IPv6 and SNMP: Traps arrive, but not processed by snmptrapd

[gormank]

Code: Select all

# cat /etc/snmp/snmptrapd.conf
disableAuthorization yes
traphandle default /usr/local/sbin/snmptthandler

###########################################################################
# SECTION: Authentication options
#
# Authentication options
# ignoreauthfailure: Ignore authentication failure traps
# arguments: (1|yes|true|0|no|false)

ignoreauthfailure 1

Code: Select all

# cat /etc/sysconfig/snmptrapd
# snmptrapd command line options
# OPTIONS="-Lsd -p /var/run/snmptrapd.pid"
#OPTIONS="-Lsd -On -p /var/run/snmptrapd.pid"
OPTIONS="-a -A -Lf /var/log/snmptrapd.log -p /var/run/snmptrapd.pid udp:162,udp6:162"
#OPTIONS="-D all -Lsd udp:162,udp6:[::1]:162 -p /var/run/snmptrapd.pid"
#OPTIONS="-a -A -Lf /var/log/snmptrapd.log -p /var/run/snmptrapd.pid udp6:[::1]:162,udp:162"
#OPTIONS="-a -A -Lf /var/log/snmptrapd.log -On -p /var/run/snmptrapd.pid udp:162,udp6:[::1]:162"
#OPTIONS="-a -A -Lf /var/log/snmptrapd.log -On -p /var/run/snmptrapd.pid udp:162,udp6:[::]:162"
#OPTIONS="-a -A -Lf /var/log/snmptrapd.log -On -p /var/run/snmptrapd.pid udp:162,udp6:[2001:4888:a03:311f:c0:a:0:1f5]:162"

[gormank]

If I send a trap from the Nagios server to the same Nagios server, snmptrapd sees it.

Code: Select all

2016-04-12 20:27:34 UDP/IPv6: [2001:4888:a03:311f:c0:a:0:1f5]:51861 [UDP/IPv6: [2001:4888:a03:311f:c0:a:0:1f5]:51861]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (42) 0:00:00.42        SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp

If I send the same trap from the failover Nagios server to the primary Nagios server, snmptrapd doesn't see it, but of course, tcpdump does.

Code: Select all

# tcpdump -i eth3 -s 0 port 162
tcpdump: WARNING: eth3: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes

20:43:56.298976 IP6 2001:4888:a03:311f:c0:a:0:1f6.46874 > txslm2mlnag001v6.snmptrap:  C=sp1der V2Trap(54)  system.sysUpTime.0=42 S:1.1.4.1.0=S:1.1.5.4

[gormank]

Ok, I changed the ip6tables config and now see the trap arrive there.

Apr 12 22:08:32 txslm2mlnag001 kernel: IN=eth3 OUT= MAC=00:50:56:aa:12:32:fc:15:b4:1a:c9:ff:86:dd SRC=2001:4888:0a03:311f:00c0:000a:0000:0190 DST=2001:4888:0a03:311f:00c0:000a:0000:01f5 LEN=231 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=32866 DPT=162 LEN=191

Not sure this tells me much...

[ssax]

Are you saying that iptables is showing that it's getting there but not showing in /var/log/messages still?

Not sure if that is an accept log or a block log.

Did you enable the -D all snmptrapd settings for debugging?

[gormank]

The debug output has been posted before but I'll do it again.
ip6tables is logging the arrival of the test IPv6 trap in /var/log/messages.
snmptrapd doesn't log anything related to the test traps from the IPv6 host.

# service ip6tables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all ::/0 ::/0 state RELATED,ESTABLISHED
2 ACCEPT icmpv6 ::/0 ::/0
3 ACCEPT all ::/0 ::/0
4 ACCEPT udp ::/0 fe80::/64 state NEW udp dpt:546
5 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:22
6 LOG udp ::/0 ::/0 udp dpt:162 LOG flags 0 level 4
7 REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

[tgriep]

In your earlier post, you said "If I send a trap from the Nagios server to the same Nagios server, snmptrapd sees it." but remotely it fails, that could be a firewall problem.
Can you stop both the IPv6 and the IPv4 firewalls and test it remotely again?

If you add this to your firewall rules, it should work for you.

Code: Select all

ACCEPT udp ::/0 ::/0 state NEW udp dpt:162

[gormank]

With both firewalls disabled on both boxes, the trap is seen in tcpdump, but not logged by snmptrapd.

The format of your rule was different than what I see in the config file so I did a bit of guessing and below your commented rule, is my translation.

Code: Select all

# cat /etc/sysconfig/ip6tables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#ACCEPT udp ::/0 ::/0 state NEW udp dpt:162
-A INPUT -m state --state NEW -m udp -p udp --dport 162 -d ::/0 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 162 -j ACCEPT
-A INPUT -p udp --dport 162 -j LOG
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

The FW accepts the changes at startup. It looks like the 2 new rules end up being the same as each other as well as the same as what you suggested...

Code: Select all

# service ip6tables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all      ::/0                 ::/0                state RELATED,ESTABLISHED
2    ACCEPT     icmpv6    ::/0                 ::/0
3    ACCEPT     all      ::/0                 ::/0
4    ACCEPT     udp      ::/0                 fe80::/64           state NEW udp dpt:546
5    ACCEPT     tcp      ::/0                 ::/0                state NEW tcp dpt:22
6    ACCEPT     udp      ::/0                 ::/0                state NEW udp dpt:162
7    ACCEPT     udp      ::/0                 ::/0                state NEW udp dpt:162
8    LOG        udp      ::/0                 ::/0                udp dpt:162 LOG flags 0 level 4
9    REJECT     all      ::/0                 ::/0                reject-with icmp6-adm-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all      ::/0                 ::/0                reject-with icmp6-adm-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

No change in the result. Traps arrive, can be seen in tcpdump, and are not logged by the FW, or processed by snmptrapd.
I may need to work on my log rule...

[tgriep]

Best thing is to stop the firewall until it is working for you.

When the snmptrapd daemon receives a trap, this line in the snmptrapd.conf file

Code: Select all

traphandle default /usr/sbin/snmptthandler

Takes the received trap, formats it and saves it in this folder.

Code: Select all

/var/spool/snmptt/

Did the trap show up in this folder?

If it does, the snmpttd daemon will read those files, compare them to the OID in the snmptt.conf and if it matches, it will send it to Nagios XI.

Overly simplified but that is how the flow works.

[gormank]

snmptrapd logs every trap it gets. If it doesn't log the trap, there's no sense talking about snmptt.
Regardless of whether the FWs are running or not snmptrapd never logs anything about the traps on v6.
No, there is nothing about the traps in the snmptt log files.

[tgriep]

If you send the trap from itself using IPv6, to itself using IPv6, is it logged in this file, /var/log/snmptrapd.log ?