<div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div><div>Hi Daniel, All<br></div>I really appreciate your Help<br><br></div><div>I carried out your suggestion and used TCP DUMP and Wire Shark <br><br></div><div>I found the Context engine ID which appears to be 80003a8c04<br>
<br></div><div>But there appears a difference between snmpwalk and cfgmaker + SNMPv3, <br><br></div><div>after the initial discovery, when cfg maker is run the authoritiveengine boots and authoritiveenginetime appears to be zeroed out (when Cfg maker sends data after the initial response form the router ) (while the correct values are sent by snmp walk ) <br>
<br></div><div>( I have attached2 screenshots of the wireshark of the SNMPv3 Conversatons compared with MRTG Cfgmaker and Snmpwalk <br><br></div><div><br><br></div><div>I have run the command below <br></div><div><br>
cfgmaker --enablesnmpv3 --contextengineid=0x80003a8c04 --username=Read_Only_Secure --authpassword=testtest --authprotocol=sha --privpassword=testtest --privprotocol=des --community=Read_Only_Secure --snmp-options=:::::3 <a href="mailto:Read_Only_Secure@10.17.1.250" target="_blank">Read_Only_Secure@10.17.1.250</a><br>
<br></div><div>and I get this error from cfgmaker<br></div><div><br>SNMPWALK Problem for 1.3.6.1.2.1.1 on Read_Only_Secure@10.17.1.250:::::3:v4only: Expected OCTET STRING, but found OBJECT IDENTIFIER at /usr/bin/../lib/mrtg2/Net_SNMP_util.pm line 1805<br>
Net_SNMP_util::snmpwalk_flg('Read_Only_Secure@10.17.1.250:::::3:v4only', undef, 'HASH(0x89d8ca8)', 1.3.6.1.2.1.1) called at /usr/bin/../lib/mrtg2/Net_SNMP_util.pm line 766<br> Net_SNMP_util::snmpwalk('Read_Only_Secure@10.17.1.250:::::3:v4only', 'HASH(0x89d8ca8)', 1.3.6.1.2.1.1) called at /usr/bin/cfgmaker line 950<br>
main::DeviceInfo('Read_Only_Secure@10.17.1.250:::::3', 'HASH(0x89d8d08)', 'HASH(0x89d8ca8)') called at /usr/bin/cfgmaker line 137<br> main::main() called at /usr/bin/cfgmaker line 155<br>
WARNING: Skipping Read_Only_Secure@10.17.1.250:::::3 as no info could be retrieved<br><br><br>I run the the exact same command beow command below <br><br><br>cfgmaker --enablesnmpv3 --contextengineid=0x80003a8c04 --username=Read_Only_Secure --authpassword=testtest --authprotocol=sha --privpassword=testtest --privprotocol=des --community=Read_Only_Secure --snmp-options=:::::3 <a href="mailto:Read_Only_Secure@10.17.1.250" target="_blank">Read_Only_Secure@10.17.1.250</a><br>
<br>and I get this *different* error from cfgmaker<br><br><br>SNMPWALK Problem for 1.3.6.1.2.1.1 on Read_Only_Secure@10.17.1.250:::::3:v4only: The ASN.1 type 0x84 is unknown at /usr/bin/../lib/mrtg2/Net_SNMP_util.pm line 1805<br>
Net_SNMP_util::snmpwalk_flg('Read_Only_Secure@10.17.1.250:::::3:v4only', undef, 'HASH(0xa422ca8)', 1.3.6.1.2.1.1) called at /usr/bin/../lib/mrtg2/Net_SNMP_util.pm line 766<br> Net_SNMP_util::snmpwalk('Read_Only_Secure@10.17.1.250:::::3:v4only', 'HASH(0xa422ca8)', 1.3.6.1.2.1.1) called at /usr/bin/cfgmaker line 950<br>
main::DeviceInfo('Read_Only_Secure@10.17.1.250:::::3', 'HASH(0xa422d08)', 'HASH(0xa422ca8)') called at /usr/bin/cfgmaker line 137<br> main::main() called at /usr/bin/cfgmaker line 155<br>
WARNING: Skipping Read_Only_Secure@10.17.1.250:::::3 as no info could be retrieved<br><br></div><div><br><br></div><div>Below is the Debug output from our router ... which complains about Time windows and Engine Boots (even though I never configured them <br>
</div><div><br></div>02:18:59 snmp,debug v3 err: 3 unknown engine id <br>02:18:59 snmp packet from: 10.64.34.77 version: 3 <br>02:18:59 snmp user: Read_Only_Secure <br>02:18:59 snmp,debug v3 err: 1 not in time window or incorrect engine boots <br>
