SNMP V3 unable to connect

Hi folks,

Been puzzling over this one for ages. Right up to Equulus 202103 seems that SNMP V3 just doesn’t work. SNMP V2 is fine, but V3 just returns… nothing, timeouts. After doing many changes and tests I blew the config all away and started again with the example in the wiki:

vyos@vyos# show service snmp v3
   engineid 000000000000000000000002
   group default {
      mode ro
      view default
   }
  user vyos {
     auth {
         encrypted-password 4e52fe55fd011c9c51ae2c65f4b78ca93dcafdfe
         type sha
     }
     group default
     privacy {
         encrypted-password 4e52fe55fd011c9c51ae2c65f4b78ca93dcafdfe
         type aes
     }
 }
 view default {
     oid 1 {
     }
 }

Both SNMPwalk and Paessler SNMP Tester return timeouts while running tcpdump on the node returns nothing but invalidEngineID:

vyos@vyos# tcpdump -vv | grep snmp tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 10.168.243.16.61406 > 10.168.243.241.snmp: [udp sum ok] { SNMPv3 { F=r } { USM B=0 T=0 U="" } { ScopedPDU E= C="000000000000000000000002" { GetRequest(12) R=1534 } } }

10.168.243.241.snmp > 10.168.243.16.61406: [bad udp cksum 0xfcd1 → 0x7d7f!] { SNMPv3 { F= } { USM B=1 T=1330 U="" } { ScopedPDU E=_00_00_00_00_00_00_00_00_00_00_00_02 C="" { Report(29) R=1534 S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=21 } } }

10.168.243.16.61406 > 10.168.243.241.snmp: [udp sum ok]  { SNMPv3 { F=apr } { USM B=1 T=1330 U="vyos" } { ScopedPDU [!scoped PDU]c3_68_05_8d_dc_d9_f0_10_c2_81_fe_06_a7_bd_bd_dd_74_ec_30_e3_d2_ea_22_a6_72_e3_2b_e1_e0_9b_0e_fc_5e_40_c7_b5_f2_83_38_d6_48_79_6c_e1_d6_92_33_04_60_a5_a8_5c_25_57_e3_9f_81_d0_87_43_0b_69_0f_4f_3a_3b_68_76_fd_01} }

10.168.243.16.61407 > 10.168.243.241.snmp: [udp sum ok]  { SNMPv3 { F=r } { USM B=0 T=0 U="" } { ScopedPDU E= C="000000000000000000000002" { GetRequest(12) R=5067  } } }

10.168.243.241.snmp > 10.168.243.16.61407: [bad udp cksum 0xfcd1 -> 0x082c!]  { SNMPv3 { F= } { USM B=1 T=1332 U="" } { ScopedPDU E=_00_00_00_00_00_00_00_00_00_00_00_02 C="" { Report(29) R=5067  S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=22 } } }

10.168.243.16.61407 > 10.168.243.241.snmp: [udp sum ok]  { SNMPv3 { F=apr } { USM B=1 T=1332 U="vyos" } { ScopedPDU [!scoped PDU]35_25_98_70_d2_45_82_94_95_a4_51_23_4e_11_6e_3e_4e_84_d3_b6_21_7c_93_3d_54_01_98_52_fa_0e_4e_0f_d3_d8_3d_2d_e9_a2_68_99_bc_6a_19_4b_63_f6_26_48_7c_72_3d_1a_d9_b3_81_8d_58_92_d3_6a_e5_28_e6_39_02_23_2b_8e_9e_43} }
10.168.243.16.61408 > 10.168.243.241.snmp: [udp sum ok]  { SNMPv3 { F=r } { USM B=0 T=0 U="" } { ScopedPDU E= C="000000000000000000000002" { GetRequest(12) R=5069  } } }

10.168.243.241.snmp > 10.168.243.16.61408: [bad udp cksum 0xfcd1 -> 0x022a!]  { SNMPv3 { F= } { USM B=1 T=1334 U="" } { ScopedPDU E=_00_00_00_00_00_00_00_00_00_00_00_02 C="" { Report(29) R=5069  S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=23 } } }

