SNMP V3 unable to connect

Hi folks,

Been puzzling over this one for ages. Right up to Equulus 202103 seems that SNMP V3 just doesn’t work. SNMP V2 is fine, but V3 just returns… nothing, timeouts. After doing many changes and tests I blew the config all away and started again with the example in the wiki:

vyos@vyos# show service snmp v3
 engineid 000000000000000000000002
 group default {
     mode ro
     view default
 }
 user vyos {
     auth {
         encrypted-password 4e52fe55fd011c9c51ae2c65f4b78ca93dcafdfe
         type sha
     }
     group default
     privacy {
         encrypted-password 4e52fe55fd011c9c51ae2c65f4b78ca93dcafdfe
         type aes
     }
 }
 view default {
     oid 1 {
     }
 }

Both SNMPwalk and Paessler SNMP Tester return timeouts while running tcpdump on the node returns nothing but invalidEngineID:

vyos@vyos# tcpdump -vv | grep snmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10.168.243.16.61406 > 10.168.243.241.snmp: [udp sum ok] { SNMPv3 { F=r } { USM B=0 T=0 U="" } { ScopedPDU E= C="000000000000000000000002" { GetRequest(12) R=1534 } } }

10.168.243.241.snmp > 10.168.243.16.61406: [bad udp cksum 0xfcd1 -> 0x7d7f!] { SNMPv3 { F= } { USM B=1 T=1330 U="" } { ScopedPDU E=_00_00_00_00_00_00_00_00_00_00_00_02 C="" { Report(29) R=1534 S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=21 } } }

10.168.243.16.61406 > 10.168.243.241.snmp: [udp sum ok]  { SNMPv3 { F=apr } { USM B=1 T=1330 U="vyos" } { ScopedPDU [!scoped PDU]c3_68_05_8d_dc_d9_f0_10_c2_81_fe_06_a7_bd_bd_dd_74_ec_30_e3_d2_ea_22_a6_72_e3_2b_e1_e0_9b_0e_fc_5e_40_c7_b5_f2_83_38_d6_48_79_6c_e1_d6_92_33_04_60_a5_a8_5c_25_57_e3_9f_81_d0_87_43_0b_69_0f_4f_3a_3b_68_76_fd_01} }

10.168.243.16.61407 > 10.168.243.241.snmp: [udp sum ok]  { SNMPv3 { F=r } { USM B=0 T=0 U="" } { ScopedPDU E= C="000000000000000000000002" { GetRequest(12) R=5067  } } }

10.168.243.241.snmp > 10.168.243.16.61407: [bad udp cksum 0xfcd1 -> 0x082c!]  { SNMPv3 { F= } { USM B=1 T=1332 U="" } { ScopedPDU E=_00_00_00_00_00_00_00_00_00_00_00_02 C="" { Report(29) R=5067  S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=22 } } }

10.168.243.16.61407 > 10.168.243.241.snmp: [udp sum ok]  { SNMPv3 { F=apr } { USM B=1 T=1332 U="vyos" } { ScopedPDU [!scoped PDU]35_25_98_70_d2_45_82_94_95_a4_51_23_4e_11_6e_3e_4e_84_d3_b6_21_7c_93_3d_54_01_98_52_fa_0e_4e_0f_d3_d8_3d_2d_e9_a2_68_99_bc_6a_19_4b_63_f6_26_48_7c_72_3d_1a_d9_b3_81_8d_58_92_d3_6a_e5_28_e6_39_02_23_2b_8e_9e_43} }
10.168.243.16.61408 > 10.168.243.241.snmp: [udp sum ok]  { SNMPv3 { F=r } { USM B=0 T=0 U="" } { ScopedPDU E= C="000000000000000000000002" { GetRequest(12) R=5069  } } }

10.168.243.241.snmp > 10.168.243.16.61408: [bad udp cksum 0xfcd1 -> 0x022a!]  { SNMPv3 { F= } { USM B=1 T=1334 U="" } { ScopedPDU E=_00_00_00_00_00_00_00_00_00_00_00_02 C="" { Report(29) R=5069  S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=23 } } }

10.168.243.16.61408 > 10.168.243.241.snmp: [udp sum ok]  { SNMPv3 { F=apr } { USM B=1 T=1334 U="vyos" } { ScopedPDU [!scoped PDU]11_07_d4_85_e6_56_bd_cc_5e_38_2d_7c_0c_ac_08_0b_a5_0f_87_2e_7e_4b_65_ac_1e_85_a3_29_41_ae_e7_47_54_15_28_ce_c2_18_e3_56_20_40_1a_fa_d0_70_c5_29_ed_ff_c5_4c_65_ef_26_fc_4c_79_37_09_5d_f8_f2_91_46_39_49_44_77_40_58} }

10.168.243.16.61409 > 10.168.243.241.snmp: [udp sum ok]  { SNMPv3 { F=r } { USM B=0 T=0 U="" } { ScopedPDU E= C="000000000000000000000002" { GetRequest(12) R=9289  } } }

10.168.243.241.snmp > 10.168.243.16.61409: [bad udp cksum 0xfcd1 -> 0x8042!]  { SNMPv3 { F= } { USM B=1 T=1336 U="" } { ScopedPDU E=_00_00_00_00_00_00_00_00_00_00_00_02 C="" { Report(29) R=9289  S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=24 } } }

10.168.243.16.61409 > 10.168.243.241.snmp: [udp sum ok]  { SNMPv3 { F=apr } { USM B=1 T=1336 U="vyos" } { ScopedPDU [!scoped PDU]d5_38_ce_f6_3a_f3_4a_14_80_09_6c_cf_d3_1f_ac_6e_cf_31_25_6a_aa_88_5a_aa_ac_98_9c_70_77_4d_0c_82_fd_94_bf_a2_7a_52_94_44_2e_91_6c_af_8a_a4_8a_f6_57_33_b8_4f_dc_a0_7c_d2_01_de_fb_4d_14_8a_3c_d5_fc_87_d6_d9_03_bb_49} }

Thanks!

Witchy

version: VyOS 1.4-rolling-20210327
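The capture above is easier to read once the packets are grouped per client port: the empty-engine-ID GetRequest followed by a Report carrying usmStatsUnknownEngineIDs is the normal RFC 3414 engine-ID discovery handshake, and the real symptom is the third packet (authPriv request from user "vyos") that the agent never answers. The following script is an added example, not code from the original post or from VyOS; it assumes the `tcpdump -vv` line format shown in the thread, reuses one round of the real capture as sample input, and adds one constructed healthy round (port 61500, hypothetical bytes) for contrast.

```python
"""Triage an SNMPv3/USM exchange from tcpdump -vv output.

Added example (not from the thread or VyOS). Packets are grouped by the
client-side port; the engine-ID discovery Report is classified as expected
behaviour, and an authenticated request with no agent reply is flagged as
the source of the client's timeout.
"""
import re
from collections import defaultdict

# Constructed sample: one discovery round copied from the thread's capture,
# plus one hypothetical healthy round (port 61500, made-up ciphertext bytes).
SAMPLE = """\
10.168.243.16.61406 > 10.168.243.241.snmp: [udp sum ok] { SNMPv3 { F=r } { USM B=0 T=0 U="" } { ScopedPDU E= C="000000000000000000000002" { GetRequest(12) R=1534 } } }
10.168.243.241.snmp > 10.168.243.16.61406: [bad udp cksum 0xfcd1 -> 0x7d7f!] { SNMPv3 { F= } { USM B=1 T=1330 U="" } { ScopedPDU E=_00_00_00_00_00_00_00_00_00_00_00_02 C="" { Report(29) R=1534 S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=21 } } }
10.168.243.16.61406 > 10.168.243.241.snmp: [udp sum ok]  { SNMPv3 { F=apr } { USM B=1 T=1330 U="vyos" } { ScopedPDU [!scoped PDU]c3_68_05_8d_dc_d9_f0_10 } }
10.168.243.16.61500 > 10.168.243.241.snmp: [udp sum ok] { SNMPv3 { F=apr } { USM B=1 T=1340 U="vyos" } { ScopedPDU [!scoped PDU]aa_bb_cc_dd } }
10.168.243.241.snmp > 10.168.243.16.61500: [udp sum ok] { SNMPv3 { F=ap } { USM B=1 T=1340 U="vyos" } { ScopedPDU [!scoped PDU]ee_ff_00_11 } }
"""

# Header: endpoints, msgFlags (a=auth, p=priv, r=reportable) and USM user name.
LINE_RE = re.compile(
    r'^(?P<src>\S+) > (?P<dst>\S+): .*?\{ SNMPv3 \{ F=(?P<flags>\w*) \} '
    r'\{ USM B=(?P<boots>\d+) T=(?P<time>\d+) U="(?P<user>[^"]*)" \}'
)
# Plaintext scoped PDU: PDU type and request-id (absent when the PDU is encrypted).
PDU_RE = re.compile(r'(?P<pdu>GetRequest|GetNextRequest|GetBulk|Response|Report)\(\d+\)\s+R=(?P<rid>\d+)')
# usmStats counter carried in a Report PDU.
STAT_RE = re.compile(r'usmStats\.(?P<stat>usmStats\w+)\.0=(?P<count>\d+)')


def parse(line: str):
    """Return a dict describing one packet, or None for non-SNMPv3 lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["from_agent"] = pkt["src"].endswith(".snmp")
    pkt["client"] = pkt["dst"] if pkt["from_agent"] else pkt["src"]
    p = PDU_RE.search(line)
    pkt["pdu"] = p["pdu"] if p else None          # None: scoped PDU is encrypted
    pkt["rid"] = int(p["rid"]) if p else None
    s = STAT_RE.search(line)
    pkt["stat"] = s["stat"] if s else None
    pkt["encrypted"] = "[!scoped PDU]" in line
    return pkt


def classify(capture: str) -> dict:
    """Map each client endpoint to a one-line verdict about its exchange."""
    convs = defaultdict(list)
    for line in capture.splitlines():
        pkt = parse(line)
        if pkt:
            convs[pkt["client"]].append(pkt)

    verdicts = {}
    for client, pkts in convs.items():
        verdict = "no SNMPv3 traffic parsed"
        for i, pkt in enumerate(pkts):
            if pkt["from_agent"]:
                if pkt["stat"] == "usmStatsUnknownEngineIDs":
                    verdict = "engine-ID discovery completed (this Report is expected, not an error)"
                elif pkt["stat"]:
                    verdict = f"agent rejected the request: Report {pkt['stat']}"
                # an encrypted agent reply is accounted for by the 'answered' check below
            elif pkt["user"] == "" and "r" in pkt["flags"]:
                verdict = "discovery probe sent, no Report received"
            elif pkt["user"] and "a" in pkt["flags"]:
                if any(p["from_agent"] for p in pkts[i + 1:]):
                    verdict = f"authenticated request by '{pkt['user']}' was answered"
                else:
                    verdict = (f"authenticated request by '{pkt['user']}' got no reply: "
                               "this is the client-side timeout")
        verdicts[client] = verdict
    return verdicts


if __name__ == "__main__":
    for client, verdict in classify(SAMPLE).items():
        print(f"{client}: {verdict}")
```

Pipe a real capture in with `tcpdump -vv -l udp port 161 | python3 triage.py` after replacing `SAMPLE` with `sys.stdin.read()`; the point of the verdict strings is that the "UnknownEngineIDs" Report is not the fault, the silence after the authenticated request is.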

Strangely enough, my snmp is working fine.

set service snmp listen-address 192.168.0.1 port '161'
set service snmp listen-address fc00:470:f1cd::1 port '161'
set service snmp location 'HOME'
set service snmp v3 engineid 'ff42'
set service snmp v3 group default mode 'ro'
set service snmp v3 group default seclevel 'priv'
set service snmp v3 group default view 'public'
set service snmp v3 user vyos auth encrypted-password 'encrypted'
set service snmp v3 user vyos auth type 'sha'
set service snmp v3 user vyos group 'default'
set service snmp v3 user vyos mode 'ro'
set service snmp v3 user vyos privacy encrypted-password 'encrypted'
set service snmp v3 user vyos privacy type 'aes'
set service snmp v3 view public oid 1

OK, looks like I need to go up to 1.4 then!

Cheers.

@Witchy

please note that SNMPv3 will use the engine ID as salt for the crypto keys. Please create your own keys from plaintext mode which will be encrypted by us.

SNMPv3 is the exact same version in 1.4 and 1.3

Hi,

After a lot of reading I tried to create an engineID of the correct format based on the mac address of the adapter (‘000000000300mac address’), this is before I scrapped everything and tried just using the example in the wiki page. I still couldn’t get authentication going. I’ll set everything up as it was before and report back.

Cheers

Witchy

OK, getting somewhere. I changed tack and built a 1.4 install locally in vmware to avoid all firewalls and anything unknown. I created a new engineID then reset the auth and priv passwords. Amazingly snmpwalk worked first time, though I noticed it makes a difference whether the passwords are created in quotes or not.

The difference being that in the Paessler SNMP tester and SNMPwalk GUI I was treating the engineID as the context and that’s what didn’t work. My clue was snmpwalk not needing a context. I changed my query in Paessler Tester and that worked too.

Now I just need to make Solarwinds discover it and I’ll be home dry. It’s a shame Solarwinds appears to be a law unto itself when it comes to SNMP testing :)

Cheers!

Yes, it was down to how VyOS handles the engineID - it’s used to salt the auth/priv passwords and nothing else. I ended up setting the engineID to be the MAC address of the box itself then setting the auth/priv passwords. Remove any context from whatever you’re using to query the box and all should be good.

The thing to remember is if you change the engineID you must then also reset the auth/priv passwords. The correct order of things is in jack9603301’s post above.
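The two remarks about the engine ID acting as a salt (jack9603301's reply above and the last post) describe RFC 3414 key localization: the agent never stores the password, only a key derived from the password and its own snmpEngineID, so a new engine ID silently invalidates every existing key. The script below is an added example, not VyOS or net-snmp code; it implements the RFC 3414 Appendix A derivation with Python's hashlib and assumes that the hex string given to `set service snmp v3 engineid` is the raw engine ID (the thread's capture shows `000000000000000000000002` on the wire as twelve bytes, which is also the RFC 3414 test-vector engine ID). The `usm_keys` and `keys_differ_across_engine_ids` helpers are this example's own names.

```python
"""RFC 3414 USM key derivation: why an SNMPv3 engine ID 'salts' the passwords.

Added example; this is not VyOS or net-snmp code. It implements the two
steps of RFC 3414 Appendix A that every USM implementation performs:
  1. password -> Ku   (password repeated to 1 MiB and hashed)
  2. Ku -> Kul        (H(Ku || snmpEngineID || Ku), the engine-ID 'salt')
and shows that the same auth/priv password yields a different localized
key for each engine ID, which is why the passwords must be set again
after the engine ID changes.
"""
import hashlib

PASSWORD_EXPANSION_BYTES = 1_048_576  # RFC 3414 A.2.1/A.2.2 feed exactly 1 MiB to the hash


def password_to_key(password: str, hash_name: str) -> bytes:
    """Ku = H(password cycled to 1,048,576 bytes). hash_name is 'md5' or 'sha1'."""
    pw = password.encode()
    if not pw:
        raise ValueError("USM passwords must not be empty")
    reps = PASSWORD_EXPANSION_BYTES // len(pw) + 1
    return hashlib.new(hash_name, (pw * reps)[:PASSWORD_EXPANSION_BYTES]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku) (RFC 3414 section 2.6)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def engine_id_from_vyos(config_value: str) -> bytes:
    """Assumption: 'set service snmp v3 engineid <hex>' is the raw engine ID in hex;
    the thread's capture shows 000000000000000000000002 on the wire as 12 bytes."""
    return bytes.fromhex(config_value)


def usm_keys(auth_password: str, priv_password: str, engine_id: bytes,
             auth_hash: str = "sha1") -> dict:
    """Localized auth key and AES-128 privacy key (RFC 3826: first 16 bytes of Kul)
    for the configuration used in the thread: auth type sha, privacy type aes."""
    auth_key = localize_key(password_to_key(auth_password, auth_hash), engine_id, auth_hash)
    priv_kul = localize_key(password_to_key(priv_password, auth_hash), engine_id, auth_hash)
    return {"auth": auth_key, "priv": priv_kul[:16]}


def keys_differ_across_engine_ids(password: str, engine_ids: list) -> bool:
    """True when every engine ID yields a distinct localized key for one password."""
    kul = {localize_key(password_to_key(password, "sha1"),
                        engine_id_from_vyos(e), "sha1") for e in engine_ids}
    return len(kul) == len(engine_ids)


if __name__ == "__main__":
    # Constructed demo values: the RFC 3414 test-vector password "maplesyrup"
    # with the wiki-example engine ID and with the 'ff42' engine ID from the
    # working configuration posted in this thread.
    for eid in ("000000000000000000000002", "ff42"):
        k = usm_keys("maplesyrup", "maplesyrup", engine_id_from_vyos(eid))
        print(f"engineid {eid}: auth={k['auth'].hex()} priv={k['priv'].hex()}")
    print("keys differ:",
          keys_differ_across_engine_ids("maplesyrup", ["000000000000000000000002", "ff42"]))
```

Net-snmp's `snmpwalk` does the same derivation on the client side after it discovers the agent's engine ID, so a check of a fresh configuration is `snmpwalk -v3 -l authPriv -u vyos -a SHA -A '<auth password>' -x AES -X '<priv password>' <router>` with no `-n` context option, matching the thread's finding that the engine ID must not be passed as a context.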