02:18:59 snmp packet from: 10.64.34.77 version: 3 <br>02:18:59 snmp user: Read_Only_Secure <br>02:18:59 snmp,debug getnextgetbulk .1.3.6.1.2.1.1 reps:c nonreps:0 <br>02:19:15 snmp packet from: 10.64.34.77 version: 3 <br>
02:19:15 snmp user: <br>
02:19:15 snmp,debug v3 err: 3 unknown engine id <br>02:19:15 snmp packet from: 10.64.34.77 version: 3 <br>02:19:15 snmp user: Read_Only_Secure <br>02:19:15 snmp,debug v3 err: 1 not in time window or incorrect engine boots <br>
02:19:15 snmp packet from: 10.64.34.77 version: 3 <br>02:19:15 snmp user: Read_Only_Secure <br>02:19:15 snmp,debug getnextgetbulk .1.3.6.1.2.1.1 reps:c nonreps:0 <br>02:20:11 snmp packet from: 10.64.34.77 version: 3 <br>
02:20:11 snmp user: <br>
02:20:11 snmp,debug v3 err: 3 unknown engine id <br>02:20:11 snmp packet from: 10.64.34.77 version: 3 <br>02:20:11 snmp user: Read_Only_Secure <br>02:20:11 snmp,debug v3 err: 1 not in time window or incorrect engine boots <br>
02:20:11 snmp packet from: 10.64.34.77 version: 3 <br>02:20:11 snmp user: Read_Only_Secure <br>02:20:11 snmp,debug getnextgetbulk .1.3.6.1.2.1.1 reps:c nonreps:0 <br>02:20:31 snmp packet from: 10.64.34.77 version: 3 <br>
02:20:31 snmp user: <br>
02:20:31 snmp,debug v3 err: 3 unknown engine id <br>02:20:31 snmp packet from: 10.64.34.77 version: 3 <br>02:20:31 snmp user: Read_Only_Secure <br>02:20:31 snmp,debug v3 err: 1 not in time window or incorrect engine boots <br>
02:20:31 snmp packet from: 10.64.34.77 version: 3 <br>02:20:31 snmp user: Read_Only_Secure <br>02:20:31 snmp,debug getnextgetbulk .1.3.6.1.2.1.1 reps:c nonreps:0 <br><br></div><div class="gmail_extra"><div><div class="h5">
<br><br><div class="gmail_quote">
On Wed, Apr 24, 2013 at 3:22 PM, Daniel McDonald <span dir="ltr"><<a href="mailto:dan.mcdonald@austinenergy.com" target="_blank">dan.mcdonald@austinenergy.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><br>
On 4/23/13 7:47 PM, "Tom Smyth" <<a href="mailto:tom.smyth@wirelessconnect.eu" target="_blank">tom.smyth@wirelessconnect.eu</a>> wrote:<br>
<br>
><br>
> Hi Lads,<br>
><br>
> I was wondering if someone could help me, I have a query about how to get<br>
> Cfgmaker and MRTG to talk SNMPv3<br>
><br>
> with Privacy and Authentication enabled, to a Router.<br>
><br>
> I can snmp walk the router fine... I just cant get mrtg + snmpv3 working...<br>
><br>
> I know it may not be straight forward but Im looking for a fully worked snmp<br>
> example... I am willing to pay someone for this so you can contact me on my<br>
> email regarding this... or if you dont want to be paid more money I will<br>
> Dontate more money to the project...<br>
<br>
</div>I normally sniff an interactive poll to determine the engineid. The<br>
net-snmp-utils library doesn¹t detect it properly, but snmpwalk does. You<br>
don't even need correct credentials:<br>
<br>
$ tcpdump -vvv -x host somehost &<br>
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 65535<br>
bytes<br>
$ snmpwalk -v3 -u foofoo -l authpriv -A 12345678 -X 12345678 somehost<br>
<br>
09:13:05.621967 IP (tos 0x0, ttl 64, id 9037, offset 0, flags [none], proto<br>
UDP (17), length 92, bad cksum 0 (->85d0)!)<br>
10.10.207.244.57070 > elroy-probe.austin-energy.net.snmp: [bad udp cksum<br>
6c33!] { SNMPv3 { F=r } { USM B=0 T=0 U= } { ScopedPDU E= C= {<br>
GetRequest(14) R=1116332740 } } }<br>
0x0000: 4500 005c 234d 0000 4011 0000 0a0a cff4<br>
0x0010: 0a02 ed73 deee 00a1 0048 d1cd 303e 0201<br>
0x0020: 0330 1102 0455 d8d3 a002 0300 ffe3 0401<br>
0x0030: 0402 0103 0410 300e 0400 0201 0002 0100<br>
0x0040: 0400 0400 0400 3014 0400 0400 a00e 0204<br>
0x0050: 4289 e2c4 0201 0002 0100 3000<br>
