
Re: How to configure snmpd as a proxy for SNMPv3 GET requests


Dave Shield

Nov 11, 2010, 3:38:24 AM
On 11 November 2010 06:48, Hansen Candrawinata
<hansen.ca...@gmail.com> wrote:
> Now, I want to use snmpd to act as a proxy on host1 to relay GET requests to
> the agent...

> This is what I currently have in my snmpd.conf (only one line):
>   proxy -v3 -u defaultUser -A "mypassword" -l authNoPriv localhost:8085 .1.3
>
> When using the above snmpget command to send a GET request to the proxy
> (instead of to the agent directly), I get a timeout error:

What access control settings do you have in the snmpd.conf file on host1?
Remember, the snmp agent providing the proxy service needs to validate the
request before it is passed on to the other agent.

I suggest that you get queries to the Net-SNMP agent running on host1
working first, before you look at passing some of these requests on
to the second agent.


Dave


Hansen Candrawinata

Nov 11, 2010, 8:52:36 AM
Hi Dave,

On Thu, Nov 11, 2010 at 7:38 PM, Dave Shield <D.T.S...@liverpool.ac.uk> wrote:
> What access control settings do you have in the snmpd.conf file on host1?
> Remember, the snmp agent providing the proxy service needs to validate the
> request before it is passed on to the other agent.
>
> I suggest that you get queries to the Net-SNMP agent running on host1
> working first, before you look at passing some of these requests on
> to the second agent.

Here is the full content of my snmpd.conf on host1, which looks pretty
similar to the one described at
http://net-snmp.sourceforge.net/wiki/index.php/Snmpd_proxy:

<snmpd.conf>
view systemview included .1.3.6.1

com2sec notConfigUser default public

group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser

access notConfigGroup "" any noauth exact systemview none none

com2sec -Cn ctx_remotehost1 notConfigUser default cmty_remotehost1
com2sec -Cn ctx_remotehost2 notConfigUser default cmty_remotehost2

access notConfigGroup ctx_remotehost any noauth prefix systemview none none

proxy -Cn ctx_remotehost1 -v 2c -c public@TEST-CONTEXT localhost:8085 .1.3.6.1.4.1.9999
proxy -Cn ctx_remotehost2 -v 3 -u defaultUser -a MD5 -A "mypassword" -l authNoPriv -n TEST-CONTEXT localhost:8085 .1.3.6.1.4.1.9999
</snmpd.conf>

I am able to send some SNMP queries to snmpd providing the proxy
service, for example:
$ snmpget -v2c -c public localhost:161 .1.3.6.1.2.1.1.3.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (7250) 0:01:12.50

Sending SNMPv1/2c queries to snmpd to relay it to the second agent
also works fine. For example:
$ snmpget -v2c -c cmty_remotehost1 host1:161 .1.3.6.1.4.1.9999.2.0
SNMPv2-SMI::enterprises.9999.2.0 = INTEGER: 3

But not when sending SNMPv3 queries to snmpd to relay it to the second
agent as I get a timeout error:
$ snmpget -v3 -u defaultUser -A mypassword -l authNoPriv -n TEST-CONTEXT host1:161 .1.3.6.1.4.1.9999.2.0
Timeout: No Response from host:161.

But if I send the SNMPv3 query above directly to the second agent, it
works fine:
$ snmpget -v3 -u defaultUser -A mypassword -l authNoPriv -n TEST-CONTEXT host1:8085 .1.3.6.1.4.1.9999.2.0
SNMPv2-SMI::enterprises.9999.2.0 = INTEGER: 3

Perhaps my proxy directive for SNMPv3 in the above snmpd.conf is
wrong? Frankly, I don't know where I should put the context name of
the second agent (TEST-CONTEXT) in the snmpd.conf.
I have tried replacing the above SNMPv3 proxy line with the following
(which may not make sense at all!):
proxy -Cn TEST-CONTEXT -v 3 -u defaultUser -a MD5 -A "mypassword" -l authNoPriv -n TEST-CONTEXT localhost:8085 .1.3.6.1.4.1.9999

But sending an SNMPv3 query to snmpd now results in an authorization error:
$ snmpget -v3 -u defaultUser -A mypassword -l authNoPriv -n TEST-CONTEXT host1:161 .1.3.6.1.4.1.9999.2.0
Error in packet
Reason: authorizationError (access denied to that object)

The second agent is an application written in Java using openDMK to
support SNMPv1/2c/3 queries. It has the following settings in terms
of context binding and users.
context name=TEST-CONTEXT
security level=authNoPriv
user=defaultUser
password=mypassword

I need to use snmpd to act as a proxy between the SNMP managers and
the second agent. The goal is that the SNMP managers should be able
to send certain SNMPv1/v2c/v3 queries to snmpd which will then pass
them to the second agent. But, as seen in my case above, only
SNMPv1/2c queries work so far with snmpd.

So where might things have gone wrong?

Thanks,
Hansen
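
Added example, not part of the original thread: a simplified VACM check over the snmpd.conf posted above, reporting for each proxy context whether a request of a given security model (v2c or usm) has a matching group and access entry on the proxying agent. It reads only group, access and proxy lines (rouser/rwuser shorthand, security levels and views are ignored); WITH_USM and its v3Group name are constructed for illustration.

```python
import shlex

# snmpd.conf from the post (wrapped proxy lines joined), embedded as sample input.
POSTED = '''
view systemview included .1.3.6.1
com2sec notConfigUser default public
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
access notConfigGroup "" any noauth exact systemview none none
com2sec -Cn ctx_remotehost1 notConfigUser default cmty_remotehost1
com2sec -Cn ctx_remotehost2 notConfigUser default cmty_remotehost2
access notConfigGroup ctx_remotehost any noauth prefix systemview none none
proxy -Cn ctx_remotehost1 -v 2c -c public@TEST-CONTEXT localhost:8085 .1.3.6.1.4.1.9999
proxy -Cn ctx_remotehost2 -v 3 -u defaultUser -a MD5 -A "mypassword" -l authNoPriv -n TEST-CONTEXT localhost:8085 .1.3.6.1.4.1.9999
'''

# Constructed variant: v3Group and its group/access lines are hypothetical, not from the thread.
WITH_USM = '''
view systemview included .1.3.6.1
group v3Group usm defaultUser
access v3Group TEST-CONTEXT usm auth exact systemview none none
proxy -Cn TEST-CONTEXT -v 3 -u defaultUser -a MD5 -A "mypassword" -l authNoPriv -n TEST-CONTEXT localhost:8085 .1.3.6.1.4.1.9999
'''

def parse(conf):
    groups, access, proxies = set(), [], []
    for line in conf.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:1] == ["group"] and len(tok) >= 4:
            groups.add((tok[1], tok[2]))  # (group, security model)
        elif tok[:1] == ["access"] and len(tok) >= 6:
            access.append((tok[1], tok[2], tok[3], tok[5]))  # group, context, model, match
        elif tok[:1] == ["proxy"]:
            proxies.append(tok[tok.index("-Cn") + 1] if "-Cn" in tok else "")
    return groups, access, proxies

def reachable(conf, model):
    """Map each proxy context to whether a request of this security model can pass VACM."""
    groups, access, proxies = parse(conf)
    result = {}
    for ctx in proxies:
        result[ctx] = any(
            (ctx == actx if match == "exact" else ctx.startswith(actx))
            and amodel in ("any", model) and (grp, model) in groups
            for grp, actx, amodel, match in access)
    return result

if __name__ == "__main__":
    print(reachable(POSTED, "v2c"), reachable(POSTED, "usm"), reachable(WITH_USM, "usm"))
```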
