
SNMP v3 - need help with credentials

I have looked through the Admin guide and the often referenced Cisco doc on SNMP v3.  I have gone through the many posts on it as well.  So I am starting to think I am doing something uniquely dumb.

Below is my Cisco switch config. I know there is some overlap on the views, but I just kept getting broader to try and fix the problem. In NPM it says the credentials fail; however, when I use the SNMP Tester tool in the Engineer's Toolset I get a more specific error.

ERROR:   SNMPv3 - Unsupported Security Level - Either the requested MIB is not readable for this username, or this username requires a higher level of authentication / encryption.

Cisco SNMP config:

snmp-server group GROUPNAME v3 auth read view_all write view_all access 6

snmp-server view view_all iso included

snmp-server view view_all internet included

snmp-server view view_all system included

snmp-server view view_all interfaces included

snmp-server view view_all chassis included

snmp-server community public RO 5

snmp-server host 10.27.28.5 public

The last 2 lines are there so I can still monitor the switch while I figure this out.

I used this to config the user:

snmp-server user USERNAME GROUPNAME v3 auth md5 PASSWORD access 6

Help please!
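The SNMP Tester error quoted in the post names two possible causes: the OID is outside the user's view, or the request's security level is lower than the group's. The view half can be checked offline. What follows is an added example (mine, not the poster's configuration, Cisco code or SolarWinds code) that applies the RFC 3415 view-matching rule to lines written in "snmp-server view" form: the longest matching subtree decides, so a view that already includes iso sees everything, the extra internet/system/interfaces lines are redundant, and such a view also exposes the USM user table and the VACM tables to the read-only user unless they are explicitly excluded. The keyword-to-OID table is an assumption (the standard MIB-II names plus two SNMPv3 MIB names); the chassis keyword is left out and numeric OIDs are accepted in place of keywords; the RO view is constructed for the example.

```python
"""Minimal RFC 3415 VACM view matcher for "snmp-server view" lines (added example,
not the poster's configuration or Cisco code). The keyword table is an assumption."""
from dataclasses import dataclass

# Assumed keyword-to-OID table: MIB-II names IOS accepts plus two SNMPv3 MIBs.
# Anything else must be written as a dotted OID ("chassis" is deliberately left out).
IOS_SUBTREES = {
    "iso": "1",
    "internet": "1.3.6.1",
    "mib-2": "1.3.6.1.2.1",
    "system": "1.3.6.1.2.1.1",
    "interfaces": "1.3.6.1.2.1.2",
    "snmpUsmMIB": "1.3.6.1.6.3.15",   # usmUserTable: user names, auth/priv protocols
    "snmpVacmMIB": "1.3.6.1.6.3.16",  # groups, views and access entries
}


def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))


def oid_str(oid):
    return ".".join(str(part) for part in oid)


@dataclass(frozen=True)
class ViewEntry:
    subtree: tuple
    included: bool
    mask: tuple = ()  # vacmViewTreeFamilyMask bits; empty means all ones (plain prefix)


def _matches(entry, oid):
    """vacmViewTreeFamily match: prefix compare, wildcard where the mask bit is 0."""
    if len(oid) < len(entry.subtree):
        return False
    for i, sub in enumerate(entry.subtree):
        bit = entry.mask[i] if i < len(entry.mask) else 1
        if bit and oid[i] != sub:
            return False
    return True


def in_view(entries, oid_text):
    """RFC 3415 3.5: of all matching entries the longest subtree wins (ties go to the
    lexicographically greatest); its included/excluded flag decides. No match: not visible."""
    oid = parse_oid(oid_text)
    best = None
    for entry in entries:
        if _matches(entry, oid) and (
            best is None
            or (len(entry.subtree), entry.subtree) > (len(best.subtree), best.subtree)
        ):
            best = entry
    return best.included if best is not None else False


def redundant_entries(entries):
    """Dotted subtrees (unmasked entries) whose nearest enclosing entry already has the
    same action, so deleting the line changes nothing."""
    out = []
    for entry in entries:
        ancestors = [
            other for other in entries
            if other is not entry
            and len(other.subtree) < len(entry.subtree)
            and entry.subtree[: len(other.subtree)] == other.subtree
        ]
        if ancestors and max(ancestors, key=lambda a: len(a.subtree)).included == entry.included:
            out.append(oid_str(entry.subtree))
    return out


def ios_view(*lines):
    """Parse 'snmp-server view NAME SUBTREE included|excluded' lines into entries."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[:2] != ["snmp-server", "view"] \
                or parts[4] not in ("included", "excluded"):
            raise ValueError(f"unrecognised view line: {line!r}")
        entries.append(ViewEntry(parse_oid(IOS_SUBTREES.get(parts[3], parts[3])),
                                 parts[4] == "included"))
    return entries


# The poster's view_all without the chassis line (see the keyword note above)
VIEW_ALL = ios_view(
    "snmp-server view view_all iso included",
    "snmp-server view view_all internet included",
    "snmp-server view view_all system included",
    "snmp-server view view_all interfaces included",
)

# Constructed read-only view: the whole tree except the SNMPv3 security tables
RO_HARDENED = ios_view(
    "snmp-server view RO iso included",
    "snmp-server view RO snmpUsmMIB excluded",
    "snmp-server view RO snmpVacmMIB excluded",
)

IF_DESCR_1 = "1.3.6.1.2.1.2.2.1.2.1"        # ifDescr.1
USM_USER_NAME = "1.3.6.1.6.3.15.1.2.2.1.3"  # usmUserSecurityName column

if __name__ == "__main__":
    print("redundant in view_all:", redundant_entries(VIEW_ALL))
    print("view_all exposes usmUserTable:", in_view(VIEW_ALL, USM_USER_NAME))
    print("RO view exposes usmUserTable:", in_view(RO_HARDENED, USM_USER_NAME))
```

Widening the view is the wrong lever for an "Unsupported Security Level" error when the view already includes iso; that leaves only the security-level mismatch between the group and the credential. On IOS the exclusion above can be entered with the numeric OID (for example snmp-server view RO 1.3.6.1.6.3.15 excluded) and confirmed with show snmp view.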

  • RNEWMARK,

    Below is the template we use for SNMPv3.  I've listed comments below the configuration.  Enter your own information/passwords in the bracketed sections and be sure to remove the brackets.

    no snmp-server system-shutdown
    no snmp-server trap-timeout 180
    snmp-server packetsize 1400
    snmp-server queue-length 20
    !
    snmp-server contact [ENTER CONTACT NAME & PHONE # HERE]
    !
    snmp-server view MGMTview interfaces included
    snmp-server view MGMTview internet included
    snmp-server view MGMTview chassis included
    snmp-server view MGMTview system included
    snmp-server view MGMTview mib-2 included
    snmp-server ifindex persist
    !
    snmp-server group READgroup v3 auth read MGMTview
    snmp-server group WRITEgroup v3 auth write MGMTview
    !
    ! NO ENCRYPTION
    snmp-server user HQNNM READgroup v3 auth sha [ENTER READ-ONLY AUTHENTICATION PASSWORD] access 1
    snmp-server user HQMGMT WRITEgroup v3 auth sha [ENTER READ-WRITE AUTHENTICATION PASSWORD] access 2
    !
    ! DES56
    snmp-server user HQNNM READgroup v3 auth sha [ENTER READ-ONLY AUTHENTICATION PASSWORD] priv des56 [ENTER READ-ONLY ENCRYPTION PASSWORD] access 1
    snmp-server user HQMGMT WRITEgroup v3 auth sha [ENTER READ-WRITE AUTHENTICATION PASSWORD] priv des56 [ENTER READ-WRITE ENCRYPTION PASSWORD] access 2
    !
    ! AES
    snmp-server user HQNNM READgroup v3 auth sha [ENTER READ-ONLY AUTHENTICATION PASSWORD] priv aes 128 [ENTER READ-ONLY ENCRYPTION PASSWORD] access 1
    snmp-server user HQMGMT WRITEgroup v3 auth sha [ENTER READ-WRITE AUTHENTICATION PASSWORD] priv aes 128 [ENTER READ-WRITE ENCRYPTION PASSWORD] access 2
    !
    !
    no access-list 1
    access-list 1 remark "SNMP: READGroup access"
    access-list 1 permit host XXX.XXX.XXX.XXX
    access-list 1 deny any log

    no access-list 2
    access-list 2 remark "SNMP: WRITEGroup access"
    access-list 2 permit host XXX.XXX.XXX.XXX
    access-list 2 deny any log

    In this configuration the users are HQNNM or HQMGMT depending on whether they get READ or WRITE access. In your Orion, these will be in the User Name field for SNMPv3. We don't use context. Our devices have 1 Authentication method which is SHA for standardization and 3 different Authentication methods depending on the IOS loaded. Our goal is for all devices to run AES. We use 20 character randomly generated passwords for our authentication and encryption passwords. In the Orion credential manager, based on the configuration above we have 4 different credentials loaded.

    HQ READ DES56
    HQ WRITE DES56
    HQ READ AES128
    HQ WRITE AES128

    Before running the script above on the device, you can see what encryption the device will support by running this command in config mode: snmp-server user HQNNM READgroup v3 auth testpassword priv ?

    We run the complete template above so the highest supported level of encryption will be applied, because many times we are not applying the template ourselves. To troubleshoot devices that do not test out OK in Orion, use the following command in Global mode on the device:
    sh snmp user

    That command will show you how the device is configured. All you'll need to do is select the appropriate credential. If you have verified the credential is correct then verify your ACL. You can do this by telnetting/sshing from your Orion server to the device and running a who on the device once you are logged in to confirm the IP. Many times we are using NATed Orion IPs, so be sure to include those in your ACL. If the device doesn't accept any encryption, we usually use one of the 4 credentials above, blank the encryption password and set encryption to none. You could create a separate credential for that if you wish though. We also just created one view and use it for both READ & WRITE access. I've also included our SNMP ACLs. Tailor as necessary.

    Hope this helps.

    Regards,

    Rob

  • I am having issues getting Orion NPM to sync up with a Cisco 2811 using SNMP v3. Whenever I try to discover the 2811 with NPM I get the following errors in the Cisco 2811 SNMP debug:

    process_mgmt_req_int: UDP packet being de-queued
    SrParseV3SnmpMessage: No matching Engine ID.
    SrParseV3SnmpMessage: Failed.
    SrDoSnmp: authentication failure, Unknown Engine ID

    process_mgmt_req_int: UDP packet being de-queued
    SrParseV3SnmpMessage: digest mismatch
    SrParseV3SnmpMessage: Failed.
    SrDoSnmp: authentication failure, USM wrong digest

    I followed your template above. I have tried regenerating the crypto keys several times using the various options. SSH works fine from the SolarWinds NPM box to the Cisco 2811.

    access-list 1 remark "SNMP READgroup access"

    access-list 1 permit 172.17.1.20

    access-list 1 deny   any log

    access-list 2 remark "SNMP WRITEgroup access"

    access-list 2 permit 172.17.1.20

    access-list 2 deny   any log

    !

    snmp-server group READgroup v3 auth match exact read orion

    snmp-server group WRITEgroup v3 auth match exact write orion

    snmp-server view orion mib-2 included

    snmp-server view orion system included

    snmp-server view orion interfaces included

    snmp-server view orion chassis included

    snmp-server ifindex persist

    snmp-server packetsize 1400

    snmp-server queue-limit notification-host 20

    snmp-server location ******(omitted)

    snmp-server contact ***** (omitted)

    snmp-server enable traps tty

    termgen#sh snmp user

    User name: DTSP_Solar_Admin
    Engine ID: 8000000903000025842BA478
    storage-type: nonvolatile        active
    Authentication Protocol: MD5
    Privacy Protocol: DES
    Group-name: READgroup

    termgen#sh snmp group
    groupname: READgroup                        security model:v3 auth
    readview : orion                            writeview: <no writeview specified>
    notifyview: <no notifyview specified>
    row status: active

    groupname: WRITEgroup                       security model:v3 auth
    readview : v1default                        writeview: orion                   
    notifyview: <no notifyview specified>
    row status: active
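The two debug traces above are the first two checks an SNMPv3 agent runs on an authenticated message, in that order, and both turn on the snmpEngineID: the message must name the agent's own engine ID, and the HMAC must have been computed with a key localized to that engine ID. The following is an added example (mine, not code from this thread, Cisco or SolarWinds) that implements the RFC 3414 password-to-key and key-localization steps, checks them against the RFC's published test vector, and replays both failures against the engine ID shown by "sh snmp user" on the 2811. The second engine ID, the sample password and the message bytes are constructed for the example; the message is a placeholder, not real BER.

```python
"""SNMPv3 USM key localization and HMAC-96 authentication (RFC 3414 2.6, 3.2, A.2).
Added example for this thread, not code from the original posts, Cisco or SolarWinds."""
import hashlib
import hmac

_HASH = {"md5": "md5", "sha": "sha1"}   # usmHMACMD5AuthProtocol / usmHMACSHAAuthProtocol
DIGEST_LEN = 12                          # HMAC-96: both protocols truncate to 12 octets

# RFC 3414 A.3 test-vector inputs (self-check of the two derivation steps)
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Engine ID shown by "sh snmp user" on the 2811 in this thread
ENGINE_2811 = bytes.fromhex("8000000903000025842BA478")
# Constructed: some other device's engine ID still cached on the manager (not from the thread)
ENGINE_OTHER = bytes.fromhex("8000000903000025842BA479")

# Constructed stand-in for the BER-encoded SNMPv3 message. In a real message the 12-octet
# msgAuthenticationParameters field is zeroed before the HMAC is computed (RFC 3414 6.3.1).
WHOLE_MSG = b"\x30\x00<constructed SNMPv3 msg, authParams=" + b"\x00" * 12 + b">"


def password_to_key(password: bytes, proto: str) -> bytes:
    """RFC 3414 A.2.1/A.2.2: hash the password cycled to exactly 1,048,576 octets -> Ku."""
    if not password:
        raise ValueError("empty password")
    total = 1_048_576
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(_HASH[proto], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, proto: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). A different engine ID gives a different key."""
    return hashlib.new(_HASH[proto], ku + engine_id + ku).digest()


def auth_key(password: bytes, engine_id: bytes, proto: str) -> bytes:
    return localize_key(password_to_key(password, proto), engine_id, proto)


def hmac96(key: bytes, whole_msg: bytes, proto: str) -> bytes:
    """msgAuthenticationParameters value: HMAC over the whole message, first 96 bits."""
    return hmac.new(key, whole_msg, _HASH[proto]).digest()[:DIGEST_LEN]


def agent_check(agent_engine_id, agent_key, msg_engine_id, whole_msg, received_digest, proto):
    """Order of the authoritative engine's USM checks (RFC 3414 3.2, simplified: no user
    lookup, no time-window check). The two branches are the two IOS debug traces."""
    if msg_engine_id != agent_engine_id:
        return "unknownEngineID"        # SrParseV3SnmpMessage: No matching Engine ID
    if not hmac.compare_digest(hmac96(agent_key, whole_msg, proto), received_digest):
        return "wrongDigest"            # SrDoSnmp: authentication failure, USM wrong digest
    return "ok"


def simulate(password: bytes = b"correct-horse-battery", proto: str = "sha"):
    """Agent verdicts for three manager states:
    1. right engine ID, right password
    2. manager still sending another device's engine ID (stale discovery / cloned credential)
    3. right engine ID, wrong password"""
    agent_key = auth_key(password, ENGINE_2811, proto)
    good = hmac96(agent_key, WHOLE_MSG, proto)
    stale = hmac96(auth_key(password, ENGINE_OTHER, proto), WHOLE_MSG, proto)
    wrong_pw = hmac96(auth_key(b"Password1", ENGINE_2811, proto), WHOLE_MSG, proto)
    return (
        agent_check(ENGINE_2811, agent_key, ENGINE_2811, WHOLE_MSG, good, proto),
        agent_check(ENGINE_2811, agent_key, ENGINE_OTHER, WHOLE_MSG, stale, proto),
        agent_check(ENGINE_2811, agent_key, ENGINE_2811, WHOLE_MSG, wrong_pw, proto),
    )


if __name__ == "__main__":
    print(auth_key(RFC_PASSWORD, RFC_ENGINE_ID, "md5").hex())  # RFC 3414 A.3.1 localized key
    print(simulate())
```

Two practical consequences follow. A manager normally learns the engine ID with an unauthenticated discovery exchange before sending the first authenticated request, so a stale or copied engine ID produces exactly the "No matching Engine ID" line; and because the stored key is localized, changing the device's engine ID (snmp-server engineID local) silently invalidates every configured v3 user until it is recreated, which is worth checking before blaming the manager's credentials.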

  • Did you set up the user?  The syntax is snmp-server user <username> <usergroup> v3 <authentication parameter> <authentication value> <authentication pw> <encryption parameter> <encryption type> <encryption password>

    It will not show up in the configuration, but you can see the user when you issue a show snmp user command.

  • Yes I did set up the user. The latest attempt is below. I have tried all of the different combinations of SHA, MD5, DES etc. to no avail. I even dumbed down the password in an attempt to get around any syntax issues or typing errors. It still does not seem to want to authenticate with the 2811. If I set up the group as noauth it works fine and Orion can manage the box. If I set up the group as either PRIV or Auth, SolarWinds Orion cannot connect and gives the error that it cannot connect with the provided SNMP V3 credentials. If I do an snmp debug on the 2811 it keeps mentioning the engine ID is incorrect or missing during the handshaking with Orion, but it looks the same to me. I am beginning to wonder if it is not an OS version issue with the router or something to do with the engine ID creation/handshaking.

    user name: DTSP_Solar_Admin

    Engine ID: 8000000903000025842BA478

    storage-type: nonvolatile        active access-list: 1

    Authentication Protocol: MD5

    Privacy Protocol: AES128

    Group-name: ORIONview

  • I think I remember something about a potential issue if you are using crypto keys with the passwords and how NPM handles them. Can you set the passwords without using the crypto keys?

    Regards,

    Matthew Harvey

    Loop1 Systems

  • Try this (take out the match exact):

    snmp-server group READgroup v3 auth read orion

    snmp-server group WRITEgroup v3 auth write orion

    It wasn't clear from your earlier post if you applied an access list.  If you did, try to take it out.

    Also, are you setting up your device like below?

    [screenshot of the Orion SNMPv3 credential form, snmpv3.png, not reproduced]

  • Resolution!

    Thanks everyone for all the input and suggestions. I was able to resolve the issue yesterday evening. The 2811 originally had c2800nm-ipbaseK9-mz. In this version, for some reason, it had a default of "match exact" for context when you created the group. Everything else looked the same. I upgraded the IOS on the 2811 to c2800nm-advsecurityk9-m. In this version you can leave out the context when creating the group and it does not default to "match exact". If you do a subsequent "sh snmp group" it lists context as "not specified". I made no other changes to the router configuration. After I did this I went back and added the node in SolarWinds with the appropriate SNMP V3 credentials as per rhugh's suggestion above and bingo, it came right up.

  • I ran into the same issue using the above config. It turned out to be a browser issue: Chrome was populating the context field upon submit, even though I couldn't see it. I switched to Firefox (my backup "clean" browser) and it worked fine the first time.
