SNMPv3 authpriv problem - Not in Time Windows

phil_carter
Level 1

I'm trying to model a Cisco 2911 using SNMPv3 with authentication and encryption; however, it won't work. The config is exactly the same as one already running on an identical router (same IOS), but it fails to communicate. SNMPv1 works fine:

KENSWO_D_CR291_01#sh snmp

...

189 SNMP packets input

    0 Bad SNMP version errors

    0 Unknown community name

    0 Illegal operation for community name supplied

    0 Encoding errors

    250 Number of requested variables

    0 Number of altered variables

    23 Get-request PDUs

    94 Get-next PDUs

    0 Set-request PDUs

    0 Input queue packet drops (Maximum queue size 1000)

285 SNMP packets output

    0 Too big errors (Maximum packet size 1500)

    0 No such name errors

    0 Bad values errors

    0 General errors

    117 Response PDUs

    96 Trap PDUs

SNMP Dispatcher:

   queue 0/75 (current/max), 0 dropped

SNMP Engine:

   queue 0/1000 (current/max), 0 dropped

    0 Unknown Security Models

    0 SNMP Invalid Messages

    0 SNMP Unknown PDU handlers

    0 Unsupported Security Level

    1 Unknown User Names

    1 Unknown EngineIDs

    70 Not In Time Windows  <<<<<<<<<<<<

    0 Wrong MD5 or SHA Digests

    0 Decryption Errors

debug snmp packet / detail shows the below error in the logs:

000642: Jun 26 15:37:49: SNMP: Packet received via UDP from 10.2.0.129 on Vlan4

SrParseV3SnmpMessage: not in lifetime failure

SrParseV3SnmpMessage: Failed.

SrDoSnmp: Packet not in Time Window

000643: Jun 26 15:37:49: SNMP: Report, reqid 2147483647, errstat 0, erridx 0

internet.6.3.15.1.1.2.0 = 71

000644: Jun 26 15:37:49: SNMP: Packet sent via UDP to 10.2.0.129

process_mgmt_req_int: UDP packet being de-queued

000645: Jun 26 15:37:52: SNMP: Packet received via UDP from 10.2.0.129 on Vlan4

SrParseV3SnmpMessage: not in lifetime failure

SrParseV3SnmpMessage: Failed.

SrDoSnmp: Packet not in Time Window

Config:

snmp-server group USER-GROUP v3 priv

snmp-server host 10.2.0.129 version 3 priv USER

snmp-server user USER USER-GROUP v3 auth md5 password priv des password

KENSWO_D_CR291_01#sh snmp engin

Local SNMP engineID: 800000090300000000000000

Remote Engine ID          IP-addr    Port

KENSWO_D_CR291_01#sh snmp user

User name: USER

Engine ID: 800000090300000000000000

storage-type: nonvolatile        active

Authentication Protocol: MD5

Privacy Protocol: DES

Group-name: USER-GROUP

Has anyone seen this or can advise further?

Thanks

Phil

4 Replies

Joe Clarke
Cisco Employee
(Accepted Solution)

This error points to specifying a bad engine time when querying your device.  How are you doing the querying?  Are you using the same exact command line from the working device?  If so, you can't use the same engine ID, boots, and engine time.  Note: the way SNMPv3 typically works is that the first query will be without an engine ID, boots, or engine time.  The device will reply with a REPORT packet that contains the authoritative values.  The manager will then re-request the objects with the appropriate engine values.

If you're seeing repeated time window violations, you may have a bad SNMP engine cache on your manager.
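What Joe describes (a first query without engine values, a REPORT carrying the authoritative engine ID, boots and time, then a re-request) is the RFC 3414 discovery and timeliness mechanism. The variable binding in the REPORT from the debug output above, internet.6.3.15.1.1.2.0, is usmStatsNotInTimeWindows (1.3.6.1.6.3.15.1.1.2.0), so the 71 is the router's own counter being echoed back. The Python model below is an added example, not code from this thread or from Cisco: it implements the agent-side time-window check and a manager-side cache, and shows why two routers that share one engine ID produce a steady stream of Not In Time Windows reports even though each individual poll succeeds after a retry. The manager's cache is keyed by engine ID, as RFC 3414 prescribes, so each router's REPORT overwrites the other's boots/time values. All engine IDs, addresses, boot counters and clock values are constructed.

```python
"""Model of SNMPv3 engine discovery and the RFC 3414 timeliness check.
Added example (not code from the thread or from Cisco). All engine IDs,
boot counters and clock values below are constructed."""
from dataclasses import dataclass, field

# RFC 3414, section 3.2 step 7: a message from a manager is "in the time
# window" only if its snmpEngineBoots matches the agent's and its
# snmpEngineTime is within 150 seconds of the agent's clock.
TIME_WINDOW_SECONDS = 150

# usmStats counters (RFC 3414). The router's REPORT in the debug output
# carried internet.6.3.15.1.1.2.0, i.e. usmStatsNotInTimeWindows.
USM_STATS_NOT_IN_TIME_WINDOWS = "1.3.6.1.6.3.15.1.1.2.0"
USM_STATS_UNKNOWN_ENGINE_IDS = "1.3.6.1.6.3.15.1.1.4.0"


def in_time_window(agent_boots, agent_time, msg_boots, msg_time):
    """Authoritative-side timeliness check from RFC 3414 section 3.2."""
    return msg_boots == agent_boots and abs(agent_time - msg_time) <= TIME_WINDOW_SECONDS


@dataclass
class Report:
    """A REPORT PDU: the counter that fired plus the authoritative values."""
    oid: str
    engine_id: bytes
    boots: int
    time: int


@dataclass
class Agent:
    """Authoritative engine (the router). Its clock is frozen for simplicity."""
    engine_id: bytes
    boots: int
    time: int
    stats: dict = field(default_factory=lambda: {
        USM_STATS_NOT_IN_TIME_WINDOWS: 0, USM_STATS_UNKNOWN_ENGINE_IDS: 0})

    def handle(self, engine_id, boots, time):
        """Return a Report, or None when the request is accepted."""
        if engine_id != self.engine_id:
            # Discovery probe (empty engine ID) or a wrong engine ID.
            self.stats[USM_STATS_UNKNOWN_ENGINE_IDS] += 1
            return Report(USM_STATS_UNKNOWN_ENGINE_IDS, self.engine_id, self.boots, self.time)
        if not in_time_window(self.boots, self.time, boots, time):
            self.stats[USM_STATS_NOT_IN_TIME_WINDOWS] += 1
            return Report(USM_STATS_NOT_IN_TIME_WINDOWS, self.engine_id, self.boots, self.time)
        return None


class Manager:
    """Non-authoritative side. As RFC 3414 prescribes, the cache of
    (boots, time) is keyed by engine ID, not by the device's address."""

    def __init__(self):
        self.engine_for_address = {}  # address -> engine ID learned by discovery
        self.cache = {}               # engine ID -> (boots, time)

    def get(self, address, agent):
        """One GET: send cached values; on a Report, learn and retry once.
        Returns the list of Report OIDs received (empty means success)."""
        reports = []
        for _ in range(2):
            engine_id = self.engine_for_address.get(address, b"")
            boots, time = self.cache.get(engine_id, (0, 0))
            report = agent.handle(engine_id, boots, time)
            if report is None:
                return reports
            reports.append(report.oid)
            self.engine_for_address[address] = report.engine_id
            self.cache[report.engine_id] = (report.boots, report.time)
        return reports


def make_scenario(shared_engine_id):
    """Two routers. With shared_engine_id=True both carry the same engine ID
    (as happens when an engineID line is pasted between configs) but, being
    different boxes, have different boots/time values. Values are constructed."""
    eid_a = b"\x80\x00\x00\x09\x03\x00\x11\x22\x33\x44\x55"
    eid_b = eid_a if shared_engine_id else b"\x80\x00\x00\x09\x03\x00\x11\x22\x33\x44\x66"
    return {"10.0.0.1": Agent(eid_a, boots=5, time=1000),
            "10.0.0.2": Agent(eid_b, boots=2, time=4000)}


def poll(agents_by_address, rounds):
    """Poll each router `rounds` times in turn; return the total
    usmStatsNotInTimeWindows count across all routers."""
    mgr = Manager()
    for _ in range(rounds):
        for address, agent in agents_by_address.items():
            mgr.get(address, agent)
    return sum(a.stats[USM_STATS_NOT_IN_TIME_WINDOWS] for a in agents_by_address.values())


if __name__ == "__main__":
    print("unique engine IDs, 3 rounds:", poll(make_scenario(False), 3))  # 0
    print("shared engine ID, 3 rounds: ", poll(make_scenario(True), 3))   # 4
```

With unique engine IDs each router answers exactly one usmStatsUnknownEngineIDs REPORT (the discovery probe, matching the "1 Unknown EngineIDs" in the show snmp output) and nothing else; with a shared engine ID every poll after the first round is answered with a Not In Time Windows REPORT first, which is the pattern of a counter that keeps climbing while queries still eventually succeed.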

Hello - yes, it has the same engine ID shown in the sh snmp engine command. I see this can be changed using a local engine ID (see below), but what hex value should be used per device to make sure this is unique (I tried using a hex conversion of an IP on the device, but it stated it needs 10 digits)?

snmp-server engineID local <10-digit-hex-value>

Is there a standard policy to follow?

Thanks

Phil

Did you change the engine ID originally?  The engine ID needs to be unique across all devices.  By default, this will be the case (unless you're seeing a bug).  You should never copy and paste the SNMP engine ID config from one device to another.  If you did this, configure the following:

no snmp-server

Then reload.  When the device reboots, reconfigure your SNMPv3 parameters WITHOUT changing the engine ID.  That should give you a unique value.

Used a MAC address from an interface on the router as the SNMP engine ID - all working - thanks.