New User
rdwinter04

SRX 3600 10.0R3 SNMP v3 Issues

Has anyone had success configuring SNMP v3 in Junos? I've configured it on our SRX 3600 and EX 4200 switches, but am unable to add the devices in SolarWinds or SNMP MIB Walk them with any of our SNMP tools. I receive authentication errors. I have checked and double checked the credentials on the server and agent...both are correct. Any suggestions would be much appreciated.

Error message:

"SNMP Validation Failed for Node 'x.x.x.x' - Error: SNMPv3 - Wrong Digests - The authentication digest did not match the expected result, possible incorrect key/password"

"show snmp statistics" output:

SNMP statistics:
  Input:
    Packets: 4, Bad versions: 0, Bad community names: 0,
    Bad community uses: 0, ASN parse errors: 0,
    Too bigs: 0, No such names: 0, Bad values: 0,
    Read onlys: 0, General errors: 0,
    Total request varbinds: 0, Total set varbinds: 0,
    Get requests: 0, Get nexts: 0, Set requests: 0,
    Get responses: 0, Traps: 0,
    Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
    Throttle drops: 0, Duplicate request drops: 0
  V3 Input:
    Unknown security models: 0, Invalid messages: 0
    Unknown pdu handlers: 0, Unavailable contexts: 0
    Unknown contexts: 0, Unsupported security levels: 0
    Not in time windows: 0, Unknown user names: 0
    Unknown engine ids: 2, Wrong digests: 2, Decryption errors: 0
  Output:
    Packets: 0, Too bigs: 0, No such names: 0,
    Bad values: 0, General errors: 0,
    Get requests: 0, Get nexts: 0, Set requests: 0,
    Get responses: 0, Traps: 0

SNMP Config:

set snmp location Lab
set snmp contact "Network Engineering"
set snmp v3 usm local-engine user xxxxxxxxx authentication-md5 authentication-key "$9$.mQn9A0IhS36A0IcvM24aGDkTz6AuOP5BEclLX"
set snmp v3 usm local-engine user xxxxxxxxxx privacy-des privacy-key "$9$v4p87V24ZqPQaZnCuBSyVwY2JDk.PTF/bs5Fn9OB8X7ds4GUj"
set snmp v3 vacm security-to-group security-model usm security-name xxxxxxxxxx group xxxxxxxxxx
set snmp v3 vacm access group xxxxxxxxxx default-context-prefix security-model usm security-level privacy read-view internet
set snmp engine-id use-mac-address
set snmp view internet oid 1.3.6.1 include
set snmp view system oid 1.3.6.1.2.1.1 include
set snmp view interfaces oid 1.3.6.1.2.1.2 include
set snmp view chassis oid 1.3.1.6.1.2628.2.2 include
set snmp community xxxxxxx authorization read-write
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services snmp

Thank You,

Ryan

Distinguished Expert
aarseniev

Re: SRX 3600 10.0R3 SNMP v3 Issues

Hello there,

I'd suggest doing an SNMPv3 packet capture and then trying to decode it in Wireshark, which supports DES and MD5 (Edit->Preferences->Protocols->SNMP->User table).

Also, are You sure You copied the local engine-id verbatim into Your NMS settings? The SNMPv3 encryption is based on shared-key+local engine-id. Do "show snmp v3" on the router to confirm the local engine-id.

Regards

Alex

New User
rdwinter04

Re: SRX 3600 10.0R3 SNMP v3 Issues

Thank you Alex. I will try your suggestions and let you know how it goes.

Best Regards,

Ryan

Contributor
hazeen

Re: SRX 3600 10.0R3 SNMP v3 Issues

Hi,

I am also trying to configure SNMP v3.

I have followed a similar configuration to the one posted and I keep getting the "unknown engine ids" error message.

This is a lab environment and I am using the SolarWinds toolset v9 SNMP MIB Browser, which supports SNMP v3.

I have no idea where to put the "engine-id" information in this software.

Can anyone help?

Regards,

Haze

Regular Visitor
crouchingbadger

Re: SRX 3600 10.0R3 SNMP v3 Issues

Hi Hazeen et al,

Unless you're being very security conscious you shouldn't need to enter the SNMP Engine ID into your NMS (SolarWinds). Instead, each time the NMS connects it will ask for an SNMP Engine ID from the remote host and then compare the Engine ID to the local database. If it's not found, the NMS will just start to use the discovered Engine ID. If it is found, some checks are done against the agent uptime and number of boots to ensure authenticity/sync.

In general:

Config tips for SNMPv3:

  • Always make sure the Engine ID is unique. Failure to do this will cause sessions to fail in unexpected ways as the NMS manages multiple conversations using one Engine ID and keeps resetting sessions.
  • To do this either explicitly set the SNMP engine ID (set snmp engine-id local <unique string>) OR set snmp engine-id use-mac-address
  • Never use set snmp engine-id use-default-ip-address unless you know which is the default IP address (which can be lo0, fxp0, vme0, vlan0) or you have a few weeks to spare before you decide to use the other two methods ;-)
  • DES support is reliable, AES less so, but is improving
  • SRXes will lose the SNMP engine ID after an ungraceful restart. You will need to re-commit the config/restart the snmp process.
  • Whenever you update the engine ID, you must commit, then reconfigure the passwords and commit again to generate new keys. This

NMS tips for SNMPv3:

  • Check you haven't accidentally filled in context name when it should be empty
  • Look for spaces in the keys (obvious, but infuriating)
  • Test basic connectivity from linux when you're troubleshooting:

snmpwalk -v3 -l authpriv -u <username> -X <privacy password> -A <auth password> <devicename> 

(assumes Auth & Privacy, DES and MD5)

 

Ben

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.
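Alex's point that SNMPv3 keys depend on "shared-key+local engine-id", and Ben's note that changing the engine ID requires re-entering the passwords to generate new keys, both come down to the USM key localization in RFC 3414. The added example below (not from this thread or from Junos) implements that password-to-key and localization step plus the HMAC-MD5-96 check an agent performs, and shows how a manager that localized its key under a different engine ID produces exactly the "Wrong digests" counter seen in Ryan's "show snmp statistics" output. The engine ID `engine_after` and the message bytes are constructed placeholders; the "maplesyrup" password and the 12-byte engine ID are the RFC 3414 A.3.1 test vector.

```python
import hashlib
import hmac


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: repeat the password cyclically to 1 MiB and hash it (Ku)."""
    if not password:
        raise ValueError("empty password")
    stream_len = 1048576
    stream = (password * (stream_len // len(password) + 1))[:stream_len]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: bind Ku to one agent's engine ID: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def auth_digest(kul: bytes, wire_msg: bytes) -> bytes:
    """HMAC-MD5-96 (RFC 3414 section 6.3): the 12-byte msgAuthenticationParameters."""
    return hmac.new(kul, wire_msg, hashlib.md5).digest()[:12]


def digest_matches(agent_kul: bytes, wire_msg: bytes, received_digest: bytes) -> bool:
    """What the agent does on receipt; a mismatch bumps the 'Wrong digests' counter."""
    return hmac.compare_digest(auth_digest(agent_kul, wire_msg), received_digest)


def demo() -> dict:
    password = b"maplesyrup"                                    # RFC 3414 A.3.1
    engine_before = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3.1
    engine_after = bytes.fromhex("8000000001aabbccddeeff")      # constructed
    msg = b"constructed SNMPv3 message bytes"                   # constructed
    # The NMS localized the password under the engine ID it learned earlier;
    # the agent has since changed its engine ID (e.g. after an ungraceful restart).
    kul_nms = localized_key(password, engine_before)
    kul_agent = localized_key(password, engine_after)
    sent = auth_digest(kul_nms, msg)
    return {
        "kul_nms": kul_nms.hex(),
        "kul_agent": kul_agent.hex(),
        "agent_accepts": digest_matches(kul_agent, msg, sent),
        "accepts_after_rekey": digest_matches(kul_agent, msg, auth_digest(kul_agent, msg)),
    }
```

Re-entering the same password after an engine ID change works only because the NMS re-localizes it against the new engine ID; the password itself never has to change.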