Discussion:
Problems Migrating from snmp v2c to v3
Gary Treadway
2013-01-15 15:57:57 UTC
Gary Treadway [http://community.zenoss.org/people/vadragon] created the discussion

"Problems Migrating from snmp v2c to v3"

To view the discussion, visit: http://community.zenoss.org/message/71016#71016

--------------------------------------------------------------
Hello.
I am very new to Zenoss and I am having a problem with converting our installation from snmp v2c to snmp v3.

I have successfully changed snmp on the zenoss server, running 4.2 on a Red Hat Enterprise Linux 6.3 server.
I am able to run an snmpwalk -v3 localhost system on both the zenoss server and one of the monitored servers but now under zenoss I am getting error messages about the snmp agent being down and "Unable to read process on device XXX.XXX.XXX.XXX; Timeout on Device"

If I model the device it takes over 150 seconds to model the device even though the scan says it took only 4.73 seconds.  The difference is the time it takes from the time I click on Model device and the time it says ZenModeler is shutting down.

Any help would be appreciated.

Thank you in advance
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/71016#71016]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
nilie
2013-01-15 17:16:34 UTC
nilie [http://community.zenoss.org/people/nilie] created the discussion

"Re: Problems Migrating from snmp v2c to v3"

To view the discussion, visit: http://community.zenoss.org/message/71000#71000

--------------------------------------------------------------
Did you check to make sure Zenoss server is using the same parameters (security model, authentication type, username and password, encryption type etc.)? When you do a snmpwalk v3 from Zenoss, what are the parameters used? Oh, and by the way, if you use a community name with snmp v3, at least on Cisco devices this will also enable v2 access. Can you post here your server snmp configuration, of course without the passwords?
--------------------------------------------------------------

Gary Treadway
2013-01-17 14:13:15 UTC
Gary Treadway [http://community.zenoss.org/people/vadragon] created the discussion

"Re: Problems Migrating from snmp v2c to v3"

To view the discussion, visit: http://community.zenoss.org/message/71053#71053

--------------------------------------------------------------
As far as I can tell everything is set correctly.
When I run the snmpwalk command from zenoss it hangs and I do not get results back.
This is the base command for zenoss for snmpwalk:
snmpwalk -${device/zSnmpVer} -c${device/zSnmpCommunity} ${device/snmpwalkPrefix}${here/manageIp}:${here/zSnmpPort} system


When I run it, the following shows up (IP address masked for security reasons):
snmpwalk -v3 -c XXX.XXX.XXX.246:161 system



When I run the same command without the -c from the command line it works fine.

My snmpd.conf (under Red Hat 6.3) is pretty simple (username masked out for security):

# Second, map the security name into a group name:
#       groupName      securityModel securityName
group   notConfigGroup v1           notConfigUser
group   notConfigGroup v2c           notConfigUser
group   notConfigGroup v3           <USERNAME>
# Make at least  snmpwalk -v 1 localhost -c public system fast again.
#       name           incl/excl     subtree         mask(optional)
view    all            included      .1
view    systemview    included   .1.3.6.1.2.1.1
view    systemview    included   .1.3.6.1.2.1.25.1.1

# Finally, grant the group read-only access to the systemview view.
#       group          context sec.model sec.level prefix read   write  notif

access  notConfigGroup ""      any       noauth    exact  all    all    none

# It is also possible to set the sysContact and sysLocation system
# variables through the snmpd.conf file:
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root <***@localhost> (configure /etc/snmp/snmp.local.conf)

dontLogTCPWrappersConnects yes

rwuser <USERNAME> authpriv .1


Thank you for your assistance
--------------------------------------------------------------

nilie
2013-01-17 16:00:36 UTC
nilie [http://community.zenoss.org/people/nilie] created the discussion

"Re: Problems Migrating from snmp v2c to v3"

To view the discussion, visit: http://community.zenoss.org/message/71067#71067

--------------------------------------------------------------
I never tried configuring snmp v3 on a Linux server, however your snmpwalk does not seem to me like a proper snmp v3. I'm using snmp v3 with Cisco routers to manage our public Internet routers, obviously for security reasons so here's how a proper snmpwalk looks in my case :

snmpwalk -v 3 -l authPriv -a sha -A password -x des -X sharedsecret -u username hostname system

where :
* authPriv is the security method I have chosen
* password is for authentication purpose defined on device and in Zenoss
* sharedsecret is used for the encryption of snmp traffic (in case you chose to encrypt it) both in Zenoss and the device
* username is for authentication purpose defined in Zenoss and in the device
* hostname is the snmp v3 host you are polling

Basically, to have a functional snmp v3 communication with a host, you will need to define a username and password, choose the security model, and an encryption shared secret if needed.

The tricky bit is that in Zenoss you cannot choose the security model explicitly. It's Zenoss that will figure it out based on what you configure for authentication and encryption. For example, if you don't configure any encryption parameters (type and sharedsecret) Zenoss will pick up authentication only security model.

Here's how I configured it in Zenoss :

1. for authentication and privacy
[screenshots not preserved]

2. for authentication only (router IOS does not offer encryption)
[screenshots not preserved]
see zSnmpPrivPassword and zSnmpPrivType are empty

Also, if you want to use snmp v3 for security purposes then don't configure snmp v2 at all.

At first glance, apart from the configuration of snmp v3 on Linux server, it seems that you did not configure any authentication and encryption parameters in Zenoss, otherwise you will see a denied access. Zenoss seems to fall back on using a community name (this means no authentication and no encryption). More than that, the line

access  notConfigGroup ""      any       noauth    exact  all    all    none

in your snmpd.conf seems to imply the server requires no authentication at all for snmp access, but don't take my word for that because as I said I never configured snmp v3 on a Linux server.

I hope this will give you a hint at least.
--------------------------------------------------------------
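Added example, not part of any post in this thread: a small checker for the snmpd.conf access-control directives discussed above, run over the directives from the posted file. It assumes the directive grammar documented in snmpd.conf(5); the finding codes and function name are this example's own.

```python
# Added example: audit Net-SNMP snmpd.conf VACM directives for settings that
# undercut an SNMPv3 authPriv migration. Finding codes are this example's own.
LEVELS = {"noauth": 0, "noauthnopriv": 0, "auth": 1, "authnopriv": 1,
          "priv": 2, "authpriv": 2}   # long spellings accepted by this checker
DOCUMENTED_MODELS = {"v1", "v2c", "usm", "tsm", "ksm"}  # per snmpd.conf(5)

# Constructed sample: directives from the snmpd.conf posted in the thread.
SAMPLE_CONF = """\
group   notConfigGroup v1   notConfigUser
group   notConfigGroup v2c  notConfigUser
group   notConfigGroup v3   <USERNAME>
view    all         included  .1
view    systemview  included  .1.3.6.1.2.1.1
access  notConfigGroup ""  any  noauth  exact  all  all  none
rwuser <USERNAME> authpriv .1
"""

def audit_snmpd_conf(text):
    """Return [(line_no, code, detail)] for directives worth reviewing."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        kw = tok[0].lower()
        if kw == "group" and len(tok) >= 4:
            model = tok[2].lower()
            if model in ("v1", "v2c"):
                findings.append((no, "community-group", f"{tok[1]} has {model} members"))
            elif model not in DOCUMENTED_MODELS:
                findings.append((no, "undocumented-model", f"'{tok[2]}'; SNMPv3 users map via usm"))
        elif kw == "access" and len(tok) >= 9:
            model, level, write = tok[3].lower(), tok[4].lower(), tok[7]
            if LEVELS.get(level) == 0:
                findings.append((no, "noauth-access", f"{tok[1]} needs no authentication"))
            if model in ("any", "v1", "v2c"):
                findings.append((no, "community-model-access", f"model '{model}' admits v1/v2c"))
            if write.lower() != "none":
                findings.append((no, "write-view", f"write view '{write}'"))
        elif kw in ("rouser", "rwuser") and len(tok) >= 2:
            if len(tok) > 2 and tok[1] == "-s":      # optional "-s SECMODEL" prefix
                tok = tok[:1] + tok[3:]
            level = tok[2].lower() if len(tok) >= 3 else "auth"  # auth when omitted
            if LEVELS.get(level, 2) < 2:
                findings.append((no, "user-below-priv", f"{tok[1]} allowed at '{level}'"))
    return findings

if __name__ == "__main__":
    for no, code, detail in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {no}: {code}: {detail}")
```

On the sample, the access line is reported three times (no authentication, any security model, write view set), while the rwuser line at authpriv produces no finding.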