SNMPv3 config changing after reboot

jonashamre
Level 1

Whenever one of my C2960s reboots, our SolarWinds monitoring stops working.  I found that this is due to one line of SNMPv3 config changing by itself.  This used to be in the config:

     snmp-server group XXX v3 priv access permit-snmp

(permit-snmp being the access-list defining IP addresses allowed to query)  After the reboot, SNMPv3 stops working and this line shows up in the config instead of the one above:

     snmp-server group XXX v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F

Is this a bug?  (I did check the bug database, without success.)  I have upgraded the IOS to 12.2(53) SE2 without any success.  The switch is a C2960-24TC-L.


billy.posey
Level 1

I have the same issue with the 3560's, SNMP v3 loses its configuration or unknown engine ID. I can reload the v3 user name and group and it appears to work.

UWE STEINHAU
Level 1

Same issue here with a WS-C3750G-24PS running (C3750-IPBASEK9-M), Version 12.2(35)SE5.

UWE STEINHAU
Level 1

I had the same problem and believe the issue is that you probably have a trap server configured and are using the same snmp-server group for the trap server and your queries. I created another group for SNMPv3 queries and the configuration no longer seems to get overwritten. Here's what I did.

Go into config mode and create a group just for the trap server - let's call it TRAPS. I used priv and it looks like that's what you use. Don't worry about defining any MIB views as this group will automatically populate the notifyview once the trap servers below are added to the config. (...and will remove the readview and writeview entries after reboot - that's why a second group is needed). Remove your old trap server entries and set up the new trap server using the new group called TRAPS.

     snmp-server group TRAPS v3 priv
     snmp-server host <trap-server-ip> version 3 priv TRAPS

Now create another group for queries only - (let's call it QUERIES but you could just use your current group XXX since it's already set up) - I like the v1default MIB view for both reads and writes but you can limit the MIBs with the snmp-server view command. I am using md5 and des56 here - your case may be different - and set up the user (or keep the one you already have configured)

     snmp-server group QUERIES v3 priv read v1default write v1default access <acl>
     snmp-server user <username> QUERIES v3 auth md5 <auth-password> priv des56 <priv-password>

Exit and check the config.

The group TRAPS should have the notifyview set. The group QUERIES should have the readview and writeview set to v1default (or whatever view you chose to enter here). The two SNMPv3 groups should look like this:

#sh snmp group
groupname: TRAPS                            security model:v3 priv
readview :           writeview:
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
row status: active

groupname: QUERIES                          security model:v3 priv
readview : v1default                        writeview: v1default
notifyview:
row status: active      access-list: 4

The old trap server entry using the old group XXX should have been removed already. Verify that the user: entry says TRAPS

#sh snmp host
Notification host: xxx.xxx.xxx.xxx      udp-port: 162   type: trap
user: TRAPS     security model: v3 priv

Finally make sure the user is in the correct group (QUERIES):

#sh snmp user

User name:
Engine ID: xxxxxxxxxxxxxxxxxxxxxxxxxx
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: QUERIES

If all is well - write the config. You should now be able to perform a coldstart without losing your SNMPv3 config.

Please, let me know if this worked for you.
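A config audit for the condition described in this thread, as an added example that is not part of any poster's reply or of Cisco's tooling: it flags a group that carries query settings while also being named on a v3 trap host line, and compares a saved config with the post-reboot one to list which query settings were dropped. The sample configs and the address 192.0.2.10 are constructed, and the function names are hypothetical.

```python
import re

# Constructed configs modelled on the lines quoted in this thread.
# 192.0.2.10 is a documentation address, not a value from the page.
BEFORE_REBOOT = """\
snmp-server group XXX v3 priv access permit-snmp
snmp-server host 192.0.2.10 version 3 priv XXX
"""
AFTER_REBOOT = """\
snmp-server group XXX v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F
snmp-server host 192.0.2.10 version 3 priv XXX
"""
SPLIT_GROUPS = """\
snmp-server group TRAPS v3 priv
snmp-server group QUERIES v3 priv read v1default write v1default access 4
snmp-server host 192.0.2.10 version 3 priv TRAPS
"""

GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (?:noauth|auth|priv)\b(.*)$")
HOST_RE = re.compile(r"^snmp-server host \S+ .*?\bversion 3 (?:noauth|auth|priv) (\S+)")
QUERY_OPTS = ("read", "write", "access")


def parse(config):
    """Return ({group: {option: value}}, {names referenced by v3 trap hosts})."""
    groups, trap_names = {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := GROUP_RE.match(line):
            tokens = m.group(2).split()
            groups[m.group(1)] = dict(zip(tokens[0::2], tokens[1::2]))
        elif m := HOST_RE.match(line):
            trap_names.add(m.group(1))
    return groups, trap_names


def shared_groups(config):
    """Groups that carry query settings and are also named on a trap host line."""
    groups, trap_names = parse(config)
    return sorted(g for g, o in groups.items()
                  if g in trap_names and any(k in o for k in QUERY_OPTS))


def lost_settings(baseline, current):
    """Query settings present per group in baseline but missing from current."""
    old, new = parse(baseline)[0], parse(current)[0]
    lost = {g: [k for k in QUERY_OPTS if k in o and k not in new.get(g, {})]
            for g, o in old.items()}
    return {g: gone for g, gone in lost.items() if gone}
```

Running `shared_groups` on a saved config before a maintenance reload shows which groups need splitting; running `lost_settings` against the post-reload config confirms whether an access list or view was dropped.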

Hi Uwe,

Thank you for a very thorough reply!  I do indeed send my traps to the polling server.

I'm unable to test the proposed solution before the weekend, but I will make sure to let you know ASAP.

Again, thanks!

Jonas

and the result?

I also have had a customer's 2960 losing some config info, possibly after reboot, or adding POE phones. Haven't seen it before they fixed it though.

have already "no setup express" in case someone has been leaning on the front panel button.

returned 3, happened on 2 more this week. Hoping to get cust to do "show tech" next time.

Thanks
