Re: IPv6 and SNMP: Traps arrive, but not processed by snmptr
Posted: Tue Apr 12, 2016 3:22 pm
by gormank
Code:
# cat /etc/snmp/snmptrapd.conf
disableAuthorization yes
traphandle default /usr/local/sbin/snmptthandler
###########################################################################
# SECTION: Authentication options
#
# Authentication options
# ignoreauthfailure: Ignore authentication failure traps
# arguments: (1|yes|true|0|no|false)
ignoreauthfailure 1
Code:
# cat /etc/sysconfig/snmptrapd
# snmptrapd command line options
# OPTIONS="-Lsd -p /var/run/snmptrapd.pid"
#OPTIONS="-Lsd -On -p /var/run/snmptrapd.pid"
OPTIONS="-a -A -Lf /var/log/snmptrapd.log -p /var/run/snmptrapd.pid udp:162,udp6:162"
#OPTIONS="-D all -Lsd udp:162,udp6:[::1]:162 -p /var/run/snmptrapd.pid"
#OPTIONS="-a -A -Lf /var/log/snmptrapd.log -p /var/run/snmptrapd.pid udp6:[::1]:162,udp:162"
#OPTIONS="-a -A -Lf /var/log/snmptrapd.log -On -p /var/run/snmptrapd.pid udp:162,udp6:[::1]:162"
#OPTIONS="-a -A -Lf /var/log/snmptrapd.log -On -p /var/run/snmptrapd.pid udp:162,udp6:[::]:162"
#OPTIONS="-a -A -Lf /var/log/snmptrapd.log -On -p /var/run/snmptrapd.pid udp:162,udp6:[2001:4888:a03:311f:c0:a:0:1f5]:162"
Re: IPv6 and SNMP: Traps arrive, but not processed by snmptr
Posted: Tue Apr 12, 2016 4:14 pm
by gormank
If I send a trap from the Nagios server to the same Nagios server, snmptrapd sees it.
Code:
2016-04-12 20:27:34 UDP/IPv6: [2001:4888:a03:311f:c0:a:0:1f5]:51861 [UDP/IPv6: [2001:4888:a03:311f:c0:a:0:1f5]:51861]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (42) 0:00:00.42 SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp
If I send the same trap from the failover Nagios server to the primary Nagios server, snmptrapd doesn't see it, but of course, tcpdump does.
Code:
# tcpdump -i eth3 -s 0 port 162
tcpdump: WARNING: eth3: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
20:43:56.298976 IP6 2001:4888:a03:311f:c0:a:0:1f6.46874 > txslm2mlnag001v6.snmptrap: C=sp1der V2Trap(54) system.sysUpTime.0=42 S:1.1.4.1.0=S:1.1.5.4
Re: IPv6 and SNMP: Traps arrive, but not processed by snmptr
Posted: Tue Apr 12, 2016 5:13 pm
by gormank
Ok, I changed the ip6tables config and now see the trap arrive there.
Apr 12 22:08:32 txslm2mlnag001 kernel: IN=eth3 OUT= MAC=00:50:56:aa:12:32:fc:15:b4:1a:c9:ff:86:dd SRC=2001:4888:0a03:311f:00c0:000a:0000:0190 DST=2001:4888:0a03:311f:00c0:000a:0000:01f5 LEN=231 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=32866 DPT=162 LEN=191
Not sure this tells me much...
Re: IPv6 and SNMP: Traps arrive, but not processed by snmptr
Posted: Tue Apr 12, 2016 5:18 pm
by ssax
Are you saying that iptables is showing that it's getting there but not showing in /var/log/messages still?
Not sure if that is an accept log or a block log.
Did you enable the -D all snmptrapd settings for debugging?
Re: IPv6 and SNMP: Traps arrive, but not processed by snmptr
Posted: Tue Apr 12, 2016 5:23 pm
by gormank
The debug output has been posted before but I'll do it again.
ip6tables is logging the arrival of the test IPv6 trap in /var/log/messages.
snmptrapd doesn't log anything related to the test traps from the IPv6 host.
# service ip6tables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all ::/0 ::/0 state RELATED,ESTABLISHED
2 ACCEPT icmpv6 ::/0 ::/0
3 ACCEPT all ::/0 ::/0
4 ACCEPT udp ::/0 fe80::/64 state NEW udp dpt:546
5 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:22
6 LOG udp ::/0 ::/0 udp dpt:162 LOG flags 0 level 4
7 REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Re: IPv6 and SNMP: Traps arrive, but not processed by snmptr
Posted: Wed Apr 13, 2016 12:29 pm
by tgriep
In your earlier post, you said "If I send a trap from the Nagios server to the same Nagios server, snmptrapd sees it." but remotely it fails; that could be a firewall problem.
Can you stop both the IPv6 and the IPv4 firewalls and test it remotely again?
If you add this to your firewall rules, it should work for you.
Code:
ACCEPT udp ::/0 ::/0 state NEW udp dpt:162
Re: IPv6 and SNMP: Traps arrive, but not processed by snmptr
Posted: Wed Apr 13, 2016 2:05 pm
by gormank
With both firewalls disabled on both boxes, the trap is seen in tcpdump, but not logged by snmptrapd.
The format of your rule was different than what I see in the config file, so I did a bit of guessing, and below your commented rule is my translation.
Code:
# cat /etc/sysconfig/ip6tables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#ACCEPT udp ::/0 ::/0 state NEW udp dpt:162
-A INPUT -m state --state NEW -m udp -p udp --dport 162 -d ::/0 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 162 -j ACCEPT
-A INPUT -p udp --dport 162 -j LOG
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
The FW accepts the changes at startup. It looks like the 2 new rules end up being the same as each other as well as the same as what you suggested...
Code:
# service ip6tables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all ::/0 ::/0 state RELATED,ESTABLISHED
2 ACCEPT icmpv6 ::/0 ::/0
3 ACCEPT all ::/0 ::/0
4 ACCEPT udp ::/0 fe80::/64 state NEW udp dpt:546
5 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:22
6 ACCEPT udp ::/0 ::/0 state NEW udp dpt:162
7 ACCEPT udp ::/0 ::/0 state NEW udp dpt:162
8 LOG udp ::/0 ::/0 udp dpt:162 LOG flags 0 level 4
9 REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
No change in the result. Traps arrive, can be seen in tcpdump, and are not logged by the FW, or processed by snmptrapd.
I may need to work on my log rule...
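Added illustration, not part of any post in this thread: a first-match walk over the INPUT rules posted above, showing that the trap is accepted without a log entry when the LOG rule sits below the port 162 ACCEPT rules, and is logged then rejected under the earlier listing. The names `walk`, `matches` and `TRAP` are made up for this sketch, which models only the match options present in that ruleset and assumes the trap is in conntrack state NEW.

```python
import ipaddress

# Constructed from the INPUT rules in the /etc/sysconfig/ip6tables post above.
RULES = [
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -p ipv6-icmp -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT",
    "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -m state --state NEW -m udp -p udp --dport 162 -d ::/0 -j ACCEPT",
    "-A INPUT -p udp -m state --state NEW -m udp --dport 162 -j ACCEPT",
    "-A INPUT -p udp --dport 162 -j LOG",
    "-A INPUT -j REJECT --reject-with icmp6-adm-prohibited",
]

def matches(rule, pkt):
    """Check only the match options that occur in this ruleset (an assumption)."""
    net = ipaddress.ip_network(rule.get("-d", "::/0"))
    return (rule.get("-p", pkt["proto"]) == pkt["proto"]
            and rule.get("-i", pkt["iface"]) == pkt["iface"]
            and int(rule.get("--dport", pkt["dport"])) == pkt["dport"]
            and pkt["state"] in rule.get("--state", pkt["state"]).split(",")
            and ipaddress.ip_address(pkt["dst"]) in net)

def walk(rules, pkt):
    """First-match walk; returns (verdict, logged, rule number)."""
    logged = False
    for num, line in enumerate(rules, 1):
        tok = line.split()
        rule = dict(zip(tok[::2], tok[1::2]))  # every option here takes one value
        if not matches(rule, pkt):
            continue
        if rule["-j"] == "LOG":
            logged = True  # LOG is non-terminating: record it and keep walking
            continue
        return rule["-j"], logged, num
    return "ACCEPT", logged, 0  # fell through to the chain policy

# Constructed packet: the remote trap seen in tcpdump (UDP to port 162 on eth3).
TRAP = {"proto": "udp", "iface": "eth3", "dport": 162, "state": "NEW",
        "dst": "2001:4888:a03:311f:c0:a:0:1f5"}

# Earlier listing (no port 162 ACCEPT rules) and a variant with LOG moved up.
EARLIER = [r for r in RULES if not ("--dport 162" in r and r.endswith("ACCEPT"))]
LOG_FIRST = RULES[:5] + [RULES[7]] + RULES[5:7] + RULES[8:]

if __name__ == "__main__":
    for name, rs in (("posted", RULES), ("earlier", EARLIER), ("log first", LOG_FIRST)):
        print(name, walk(rs, TRAP))
```

Rule 3 in the `service ip6tables status` output reads as "ACCEPT all", but it is the `-i lo` rule, which is why it does not match a trap arriving on eth3.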
Re: IPv6 and SNMP: Traps arrive, but not processed by snmptr
Posted: Wed Apr 13, 2016 3:29 pm
by tgriep
Best thing is to stop the firewall until it is working for you.
When the snmptrapd daemon receives a trap, this line in the snmptrapd.conf file
Code:
traphandle default /usr/sbin/snmptthandler
takes the received trap, formats it and saves it in this folder.
Did the trap show up in this folder?
If it does, the snmpttd daemon will read those files, compare them to the OID in the snmptt.conf and if it matches, it will send it to Nagios XI.
Overly simplified but that is how the flow works.
Re: IPv6 and SNMP: Traps arrive, but not processed by snmptr
Posted: Wed Apr 13, 2016 3:37 pm
by gormank
snmptrapd logs every trap it gets. If it doesn't log the trap, there's no sense talking about snmptt.
Regardless of whether the FWs are running or not, snmptrapd never logs anything about the traps on v6.
No, there is nothing about the traps in the snmptt log files.
Re: IPv6 and SNMP: Traps arrive, but not processed by snmptr
Posted: Wed Apr 13, 2016 4:19 pm
by tgriep
If you send the trap from itself using IPv6, to itself using IPv6, is it logged in this file, /var/log/snmptrapd.log?