NagiosXI SNMP V3 (Do I need an EngineID)

Posted: Tue Mar 10, 2015 12:30 am
by mlopez
Hi All,
I needed some help with SNMP v3 (Passive Traps).

I was wondering if I could set up a wildcard configuration for all my SNMP v3 devices or will I be forced to use "EngineID" as a parameter. The reason I ask is I am using another NMS which doesn't need to do so for snmpv3.

This is an example of an SNMP Trap as per net-snmp:

Code:

 createUser -e 0x8000000001020304 traptest SHA mypassword AES
 authuser log traptest

Now I wish I could use INFORM but most of my devices are not reachable as per layers of security and if you look at the INFORM example it doesn't involve having an "EngineID":

Code:

 createUser informtest SHA mypassword AES
 authuser log informtest

Now I could use tcpdump and dump the engineid for each device but this would be very painstaking and if new devices are added to the network it will become very unmanageable for the future.

Any recommendations?

Thanks again all for all your help

Michael

Re: NagiosXI SNMP V3 (Do I need an EngineID)

Posted: Tue Mar 10, 2015 3:24 pm
by tmcdonald
I've not heard of needing this and it isn't mentioned in our documentation:

http://assets.nagios.com/downloads/nagi ... ios_XI.pdf

Are you asking in general or have you tried to set up traps and found they do not work?

Re: NagiosXI SNMP V3 (Do I need an EngineID)

Posted: Wed Mar 11, 2015 1:09 pm
by mlopez
Hi TMC,
Correct, I have tried it and I'm experiencing issues but only with SNMPv3. I am not sending an EngineID and am unable to convert the SNMPv3 encryption.

BTW SNMPv2 is no problem at all, it's working like a charm but we have some new equip with snmpv3 and I would like to implement.


Here are some things I've tested:


TEST1 (NO ENGINE ID) (DOESN'T WORK):

Code:

[root@NagiosXI mlopez]# cat snmptrapd-test-6.conf
createUser myname SHA PASSWORD DES PRIVATEPASSWORD
authUser log myname

This is running to check for new Traps with new config:

Code:

/usr/sbin/snmptrapd -On -c /home/snmptrapd-test-6.conf -Lsd -Lf /var/log/snmpv3.log -p /var/run/snmptrapd.pid -D -d -f


Generated a couple of traps....


TCPDUMPING (I SEE TRAP BUT NOT SHOWING UP on SNMPTRAPD):

Code:

tcpdump -vvv port 161 or port 162 |grep SNMPv3

   10.1.2.101.snmptrap > NagiosXI.snmptrap: [udp sum ok]  { SNMPv3 { F=apr } { USM B=1 T=6793 U=myname } { ScopedPDU [!scoped PDU]ee_0b_e5_88_1b_db_2c_73_07_c9_1d_b1_7d_a4_1c_41_66_1f_69_16_32_4f_d3_a8_ae_78_7e_a7_bf_df_a0_a9_08_f4_06_e9_ac_2b_6f_5a_34_6a_6e_xx_1e_b0_20_bd_94_4a_06_6d_6b_d2_a5_6c_58_49_cf_37_xx_fe_c5_36_f9_31_b4_14_38_16_f1_1d_a6_c3_84_c2_35_4f_12_50_c3_9f_f3_ef_60_6b_c2_55_2f_39_1c_58_51_4f_68_c2_a8_74_e5_f7_aa_6b_fe_bd_a1_ca_ac_da_85_0f_be_9f_4a_cb_5e_6f_ac_88_b9_c0_54_6d_xx_d1_d6_ed_48_26_df_85_18_ea_ed_64_9d_88_2a_d4_7d_ea_c9_61_8d_9f_43_60_85_88_c1_24_59_04_99_52_e0_7f_dd_23_52_30_be_be_3c_bc_b0_73_ee_10_42_a3_86_4a_dd_be_82_a6_5e_58_73_ef_cc_b6_e5_49_ee_c2_29_b5_81_85_c0_a7_61_71_4e_13_99_b2_cd_68_16_c2_74_86_49_38_05_c0_95_60_9c_9a_3f_31_8a_ad_xx_8f_eb_c5_87_e9_15_d7_af_1e_ee_ef_8a_fd_7d_b2_a5_30_a3_60_d9_3e_02_32_b5_63_7f_39_ff_92_22_7a} }
    NagiosXI.snmptrap > 10.1.2.101.snmptrap: [bad udp cksum a240!]  { SNMPv3 { F= } { USM B=1 T=41 U=myname } { ScopedPDU E= 0x800x000x1F0x880x800x890xF10x810x1A0xD10x830x000x551x000x000x000x00 C= { Report(28) R=0  S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=9 } } }

Code:

/usr/sbin/snmptrapd -On -c /home/snmptrapd-test-6.conf -Lsd -Lf /var/log/snmpv3.log -p /var/run/snmptrapd.pid -D -d -f

(I see nothing new which I should) (Now I tested normal SNMPv3 traps with EngineID and worked fine)

Re: NagiosXI SNMP V3 (Do I need an EngineID)

Posted: Wed Mar 11, 2015 2:45 pm
by jdalrymple
Hi mlopez,

From what I read it doesn't sound like authentication is going to be possible without actually "specifying" the EngineID.

http://www.cisco.com/c/en/us/td/docs/io ... #wp1011412

How your other devices are doing it with a wildcard sounds... impossible honestly based upon what I'm reading.

http://www.net-snmp.org/tutorial/tutori ... ap-v3.html

You might want to get in touch with your other NMS software distributor, sounds like they have some secret sauce that maybe they could let you in on. Curious, what type of device is it that you're receiving traps on? I would like to configure something of a lab here to mimic your environment, the closer I can get to your reality the better.

Thanks
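
Added example, not part of the original thread or of net-snmp's code: the RFC 3414 key localization that binds each USM key to one authoritative engineID, which for a trap is the sender's, while for an INFORM it is the receiver's and the sender discovers it. The `TrapReceiver` class, the second engineID and the trap payload are constructed for illustration, and the MAC is simplified to HMAC-SHA-96 over the payload alone.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576  # RFC 3414 A.2: the password is stretched to 2^20 bytes


def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """Ku: hash of the password repeated cyclically up to 1 MiB (RFC 3414 A.2)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key is bound to one authoritative engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


class TrapReceiver:
    """Toy model (hypothetical) of a receiver's USM table, keyed by (engineID, user)."""

    def __init__(self):
        self.users = {}

    def create_user(self, engine_id: bytes, user: str, password: bytes):
        # Mirrors one "createUser -e <engineID> <user> SHA <password>" line.
        self.users[(engine_id, user)] = localize_key(password_to_key(password), engine_id)

    def check_trap(self, engine_id: bytes, user: str, msg: bytes, mac: bytes) -> str:
        key = self.users.get((engine_id, user))
        if key is None:
            return "unknownEngineID"  # no localized key exists for this sender
        expected = hmac.new(key, msg, hashlib.sha1).digest()[:12]  # HMAC-SHA-96
        return "ok" if hmac.compare_digest(expected, mac) else "wrongDigest"


def demo():
    known = bytes.fromhex("8000000001020304")  # engineID from the first post
    other = bytes.fromhex("80000000010203ff")  # constructed: a second device
    rx = TrapReceiver()
    rx.create_user(known, "traptest", b"mypassword")
    msg = b"constructed trap payload"
    results = []
    for eid in (known, other):  # each sender signs with a key localized to itself
        kul = localize_key(password_to_key(b"mypassword"), eid)
        mac = hmac.new(kul, msg, hashlib.sha1).digest()[:12]
        results.append(rx.check_trap(eid, "traptest", msg, mac))
    return results
```

Same user and password on both devices, but only the engineID the receiver was configured with yields a usable key; the second device gets the same outcome as the `usmStatsUnknownEngineIDs` report in the tcpdump capture above.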

Re: NagiosXI SNMP V3 (Do I need an EngineID)

Posted: Wed Mar 11, 2015 3:01 pm
by mlopez
Hi jdalrymple,
That's what I can't wrap my head around, from all the documentation on net-snmp you need an ENGINEID unless you are not using SNMPv3 Traps but SNMPv3 INFORMS. I will contact the third party vendor as the only thing I typed in was the SHA + DES + username that's all, I'm wondering how they are able to display the SNMPv3 TRAP without the ENGINEID and it's been working for weeks now so I'm not just imagining things and yes it's SNMPv3 as I ran Wireshark and I even tried changing the password which made the traps stop.


Michael

Re: NagiosXI SNMP V3 (Do I need an EngineID)

Posted: Wed Mar 11, 2015 3:20 pm
by jdalrymple
Great Michael - in the meantime I'm still curious what kind of device(s) you're working with? Cisco maybe/probably?