SNMP V3 and CiscoWorks

Jul 4th, 2007

Hi,

Today I configured a router (1760) for SNMPv3:

snmp-server view ReadView internet included

snmp-server group OurGroup v3 auth read ReadView

snmp-server user xxxx OurGroup v3 auth md5 yyyy

Trying out with net-snmp works fine:

snmpwalk -v3 -u xxxx -l authNoPriv -a MD5 -A yyyy 192.168.1.1 system

...

system.sysORTable.sysOREntry.sysORUpTime.1 = Timeticks: (0) 0:00:00.00

system.sysORTable.sysOREntry.sysORUpTime.2 = Timeticks: (0) 0:00:00.00

system.sysORTable.sysOREntry.sysORUpTime.3 = Timeticks: (0) 0:00:00.00

system.sysORTable.sysOREntry.sysORUpTime.4 = Timeticks: (0) 0:00:00.00

system.sysORTable.sysOREntry.sysORUpTime.5 = Timeticks: (0) 0:00:00.00

system.sysORTable.sysOREntry.sysORUpTime.6 = Timeticks: (0) 0:00:00.00

...

Now I want to manage the router via our CiscoWorks and configured:

Campus Manager Administration - Admin - Device Discovery - SNMP Settings

->SNMPV3

Target: 192.168.1.*

Username: xxxx

Password: yyyy

Authentication: MD5

and started discovery with result "device unreachable".

Sniffing the packets, I found out that CW sets "AuthParam" to NULL, while net-snmp sets some (encrypted) data.

The router doesn't respond to CW.

Looks to me like that's the problem.

We're using LMS 2.6.1

Any ideas how to make it work?

Thanks in advance,

kind regards

Rolf Fischer

Joe Clarke Wed, 07/04/2007 - 09:36

If the device is already in DCR, check the v3 credentials under Common Services > Device and Credentials > Device Management. The first packet will go out incomplete so that Discovery can discover the SNMP engine ID, engine time, and boots. Once these values are sent from the device, the actual request packet should go out with valid AuthData, engine time, and boot count.

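Joe Clarke's point about the incomplete first packet, as an added example that is not part of the thread: the RFC 3414 key derivation and HMAC-MD5-96 computation behind the "AuthParam" field, plus a receiver-side check that distinguishes an empty discovery field from a verified or failed authenticator. The message layout and the "maplesyrup" password are constructed test values (RFC 3414 A.3.1), not the poster's configuration.

```python
import hashlib
import hmac

# Added example, not code from the thread. Models the SNMPv3 USM auth
# (RFC 3414, HMAC-MD5-96) behind msgAuthenticationParameters. The
# message layout is a constructed stand-in, not real BER encoding.
ONE_MIB = 1048576


def password_to_key_md5(password: bytes) -> bytes:
    """RFC 3414 A.2.1: MD5 over the password repeated to 1 MiB (Ku)."""
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.md5(stream).digest()


def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 2.6: Kul = MD5(Ku || engineID || Ku). Without the engine ID
    no key exists, which is why a discovery request carries no authParam."""
    return hashlib.md5(ku + engine_id + ku).digest()


def hmac_md5_96(kul: bytes, whole_msg: bytes) -> bytes:
    """RFC 3414 6.3.1: HMAC-MD5 over the message with its 12 authParam
    octets zeroed, truncated to the first 12 bytes."""
    return hmac.new(kul, whole_msg, hashlib.md5).digest()[:12]


def classify_incoming(kul: bytes, msg: bytes, off: int, plen: int) -> str:
    """Receiver-side check. 'discovery' = empty field (first CW packet),
    'authenticated' = HMAC verifies, 'bad-auth' = anything else."""
    if plen == 0:
        return "discovery"
    if plen != 12 or off + 12 > len(msg):
        return "bad-auth"
    zeroed = msg[:off] + b"\x00" * 12 + msg[off + 12:]
    ok = hmac.compare_digest(msg[off:off + 12], hmac_md5_96(kul, zeroed))
    return "authenticated" if ok else "bad-auth"


def demo_cases() -> dict:
    """Constructed engine ID and password (RFC 3414 A.3.1 test values)."""
    kul = localize_key(password_to_key_md5(b"maplesyrup"),
                       bytes.fromhex("000000000000000000000002"))
    head, tail = b"v3hdr|usm|", b"|scopedPDU:get sysName"
    off = len(head)
    signed = head + hmac_md5_96(kul, head + b"\x00" * 12 + tail) + tail
    tampered = signed[:-1] + b"X"  # body altered after signing
    return {
        "discovery": classify_incoming(kul, head + tail, off, 0),
        "net-snmp": classify_incoming(kul, signed, off, 12),
        "tampered": classify_incoming(kul, tampered, off, 12),
    }
```

Running `demo_cases()` shows the three outcomes a device distinguishes: the empty discovery field is answered with a report, a valid authenticator is accepted, and a mismatch is counted as an authentication failure.
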
Rolf Fischer Thu, 07/05/2007 - 01:39

Hm, I don't know who rated this post - it definitely wasn't me?!

The router is in DCR with correct credentials.

We're still having the same problem.

Rolf Fischer Thu, 07/05/2007 - 02:53

I'm not sure if I understand the question.

Thought with

"snmp-server view ReadViewITZ internet included"

I allow the whole internet-tree (1.3.6.1...)

Please correct me if I'm wrong.

Regarding my posted picture:

The traced packet from Net-SNMP was fully encrypted; this was a first try with authPriv.

I changed that to authNoPriv meanwhile.

That's part of what I was looking for; redacted means remove or obscure the sensitive information from your configs...

Your device configuration should look something like this for querying remotely:

snmp-server group remotegroup v3 priv

snmp-server user remote PrivUser remotePrivGroup remote #.#.#.# v3 auth md5 password1 priv des56 password2

Rolf Fischer Thu, 07/05/2007 - 05:20

Right, I posted this part of my config yesterday:

snmp-server view ReadView internet included

snmp-server group OurGroup v3 auth read ReadView

snmp-server user CiscoWorks OurGroup v3 auth md5 yyyy

Doing a Device Credentials Verification Job a couple of minutes ago I got this message:

Setting v3 Param mode to authNoPriv. querying sysLocation.obtained exception while g/setting sysLocation com.cisco.nm.lib.snmp.futureapi.SnmpReqTimeoutException: SnmpRequestTimeout on 192.168.1.1 while performing SnmpGet at index = -1. Wrong Credentials.

That's strange because I re-checked the parameters and they are correct.

Joe Clarke Thu, 07/05/2007 - 08:28

The CiscoWorks query should cause a report packet back from the device? What is the next packet to come from the device?

Rolf Fischer Thu, 07/05/2007 - 22:26

The problem is fixed now - I have to say sorry.

Between the router and the CW-server we have a cryptor which needs to have a bypass for our management-traffic.

This bypass was configured incompletely: the way back to the CW server was missing.

We added that rule and now it works.

Embarrassing...
