new which I should) (Now I tested normal SNMPv3 traps with EngineID and worked fine)
jdalrymple
Skynet Drone
Posts: 2620
Joined: Wed Feb 11, 2015 1:56 pm

Re: NagiosXI SNMP V3 (Do I need an EngineID)

Post by jdalrymple »

Hi mlopez,

From what I read it doesn't sound like authentication is going to be possible without actually "specifying" the EngineID.

http://www.cisco.com/c/en/us/td/docs/io ... #wp1011412

How your other devices are doing it with a wildcard sounds... impossible honestly based upon what I'm reading.

http://www.net-snmp.org/tutorial/tutori ... ap-v3.html

You might want to get in touch with your other NMS software distributor, sounds like they have some secret sauce that maybe they could let you in on. Curious, what type of device is it that you're receiving traps on? I would like to configure something of a lab here to mimic your environment, the closer I can get to your reality the better.

Thanks
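
Why a trap receiver's USM user is tied to the sender's EngineID, as an added example that is not part of any post in this thread: RFC 3414 localizes the authentication key to the authoritative engine, which for a TRAP is the sending device. The password and engine ID `0x8000000001020304` come from the net-snmp example in the first post; the second engine ID and the message bytes are constructed, and the message is a stand-in for a serialized SNMPv3 PDU.

```python
import hashlib
import hmac

PASSWORD = b"mypassword"                             # from the createUser line in the thread
DEVICE_ENGINE_ID = bytes.fromhex("8000000001020304")  # from the createUser -e line
OTHER_ENGINE_ID = bytes.fromhex("80000000010203ff")   # constructed: a different device


def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: hash the password repeated out to 1,048,576 bytes (Ku)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1024 * 1024, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_tag(kul: bytes, message: bytes) -> bytes:
    """HMAC-SHA-96: the first 12 bytes of HMAC-SHA1 keyed with the localized key."""
    return hmac.new(kul, message, hashlib.sha1).digest()[:12]


def receiver_accepts(password: bytes, configured_engine_id: bytes,
                     message: bytes, tag: bytes) -> bool:
    """Receiver side: localize with the engine ID it was configured with, then verify."""
    kul = localize_key(password_to_key(password), configured_engine_id)
    return hmac.compare_digest(auth_tag(kul, message), tag)


def demo():
    # The sending device is authoritative for a TRAP, so it signs with a key
    # localized to its own engine ID.
    message = b"constructed stand-in for a serialized SNMPv3 trap"
    tag = auth_tag(localize_key(password_to_key(PASSWORD), DEVICE_ENGINE_ID), message)
    # Same user and password on the receiver; only the configured engine ID differs.
    return (receiver_accepts(PASSWORD, DEVICE_ENGINE_ID, message, tag),
            receiver_accepts(PASSWORD, OTHER_ENGINE_ID, message, tag))


if __name__ == "__main__":
    print(demo())
```

With the same user name and password, the tag verifies only when the receiver localizes the key with the sender's engine ID, which is what the `-e` argument to `createUser` supplies.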
mlopez
Posts: 62
Joined: Fri Oct 19, 2012 11:35 am

Re: NagiosXI SNMP V3 (Do I need an EngineID)

Post by mlopez »

Hi jdalrymple,
That's what I can't wrap my head around, from all the documentation on net-snmp you need an ENGINEID unless you are not using SNMPv3 Traps but SNMPv3 INFORMS. I will contact the third party vendor as the only thing I typed in was the SHA + DES + username that's all, I'm wondering how they are able to display the SNMPv3 TRAP without the ENGINEID and it's been working for weeks now so I'm not just imagining things and yes it's SNMPv3 as I ran Wireshark and I even tried changing the password which made the traps stop.


Michael
jdalrymple
Skynet Drone
Posts: 2620
Joined: Wed Feb 11, 2015 1:56 pm

Re: NagiosXI SNMP V3 (Do I need an EngineID)

Post by jdalrymple »

Great Michael - in the meantime I'm still curious what kind of device(s) you're working with? Cisco maybe/probably?