cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9915
Views
6
Helpful
10
Replies

SNMPv3 with AES256 not working in Cisco Routers

pgyogeshkumar
Level 1
Level 1

We have configured SNMPv3 with AES256 encryption in Cisco routers available in our network.

However we see that devices are unable to manage from NMS if we configure with AES256 whereas  with AES128 its getting discovered properly.

Even we tried snmpwalk with AES256  from NMS but no success, however with AES128 snmpwalk is successful,

We even tried using other tools apart from NMS for snmpwalk but still with AES256 alone is unsuccessful.

Please confirm whether cisco routers will support snmpv3 with AES256. Is there any way to check and diagnose in routers that AES256 is supported in Routers ?

10 Replies 10

Marvin Rhoads
Hall of Fame
Hall of Fame

Most routers and switches with relatively recent code (say the last 4-5 years or newer) will support AES-256 for SNMPv3 privacy.

However, not all management systems will support it. For instance, Cisco Prime Infrastructure does not (as of the current latest release 3.1):

Reference: http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-1/administrator/guide/PIAdminBook/config_server_settings.html#22136

  • snmpv3_privacy_type:SNMP V3 privacy type. Can be None or DES or CFB-AES-128

What is your NMS product and version?

Hi

Is there any way to confirm that snmpv3 with aes256 is working properly from router end ? By means of any show commands ?

Please confirm is there any freeware that support SNMP v3 with aes256, to get that checked from device .

I read in some document that for aes256 it will use separate usm-ext MiB.. however I don't understand that exactly. How to check if I have this MiB in router ?

I am not sure any products or even freeware tools will allow you to query using AES256 (or 192). Neither has been adopted per se:

http://www.net-snmp.org/wiki/index.php/Strong_Authentication_or_Encryption

If you "show snmp user" you can see the configured privacy protocol. As shown here, you can add users with AES256 parameter - but it's mostly academic as no products that I know of support it.

CORE#show snmp user
User name: cprime
Engine ID: 800000090300A46C2A35E974
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: <redacted>

User name: testuser
Engine ID: 800000090300A46C2A35E974
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES256
Group-name: testgroup

Hi Marvin

Thanks for your help,

SNMPv3 with AES256 encryption is working now with our network devices

Hello pgyoges - what are the steps you had followed up to resolve aes 256 got discovered

Marvin --

I'm having trouble accessing my ASRs via SNMP V3 since it only allows me to enter credentials for CFN-AES-128 when I enter my parameters on Cisco Prime v 3.1

What can do to overcome this issue and configure Prime to be able to use AES-256

Thank you in advance,

As I mentioned earlier, Prime Infrastructure does not support AES-256 for SNMPv3 privacy. That remains the case with the current 3.1.5 update. 

Reference:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-1-5/administrator/guide/PIAdminBook/config_server_settings.html?bookSearch=true

Thanks Marvin. There is a forum where I found that Prime can be configured to support AES-256. I'm going to test it in my environment and will let you know how it goes.

Thanks again!

Robert Reese
Level 1
Level 1

FYI - if you are having trouble getting a third party SNMP tool to work with Cisco AES192/256, then it is probably because Cisco implemented this in a different way from the draft standard.

The draft standard for AES192/256 is:
https://tools.ietf.org/html/draft-blumenthal-aes-usm-04

and specifies a private key localization method for generating the needed private 192/256 bit key from the secret.  

However, Cisco used the key localization method for the 3DES draft standard for their AES192/256 key
https://tools.ietf.org/html/draft-reeder-snmpv3-usm-3desede-00

so this breaks some third party SNMP tools (i.e., SnmpGet from SnmpSoft does not work, but Solar Winds MiB browser does work).  Extreme Networks has followed Cisco's lead on this, so it seems like Cisco has established a de-facto standard for this. 

nostajan1
Level 1
Level 1

'AES-256' is supported from net-snmp 5.8 and later, and cisco should use 'AES-256-C' protocol instead of 'AES-256'.

http://www.net-snmp.org/wiki/index.php/Strong_Authentication_or_Encryption

ex (net-snmp v5.9.3)> snmpwalk -v3 -l authPriv -u user -a SHA -A "PASSPHRASE" -x AES-256-C -X "PASSPHRASE" 1.1.1.1 sysName

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: