Re: SNMP v3 User lost after reboot

simon9665 · ‎01-21-2022

Using the configuration for SNMP v3 username on Cisco 3650 switches, the username is lost after the switch is rebooted.

show snmp user

User name: mySNMPUser
Engine ID: 800000090300B414892AA603
storage-type: nonvolatile active access-list: 82
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: snmpV3Grp

snmp-server ip dscp 11
snmp-server contact Business Systems Infrastructure Team
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps mac-notification change move threshold
snmp ifmib ifindex persist

snmp-server enable traps config
snmp-server enable traps syslog

snmp-server group snmpV3Grp v3 priv access 82
snmp-server user mySNMPUser snmpV3Grp v3 auth sha authPassword priv aes 256 privPassword access 82

marce1000 · ‎01-22-2022

- Do you also save the configuration to startup-config after configuring snmpv3 ?

M.

simon9665 · ‎01-22-2022

Yes I've saved the config.

Georg Pauwen · ‎01-22-2022

Hello,

what exactly is lost ? What is the output you posted, is that before of after the reboot ?

simon9665 · ‎01-22-2022

It appears that the user portion is lost.

So the output is pre-reboot, when I issue the command "show snmp users" after the reboot, there is no output, as in the output is blank.

Also and this is probably why, the username does not appear in the running config or startup config.

marce1000 · ‎01-22-2022

- This is a possible culprit : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt63576 . for a complete list of known issues with snmpv3 on the 3650 check , https://bst.cloudapps.cisco.com/bugsearch?pf=prdNm&kw=snmpv3&bt=custV&sb=anfr&prdNam=Cisco%20Catalyst%203650%20Series%20Switches , you may need to wait a few seconds when using that link before the bug list is presented. In the context of the two issues mentioned above check current software version being used and upgrade to the advisory release if applicable https://software.cisco.com/download/home/286309910/type/282046477/release/Gibraltar-16.12.5b , check if the problem remains after that.

M.

simon9665 · ‎01-22-2022

I have tried different switch models (3750, IE2000, 3650) and IOS versions (15.0(2)SE11, 15.2(4)EA9, 16.3.6) and they all behave that way.

marce1000 · ‎01-22-2022

- Did you try the 3650 with : https://software.cisco.com/download/home/286309910/type/282046477/release/Gibraltar-16.12.5b

M.

simon9665 · ‎01-23-2022

Yes and sadly the same.

I upgraded a 3650 from cat3k_caa-guestshell.16.03.06.SPA to cat3k_caa-universalk9.16.12.06.SPA same outcome

I upgraded a IE2000 from ie2000-universalk9-mz.152-4.EA9 to ie2000-universalk9-mz.152-8.E1 same outcome

I did one other test and I removed the auth, priv and access list and the user does then appear in the configuration.

snmp-server user mySNMPUser snmpV3Grp v3 or snmp-server user mySNMPUser snmpV3Grp v3 access 82 works but add anymore security and it's lost during the reboot as it's not in the configuration, either running or start-up.

marce1000 · ‎01-23-2022

- Raise a TAC case

M.

simon9665 · ‎01-23-2022

Already on that....

I think it's a bug with the username. The one I have configured is 29 characters and that is lost.

I'm going to change all of them now so I will post the actual name (and no those are not the operational passwords :)).

snmp-server user jcHXYLxgCSS6LoKKBcQ7ghaXGsye snmpV3Grp v3 auth sha password1 priv aes 256 password2 access 82

doesn't work (29 characters in the username) but...

snmp-server user PGNddmRkKTDt3psQd9jE2345678 snmpV3Grp v3 auth sha P@$4gCNjJhYojP7RoSKJqGrtkxBBmG9 priv aes 256 dr8NxkyitQaQ6QFt7mFAT5KsB8CG access 82

does work (28 characters).

I may well be blind but I couldn't find there was a size limit on the username field and if there is why doesn't the code error or warn of excess username length.