SNMPv3 on embedded system


Adrian Bica

May 19, 2011, 3:45:40 PM
I am trying to implement an SNMP agent on an ARM-based embedded system. Everything works fine in SNMPv2. I want to get SNMPv3 working.
For simplicity, I started with no auth no privacy.
When I try to do a request, the agent does not answer at all. If in my request I put a wrong engineID or user, then the agent answers with the message unknown engineID/user. But when everything is ok, it does not answer at all.

In my snmpd.conf file I have the lines:

createUser

_______________________________________________
Net-snmp-users mailing list
Net-snm...@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users

Adrian Bica

May 19, 2011, 3:49:43 PM
For some reason, the previous message did not go through completely. I apologize and send it again:

I am trying to implement an SNMP agent on an ARM-based embedded system. Everything works fine in SNMPv2. I want to get SNMPv3 working.
For simplicity, I started with no auth no privacy.
When I try to do a request, the agent does not answer at all. If in my request I put a wrong engineID or user, then the agent answers with the message unknown engineID/user. But when everything is ok, it does not answer at all.

In my snmpd.conf file I have the lines:

createUser user1
rwuser user1

Can anybody help me with this issue? Again snmpv2c works just fine.

Thank you

Dave Shield

May 19, 2011, 4:20:06 PM
On 19 May 2011 20:49, Adrian Bica <adria...@yahoo.com> wrote:
> In my snmpd.conf file I have the lines:
>
> createUser user1


$ man snmpd.conf
createUser username (MD5|SHA) authpassphrase [DES|AES] [privpassphrase]

Try adding the missing parameters

Dave

Ron Rader

May 19, 2011, 4:38:12 PM
> From: Adrian Bica [mailto:adria...@yahoo.com]

> when everything ok, it does not answer at all.

I see that Dave addressed your configuration issue. From my own
experience, don't assume you are actually using the same engine IDs.
snmpd creates its own engine ID that does not match the "engineID" seed
specified in /usr/local/share/snmp/snmpd.conf.

Check the snmpd persistent configuration store at
/var/net-snmp/snmpd.conf. In it you will find an "oldEngineID" value.
Use that to configure your management stations and retry.

For example, on my test system I have the following data:

/usr/local/share/snmp/snmpd.conf
- engineID ""

/var/net-snmp/snmpd.conf
- oldEngineID 0x80001f88042222

You must use the oldEngineID value in your management station
configuration.

You have to jump the engine ID hurdle before you face the USM hurdle.
Also, don't hesitate to use full debug mode on both the agent and the
management applications, that will help a lot in finding out why SNMPv3
traffic gets lost.

Ron

The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting all copies. Thank you.

Adrian Bica

May 19, 2011, 5:06:07 PM
Thank you and Dave for your prompt answers.
I wanted to use a non authenticated and not encrypted agent, just to get things started. I assumed that a line "createUser user1" will do this.

Anyway, I changed the line to:
createUser user1 MD5 12345678

and I have the same results (i.e. no answer from agent - I use Wireshark sniffer to see the traffic). If I force a wrong password in my manager, then I get an answer saying usmStatsWrongDigests (which is a legitimate answer). But with correct password, the agent doesn't say anything at all.

The engineID seems to be ok (again, forcing a bad one will conduct to some rejection message, good one - no message)

Ron Rader

May 19, 2011, 5:20:45 PM
> From: Adrian Bica [mailto:adria...@yahoo.com]

> The engineID seems to be ok (again, forcing a bad one will conduct to some
> rejection message, good one - no message)

Lack of an engine ID error does not equal engine ID success. There
are many layers that the SNMPv3 traffic needs to pass before you can get
it working. It will be very useful for you to enable debug modes on
both your agent and management applications to see exactly what's
happening. If the agent is throwing the traffic away there is no way to
tell why other than debug mode.

In my cases (net-snmp 5.4.1 and net-snmp 5.5) failed engine ID
verifications resulted in no error traffic. This may be intentional to
help prevent brute force discovery of engine ID values.

Ron


Adrian Bica

May 19, 2011, 5:44:18 PM
My engineID as returned by the agent is 80001F8801C0A80317 (generated from IP). I put this in my manager (I'm using SNMPc) and if I change one digit of it, I get a usmStatusUnknownEngineIDs message. Without changing anything, I get no answer. I think this is good enough proof that the engine ID is correct.

How do I turn debug on (I'm on embedded board with limited capabilities, I have ssh console available anyway)?

Thanks,
Adrian

PS How do I keep these posts to stick to one thread? I see they show up as separate threads...

--- On Thu, 5/19/11, Ron Rader <ron....@certesnetworks.com> wrote:

> From: Ron Rader <ron....@certesnetworks.com>
> Subject: RE: SNMPv3 on embedded system

Adrian Bica

May 20, 2011, 10:08:36 AM
Well, I figured out that the snmpd server is answering properly when I do the request from the same subnet.
All the day yesterday, I tried requests from a different subnet. There is no firewall problem between them, should be something internally to net-snmp, probably some setting. Any idea?

Wes Hardaker

May 23, 2011, 12:46:45 PM
>>>>> On Thu, 19 May 2011 12:49:43 -0700 (PDT), Adrian Bica <adria...@yahoo.com> said:

AB> rwuser user1

The default access granted by rwuser is 'authNoPriv'. You need to
change that to:

rwuser user1 noauth

if you are using it without authentication/privacy as you indicated.
--
Wes Hardaker
Cobham Analytic Solutions
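
The mismatch described above (a user created without keys while rwuser defaults to authNoPriv) can be checked mechanically before deploying a configuration. The linter below is an added example, not net-snmp code; it handles only the createUser and rwuser/rouser forms shown in this thread, and it assumes that a createUser line without an auth protocol yields a user with no keys.

```python
# Added example (not net-snmp code): compare what each createUser line can
# do with what the matching rwuser/rouser line demands.
LEVELS = {"noauth": 0, "auth": 1, "priv": 2}
NAMES = ("noAuthNoPriv", "authNoPriv", "authPriv")

def user_capability(args):
    """Highest level reachable with the keys on a createUser line.
    args follows the synopsis quoted in the thread:
    (MD5|SHA) authpassphrase [DES|AES] [privpassphrase]"""
    if len(args) < 2 or args[0].upper() not in ("MD5", "SHA"):
        return 0  # assumption: no auth protocol given means no keys
    if len(args) >= 3 and args[2].upper() in ("DES", "AES"):
        return 2
    return 1

def lint(conf_text):
    """Return (user, finding) tuples for the snmpd.conf text."""
    users, access, findings = {}, [], []
    for line in conf_text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0].startswith("#"):
            continue
        if tok[0] == "createUser":
            users[tok[1]] = user_capability(tok[2:])
        elif tok[0] in ("rwuser", "rouser"):
            # With no level token, the thread states the default is authNoPriv.
            level = LEVELS.get(tok[2].lower(), 1) if len(tok) > 2 else 1
            access.append((tok[1], level))
    for name, level in access:
        cap = users.get(name)
        if cap is None:
            findings.append((name, "no createUser line"))
        elif cap < level:
            findings.append((name, f"access needs {NAMES[level]}, "
                                   f"user only supports {NAMES[cap]}"))
        if level == 0:
            findings.append((name, "noauth: unauthenticated requests accepted"))
    return findings

# Constructed samples based on the configurations posted in the thread.
ORIGINAL = "createUser user1\nrwuser user1\n"
WITH_AUTH = "createUser user1 MD5 12345678\nrwuser user1\n"
NOAUTH = "createUser user1\nrwuser user1 noauth\n"

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("with auth", WITH_AUTH),
                        ("noauth", NOAUTH)):
        print(label, lint(conf))
```

The noauth finding is reported even when the configuration is internally consistent, because that access line lets requests through without any authentication and is worth reviewing before the agent leaves the lab.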

Adrian Bica

May 23, 2011, 2:03:06 PM
I actually just found the problem: I set up by mistake a context name into my MIB browser. Removing that fixed the problem.
Thanks

--- On Mon, 5/23/11, Wes Hardaker <hard...@users.sourceforge.net> wrote:

> From: Wes Hardaker <hard...@users.sourceforge.net>
> Subject: Re: SNMPv3 on embedded system
> To: "Adrian Bica" <adria...@yahoo.com>
