Prime LMS 4.1 and SNMPv3 traps

TomDeLaet
Level 1

Hi there,

I have a problem with receiving traps in Cisco Prime.
I configured the routers to use SNMPv3 and I enabled the traps that I would like to be sent.
But they don't arrive in Cisco Prime.
I tested the SNMPv3 connection and the protocol works. So I guess the problem is situated elsewhere.
Is it possible that Cisco Prime (the DFM) receives the packages but that it determines on its own that it "can't" use them for some kind of reason and drops them?
Because I can see the SNMP packages arrive on the server with Wireshark.
I guess I need to adapt some settings in Cisco Prime to accept the packages into its log.

Or is it possible that Prime LMS 4.1 is not capable of logging snmpv3 traps like a login on a router and stuff like that.

I need to be able to log the login details, write memory, and stuff like that.

But it needs to be encrypted, therefore the SNMPv3.

Otherwise I would use normal syslog.

Any ideas?
thnx

T.


4 Replies

ngoldwat
Level 4

Hi,

Does your SNMP config allow full read/write access? You may want to post the relevant SNMP configs and LMS logs to verify.

Some (I hope) helpful notes:

Enabling SNMP v3 on Cisco IOS devices
To enable SNMP v3 on Cisco IOS devices, follow these steps (angle-bracket values are placeholders for your own names):

*  Create a view:
   snmp-server view <view-name> iso included

*  Set the security model (if there is no ACL, then please ignore "access <access-list>"):
   snmp-server group <group-name> v3 auth read <LMSView> write <LMSView> access <access-list>

*  Create a user and the authentication protocol to be used:
   snmp-server user <user-name> <group-name> v3 auth md5 <password>

*  Create a context for every VLAN on which you have end hosts:
   snmp-server group netset v3 auth context <context-name>

Enabling SNMP Traps on Switch Ports

Admin > Collection Settings: User Tracking > Device Trap Configuration

You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when a host is connected to or disconnected from that port.  Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps.

Configuring SNMP Trap Listener

Admin > Collection Settings: User Tracking > Trap Listener Configuration

LMS receives SNMP traps directly from the switches if you configure the port to direct the traps through primary listeners such as HP OpenView (HPOV) or Cisco Prime Device Fault Manager (DFM) applications.

Understanding Dynamic Updates

Admin > Collection Settings: User Tracking > Dynamic Update Process Status

User Tracking generates reports on various functions and attributes of the end hosts and devices connected to your network that are managed by LMS. These reports are generated by polling the network at intervals set by the network administrator.

In addition to polling the network at regular intervals, LMS tracks changes about the end hosts and users on the network to provide real-time updates.

Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps.


Using SNMP Walk

SNMP Walk allows you to trace the MIB tree of a device starting from a given OID for troubleshooting, or gathering information about a certain device.

You should have System Administrator privileges to use this feature.

To use SNMP Walk:

  1. Select Inventory > Tools > Device Center.

  2. Select a type of problem from the Problem Type drop-down list.

  3. Follow the steps mentioned in Troubleshooting Device Diagnostics to proceed with diagnosing devices.

  The troubleshooting information for a device appears in a new tab in the form of portlets under the respective panes.

  4. Click the Device Status pane.

  5. Click SNMP Walk from the list of Quick Links.

  The SNMP Walk dialog box appears.

  6. Enter the IP address or DNS name.

  7. Select the SNMP Version to be used.

  For SNMP Version 1 and 2c (if it is a 64-bit counter, use SNMPv2):

    1. Enter the Read community string.

  For SNMP Version 3 (NoAuthNoPriv and AuthNoPriv security levels):

    1. Enter the SNMPv3 Username.

    2. Enter the SNMPv3 Auth Password.

    3. Specify the SNMP v3 Auth Protocol. Select either the MD5 radio button or the SHA radio button.

    4. Enter the SNMP Context Name. This is optional.

  For SNMP Version 3 (AuthPriv Security level):

    1. Enter the SNMPv3 Username.

    2. Enter the SNMPv3 Auth Password.

    3. Specify the SNMP v3 Auth Protocol. Select either the MD5 radio button or the SHA radio button.

    4. Enter the Privacy Password.

    5. Select a Privacy Protocol from the drop-down list. The available items are:

      * DES
      * 3DES
      * AES128
      * AES192
      * AES256

    6. Enter the SNMP Context Name. This is optional.

  8. Enter the starting OID (optional). If you leave this field blank, the tool will start from 1.

  9. Enter the SNMP Timeout. The default value is 10 seconds.

  10. Select the Output OIDs Numerically check box to print the output OIDs numerically. This is optional.

  By default, the corresponding name of the OID is printed in the output window.

  11. Select the Output Indexes Numerically check box to show the output index numerically. This is optional.

  12. Select the Debug check box to enable the debugging option. This is optional.

  Note: All the fields are case-sensitive.

  13. Click OK to get the results.

The results will be based on the parameters you entered. When the walk is complete, you can save it as text. A full walk may take a long time.

The read/write username and password for SNMPv3 and the read/write community string for SNMP v1/v2c are case sensitive. The SNMP Walk dialog box displays the credentials (SNMP v1/v2c/v3) for the device from the Device Credential Repository, if these are available. Otherwise, the default values for the respective SNMP versions are displayed.

If you launch the SNMP Walk feature with Network Operator/Help Desk privilege, device credential fetching fails and the fields for the read/write community strings of SNMP v1/v2c and the read/write SNMPv3 credentials are set to default values. You have to manually enter the SNMP v1/v2c/v3 credentials.

Hi,

As far as I know the snmp view has full read/write access.

Here are some configs.

ROUTERNAME#show snmp view | sec v1default
v1default iso - included permanent active
v1default internet.6.3.15 - excluded permanent active
v1default internet.6.3.16 - excluded permanent active
v1default internet.6.3.18 - excluded permanent active
v1default ciscoMgmt.394 - excluded permanent active
v1default ciscoMgmt.395 - excluded permanent active
v1default ciscoMgmt.399 - excluded permanent active
v1default ciscoMgmt.400 - excluded permanent active

ROUTERNAME#show snmp user
User name: ****************
Engine ID: ************************
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: LMSgroup

ROUTERNAME#show snmp group
groupname: LMSgroup                        security model:v3 priv
contextname:          storage-type: nonvolatile
readview : v1default                        writeview: v1default
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
row status: active

ROUTERNAME#show run | sec snmp
snmp-server group LMSgroup v3 priv write v1default
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server location Home1
snmp-server system-shutdown
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server host ***.***.***.*** version 3 priv ****************

So I guess everything is correctly configured, as I can see the SNMP packets arrive on the server with Wireshark.

But they don't get logged.

Yesterday I found a list of traps that LMS is capable of sending, and a login-trap wasn't in it.

Is it possible that LMS cannot log a login-trap from a router?

thnx.

Hi,

Are other traps/syslogs being processed or is this only device having issue?  Are all the services running on your LMS server?

What do you see when navigating to Admin > Collection Settings > Syslog > Syslog Collector Settings?

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/oview.html#wp1109739

Thanks.

Hi,

None of the traps are being processed.

If we change everything to SNMPv2 it works, but it doesn't work with SNMPv3.

When I go to Admin > Collection Settings > Syslog > Syslog Collector Status:

I can test the collector subscription and it tells me that the SSL certificate status is OK

and the collector status of the server is up and reachable.
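When SNMPv3 traps are visible in a capture but a collector silently ignores them, the first thing worth checking is what the outer SNMPv3 header actually carries, since for a trap (unlike an inform) the authoritative engine is the sending router, so the receiver must already know that engine ID and USM user. The decoder below is an added example, not code from the thread or from Cisco Prime LMS; it parses the RFC 3412/3414 header of a raw UDP payload and builds a small constructed sample trap to run against (the engine ID, user name and counters are made up).

```python
# Added example: decode the outer SNMPv3 message header of a captured trap so you
# can see the security-level flags, the sender's engine ID and the USM user name
# before the receiver ever looks at the (possibly encrypted) scoped PDU.

def ber_read(buf, pos=0):
    """Read one BER TLV; returns (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_children(value):
    """Split a constructed value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = ber_read(value, pos)
        out.append((tag, val))
    return out

def parse_snmpv3_header(msg):
    """Return the header fields of an SNMPv3/USM message as a dict."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    (_, ver), (_, gdata), (_, secp), (data_tag, _) = ber_children(body)
    if int.from_bytes(ver, "big") != 3:
        raise ValueError("not an SNMPv3 message")
    _msg_id, _max_size, flags, sec_model = [v for _, v in ber_children(gdata)]
    # msgSecurityParameters is an OCTET STRING wrapping the USM SEQUENCE
    engine_id, boots, etime, user, auth, priv = [v for _, v in ber_children(ber_children(secp)[0][1])]
    f = flags[0]
    return {
        "auth": bool(f & 0x01), "priv": bool(f & 0x02), "reportable": bool(f & 0x04),
        "security_model": int.from_bytes(sec_model, "big"),          # 3 = USM
        "engine_id": engine_id.hex(), "engine_boots": int.from_bytes(boots, "big"),
        "engine_time": int.from_bytes(etime, "big"), "user": user.decode(),
        "auth_param_len": len(auth), "priv_param_len": len(priv),
        "scoped_pdu_encrypted": data_tag == 0x04,   # OCTET STRING only when privacy is on
    }

# --- constructed sample: a short-form BER encoder used only to build a test trap ---
def tlv(tag, val):
    return bytes([tag, len(val)]) + val            # sample is < 128 bytes per field

def integer(n):
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

ENGINE_ID = bytes.fromhex("800000090300112233aabb")   # made-up, MAC-based format
USM = tlv(0x30, tlv(0x04, ENGINE_ID) + integer(7) + integer(123456) + tlv(0x04, b"lmsuser")
          + tlv(0x04, bytes(12)) + tlv(0x04, bytes(8)))   # zeroed auth/priv params
SAMPLE_TRAP = tlv(0x30, integer(3)
                  + tlv(0x30, integer(42) + integer(65507) + tlv(0x04, b"\x03") + integer(3))
                  + tlv(0x04, USM) + tlv(0x04, bytes(24)))  # flags 0x03 = authPriv, not reportable
```

Run it over the UDP payload of a trap exported from the capture and compare the engine ID and user name with what the receiver has been told about that router; a mismatch there is invisible in the capture summary but fatal to USM processing.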