Re: CSPC SNMPv3 discovery issue - devices reporting "no auth" connection attempt.

Philip Badhams · ‎01-07-2019

Hi

I have installed CSPC 2.8.1 for a customer and they are experiencing an isssue where the CSPC is configured to use 'Priv Auth' but the devices are reporting the connection attempt is being made using "No Auth"

The Auth algorithm is using SHA and the privacy password is using AES-128.

The devices have been discovered using IP address and the SNMP security level on the switch is set to "Priv".

Can anbody assist in what would cause a device to report an SNMP connection attempt being made using 'no auth' when the collector is set to use 'Priv Auth'?

I have asked the customer to confirm the switch IOS versions and am awaiting a response. Any help in the mean time would be appreciated.

brawall · ‎01-09-2019

Philip,

Can you please share logs or screenshots of the switches reporting the SNMP connection attempts as "No Auth"? Can you also please share screenshot of the SNMPv3 credential configuration in the collector.

Thanks,

Brandon

Philip Badhams · ‎01-10-2019

Hi Brandon. Please see the switch debug below:

Switch debug:

Dec 27 2018 15:03:46.097 gmt: SNMP: Packet received via UDP from X.X.X.X on TenGigabitEthernet1/1/3

Dec 27 2018 15:03:46.098 gmt:

Incoming SNMP packet

Dec 27 2018 15:03:46.098 gmt: v3 packet security model: v3 security level: noauth

Dec 27 2018 15:03:46.098 gmt: username:

Dec 27 2018 15:03:46.098 gmt: snmpEngineID: 80000009030000425A434F00

Dec 27 2018 15:03:46.098 gmt: snmpEngineBoots: 0 snmpEngineTime: 0

Dec 27 2018 15:03:46.098 gmt: SNMP: Report, reqid 0, errstat 0, erridx 0

usmStats.4.0 = 258

The switches experiencing issues are:

WS-3850-12S (IOS Version 03.06.06E)

2960X (IOS Version 15.2(2)E6)

Thanks

brawall · ‎01-11-2019

From the collector CLI can you attempt an snmpwalk to see if it is successful

snmpwalk -v3 -l authPriv -u <USERNAME> -a sha -A <AUTHPASSWORD> -x aes -X <PRIVPASSWORD> <IPADDRESS> system

Thank you,

Philip Badhams · ‎01-21-2019

On Further investigation we believe it may be due to the use of special characters in the SNMPv3 password. Can anybody confirm if there are any issues with the use of special characters for SNMPv3?

brawall · ‎01-22-2019

Philip -- I have lab devices running v3 with special characters in the password and have no issue managing them with CSPC. If you are getting a failure doing the snmpwalk you can try escaping the characters.

Philip Badhams · ‎01-28-2019

When using a special character in the password we get the following message from snmpwalk.

"

No log handling enabled - turning on stderr logging

Error: passphrase chosen is below the length requirements of the USM (min=8).

snmpwalk: (The supplied password length is too short.)

Error generating a key (Ku) from the supplied authentication pass phrase."

It seem as though snmpwalk doesn’t recognise the special character

On a test device if we change the password so that it contains no special character the snmpwalk runs without any issues.

To save us from changing the snmp password is there anything that can be done?

brawall · ‎01-28-2019

Try escaping the " character with a backslash before it.

snmpwalk -v3 -l authPriv -u brawall -a sha -A test\"test1 -x aes -X test\"test1 <IP ADDRESS>

Thanks,

Brandon

Philip Badhams · ‎02-05-2019

HI Brandon.

We have tried that and get the following error:

No log handling enabled - turning on stderr logging

snmpwalk: Authentication failure (incorrect password, community or key)

it’s not happy about the \ in the password.

Is it possible to get a Webex with someone to look at the issue?

Thanks