10-23-2013 01:31 PM
I've run into some problems trying to get SNMPv3 informs to work.
Currently I am working with this simplified (by removing views and ACLs) config:
snmp-server engineID remote XX.XX.XX.XX XXXXXXXXXXXXX
snmp-server group foobar v3 priv
snmp-server user foo foobar remote XX.XX.XX.XX auth sha XXXXXXXXXX priv aes 128 XXXXXXXXXXXX
snmp-server manager enable
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps errdisable
snmp-server host XX.XX.XX.XX informs version 3 priv foo vlancreate vlandelete port-security envmon power-ethernet config syslog mac-notification vlan-membership errdisable snmp
...not sure if the traps lines are even needed. I made sure to enter the snmp user after the remote engineid.
Anyway, problem number 1 is that with this configuration I always get no attempts to send informs:
SNMP Manager-role output packets
0 Get-request PDUs
0 Get-next PDUs
0 Get-bulk PDUs
0 Set-request PDUs
0 Inform-request PDUs
0 Timeouts
0 Drops
SNMP Manager-role input packets
0 Inform request PDUs
0 Trap PDUs
0 Response PDUs
0 Responses with errors
SNMP informs: enabled
Informs in flight 0/25 (current/max)
Logging to XX.XX.XX.XX
0 sent, 0 in-flight, 0 retries, 0 failed, 0 dropped
SNMP agent enabled
Problem number 2 is that whenever I reboot the switch, the remote user definitions disappear. This happens on two different platforms/IOS versions (3560 12.2(55)SE5 and 2960 15.0(2)SE4); otherwise I'd chalk it up to a regression. It also happens no matter how much I try to downgrade the auth/priv level -- even to v2c user definitions. Before the reboot the users are listed as stored in nonvolatile, just like all the local users.
Can anyone spot any missing components from this config? Has anyone else seen the lost snmp user entries behavior?
10-24-2013 11:04 AM
Yay... finally figured out a workaround for this one. If you add a local snmp user with the same name and parameters as the remote SNMP user, then everything suddenly works. A clue if you are having this problem is that when you list snmp users after adding the remote user, it does not show a Group-name for the user. After adding the local user, it shows a Group-name, informs get sent (using the remote user/engineID no less!) and the switch remembers both users after a reboot.
So the correction to the above configuration is:
snmp-server engineID remote XX.XX.XX.XX XXXXXXXXXXXXX
snmp-server group foobar v3 priv
snmp-server user foo foobar remote XX.XX.XX.XX auth sha XXXXXXXXXX priv aes 128 XXXXXXXXXXXX
snmp-server user foo foobar auth sha XXXXXXXXXXX priv aes 128 XXXXXXXXXXXXX
snmp-server manager enable
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps errdisable
snmp-server host XX.XX.XX.XX informs version 3 priv foo vlancreate vlandelete port-security envmon power-ethernet config syslog mac-notification vlan-membership errdisable snmp
Probably more people haven't noticed this problem because they configure the local user first before they realize they need to configure a remote user after consulting the docs, and do not delete the local user.
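As an added example (not from this thread and not a Cisco tool), a small Python linter that checks a pasted snmp-server block for the three conditions the posts above turn on: the engineID remote line preceding the remote user, the local twin of the remote user that makes informs flow, and the inform host referencing a remote user for that host who sits in a v3 group. The host address, engineID and secrets in the sample are constructed placeholders.

```python
def parse_snmp(config):
    """Collect engineID/remote lines, v3 groups, local and remote users, and v3 inform hosts."""
    p = {"engine": [], "groups": {}, "local": {}, "remote": {}, "informs": []}
    for n, line in enumerate(config.splitlines(), 1):
        t = line.split()
        if t[:1] != ["snmp-server"] or len(t) < 4:
            continue
        if t[1:3] == ["engineID", "remote"]:
            p["engine"].append((t[3], n))                        # (host, line number)
        elif t[1] == "group" and "v3" in t:
            p["groups"][t[2]] = t[t.index("v3") + 1]             # noauth / auth / priv
        elif t[1] == "user" and "remote" in t:
            p["remote"][t[2]] = {"group": t[3], "host": t[t.index("remote") + 1], "line": n}
        elif t[1] == "user":
            p["local"][t[2]] = t[3]                               # user name -> group
        elif t[1] == "host" and "informs" in t and "version" in t:
            i = t.index("version")
            if t[i + 1] == "3":
                p["informs"].append((t[2], t[i + 2], t[i + 3]))   # (host, level, user)
    return p

def lint(config):
    """Return a list of findings; an empty list means every check passed."""
    p, findings = parse_snmp(config), []
    for name, u in p["remote"].items():
        # 1. 'engineID remote <host>' must already exist when the remote user is entered.
        if not any(h == u["host"] and ln < u["line"] for h, ln in p["engine"]):
            findings.append(f"remote user '{name}': no engineID remote {u['host']} before line {u['line']}")
        # 2. The workaround from the second post: a local user with the same name and group.
        if p["local"].get(name) != u["group"]:
            findings.append(f"remote user '{name}': no local user with the same name in group '{u['group']}'")
    for host, _level, user in p["informs"]:
        # 3. The inform user needs a remote definition for that host and must sit in a v3 group.
        r = p["remote"].get(user)
        if r is None or r["host"] != host:
            findings.append(f"inform host {host}: user '{user}' has no remote definition for this host")
        if (p["local"].get(user) or (r or {}).get("group")) not in p["groups"]:
            findings.append(f"inform host {host}: user '{user}' is not in a v3 group")
    return findings

# Constructed sample modelled on the first config in the thread; host and secrets are placeholders.
BROKEN = """\
snmp-server engineID remote 192.0.2.10 ENGINEID_PLACEHOLDER
snmp-server group foobar v3 priv
snmp-server user foo foobar remote 192.0.2.10 auth sha AUTH_PLACEHOLDER priv aes 128 PRIV_PLACEHOLDER
snmp-server host 192.0.2.10 informs version 3 priv foo config snmp
"""
# The corrected config: the same user also defined locally.
FIXED = BROKEN + "snmp-server user foo foobar auth sha AUTH_PLACEHOLDER priv aes 128 PRIV_PLACEHOLDER\n"
```

lint(BROKEN) reports the missing local user, and lint(FIXED) returns an empty list; feeding it a real `show running-config | include snmp-server` output works the same way.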