07-19-2023 05:55 PM
Hello,
Thank you for reading.
Zabbix, version 6.4, will be collecting traps from my 9300 Cisco Catalyst switch on version 16.6.1.
I am having authentication issues with SNMPv3 utilizing AES 128, 192, and 256. However, I am able to authenticate utilizing DES for my encryption.
The commands I am using for AES are:
snmp-server group aesgroup v3 priv read READERS
snmp-server user aesuser aesgroup v3 auth sha authpass priv aes 256 cryptpass
snmp-server host 10.10.1.1 version 3 priv aesuser
The commands I am using for DES are:
snmp-server group desgroup v3 priv read READERS
snmp-server user desuser desgroup v3 auth sha authpass priv des cryptpass
snmp-server host 10.10.1.1 version 3 priv desuser
DES authenticates with Zabbix.
Some assistance will be great.
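Added example, not part of any post in this thread: RFC 3826 defines only AES-128 for SNMPv3, and a SHA-1 localized key is 20 bytes, so AES-192/256 need a non-standard key extension for which two drafts exist (Blumenthal and Reeder). The sketch below derives the privacy key both ways so you can see that AES-128 keys agree while the larger sizes do not; the engine ID is constructed, and which scheme the switch and the manager each use is not stated in this thread and has to be checked per product.

```python
import hashlib

MIB = 1048576  # RFC 3414 A.2 hashes exactly 1 MiB of repeated passphrase

def password_to_key(passphrase: bytes, alg: str = "sha1") -> bytes:
    """Passphrase -> user key Ku (RFC 3414 A.2)."""
    if not passphrase:
        raise ValueError("empty passphrase")
    stream = (passphrase * (MIB // len(passphrase) + 1))[:MIB]
    return hashlib.new(alg, stream).digest()

def localize(ku: bytes, engine_id: bytes, alg: str = "sha1") -> bytes:
    """Ku -> localized key Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(alg, ku + engine_id + ku).digest()

def localized_key(passphrase: bytes, engine_id: bytes, alg: str = "sha1") -> bytes:
    return localize(password_to_key(passphrase, alg), engine_id, alg)

def extend_blumenthal(kul: bytes, need: int, alg: str = "sha1") -> bytes:
    """Blumenthal draft: append H(key so far) until long enough."""
    key = kul
    while len(key) < need:
        key += hashlib.new(alg, key).digest()
    return key[:need]

def extend_reeder(kul: bytes, engine_id: bytes, need: int, alg: str = "sha1") -> bytes:
    """Reeder draft: rerun passphrase-to-key + localization on the key so far."""
    key = kul
    while len(key) < need:
        key += localize(password_to_key(key, alg), engine_id, alg)
    return key[:need]

def compare(passphrase: bytes, engine_id: bytes) -> dict:
    """For each AES size, do both extension schemes give the same privacy key?"""
    kul = localized_key(passphrase, engine_id)  # 20 bytes with SHA-1
    result = {}
    for bits in (128, 192, 256):
        n = bits // 8
        result[bits] = extend_blumenthal(kul, n) == extend_reeder(kul, engine_id, n)
    return result

# Constructed engine ID for illustration; read the real one from "show snmp engineID".
ENGINE_ID = bytes.fromhex("800000090300aabbccddeeff")

if __name__ == "__main__":
    print(compare(b"cryptpass", ENGINE_ID))
```

If the two ends extend the key differently, authentication still succeeds and only decryption of the scoped PDU fails.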
07-19-2023 10:41 PM
Hello!
I really wouldn't recommend using DES, but still...
Your configuration seems as it should. What is the output of show snmp user?
BR
07-20-2023 02:08 PM
Today, the host and switch decided to connect utilizing AES 128. However, I am not getting any data on the host. I did a Wireshark capture, and I see the get request from the host, and I decrypted the data, and the following SNMP packets are Malformed.
My current SNMP configuration is:
snmp-server group aesgroup v3 priv read v1default
snmp-server user aesuser aesgroup v3 auth sha authpass priv aes 128 cryptpass
snmp-server host 10.10.1.1 version 3 priv aesuser
show snmp user displays username, engineID, storagetype: nonvolatile active, authentication protocol, privacy protocol, and groupname.
07-22-2023 01:58 AM
Hello,
I don't know what environment you are running Zabbix in, but the thread below might be useful:
https://www.zabbix.com/forum/zabbix-help/443645-snmpv3-unsupported-authentication-protocol
07-22-2023 04:55 AM
I appreciate the response. The issue has to be with the switch and the version. I also tested the 9300 switch version 16.6.1 with Paessler, and I was getting an engineID error. I added some engineID configurations, and it did not work. Yesterday, I tested my SNMPv3 configurations on a 9200 switch version 17.0.2 if I remember correctly, and the switch did connect. Possibly the switch version on the 9300 may be bugged... I could not find any documentation on it.
07-23-2023 02:14 AM
Hello,
I did a bug search, and possibly the bug below applies (you are using aes 128 and not 192/256, but you still might want to give this a try). The workaround would be to use (I am not 100% sure about the syntax, the goal is to use 'sha256' for authentication instead of 'sha'):
snmp-server user aesuser aesgroup v3 auth sha256 authpass priv aes 128 cryptpass
07-24-2023 06:04 PM
I don't have any SHA options other than "SHA", but I will give that a try. In my Wireshark capture, I did see the Authentication complete. It was the privacy protocol that was "Malformed". I will give this a try though.
01-22-2025 04:58 AM
I definitely tried it on purpose; Cisco doesn't support any SHA variants with any values.
12-01-2023 12:57 AM
We have 2 networks that we monitor. Currently SolarWinds is running with SHA and aes128 on SNMP V3 with no issues. On the other network, I am trying to run Zabbix, and apparently SNMP v3 does not work correctly on the templates provided. You have to adjust the 'Security Name', 'Authentication passphrase' and 'Enter Privacy passphrase' in the .xml file.