I'm trying to find a bit more information and guidance regarding the below error:
"Snmp error code: 43 error message: Error Sending PDU. Failed to authenticate the SecurityParameters for user <username> SnmpEngineEntry not found for address <IP address> port 161"
The switches are located at a remote site, and I've been increasing the timeout to try and accomodate for the distance. Would an RAU assist in acquiring switches? We have an exisiting RAU at this location to assist with acquiring an array, and I'm curious if it can pull double-duty.
So, the good news I can offer you is that the reply back , or error you are seeing in the OCI datasource is a pretty good sign that there is no firewall between OCI and the device in question, so I think we can probably eliminate that as a possibility.
Admittedly, our terminology for SNMP is somewhat cryptic
SNMP community string - this field is the datasource is mandatory, but irrelevant for SNMP v3 configs. So, you need to populate it with something, but the value is not used in v3 configs
User name - this field is optional, as it is irrelevant for anything *but* SNMP v3 configs. It is functionally mandatory for snmp v3 configs
Password - this field is optional, as it is irrelevant for anything *but* SNMP v3 configs. It it MAY be functionally mandatory for snmp v3 configs, depending on how your device (in this case, a Cisco MDS switch) is configured
SNMP Auth Protocol - only relevant for v3 configs. MD5 | SHA | NO_AUTH
SNMP Privacy Protocol - only relevant for v3 configs DES | TRIPLEDES | AES | NONE
SNMP Privacy Password - only relevant for v3 configs
The tricky stuff with snmpv3:
You can configure a switch where no authentication or encryption (privacy) is required - in which case, from an OCI perspective, you simply need to:
set SNMP auth protocol to NO_AUTH
set SNMP privacy protocol to NONE
And you should be in business
snmpWalk.bat 126.96.36.199 -v3 -snostiguy
Would be a way of testing such a config for user "ostiguy"
At the opposite extreme, authentication and encryption could be required. And separate authentication passwords and encryption passwords could be required. For OCI:
I unfortunately don't have much for notes on SNMP v3 on Cisco. However:
It may be worth looking if any policies have been enabled on the switch to force certain levels of auth or encryption - if these have been set, but your user was not create in compliance with them, your user may be functionally unusable (i.e, no encryption password defined, but the switch only allows SNMPv3 usage with AES128).
I don't know if Cisco supports any crypto we don't support - OCI doesn't support AES 192 or 256 because Java doesn't, out of the box.
I am kinda over-due to take a look at this stuff on Cisco. We have a strongly Brocade playbook because in Brocade Virtual Fabric environments, you MUST use SNMPv3 to collect performance, or else you cannot get statistics on the non-default Virtual Fabric
Thanks very much for all those details! I'm going to forward this info over to networking and see what they have to say for themselves.
We do require an authentication, and we are currently using SNMP auth protocol MD5 and SNMP Privacy Protocol DES. It's possible that I'm running the command incorrectly, but what is returned (some items redacted to protect the innocent):
you MUST use SNMPV3 you MUST have a valid RO Community String you MUST have an SNMP V3 user account and password you MUST set the privacy and auth protocols to match you MUST have an access control entry in the SNMP setup