SNMPv3 Encryption Issues on Cisco Catalyst 3850 (IOS 16.12.12) - Auth

immolation
Level 1

Hi Cisco Community,

I’ve been troubleshooting SNMPv3 on a Catalyst 3850-48U-E (IOS 16.12.12) for Zabbix 7.0.1 monitoring, aiming for SHA auth and AES-256 encryption. Auth-only works perfectly, but enabling privacy (encryption) results in timeouts. Has anyone seen this behavior on a 3850-48U-E and found a solution?

Setup and Config Attempts

  • Switch Details: Catalyst 3850 (WS-C3850-48U), IOS 16.12.12 (CAT3K_CAA-UNIVERSALK9, BUNDLE mode), VLAN 100 with DHCP IP 192.168.1.10, standalone (renumbered from Switch 2 to 1).
  • SNMPv3 with Encryption:
    snmp-server group MonitorGroup v3 priv read v1default
    snmp-server user MonitorUser MonitorGroup v3 auth sha AuthPass123 priv aes 256 PrivPass456
    snmp-server host 192.168.1.100 version 3 priv MonitorUser
    snmp-server enable traps
  • Test: snmpwalk -v3 -l authPriv -u MonitorUser -a SHA -A AuthPass123 -x AES256 -X PrivPass456 192.168.1.10—times out.
  • Debug: debug snmp packets shows packets arriving on VLAN 100, but returns usmStats.4.0 = 3 (Unknown Engine ID). Tried setting snmp-server engineID local 8000000903007001B595EC00—no change.
  • ACL Attempt: Added an access list to restrict SNMP:
    ip access-list extended SNMP-ALLOW
     permit udp host 192.168.1.100 host 192.168.1.10 eq 161
    interface vlan 100
     ip access-group SNMP-ALLOW in
    Blocked all traffic (including SSH), so removed it with no ip access-group SNMP-ALLOW in—traffic’s open now.
  • Working Config (Auth-Only):
    snmp-server group MonitorGroup v3 auth read v1default
    snmp-server user MonitorUser MonitorGroup v3 auth sha AuthPass123
  • Test: snmpwalk -v3 -l authNoPriv -u MonitorUser -a SHA -A AuthPass123 192.168.1.10—works fine, polls with Zabbix (Cisco IOS by SNMP template).
  • v1/v2c: Disabled with no snmp-server community public RO—v2c tests timeout, confirming it’s off.


The Problem

  • Auth-only (SHA-1) works, but AES-256 privacy fails consistently—timeout, no response beyond debug’s Engine ID error.
  • v2c worked before disabling, and ping to 192.168.1.10 is ~1.5ms, so UDP 161 isn’t blocked.
  • No ACLs now—ruled out filtering.


Key Details

  • IOS Version: 16.12.12
  • Model: WS-C3850-48U
  • Engine ID: 8000000903007001B595EC00 (from show snmp user)


Questions

  • Has anyone hit this SNMPv3 privacy issue on a Catalyst 3850 with IOS 16.12.x?
  • Could this be an IOS bug with AES-256, or is there a config step I’m missing?
  • Any workarounds besides auth-only?

Thanks for any pointers!
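As an added configuration example (not the original poster's config and not from any reply in this thread), the following shows one way to restrict SNMP to the Zabbix poller without the interface ACL that blocked SSH above, and the AES-128 privacy setting that the thread reports as working. An extended ACL applied inbound on the SVI ends in an implicit deny, so it dropped everything except SNMP from the poller; binding a standard ACL to the SNMPv3 group with the access keyword filters SNMP requests only. Addresses, user, group and passwords are the ones quoted in the post; the ACL name MGMT-SNMP is an assumption.

```ios
! Added example, not the original poster's running config.
! ACL name MGMT-SNMP is an assumption; addresses and credentials
! are the ones quoted in the post.
!
! Standard ACL matching only the Zabbix server. Bound to the SNMP group
! (not to interface vlan 100), it filters SNMP requests only and leaves
! SSH and other traffic on VLAN 100 untouched. Implicit deny at the end.
ip access-list standard MGMT-SNMP
 permit host 192.168.1.100
!
! SNMPv3 group: authPriv required, read-only view, source restricted by the ACL.
snmp-server group MonitorGroup v3 priv read v1default access MGMT-SNMP
!
! SNMPv3 user with SHA auth and AES-128 privacy, the combination the thread
! reports as working on this 3850 / 16.12.12 where AES-256 timed out.
snmp-server user MonitorUser MonitorGroup v3 auth sha AuthPass123 priv aes 128 PrivPass456
!
! Traps to the Zabbix server, also over authPriv.
snmp-server host 192.168.1.100 version 3 priv MonitorUser
snmp-server enable traps
!
! Verification from the switch:
!   show snmp group     - group, security model (v3 priv) and views
!   show snmp user      - MonitorUser with its auth and priv protocols
!   show snmp engineID  - local engine ID that the poller discovers on its first request
```

From the Zabbix host the matching net-snmp test is the authPriv snmpwalk from the post with -x AES (AES-128) in place of -x AES256. SNMPv3 keys are localized to the engine ID, so if snmp-server engineID local is changed later, the snmp-server user line has to be re-entered for the user to keep working.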

3 Replies

marce1000
Hall of Fame


- What happens when you try with AES-128 (instead of 256)?

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
   When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

AES-128 works.


- Probably a bug on the Cisco device,

 M.
