SNMP v3 trap-target is busted

I’ve been working on getting v3 trap targets with VyOS and discovered that the /etc/snmp/snmpd.conf file that gets generated is busted for v3 trap-targets. I tried to file a bug, but wasn’t able to, so I’m putting this here so maybe someone can see it.

On my trap target I created a /etc/snmp/snmptrapd.conf file with the following contents:

snmpTrapdAddr :163
doNotLogTraps no
doNotFork yes

# v3 config
createUser -e 0000000000000002 snmpv3user SHA vyos12345678 AES vyos12345678
authUser log snmpv3user
disableAuthorization yes

I then spun snmptrapd on the trap target:

snmptrapd -Lf /var/log/snmptrapd.log -c /etc/snmp/snmptrapd.conf

I then monitored the /var/log/snmptrapd.log file:

tail -f /var/log/snmptrapd.log

And watched for inbound UDP traffic:

tcpdump -vv -A -T snmp -s 0 "dst port 163"

You can test this from VyOS by invoking the following:

snmptrap -v 3 -e 0000000000000002 -u snmpv3user -l authPriv -a SHA -A vyos12345678 -x AES -X vyos12345678 10.3.29.93:163 '' .1.3.6.1.4.1.5089.1.0.1 .1.3.6.1.4.1.5089.2.0.999 s "123456"

For my VyOS config I did the following:

set service snmp v3 engineid '0000000000000002'
set service snmp v3 group default mode 'ro'
set service snmp v3 group default view 'default'
set service snmp v3 trap-target 10.3.29.93 auth plaintext-password 'vyos12345678'
set service snmp v3 trap-target 10.3.29.93 auth type 'sha'
set service snmp v3 trap-target 10.3.29.93 port '163'
set service snmp v3 trap-target 10.3.29.93 privacy plaintext-password 'vyos12345678'
set service snmp v3 trap-target 10.3.29.93 privacy type 'aes'
set service snmp v3 trap-target 10.3.29.93 type 'trap'
set service snmp v3 trap-target 10.3.29.93 user 'snmpv3user'
set service snmp v3 view default oid 1

First thing you’ll notice is that there are no SNMP messages that make their way to the trap host. If you examine /etc/snmp/snmpd.conf on VyOS you’ll see the following line:

trapsess -v 3  -e "0000000000000002" -u snmpv3user -a sha -A vyos12345678 -x aes -X vyos12345678 -l authPriv 10.3.29.93:udp:163

This is incorrect. To make this work you’ll need to change the auth and privacy types to upper case:

  • sha → SHA
  • aes → AES

and reorder the target host:

  • 10.3.29.93:udp:163 → udp:10.3.29.93:163

The new line should look like the following:

trapsess -v 3  -e "0000000000000002" -u snmpv3user -a SHA -A vyos12345678 -x AES -X vyos12345678 -l authPriv udp:10.3.29.93:163

Now restart SNMP on VyOS:

restart snmp

You should see VyOS send SNMP messages to the trap target.

Hopefully this can help someone fix their issue.

Regards,


Hi all,

Got a bit of sleep and wrote a bit of Python to patch the config file on system boot.

Created a Python script /config/scripts/patch-snmpd.py with the following contents:

#!/usr/bin/env python3
# Rewrite the trapsess lines in a VyOS-generated snmpd.conf and print the
# result to stdout; every other line is passed through unchanged.

import re
import sys

if len(sys.argv) != 2:
    sys.exit(1)

with open(sys.argv[1], 'r') as cfg_file:
    for cfg_line in cfg_file:
        if re.search(r"^trapsess\s+-v\s+3", cfg_line):
            # Patch auth flag: -a sha -> -a SHA
            auth_match = re.search(r"(-a\s+([^\s]+))", cfg_line)
            if auth_match:
                auth_type = auth_match[2].upper()
                cfg_line = cfg_line.replace(auth_match[1], f"-a {auth_type}")

            # Patch privacy flag: -x aes -> -x AES
            priv_match = re.search(r"(-x\s+([^\s]+))", cfg_line)
            if priv_match:
                priv_type = priv_match[2].upper()
                cfg_line = cfg_line.replace(priv_match[1], f"-x {priv_type}")

            # Patch trap target: host:udp:port -> udp:host:port
            trap_match = re.search(r"((\d+\.\d+\.\d+\.\d+):(udp|tcp):(\d+))", cfg_line)
            if trap_match:
                trap_target = f"{trap_match[3]}:{trap_match[2]}:{trap_match[4]}"
                cfg_line = cfg_line.replace(trap_match[0], trap_target)

        print(cfg_line.strip())

sys.exit(0)

I then invoke this script in /config/scripts/vyos-postconfig-bootup.script:

# Rewrite the generated config; only overwrite the live file if the patch changed it
/config/scripts/patch-snmpd.py /etc/snmp/snmpd.conf > /tmp/snmpd.conf
if [ "$?" -eq 0 ] && [ -e /tmp/snmpd.conf ]; then
  _old_md5=$(md5sum /etc/snmp/snmpd.conf | awk '{ print $1 }')
  _new_md5=$(md5sum /tmp/snmpd.conf | awk '{ print $1 }')
  if [ "${_old_md5}" != "${_new_md5}" ]; then
    cat /tmp/snmpd.conf > /etc/snmp/snmpd.conf
  fi
  rm /tmp/snmpd.conf
fi

This patches the /etc/snmp/snmpd.conf file on system boot and should get you working SNMPv3 trap targets.

Regards,
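The trapsess rewrite described in the two posts above, as an added example that is not the forum author's script: it tokenizes the line with shlex so the quoted engine id survives, upper-cases the -a/-x protocol names, reorders a host:transport:port target into transport:host:port, and leaves an already-correct line (or a non-v3 trapsess) untouched, so it is safe to run on every boot. The sample input is the broken line quoted from the thread.

```python
import shlex

# Added example: normalise a VyOS-generated Net-SNMP "trapsess" line.
# Net-SNMP expects upper-case protocol names for -a/-x and a target written
# as "<transport>:<host>:<port>"; VyOS emits "sha"/"aes" and "host:udp:port".

PROTO_FLAGS = {"-a", "-x"}                    # auth and privacy protocol flags
TRANSPORTS = ("udp", "tcp", "udp6", "tcp6")   # transport prefixes Net-SNMP knows

# Broken line as generated by VyOS (copied from the thread)
BROKEN_LINE = ('trapsess -v 3  -e "0000000000000002" -u snmpv3user -a sha -A vyos12345678 '
               '-x aes -X vyos12345678 -l authPriv 10.3.29.93:udp:163')


def fix_target(target: str) -> str:
    """Rewrite host:transport:port as transport:host:port; other forms are returned as-is."""
    parts = target.split(":")
    if len(parts) == 3 and parts[1] in TRANSPORTS and parts[0] not in TRANSPORTS:
        host, transport, port = parts
        return f"{transport}:{host}:{port}"
    return target


def fix_trapsess(line: str) -> str:
    """Return the corrected trapsess line (single-space separated) or the input unchanged."""
    tokens = shlex.split(line)                # strips the quotes around the engine id
    if len(tokens) < 2 or tokens[0] != "trapsess" or "-v" not in tokens:
        return line
    v_idx = tokens.index("-v")
    if v_idx + 1 >= len(tokens) or tokens[v_idx + 1] != "3":
        return line                           # only v3 sessions carry -a/-x
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in PROTO_FLAGS and i + 1 < len(tokens):
            out += [tok, tokens[i + 1].upper()]        # sha -> SHA, aes -> AES
            i += 2
        elif tok == "-e" and i + 1 < len(tokens):
            out += [tok, f'"{tokens[i + 1]}"']         # keep engine id quoted as VyOS writes it
            i += 2
        else:
            out.append(tok)
            i += 1
    out[-1] = fix_target(out[-1])             # the target is always the last argument
    return " ".join(out)


if __name__ == "__main__":
    print(fix_trapsess(BROKEN_LINE))
```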

Thank you for this nice bug report incl. a way to reproduce and even fix this.

I flagged T8039 snmp: trap target broken with SNMPv3 for this.

You’re very welcome. Sorry that I couldn’t do more. I was looking through the source code to figure out how to fix it myself but it was pretty late and I had no idea where the file was that creates the config file.

What I’m trying to do is figure out a way to trigger an SNMPv3 trap whenever a load balanced WAN interface goes down/up. I’m still grinding my way through that so I may post more as I discover things.

Accidentally deleted a newline in the trap target config file. It should look like:

snmpTrapdAddr :163
doNotLogTraps no
doNotFork yes

# v3 config
createUser -e 0000000000000002 snmpv3user SHA vyos12345678 AES vyos12345678
authUser log snmpv3user
disableAuthorization yes