Beginner

SNMPv3 with AES256 not working in Cisco Routers

We have configured SNMPv3 with AES256 encryption in Cisco routers available in our network.

However, we see that devices cannot be managed from the NMS if we configure AES256, whereas with AES128 they are discovered properly.

We even tried snmpwalk with AES256 from the NMS but had no success; however, with AES128 snmpwalk is successful.

We also tried tools other than the NMS for snmpwalk, but AES256 alone is still unsuccessful.

Please confirm whether Cisco routers support SNMPv3 with AES256. Is there any way to check and diagnose in the routers that AES256 is supported?

8 Replies
Hall of Fame Guru

Most routers and switches with relatively recent code (say the last 4-5 years or newer) will support AES-256 for SNMPv3 privacy.

However, not all management systems will support it. For instance, Cisco Prime Infrastructure does not (as of the current latest release 3.1):

Reference: http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-1/administrator/guide/PIAdminBook/config_server_settings.html#22136

  • snmpv3_privacy_type:SNMP V3 privacy type. Can be None or DES or CFB-AES-128

What is your NMS product and version?

Beginner

Hi

Is there any way to confirm that SNMPv3 with AES256 is working properly from the router end, by means of any show commands?

Please confirm whether there is any freeware that supports SNMPv3 with AES256, so that it can be checked from the device.

I read in some document that for AES256 it will use a separate usm-ext MIB; however, I don't understand that exactly. How can I check whether I have this MIB in the router?

Hall of Fame Guru

I am not sure any products or even freeware tools will allow you to query using AES256 (or 192). Neither has been adopted per se:

http://www.net-snmp.org/wiki/index.php/Strong_Authentication_or_Encryption

If you run "show snmp user" you can see the configured privacy protocol. As shown here, you can add users with the AES256 parameter, but it's mostly academic, as no products that I know of support it.

CORE#show snmp user
User name: cprime
Engine ID: 800000090300A46C2A35E974
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: <redacted>

User name: testuser
Engine ID: 800000090300A46C2A35E974
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES256
Group-name: testgroup
Beginner

Hi Marvin

Thanks for your help.

SNMPv3 with AES256 encryption is now working with our network devices.

Beginner

Marvin --

I'm having trouble accessing my ASRs via SNMPv3, since Cisco Prime v3.1 only allows me to enter credentials for CFB-AES-128 when I enter my parameters.

What can I do to overcome this issue and configure Prime to use AES-256?

Thank you in advance,

Hall of Fame Guru

As I mentioned earlier, Prime Infrastructure does not support AES-256 for SNMPv3 privacy. That remains the case with the current 3.1.5 update. 

Reference:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-1-5/administrator/guide/PIAdminBook/config_server_settings.html?bookSearch=true

Beginner

Thanks Marvin. There is a forum where I found that Prime can be configured to support AES-256. I'm going to test it in my environment and will let you know how it goes.

Thanks again!

Beginner

FYI - if you are having trouble getting a third party SNMP tool to work with Cisco AES192/256, then it is probably because Cisco implemented this in a different way from the draft standard.

The draft standard for AES192/256 is:
https://tools.ietf.org/html/draft-blumenthal-aes-usm-04

and specifies a private key localization method for generating the needed 192/256-bit private key from the secret.

However, Cisco used the key localization method from the 3DES draft standard for their AES192/256 keys:
https://tools.ietf.org/html/draft-reeder-snmpv3-usm-3desede-00

so this breaks some third-party SNMP tools (e.g., SnmpGet from SnmpSoft does not work, but the SolarWinds MIB Browser does work). Extreme Networks has followed Cisco's lead on this, so it seems Cisco has established a de facto standard for this.
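As an added example (not code from the thread, from Cisco or from any tool vendor), the following Python derives a 256-bit SNMPv3 privacy key both ways from the RFC 3414 test vector, so the interoperability point in the reply above can be seen concretely: both methods start from the same RFC 3414 localized key, but the extension bytes differ. The exact extension steps encode my reading of the two drafts linked above and are an assumption.

```python
import hashlib

# Public RFC 3414 Appendix A.3 test vector (taken from the RFC, not constructed here)
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")

def password_to_ku(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated (wrapping) out to 1,048,576 bytes."""
    reps, rem = divmod(1_048_576, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()

def localize(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku), binding the key to one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def blumenthal_key(password: bytes, engine_id: bytes, hash_name: str, key_len: int) -> bytes:
    """draft-blumenthal-aes-usm-04 (my reading, an assumption): extend the *localized*
    key as Kul || H(Kul) || H(H(Kul)) ... and truncate to the cipher key length."""
    kul = localize(password_to_ku(password, hash_name), engine_id, hash_name)
    key = kul
    while len(key) < key_len:
        key += hashlib.new(hash_name, key[-len(kul):]).digest()
    return key[:key_len]

def reeder_key(password: bytes, engine_id: bytes, hash_name: str, key_len: int) -> bytes:
    """draft-reeder-snmpv3-usm-3desede-00 (my reading, an assumption; the method the
    reply says Cisco uses): rehash the *unlocalized* Ku, localize each round, concatenate."""
    ku = password_to_ku(password, hash_name)
    key = localize(ku, engine_id, hash_name)
    while len(key) < key_len:
        ku = hashlib.new(hash_name, ku).digest()
        key += localize(ku, engine_id, hash_name)
    return key[:key_len]

def compare_methods(password: bytes, engine_id: bytes, hash_name: str, key_len: int = 32) -> dict:
    """Derive one AES-256 key both ways. The first hash-length bytes agree (both are
    the RFC 3414 Kul); the extension bytes do not, so a manager using one method
    cannot decrypt PDUs from an agent whose key was built with the other."""
    b = blumenthal_key(password, engine_id, hash_name, key_len)
    r = reeder_key(password, engine_id, hash_name, key_len)
    n = hashlib.new(hash_name).digest_size
    return {"blumenthal": b.hex(), "reeder": r.hex(),
            "shared_prefix": b[:n] == r[:n], "identical": b == r}

if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(name, compare_methods(PASSWORD, ENGINE_ID, name))
```

When a third-party tool fails only with AES192/256 against a Cisco device, this is the mismatch to look for: the tool derives the first 16 or 20 bytes correctly but extends them the other way.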
