Active IQ Unified Manager Discussions

SNMP issue with acquiring Cisco MDS switches with OCI 7.1

JBARBALACE
7,629 Views

Hello,

I'm trying to find a bit more information and guidance regarding the below error:

 

"Snmp error code: 43 error message: Error Sending PDU. Failed to authenticate the SecurityParameters for user <username> SnmpEngineEntry not found for address <IP address> port 161"

 

The switches are located at a remote site, and I've been increasing the timeout to try and accomodate for the distance.  Would an RAU assist in acquiring switches?  We have an exisiting RAU at this location to assist with acquiring an array, and I'm curious if it can pull double-duty.

 

Thank you!

Julia

5 REPLIES 5

ostiguy
7,600 Views

Hey Julia,

 

This looks more like a misconfiguration than a timeout / latency issue. Have these datasources ever worked?

 

From your error message, with username cited, are you using SNMPv3?

 

SNMPv3 data is identical to v2, what is different is SNMP v1+v2 have a simplistic security model using community strings (functionally shared secrets) whereas v3 allows authentication and encryption.

 

However, since SNMP is UDP based, it can be a bit tricky to troubleshoot, as you are not guaranteed to get a reply if your request doesn't meet the expectations of the receiving device.

 

OCI ships a snmpwalk.bat that allows you test snmp outside of a datasource.

 

If you know whether you should or should not be using SNMP v3, I can give you some examples.

 

cmd prompt

 

cd %sanscreen_home%\bin

 

snmpwalk.bat 1.2.3.4 -v2 -cpublic

 

If you see a ton of stuff scroll past, good. if it times out, that is a sign that "public" is not a valid community string on device 1.2.3.4, or snmp v2 may not be enabled.

 

 

JBARBALACE
7,597 Views

Hi,

Yes, we are using V3 and no, they have never worked.  We do have additional MDS switches that are local and we are acquiring just fine.  It is just those at the remote location with the issue.

 

I specific community string was created for OCI (by the admins, not by me) which seems to work for the local, but not the remote.

 

I ran the command below, using -v2 and -v3 and using the community string name that was set up, and also with -cpublic...whatever I adjusted for, there was not a lot of scrolling of anything.

 

 

 

 

 

 

ostiguy
7,565 Views

So, the good news I can offer you is that the reply back , or error you are seeing in the OCI datasource is a pretty good sign that there is no firewall between OCI and the device in question, so I think we can probably eliminate that as a possibility.

 

Admittedly, our terminology for SNMP is somewhat cryptic

 

SNMP community string - this field is the datasource is mandatory, but irrelevant for SNMP v3 configs. So, you need to populate it with something, but the value is not used in v3 configs

 

User name - this field is optional, as it is irrelevant for anything *but* SNMP v3 configs. It is functionally mandatory for snmp v3 configs

 

Password - this field is optional, as it is irrelevant for anything *but* SNMP v3 configs. It it MAY be functionally mandatory for snmp v3 configs, depending on how your device (in this case, a Cisco MDS switch) is configured

 

SNMP Auth Protocol - only relevant for v3 configs. MD5 | SHA | NO_AUTH

 

SNMP Privacy Protocol - only relevant for v3 configs DES | TRIPLEDES | AES | NONE

 

SNMP Privacy Password - only relevant for v3 configs

 

 

The tricky stuff with snmpv3:

 

You can configure a switch where no authentication or encryption (privacy) is required - in which case, from an OCI perspective, you simply need to:

populate username

set SNMP auth protocol to NO_AUTH

set SNMP privacy protocol to NONE

 

And you should be in business

 

snmpWalk.bat 1.2.3.4 -v3 -snostiguy

 

Would be a way of testing such a config for user "ostiguy"

 

At the opposite extreme, authentication and encryption could be required. And separate authentication passwords and encryption passwords could be required. For OCI:

populate username with extreme

populate password with authpasswordhere

set SNMP auth protocol to SHA

set SNMP Privacy Protocol to AES

Set SNMP Privacy Password to privpasswordhere

 

To test this with our snmpwalk.bat:

 

snmpwalk.bat 1.2.3.4 -v3 -snextreme -uaauthpasswordhere -sha -privpcAES128 -privpprivpasswordhere

 

I unfortunately don't have much for notes on SNMP v3 on Cisco. However:

 

It may be worth looking if any policies have been enabled on the switch to force certain levels of auth or encryption - if these have been set, but your user was not create in compliance with them, your user may be functionally unusable (i.e, no encryption password defined, but the switch only allows SNMPv3 usage with AES128).

 

I don't know if Cisco supports any crypto we don't support - OCI doesn't support AES 192 or 256 because Java doesn't, out of the box.

 

I am kinda over-due to take a look at this stuff on Cisco. We have a strongly Brocade playbook because in Brocade Virtual Fabric environments, you MUST use SNMPv3 to collect performance, or else you cannot get statistics on the non-default Virtual Fabric

 

Matt

JBARBALACE
7,550 Views

Thanks very much for all those details!  I'm going to forward this info over to networking and see what they have to say for themselves.

 

We do require an authentication, and we are currently using SNMP auth protocol MD5 and SNMP Privacy Protocol DES.  It's possible that I'm running the command incorrectly, but what is returned (some items redacted to protect the innocent):

 

D:\SANscreen\bin>snmpwalk.bat 1.2.3.4 -v3 -sn<name> –au<password> -md5 -privpcdes –privp<password>

Host=1.2.3.4:161 Timeout=1000ms Retries=1 Debug=false Version=SNMPv3 Community=public User=<name> AuthProtocol=MD5 sessionName=null_0

End of MIB Reached

Total # of Requests = 0

Total # of Objects = 0

 

 

Thank you again for your help today! 

Julia

stephen2
6,765 Views
you MUST use SNMPV3 you MUST have a valid RO Community String you MUST have an SNMP V3 user account and password you MUST set the privacy and auth protocols to match you MUST have an access control entry in the SNMP setup
Public