10.168.243.16.61408 > 10.168.243.241.snmp: [udp sum ok]  { SNMPv3 { F=apr } { USM B=1 T=1334 U="vyos" } { ScopedPDU [!scoped PDU]11_07_d4_85_e6_56_bd_cc_5e_38_2d_7c_0c_ac_08_0b_a5_0f_87_2e_7e_4b_65_ac_1e_85_a3_29_41_ae_e7_47_54_15_28_ce_c2_18_e3_56_20_40_1a_fa_d0_70_c5_29_ed_ff_c5_4c_65_ef_26_fc_4c_79_37_09_5d_f8_f2_91_46_39_49_44_77_40_58} }

10.168.243.16.61409 > 10.168.243.241.snmp: [udp sum ok]  { SNMPv3 { F=r } { USM B=0 T=0 U="" } { ScopedPDU E= C="000000000000000000000002" { GetRequest(12) R=9289  } } }

10.168.243.241.snmp > 10.168.243.16.61409: [bad udp cksum 0xfcd1 -> 0x8042!]  { SNMPv3 { F= } { USM B=1 T=1336 U="" } { ScopedPDU E=_00_00_00_00_00_00_00_00_00_00_00_02 C="" { Report(29) R=9289  S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=24 } } }

10.168.243.16.61409 > 10.168.243.241.snmp: [udp sum ok]  { SNMPv3 { F=apr } { USM B=1 T=1336 U="vyos" } { ScopedPDU [!scoped PDU]d5_38_ce_f6_3a_f3_4a_14_80_09_6c_cf_d3_1f_ac_6e_cf_31_25_6a_aa_88_5a_aa_ac_98_9c_70_77_4d_0c_82_fd_94_bf_a2_7a_52_94_44_2e_91_6c_af_8a_a4_8a_f6_57_33_b8_4f_dc_a0_7c_d2_01_de_fb_4d_14_8a_3c_d5_fc_87_d6_d9_03_bb_49} }

Thanks!

Witchy

version: VyOS 1.4-rolling-20210327

Strangely enough, my snmp is working fine

set service snmp listen-address 192.168.0.1 port '161'
set service snmp listen-address fc00:470:f1cd::1 port '161'
set service snmp location 'HOME'
set service snmp v3 engineid 'ff42'
set service snmp v3 group default mode 'ro'
set service snmp v3 group default seclevel 'priv'
set service snmp v3 group default view 'public'
set service snmp v3 user vyos auth encrypted-password 'encrypted'
set service snmp v3 user vyos auth type 'sha'
set service snmp v3 user vyos group 'default'
set service snmp v3 user vyos mode 'ro'
set service snmp v3 user vyos privacy encrypted-password 'encrypted'
set service snmp v3 user vyos privacy type 'aes'
set service snmp v3 view public oid 1

OK, looks like I need to go up to 1.4 then!

Cheers.

@Witchy

please note that SNMPv3 will use the engine ID as salt for the crypto keys. Please create your own keys from plaintext mode which will be encrypted by us.

SNMPv3 is the exact same version in 1.4 and 1.3

Hi,

After a lot of reading I tried to create an engineID of the correct format based on the mac address of the adapter (‘000000000300mac address’), this is before I scrapped everything and tried just using the example in the wiki page. I still couldn’t get authentication going. I’ll set everything up as it was before and report back.

Cheers

Witchy

OK, getting somewhere. I changed tack and built a 1.4 install locally in vmware to avoid all firewalls and anything unknown. I created a new engineID then reset the auth and priv passwords. Amazingly snmpwalk worked first time, though I noticed it makes a difference whether the passwords are created in quotes or not.

The difference being that in the Paessler SNMP tester and SNMPwalk GUI I was treating the engineID as the context and that’s what didn’t work. My clue was snmpwalk not needing a context. Change my query in Paessler Tester and that worked too.

Now I just need to make Solarwinds discover it and I’ll be home dry. It’s a shame Solarwinds appears to be a law unto itself when it comes to SNMP testing :slight_smile:

Cheers!