2220 Views, 0 Helpful, 1 Reply

SNMP notify and remote SNMPv3 users

b.julin
Level 3

I've run into some problems trying to get SNMPv3 informs to work.

Currently I am working with this simplified (by removing views and ACLs) config:

snmp-server engineID remote XX.XX.XX.XX XXXXXXXXXXXXX
snmp-server group foobar v3 priv
snmp-server user foo foobar remote XX.XX.XX.XX auth sha XXXXXXXXXX priv aes 128 XXXXXXXXXXXX
snmp-server manager enable
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps errdisable
snmp-server host XX.XX.XX.XX informs version 3 priv foo vlancreate vlandelete port-security envmon power-ethernet config syslog mac-notification vlan-membership errdisable snmp

...not sure if the trap lines are even needed. I made sure to enter the snmp user after the remote engineID.

Anyway, problem number 1 is that with this configuration I never see any attempts to send informs:

SNMP Manager-role output packets
    0 Get-request PDUs
    0 Get-next PDUs
    0 Get-bulk PDUs
    0 Set-request PDUs
    0 Inform-request PDUs
    0 Timeouts
    0 Drops
SNMP Manager-role input packets
    0 Inform request PDUs
    0 Trap PDUs
    0 Response PDUs
    0 Responses with errors
SNMP informs: enabled
    Informs in flight 0/25 (current/max)
    Logging to XX.XX.XX.XX
        0 sent, 0 in-flight, 0 retries, 0 failed, 0 dropped
SNMP agent enabled

Problem number 2 is that whenever I reboot the switch, the remote user definitions disappear. This happens on two different platforms/IOS versions (3560 12.2(55)SE5 and 2960 15.0(2)SE4), otherwise I'd chalk it up to a regression. It also happens no matter how much I try to downgrade the auth/priv level, even to v2c user definitions. Before the reboot the users are listed as stored in nonvolatile, just like all the local users.

Can anyone spot any missing components from this config?  Has anyone else seen the lost snmp user entries behavior?

1 Reply

b.julin
Level 3

Yay... finally figured out a workaround for this one. If you add a local snmp user with the same name and parameters as the remote SNMP user, then everything suddenly works. A clue if you are having this problem is that when you list snmp users after adding the remote user, it does not show a Group-name for the user. After adding the local user, it shows a Group-name, informs get sent (using the remote user/engineID, no less!) and the switch remembers both users after a reboot.

So the correction to the above configuration is:

snmp-server engineID remote XX.XX.XX.XX XXXXXXXXXXXXX
snmp-server group foobar v3 priv
snmp-server user foo foobar remote XX.XX.XX.XX auth sha XXXXXXXXXX priv aes 128 XXXXXXXXXXXX
snmp-server user foo foobar auth sha XXXXXXXXXXX priv aes 128 XXXXXXXXXXXXX
snmp-server manager enable
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps errdisable
snmp-server host XX.XX.XX.XX informs version 3 priv foo vlancreate vlandelete port-security envmon power-ethernet config syslog mac-notification vlan-membership errdisable snmp

Probably more people haven't noticed this problem because they configure the local user first, before they realize (after consulting the docs) that they need to configure a remote user, and they do not delete the local user.
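Added example (editor's note, not part of either post above): the reason the inform sender needs a user tied to the receiver's engineID, shown in working code. RFC 3414 turns a USM password into a key in two steps: Ku = H(password repeated to 1,048,576 bytes), which is engine-independent, and then the localized key Kul = H(Ku || snmpEngineID || Ku), which is what actually authenticates and encrypts packets. For a trap the switch is the authoritative engine and its own engineID is used; for an inform the receiving manager is authoritative, so the switch must localize "foo"'s keys with the manager's engineID, which is exactly what `snmp-server engineID remote` plus `snmp-server user ... remote` supply. The script below reproduces the RFC 3414 Appendix A.3 test vectors (password "maplesyrup", engineID 00..02) and then shows that the same password localized against a second, constructed engineID gives a completely different key. The `sha1` variant matches the `auth sha` / `priv aes 128` combination used in the thread; the AES-128 key is the first 16 bytes of the localized priv key (RFC 3826). The second engineID value is invented for comparison only.

```python
"""
Added example: RFC 3414 USM key derivation and engineID localization.
Demonstrates why an SNMPv3 inform sender must hold keys localized to
the *receiver's* engineID rather than its own.
"""
import hashlib

PASSWORD_EXPANSION = 1048576  # RFC 3414 A.2: expand password to 1 MiB before hashing

# RFC 3414 Appendix A.3 test vector inputs (real, published values).
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Constructed engineID standing in for "the other side" (not a real device).
OTHER_ENGINE_ID = bytes.fromhex("800000090300aabbccddeeff")


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: hash of the password repeated/truncated to exactly 1,048,576 bytes."""
    if not password:
        raise ValueError("empty USM password")
    reps, rem = divmod(PASSWORD_EXPANSION, len(password))
    h = hashlib.new(hash_name)
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul: H(Ku || snmpEngineID || Ku), the key actually used on the wire."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 bytes (RFC 3411)")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_password: bytes, priv_password: bytes, engine_id: bytes,
             hash_name: str = "sha1") -> dict:
    """
    Derive the localized auth key and the AES-128 priv key for one
    (user, engineID) pair. Priv passwords are run through the same
    auth hash (RFC 3414 / RFC 3826); AES-128 uses the first 16 bytes.
    """
    auth_kul = localize_key(password_to_key(auth_password, hash_name), engine_id, hash_name)
    priv_kul = localize_key(password_to_key(priv_password, hash_name), engine_id, hash_name)
    return {"auth_key": auth_kul, "aes128_key": priv_kul[:16]}


def keys_for_both_engines(auth_password: bytes, priv_password: bytes,
                          local_engine_id: bytes, remote_engine_id: bytes,
                          hash_name: str = "sha1") -> dict:
    """
    What the switch needs for a trap (its own engineID) versus an inform
    (the manager's engineID). Same passwords, different localized keys:
    a user defined only against the local engineID cannot sign an inform.
    """
    local = usm_keys(auth_password, priv_password, local_engine_id, hash_name)
    remote = usm_keys(auth_password, priv_password, remote_engine_id, hash_name)
    return {
        "trap_keys": local,
        "inform_keys": remote,
        "keys_differ": local["auth_key"] != remote["auth_key"],
    }


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        ku = password_to_key(RFC3414_PASSWORD, algo)
        kul = localize_key(ku, RFC3414_ENGINE_ID, algo)
        print(f"{algo}: Ku={ku.hex()} Kul={kul.hex()}")
    result = keys_for_both_engines(b"authpassphrase", b"privpassphrase",
                                   RFC3414_ENGINE_ID, OTHER_ENGINE_ID)
    print("trap   auth key:", result["trap_keys"]["auth_key"].hex())
    print("inform auth key:", result["inform_keys"]["auth_key"].hex())
    print("differ:", result["keys_differ"])
```

Practical use: if informs are silently not sent or the manager reports "unknown engineID" / authentication failures, compute the localized key from the engineID the switch has stored (`show snmp engineID`) and the one the manager actually reports (for net-snmp, `snmpd -Dusm` or `snmpEngineID` in the manager's config). If the two engineIDs differ, the key derived above will differ too, and no amount of retyping the password will fix it; the `snmp-server engineID remote` value must match the receiver byte for byte.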