IPv6 and SNMP: Traps arrive, but not processed by snmptrapd

[gormank]

Hmm, I stopped ip6tables and sent a trap. Tcpdump sees it but still nothing in snmptrapd.log.

Code: Select all

# service ip6tables stop
ip6tables: Setting chains to policy ACCEPT: filter         [  OK  ]
ip6tables: Flushing firewall rules:                        [  OK  ]
ip6tables: Unloading modules:                              [  OK  ]

# !tcpdump
tcpdump -i eth3 -s 0 port 162
tcpdump: WARNING: eth3: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes

16:38:00.254398 IP6 2001:4888:a03:311f:c0:a:0:190.32866 > txslm2mlnag001v6.snmptrap:  C=sp1der Trap(165)  E:232 0.0.0.0 enterpriseSpecific s=11003 1233 system.sysName.0="TXSLM2MCHP7004-OA" E:232.11.2.11.1=1 E:232.11.2.8.1="HP Onboard Administrator Test Trap sent from enclosure: TXSLM2MCHP7004"

[gormank]

I added some logging to ip6tables, but even though I see it dropping packets, it looks like they're going out. Packets dropped seem to have no relation to test traps sent.

Code: Select all

# service ip6tables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all      ::/0                 ::/0                state RELATED,ESTABLISHED
2    ACCEPT     icmpv6    ::/0                 ::/0
3    ACCEPT     all      ::/0                 ::/0
4    ACCEPT     udp      ::/0                 fe80::/64           state NEW udp dpt:546
5    ACCEPT     tcp      ::/0                 ::/0                state NEW tcp dpt:22
6    REJECT     all      ::/0                 ::/0                reject-with icmp6-adm-prohibited
7    LOGGING    all      ::/0                 ::/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all      ::/0                 ::/0                reject-with icmp6-adm-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain LOGGING (1 references)
num  target     prot opt source               destination
1    LOG        all      ::/0                 ::/0                limit: avg 2/min burst 5 LOG flags 0 level 4 prefix `IPTables-Dropped: '
2    DROP       all      ::/0                 ::/0

Code: Select all

# tail -f /var/log/messages
Apr 12 18:36:04 txslm2mlnag001 kernel: IPTables-Dropped: IN= OUT=lo SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=264 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=60656 DPT=60656 LEN=224
Apr 12 18:36:34 txslm2mlnag001 kernel: IPTables-Dropped: IN= OUT=lo SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=60656 DPT=60656 LEN=24
Apr 12 18:37:04 txslm2mlnag001 kernel: IPTables-Dropped: IN= OUT=lo SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=46833 DPT=80 WINDOW=65476 RES=0x00 SYN URGP=0
Apr 12 18:37:34 txslm2mlnag001 kernel: IPTables-Dropped: IN= OUT=lo SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=60656 DPT=60656 LEN=24
Apr 12 18:37:50 txslm2mlnag001 kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
Apr 12 18:37:50 txslm2mlnag001 kernel: IPTables-Dropped: IN= OUT=lo SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=264 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=60656 DPT=60656 LEN=224
Apr 12 18:37:50 txslm2mlnag001 kernel: IPTables-Dropped: IN= OUT=lo SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=46855 DPT=80 WINDOW=65476 RES=0x00 SYN URGP=0
Apr 12 18:37:50 txslm2mlnag001 kernel: IPTables-Dropped: IN= OUT=lo SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=46856 DPT=80 WINDOW=65476 RES=0x00 SYN URGP=0
Apr 12 18:37:51 txslm2mlnag001 kernel: IPTables-Dropped: IN= OUT=lo SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=60656 DPT=60656 LEN=128
Apr 12 18:37:51 txslm2mlnag001 kernel: IPTables-Dropped: IN= OUT=lo SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=264 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=60656 DPT=60656 LEN=224

[lgroschen]

Hey Gormank,

You mind posting your snmptt.ini file here?

[gormank]

Snmptrapd doesn't process the trap so snmptt never gets the trap. Posting the ini will only serve to complicate things.

[lgroschen]

Fair point, but it seemed like you were looking in /var/spool/snmptt/ and I know that sometimes enabling the writing to database will stop the trap from being put into the spool.

[gormank]

People keep asking about snmptt forcing me too discuss it.
IPv4 traps are logged as they're processed by snmptrapd, but IPv6 traps are not logged, which means to me that snmptrapd never gets IPv6 traps, or discards them w/o logging.

Now we see from looking at ip6tables, that it also doesn't log accepting or rejecting v6 traps. Actually, I think only rejections are logged...

[lgroschen]

Well given that sometimes snmpd and snmptt interact with each other so often, specifically config files, I don't really see the issue with serving up the config files just to be ruled out- if nothing else.

I think you're right about the rejections only being logged. You did compile the net-snmp suite when you installed it on this system? I noticed a --ipv6 enable flag for the compile. I don't think I ever had to do that when setting it up but it's an option.

What doesn't make sense is that I've used the net-snmp suite installed via yum with ipv6 at least twice and it works with both v4 and v6 traps.

Lastly, I found a stackoverflow post that had something you might try. Make a separate community for ipv6 in snmpd.conf and give it proper access then send your test trap. The intention here is to have something like this:
agentAddress udp:161,udp6:161
rocommunity6 public default

[gormank]

Snmpd isn't in use while snmptrapd is. The config for snmptrapd is in the options line of /etc/sysconfig/snmptrapd.
I compiled, but didn't install a newer version of net-snmp recently to test. Running it from the commandline produced the same results as we see now. v4 traps are logged, v6 are not.

Code: Select all

# grep ^OPT /etc/sysconfig/snmptrapd
OPTIONS="-a -A -Lf /var/log/snmptrapd.log -p /var/run/snmptrapd.pid udp6:[::1]:162,udp:162"

We can see snmptrapd listening on port 162:

Code: Select all

# !netstat
netstat -an | grep ":162 "
udp        0      0 0.0.0.0:162                 0.0.0.0:*
udp        0      0 ::1:162                     :::*

[gormank]

Even though ts been done before, I reconfigured, restarted snmptrapd and sent a test trap:

Code: Select all

# grep ^OPT /etc/sysconfig/snmptrapd
OPTIONS="-a -A -Lf /var/log/snmptrapd.log -p /var/run/snmptrapd.pid udp:162,udp6:162"

No change.

[lgroschen]

Installing a newer version isn't likely to help it's been the same for a decent amount of time. Maybe you can just lab this in a new machine, compile fresh using the same version and see if you can get it working using the different options for the snmpd config. This really sounds like a configuration issue you are having with something on your system.

Just out of curiosity, can you run these commands?
cat /etc/snmp/snmptrapd.conf
cat /etc/sysconfig/snmptrapd