2015-08-21 06:32 AM
I'm trying to find a bit more information and guidance regarding the below error:
"Snmp error code: 43 error message: Error Sending PDU. Failed to authenticate the SecurityParameters for user <username> SnmpEngineEntry not found for address <IP address> port 161"
The switches are located at a remote site, and I've been increasing the timeout to try and accommodate for the distance. Would an RAU assist in acquiring switches? We have an existing RAU at this location to assist with acquiring an array, and I'm curious if it can pull double-duty.
2015-08-21 08:45 AM
This looks more like a misconfiguration than a timeout / latency issue. Have these datasources ever worked?
From your error message, with username cited, are you using SNMPv3?
SNMPv3 data is identical to v2; what is different is that SNMP v1 and v2 have a simplistic security model using community strings (functionally shared secrets), whereas v3 allows authentication and encryption.
However, since SNMP is UDP based, it can be a bit tricky to troubleshoot, as you are not guaranteed to get a reply if your request doesn't meet the expectations of the receiving device.
OCI ships a snmpwalk.bat that allows you to test SNMP outside of a datasource.
If you know whether you should or should not be using SNMP v3, I can give you some examples.
snmpwalk.bat 184.108.40.206 -v2 -cpublic
If you see a ton of stuff scroll past, good. If it times out, that is a sign that "public" is not a valid community string on device 220.127.116.11, or SNMP v2 may not be enabled.
2015-08-21 08:56 AM
Yes, we are using V3 and no, they have never worked. We do have additional MDS switches that are local and we are acquiring just fine. It is just those at the remote location with the issue.
A specific community string was created for OCI (by the admins, not by me), which seems to work for the local, but not the remote.
I ran the command below, using -v2 and -v3 and using the community string name that was set up, and also with -cpublic...whatever I adjusted for, there was not a lot of scrolling of anything.
2015-08-21 10:35 AM
So, the good news I can offer you is that the reply back, or error, you are seeing in the OCI datasource is a pretty good sign that there is no firewall between OCI and the device in question, so I think we can probably eliminate that as a possibility.
Admittedly, our terminology for SNMP is somewhat cryptic:
SNMP community string - this field in the datasource is mandatory, but irrelevant for SNMP v3 configs. So, you need to populate it with something, but the value is not used in v3 configs.
User name - this field is optional, as it is irrelevant for anything *but* SNMP v3 configs. It is functionally mandatory for snmp v3 configs
Password - this field is optional, as it is irrelevant for anything *but* SNMP v3 configs. It MAY be functionally mandatory for SNMP v3 configs, depending on how your device (in this case, a Cisco MDS switch) is configured.
SNMP Auth Protocol - only relevant for v3 configs. MD5 | SHA | NO_AUTH
SNMP Privacy Protocol - only relevant for v3 configs. DES | TRIPLEDES | AES | NONE
SNMP Privacy Password - only relevant for v3 configs
The tricky stuff with snmpv3:
You can configure a switch where no authentication or encryption (privacy) is required - in which case, from an OCI perspective, you simply need to:
set SNMP auth protocol to NO_AUTH
set SNMP privacy protocol to NONE
And you should be in business
snmpwalk.bat 18.104.22.168 -v3 -snostiguy
Would be a way of testing such a config for user "ostiguy"
At the opposite extreme, authentication and encryption could be required. And separate authentication passwords and encryption passwords could be required. For OCI:
populate username with extreme
populate password with authpasswordhere
set SNMP auth protocol to SHA
set SNMP Privacy Protocol to AES
Set SNMP Privacy Password to privpasswordhere
To test this with our snmpwalk.bat:
snmpwalk.bat 22.214.171.124 -v3 -snextreme -uaauthpasswordhere -sha -privpcAES128 -privpprivpasswordhere
I unfortunately don't have much for notes on SNMP v3 on Cisco. However:
It may be worth looking if any policies have been enabled on the switch to force certain levels of auth or encryption - if these have been set, but your user was not created in compliance with them, your user may be functionally unusable (i.e., no encryption password defined, but the switch only allows SNMPv3 usage with AES128).
I don't know if Cisco supports any crypto we don't support - OCI doesn't support AES 192 or 256 because Java doesn't, out of the box.
I am kind of overdue to take a look at this stuff on Cisco. We have a strong Brocade playbook because in Brocade Virtual Fabric environments you MUST use SNMPv3 to collect performance, or else you cannot get statistics on the non-default Virtual Fabric.
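The post above describes the SNMPv3 fields and the "user created outside the switch policy" failure mode, and the error in the first post mentions an engine entry. The following is an added example, not code from the thread or from OCI/SANscreen: it implements two pieces of the USM mechanics (RFC 3414) that any SNMPv3 manager, snmpwalk.bat included, has to get right before a switch will answer. First, password-to-key localization: the manager never sends the password; it hashes it into a key and binds that key to the agent's snmpEngineID, so it must learn the engine ID before it can authenticate at all, and the same password yields a different key for every engine. Second, the securityLevel derived from the auth/priv fields, checked against a switch policy. The auth and privacy protocol names are the OCI ones quoted in the post; the policy dictionary shape and the switch policy values are this example's own assumptions. The key-localization test vector is the one published in RFC 3414 Appendix A.3.

```python
"""Added example (not from the thread, not OCI code): SNMPv3 USM key
localization (RFC 3414 A.2) and securityLevel / policy checks."""
import hashlib

# RFC 3414 Appendix A.3 test vector: password "maplesyrup", 12-octet engine ID.
TEST_PASSWORD = b"maplesyrup"
TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")

AUTH_HASH = {"MD5": "md5", "SHA": "sha1"}   # OCI auth protocol -> hashlib name
PRIV_CIPHERS = {"DES", "TRIPLEDES", "AES"}  # OCI privacy protocols that encrypt
LEVEL_RANK = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


def password_to_key(password: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """RFC 3414 password-to-key, then localization to the agent's engine ID.

    Ku  = H(password repeated to exactly 1,048,576 octets)
    Kul = H(Ku || snmpEngineID || Ku)
    The agent stores Kul, not the password, so a manager that has not
    discovered the correct engine ID cannot produce a valid authenticator.
    """
    if not password:
        raise ValueError("USM password must not be empty")
    hash_name = AUTH_HASH[auth_protocol]
    repeats = 1048576 // len(password) + 1
    ku = hashlib.new(hash_name, (password * repeats)[:1048576]).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def security_level(auth_protocol: str, priv_protocol: str,
                   auth_password: str = "", priv_password: str = "") -> str:
    """Map the datasource fields (NO_AUTH|MD5|SHA, NONE|DES|TRIPLEDES|AES)
    to the USM securityLevel, rejecting combinations USM does not allow."""
    if auth_protocol != "NO_AUTH" and auth_protocol not in AUTH_HASH:
        raise ValueError(f"unknown auth protocol {auth_protocol!r}")
    if priv_protocol != "NONE" and priv_protocol not in PRIV_CIPHERS:
        raise ValueError(f"unknown privacy protocol {priv_protocol!r}")
    has_auth = auth_protocol != "NO_AUTH"
    has_priv = priv_protocol != "NONE"
    if has_priv and not has_auth:
        raise ValueError("USM has no 'noAuthPriv': privacy requires authentication")
    if has_auth and not auth_password:
        raise ValueError(f"{auth_protocol} authentication needs an auth password")
    if has_priv and not priv_password:
        raise ValueError(f"{priv_protocol} privacy needs a privacy password")
    if has_priv:
        return "authPriv"
    return "authNoPriv" if has_auth else "noAuthNoPriv"


def policy_problems(level: str, priv_protocol: str, policy: dict) -> list:
    """Reasons an agent enforcing `policy` would refuse this user.
    Policy shape is hypothetical: {"min_level": ..., "allowed_priv": {...}}."""
    problems = []
    if LEVEL_RANK[level] < LEVEL_RANK[policy["min_level"]]:
        problems.append(f"{level} is below the required {policy['min_level']}")
    if level == "authPriv" and priv_protocol not in policy["allowed_priv"]:
        problems.append(f"{priv_protocol} not in allowed ciphers "
                        f"{sorted(policy['allowed_priv'])}")
    return problems


if __name__ == "__main__":
    print("RFC 3414 MD5 Kul :", password_to_key(TEST_PASSWORD, TEST_ENGINE_ID, "MD5").hex())
    # Same password, different engine ID -> different key: discovery must succeed first.
    other_engine = bytes.fromhex("800000090300aabbccddeeff")   # constructed engine ID
    print("other engine Kul :", password_to_key(TEST_PASSWORD, other_engine, "MD5").hex())

    # Constructed switch policy: the "only AES128 allowed" situation from the post.
    switch_policy = {"min_level": "authPriv", "allowed_priv": {"AES"}}
    for fields in [("SHA", "AES", "authpasswordhere", "privpasswordhere"),
                   ("MD5", "DES", "authpw", "privpw"),
                   ("SHA", "NONE", "authpw", "")]:
        lvl = security_level(*fields)
        print(fields[:2], lvl, policy_problems(lvl, fields[1], switch_policy) or "OK")
```

Running it shows the MD5-localized key from the RFC vector, a different key for the second engine ID, and that of the three datasource configurations only SHA/AES passes the constructed AES-only policy; MD5/DES is refused for the cipher and SHA with no privacy for the level, which is the "functionally unusable user" case described above.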
2015-08-21 11:55 AM
Thanks very much for all those details! I'm going to forward this info over to networking and see what they have to say for themselves.
We do require authentication, and we are currently using SNMP auth protocol MD5 and SNMP Privacy Protocol DES. It's possible that I'm running the command incorrectly, but this is what is returned (some items redacted to protect the innocent):
D:\SANscreen\bin>snmpwalk.bat 126.96.36.199 -v3 -sn<name> -au<password> -md5 -privpcdes -privp<password>
Host=188.8.131.52:161 Timeout=1000ms Retries=1 Debug=false Version=SNMPv3 Community=public User=<name> AuthProtocol=MD5 sessionName=null_0
End of MIB Reached
Total # of Requests = 0
Total # of Objects = 0
Thank you again for your help today!
2015-08-28 12:24 PM