SNMPV3 Configuration

uni1389
Level 1

Hello Team, I am trying to configure SNMPv3 with MD5/SHA. With MD5 it is working, but SHA is not working. Snapshots from SNMP Tester are also attached for reference.

************************************************************

Cisco IOS XE Software, Version 17.03.04a
Cisco IOS Software [Amsterdam], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.4a, RELEASE  

snmp-server user CheckMK01 CheckMK v3 auth md5 Cisco123456 priv des Cisco123456

snmp-server user CheckMK CheckMK v3 auth sha Cisco123456 priv aes 256 Cisco123456


CSR-SiteA#show snmp user

User name: CheckMK
Engine ID: 8000000903005000002D0000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: CheckMK

User name: CheckMK01
Engine ID: 8000000903005000002D0000
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: CheckMK

CSR-SiteA#

*********************************************************

4 Replies

uni1389
Level 1

uni1389_0-1754153877926.png

uni1389_1-1754153891385.png

 

 

snmp-server user CheckMK CheckMK v3 auth sha Cisco123456 priv aes 256 Cisco123456 <<- try priv des not aes 256

AES 256 needs a security license, I think.

MHM

Jens Albrecht
Spotlight

Hello @uni1389,

I just tested this with IOS-XE 17.3.8a and an active ax license.

The problems are due to AES-256 and not to SHA. The ax license includes the security license and AES-256 is still not working. I also did a quick test on another routing platform with the same result. So it has nothing to do with the license.

You can use SHA if you combine it with AES-128 encryption. This works reliably on both platforms I tested.

Well, and really never use DES. That's broken and simply means that you do not use encryption.

So using this command should work:

snmp-server user CheckMK CheckMK v3 auth sha Cisco123456 priv aes 128 Cisco123456

HTH!

Just completed some additional tests on the second platform which is a Cat8000v running IOS-XE 17.16.1a.

This confirmed that the problems are due to the combination of SHA with AES-256.

These newer software versions support SHA-2 which works just fine with AES-256.
So on the Cat8000v the following users do work:

snmp-server user SNMP3U4 SNMP3G v3 auth sha-2 256 MyS3cureAuth priv aes 256 MyS3curePriv
snmp-server user SNMP3U5 SNMP3G v3 auth sha-2 512 MyS3cureAuth priv aes 256 MyS3curePriv

However, the combination of SHA with AES-256 does not work on this platform either.

SHA-2 support for SNMPv3 was introduced with IOS-XE 17.10.1a.
If you are running any older version that only supports SHA you are limited to AES-128 encryption.

HTH!
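
Added example, not part of the thread and not Cisco's code: the RFC 3414 password-to-key localization applied to the auth/priv pairs tested above, comparing the length of the localized key with the key material each cipher consumes. The key sizes in `PRIV_KEY_LEN` and the helper names are assumptions of this sketch. Where the localized key is shorter than the cipher needs, agent and manager must agree on a key-extension method; that is one plausible source of a mismatch, not something the thread confirms.

```python
import hashlib

# Localized-key hash per auth protocol (names follow the IOS-XE keywords).
AUTH_HASH = {"md5": hashlib.md5, "sha": hashlib.sha1,
             "sha-2 256": hashlib.sha256, "sha-2 512": hashlib.sha512}
# Key material each privacy protocol consumes, in bytes (assumed standard
# sizes: DES = 8 key + 8 pre-IV, AES-128 = 16, AES-256 = 32).
PRIV_KEY_LEN = {"des": 16, "aes 128": 16, "aes 256": 32}


def localized_key(password: str, engine_id: bytes, auth: str) -> bytes:
    """RFC 3414 A.2: hash 1 MiB of repeated password, then bind to engine ID."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    h = AUTH_HASH[auth]
    reps, rem = divmod(1048576, len(pw))
    ku = h(pw * reps + pw[:rem]).digest()          # user key Ku
    return h(ku + engine_id + ku).digest()         # localized key Kul


def check(auth: str, priv: str, password: str, engine_hex: str):
    """Return (localized key bytes, bytes the cipher needs, long enough?)."""
    have = len(localized_key(password, bytes.fromhex(engine_hex), auth))
    need = PRIV_KEY_LEN[priv]
    return have, need, have >= need


if __name__ == "__main__":
    engine = "8000000903005000002D0000"   # Engine ID from `show snmp user`
    combos = [("md5", "des"), ("sha", "aes 128"), ("sha", "aes 256"),
              ("sha-2 256", "aes 256"), ("sha-2 512", "aes 256")]
    for auth, priv in combos:
        have, need, ok = check(auth, priv, "Cisco123456", engine)
        note = "direct" if ok else "needs key extension"
        print(f"auth {auth:<9} priv {priv:<7} key {have:>2}B need {need}B  {note}")
```

Only the `sha` with `aes 256` pair comes up short (20 bytes available, 32 needed), which lines up with the combinations reported as working and failing in the replies above.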