17 Replies Latest reply: Nov 18, 2013 7:32 AM by branfarm

SNMPv3 with ESXi?

mlwitten

Hi,

Putting this in the NPM group, since it is an SNMP issue....

Please don't ask me why (long story), but I am trying to get NPM to poll an ESXi server. Anyone get this to work? I have the ESXi 5.1 system configured for SNMPv3, however when I run a test connect from NPM it fails. The ESXi is spitting out a syslog message that indicates NPM has requested authNoPriv[2], and I have it set for both authorization and privacy, so the resulting connection is not supported.... I have both the authorization and privacy fields configured in NPM, so I am not sure why it is sending that kind of request. As a test, I dropped the ESXi back to auth only, and it quit giving errors, but it also still fails with no errors at the NPM end.

If anyone has the magic beans for the configuration on the ESXi side I might be missing, I'd appreciate them. I have tried this on two different ESXi boxes, and get the same results.

Note that I only need polling at this time, not traps.

I'll probably open a ticket on this as well.

Thanks!

-Mike

  • Re: SNMPv3 with ESXi?
    rob.hock

    Here's some further documentation on SNMPv3 in ESXi 5.1: VMware vSphere 5.1

    • Re: SNMPv3 with ESXi?
      mlwitten

      (OK, I'll try this edit again...) Thanks for the input. I have spent a lot of time in the VMware sites/instructions, including a couple of folks that posted step-by-step instructions for enabling V3 (that matched). From what I can tell, I have it functioning. Have you gotten it to work with NPM? I have the settings looking OK and locally tested, but am still getting a connect failure from NPM. I opened a ticket.

      I was hoping to find out if anyone had this actually working with NPM. Then I'd know which way to push my energies. ESXi is getting authnopriv requests from NPM when it should be getting authpriv requests. When I drop the priv requirement at the ESXi client, it is fine with the request but NPM says "test failed". No clue what NPM is looking for at that point. I know ESXi really would like an Engine ID defined from NPM up front, but I have not seen any way to get that, and in any case ESXi is not detecting any problems with the request at that point. Sooo....

      Thanks!

      -Mike

  • Re: SNMPv3 with ESXi?
    jbechler

    Has anyone found a fix for this?  I really would like to get this setup so here's hoping someone found something.

    • Re: SNMPv3 with ESXi?
      kfehderau

      It's been yet another month and this still isn't working right. I just checked and verified that SNMPv3 does not work right on ESXi 5.5, either.

      • Re: SNMPv3 with ESXi?
        branfarm

        I actually heard back from support regarding my case, and here's what they said:

        Here is development's summary of the problem found during comparison of net-snmp snmpwalk and SolarWinds SNMP library behavior:

        net-snmp implementation of SNMPv3 handshake:
        1. send "get-request" with msgFlags set to Reportable, msgAuthoritativeEngineID <MISSING>, msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime set to 0
        2. Device responds with "report" message with msgAuthoritativeEngineID set to its own value and msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime set to 0
        3. net-snmp sends "get-request" with msgAuthoritativeEngineID set to the value obtained previously and msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime also set to the values obtained previously. No check for wrong values is performed here.

        SolarWinds SNMP library implementation of SNMPv3 handshake:
        1. send "get-request" with msgFlags set to Reportable, msgAuthoritativeEngineID <MISSING>, msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime set to 0
        2. Device responds with "report" message with msgAuthoritativeEngineID set to its own value and msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime set to 0 -- this is the root cause of the problem
        3. SNMP library sends "get-request" with msgFlags set to Reportable and Authenticated only, msgAuthoritativeEngineID set to the previously obtained value, msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime set to 0
        - this is because the device responded with msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime set to 0, which is a wrong value
        4. The device should respond with "report" with the variable binding set to 1.3.6.1.6.3.15.1.1.2.0 (usmStatsNotInTimeWindows) and msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime set to some reasonable value. But the device in reality responds with 1.3.6.1.6.3.15.1.1.1.0 (usmStatsUnsupportedSecurityLevel), and msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime are still set to 0

        The SolarWinds implementation fails when adding the ESXi device because of the difference in behavior in steps 3 and 4. We check the msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime values and refuse to communicate with such a device until we obtain the real device time value. We are doing it because of a security concern.

        I believe that the SolarWinds approach is correct, because msgAuthoritativeEngineTime must be set by the initiator of the connection and the device must increase this counter over time as described in RFC 2574 (http://www.ietf.org/rfc/rfc2574.txt); otherwise it is vulnerable to replay attack.

        Development would like you to open a ticket about the replay attack security issue with ESXi support.

        So it sounds to me like SolarWinds won't be doing anything, as they believe this is an incorrect implementation of SNMPv3 behavior within ESX.
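The two handshakes that support describes above, modelled as a small Python simulation added here (it is not code from the thread, SolarWinds or VMware): Agent, Manager and Msg are hypothetical names, the engine ID and clock values are constructed, and the usmStats OIDs and 150-second window are those of RFC 3414, the successor of RFC 2574. It shows why a manager that insists on a real boots/time pair before polling accepts a conforming agent but refuses the ESXi-like one.

```python
from dataclasses import dataclass
from typing import Optional

# usmStats counter OIDs from RFC 3414 (the successor of RFC 2574 cited above).
USM_UNSUPPORTED_SEC_LEVEL = "1.3.6.1.6.3.15.1.1.1.0"   # usmStatsUnsupportedSecLevels
USM_NOT_IN_TIME_WINDOWS = "1.3.6.1.6.3.15.1.1.2.0"     # usmStatsNotInTimeWindows
USM_UNKNOWN_ENGINE_ID = "1.3.6.1.6.3.15.1.1.4.0"       # usmStatsUnknownEngineIDs
TIME_WINDOW = 150  # seconds, RFC 3414 section 2.2.3

@dataclass
class Msg:
    pdu: str                      # "get-request", "report" or "response"
    engine_id: bytes              # msgAuthoritativeEngineID (b"" = not yet known)
    boots: int                    # msgAuthoritativeEngineBoots
    time: int                     # msgAuthoritativeEngineTime
    auth: bool = False            # msgFlags authFlag (privFlag omitted here)
    report_oid: Optional[str] = None

class Agent:
    """Hypothetical authoritative engine (the device). rfc_time_sync=False
    reproduces the ESXi behaviour support describes in steps 2 and 4."""
    def __init__(self, engine_id: bytes, boots: int, time: int, rfc_time_sync: bool):
        self.engine_id, self.boots, self.time = engine_id, boots, time
        self.rfc_time_sync = rfc_time_sync

    def handle(self, m: Msg) -> Msg:
        if m.engine_id != self.engine_id:             # steps 1-2: engine ID discovery
            return Msg("report", self.engine_id, 0, 0, report_oid=USM_UNKNOWN_ENGINE_ID)
        in_window = m.boots == self.boots and abs(m.time - self.time) <= TIME_WINDOW
        if m.auth and not in_window:                  # steps 3-4: time synchronisation
            if self.rfc_time_sync:                    # hand the manager the real clock
                return Msg("report", self.engine_id, self.boots, self.time,
                           report_oid=USM_NOT_IN_TIME_WINDOWS)
            return Msg("report", self.engine_id, 0, 0,   # ESXi-like: wrong report, clock 0
                       report_oid=USM_UNSUPPORTED_SEC_LEVEL)
        return Msg("response", self.engine_id, self.boots, self.time, auth=True)

class Manager:
    """Hypothetical non-authoritative engine that, like the SolarWinds library,
    will not poll until it has learned a real snmpEngineBoots/snmpEngineTime pair."""
    def sync(self, agent: Agent) -> dict:
        rep = agent.handle(Msg("get-request", b"", 0, 0))                # step 1
        eid = rep.engine_id                                              # step 2
        rep = agent.handle(Msg("get-request", eid, 0, 0, auth=True))     # step 3 (authNoPriv)
        if rep.report_oid == USM_NOT_IN_TIME_WINDOWS and (rep.boots, rep.time) != (0, 0):
            return {"ok": True, "engine_id": eid, "boots": rep.boots, "time": rep.time}
        # A boots/time of 0 gives no replay window, so refuse rather than poll anyway.
        return {"ok": False, "engine_id": eid, "report": rep.report_oid}
```

The step-3 message is sent authNoPriv, which is consistent with the authNoPriv requests the ESXi syslog reported at the top of the thread even though NPM was configured for authPriv.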