Network Topology Mapper SNMPv3 Test Credential Failed

I am evaluating NTM for my organization, using it for network devices, specifically Cisco.  When I attempt to implement a new scan, using SNMPv3 credentials, I get a failed test.  I have all information input into Edit SNMP Credential. I have verified it against the configuration of the device I am testing against. On a side note, we are currently using SW Orion and have no issues with SNMP with it.

The device where NTM is installed, its IP address is in a range allowed by an ACL on the Cisco devices.  No firewalls in the path are blocking the traffic.

There is something interesting on a Wireshark capture, from the NTM device to the network device, fields indicate that information is missing:
msgAuthenticationParameters:  <MISSING>
msgPrivacyParameters: <MISSING>

The values are stored and are not missing in the Edit SNMP Credential window.

Thanks!

  • That's an interesting situation.  If your node is configured to allow the right pollers to talk to it, and if the node and the pollers have the correct snmp-v3 strings, and if there are no routing or firewall issues present, you've got a bit of a perfect storm.

    I'll mention one thing that's easy to miss--Windows Server local firewall.  I can't count the number of times a "network problem" has been put on my table that turned out to be caused by the SysAdmin forgetting that the server firewall is enabled by default in our environment.  

    It sounds like you've proven the L2 and L3 paths are valid (if your new test APE can ping the node, that part's good).

    I'd spend a tiny bit of time focusing on the snmp-v3 string on the node and the new Solarwinds environment.  A single character (especially an unintentionally pasted-in space at the end of a Ctrl-C to a Ctrl-V) is far to easy to accidentally put in place, thanks to Microsoft's functionality.  Sometimes this is so pervasive that we open a Notepad++ window and test-paste the snmp-v3 string into it and look closely to confirm whether a space is being pasted in.

    If that isn't the case in your situation, does it work with snmp-v2 (just as a temporary test for confirmation)?

    Another surprise I've run into is certain combinations of devices and their versions (especially APC UPS's and other APC networked devices like ATS's) have a set maximum snmp string limit that's far too short.  In other cases, some systems just won't play well with special characters in the snmp strings.

    At the least, open a support ticket with Solarwinds and detail the complete setup, including device models & brands & their software versions.

    I'm confident you'll get it figured out, and it should (hopefully) be something simple like an easily overlooked operator error or typo.  If it turns out to be something weird, right out of left field (like your Node can't report to two different Solarwinds environments using the same snmp-v3 string), I'll be watching to see what you and Solarwinds Support come up with.  Please post what you learn here!

    Swift Packets!

    Rick Schroeder

  • I know this is 2 years later but I have the exact same issue as you.  Did you get it figured out?  I'm starting to think NTM relies on it's host machine for SNMPv3 and mine is Windows Server 2016 which doesn't have native SNMPv3 support.  I figure NTM could craft the SNMPv3 itself but maybe not?

  • This condition is normal for the first SNMPv3 packet to initiate the conversation:

    There is something interesting on a Wireshark capture, from the NTM device to the network device, fields indicate that information is missing:
    msgAuthenticationParameters:  <MISSING>
    msgPrivacyParameters: <MISSING>

    The response from the device will provide as I recall an EngineID which the next request from the poller will include along with the username, authentication password, and privacy password. The first SNMPv3 packet will not have the credentials yet and this is normal setup of the poll.

    Now if you don't see any response from the device it may be something is blocking it along the way or dropping it. The original post indicated no firewalls but there is other reasons for it to be dropped like MTU size so just something to keep in mind. 

    Assuming the end device is receiving the SNMP poll there is another consideration is it replying. A span session or debug may inform us. I have seen devices not respond because they go into an SNMP service lockout when there is too many failed logins - Ruggedcom equipment in my case.

    If you see the packet with no credentials and than a response with an EngineID gets to Solarwinds and then Solarwinds tries to poll the device with no credentials but has the EngineID filled out this will be an issue why Solarwinds is not putting in the credentials you supplied but I would guess it will be one of the other issues I mentioned based on my experience.

  • The NTM sends the SNMP v3 from the host. I was successful with this on my Cisco devices:

    snmp-server group <SOME-SNMP-GROUP> v3 priv read <SOME-VIEW-NAME> access <SOME-NETWORKS>
    snmp-server user <SOME-SNMP-USER> <SOME-SNMP-GROUP> v3 auth sha <auth-password> priv aes 256 <priv-password>
    nnmp-server view <SOME-VIEW-NAME> iso included
    !
    ip access-list extended <SOME-NETWORKS>
    remark *** Add some networks ***
    permit ip 192.168.1.0 0.0.0.255 any