
SNMP INFORM Requests not working with SNMP version 3

Arne Bier
VIP

Hello,

I have been spending hours trying to get SNMPv3 Informs working on any Cisco IOS or IOS-XE and it's just not working for me.

The reason I want to use Informs and not traps is that Informs are more reliable and will be queued and retried if the SNMP trap receiver does not acknowledge them. And the reasons for using SNMPv3 over v2 should be obvious.

IOS-XE 17.03 on Cisco CSR1000v (but I also tried this on other IOS versions)

Net-SNMP version 5.9.1 on Ubuntu Linux.

Just to be clear, I am able to do the following successfully with my setup:

  • Cisco SNMPv2 traps - working
  • Cisco SNMPv2 informs - working
  • Cisco SNMPv3 traps (authPriv) - working
  • Aruba Wireless Controller v8.6 SNMPv3 Informs (authPriv) - works perfectly (no need to configure the Net-SNMP EngineID in the Aruba config - it performs the RFC discovery process and gets the SNMPv3 report from Net-SNMP to learn the EngineID) - a shining example of how (easy) this should work.

The SNMP trap receiver is Net-SNMP snmptrapd and my snmptrapd.conf looks like this - the createUser -e entries are there with the EngineIDs for the SNMPv3 traps - those all work.

###############################################################################
#
# PLEASE: read the snmptrapd.conf(5) manual page as well!
#
# SNMPv2 for sanity checking
authCommunity log somecommunity
#
# SNMPv3 users below
# Cisco IOS
createUser -e 8000000903000CF58EB50000 SNMPV3_RO_TEST SHA TEST12345 AES TEST12345
# ArubaCX
createUser -e 8000b85c03080009f0ddc2 SNMPV3_RO_TEST SHA TEST12345 AES TEST12345
#Cisco ASA
createUser -e 80000009fe70aca831f335115b0b7c7e0a86a33bc37f56d8d2 SNMPV3_RO_TEST SHA TEST12345 AES TEST12345
#
# CSR1000v
#createUser -e 800000090300005056855488 SNMPV3_RO_TEST SHA TEST12345 AES TEST12345
# SNMPv3 Informs
createUser SNMPV3_RO_TEST SHA TEST12345 AES TEST12345
#
authUser log SNMPV3_RO_TEST

Here is my CSR1000v config - I am not 100% sure of the config required, and according to the RFC for SNMPv3 Informs, there should be no need for the sender to know or care about the remote engineID but I tried it with and without.

snmp-server user SNMPV3_RO_TEST SNMPV3_RO_TEST v3 auth sha TEST12345 priv aes 128 TEST12345
snmp-server engineID remote 172.22.128.120 80001F8804383030303146383830343536364536353734354136313632
snmp-server group SNMPV3_RO_TEST v3 priv notify ViewDefault
snmp-server inform
snmp-server view ViewDefault iso included
snmp-server trap-source GigabitEthernet1
snmp-server location Home Lab
snmp-server contact Local Admin
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server host 172.22.128.120 informs version 3 priv SNMPV3_RO_TEST  ospf config-copy config

And the SNMPv3 security User - the auth/priv passwords are as per the Net-SNMP config above

CSR#show snmp user

User name: SNMPV3_RO_TEST
Engine ID: 800000090300005056855488
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: SNMPV3_RO_TEST
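
An added example, not part of the original post: a Python sketch that decodes the engine IDs quoted in the configuration above per RFC 3411 and derives the RFC 3414 localized key for each, showing that the same password yields a different key under every engine ID. The function and dictionary names are this example's own; per RFC 3414 the authoritative engine is the sender for traps and the receiver for informs.

```python
import hashlib

# RFC 3411 SnmpEngineID: octets 1-4 = enterprise number with the top bit set,
# octet 5 = format, remaining octets = format-specific payload.
FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}

# Engine IDs copied from the configuration in the post above.
PAGE_IDS = {
    "csr1000v": "800000090300005056855488",
    "arubacx": "8000b85c03080009f0ddc2",
    "asa": "80000009fe70aca831f335115b0b7c7e0a86a33bc37f56d8d2",
    "remote": "80001F8804383030303146383830343536364536353734354136313632",
}

def decode_engine_id(hex_id):
    """Return (enterprise number, format name, payload) for an engine ID."""
    raw = bytes.fromhex(hex_id)
    if not 5 <= len(raw) <= 32:
        raise ValueError("SnmpEngineID must be 5 to 32 octets long")
    if not raw[0] & 0x80:
        raise ValueError("top bit clear: not the RFC 3411 variable-length layout")
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    fmt, payload = raw[4], raw[5:]
    kind = FORMATS.get(fmt, "enterprise-specific" if fmt >= 128 else "reserved")
    if kind == "text":
        return enterprise, kind, payload.decode("ascii", "replace")
    if kind == "ipv4":
        return enterprise, kind, ".".join(str(b) for b in payload)
    # All payload octets are shown; the Cisco IDs above carry 7 after the format byte.
    sep = ":" if kind == "mac" else ""
    return enterprise, kind, sep.join(f"{b:02x}" for b in payload)

def localize_key(password, hex_engine_id, algo="sha1"):
    """RFC 3414 A.2: hash 1 MiB of repeated password, then bind it to one engine."""
    pw = password.encode()
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.new(algo, stream).digest()
    return hashlib.new(algo, ku + bytes.fromhex(hex_engine_id) + ku).hexdigest()

if __name__ == "__main__":
    for name, hex_id in PAGE_IDS.items():
        print(name, decode_engine_id(hex_id), localize_key("TEST12345", hex_id)[:16])
```

The text payload of the `remote` entry decodes to a string that is itself a well-formed engine ID in hex, so it can be passed to `decode_engine_id` a second time.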