09:13:05.683814 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto UDP<br>
(17), length 120)<br>
elroy-probe.austin-energy.net.snmp > 10.10.207.244.57070: [udp sum ok]<br>
{ SNMPv3 { F= } { USM B=7 T=2922798 U= } { ScopedPDU E= C= { Report(29) R=0<br>
S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=11458 } } }<br>
0x0000: 4500 0078 0000 4000 f711 b200 0a02 ed73<br>
0x0010: 0a0a cff4 00a1 deee 0064 10f6 305a 0201<br>
0x0020: 0330 1102 0455 d8d3 a002 0300 ffe3 0401<br>
0x0030: 0002 0103 041d 301b 040b 8000 43dd 0300<br>
0x0040: 1985 e03e ce02 0107 0203 2c99 2e04 0004<br>
0x0050: 0004 0030 2304 0004 00a8 1d02 0100 0201<br>
0x0060: 0002 0100 3012 3010 060a 2b06 0106 030f<br>
0x0070: 0101 0400 4102 2cc2<br>
09:13:05.684078 IP (tos 0x0, ttl 64, id 3357<br>
<br>
The engineID is in offset 0x003A and the length is specified in 0x0039.<br>
Wireshark will break that out for you... TCPdump not-so-much... In this<br>
case:<br>
800043dd03001985e03ece<br>
<br>
Now I can add --engineid=800043dd03001985e03ece to cfgmaker and discover it<br>
fine.<br>
<div><br>
<br>
><br>
> I currently have the following packages installed on a Centos 6.4 i386 box<br>
> mrtg-2.16.2-7.el6.i686<br>
> mrtg-libs-2.16.2-7.el6.i686<br>
><br>
> net-snmp-utils-5.5-44.el6.i686<br>
> net-snmp-perl-5.5-44.el6.i686<br>
> net-snmp-5.5-44.el6.i686<br>
> net-snmp-libs-5.5-44.el6.i686<br>
> net-snmp-devel-5.5-44.el6.i686<br>
><br>
> rrdtool-devel-1.3.8-6.el6.i686<br>
> rrdtool-1.3.8-6.el6.i686<br>
> rrdtool-perl-1.3.8-6.el6.i686<br>
><br>
><br>
><br>
> My router SNMP v3 config<br>
> /snmp community<br>
</div>> set [ find default=yes ] addresses=<a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a> <<a href="http://10.0.0.0/8" target="_blank">http://10.0.0.0/8</a>><br>
<div><div>> authentication-password=testtest authentication-protocol=SHA1<br>
> encryption-password=testtest name=Read_Only security=private<br>
> /snmp<br>
> set contact=<a href="mailto:support@wirelessconnect.eu" target="_blank">support@wirelessconnect.eu</a> enabled=yes trap-community=<br>
> Read_Only trap-target=0.0.0.0 trap-version=3<br>
><br>
><br>
> What Im looking for is a working example of<br>
> MRTG Cfgmaker commnand that would successfully connect to a router with the<br>
> configuration above with Auth and Priv enabled for a given context ID ... on<br>
> SNMPv3<br>
><br>
> If you have to do something funky with context ID ...? for example<br>
><br>
><br>
> I get weird unrecognised ASN.1 errors from the Cfgmaker script with<br>
> hexidecimal references that change every time I modify the cfgmaker command.<br>
><br>
> I have tried many things and I just want some one . give me assistance to get<br>
> the Cfgmaker command working...<br>
><br>
> I can snmp walk the router fine... I just cant get mrtg + snmpv3 working...<br>
><br>
><br>
> Below ... is some mails with more information<br>
><br>
> On Mon, Apr 22, 2013 at 7:29 AM, Tom Smyth <<a href="mailto:tom.smyth@wirelessconnect.eu" target="_blank">tom.smyth@wirelessconnect.eu</a>><br>
> wrote:<br>
>> Hi lads,<br>
>><br>
>> Does any one have tips here for me I just dont get how to get around the<br>
>> Context ID,<br>
>><br>
>> I can snmpwalk no problem without the context ID.. (which is not set on the<br>
>> router as it is optional)<br>
>><br>
>> But everytime I set it on the router and I set it on the command<br>
>><br>
>> on Mrtg Server I set the following command<br>
>> cfgmaker --enablesnmpv3 --contextengineid "" --username=Read_Only<br>
>> --authpassword=testtest --authprotocol=sha --privpassword=testtest<br>
>> --privprotocol=des --ifref=ip --community=Read_Only 10.17.1.250:::::3<br>
>><br>
>><br>
>> I get this error on the router<br>
>><br>
>> 07:21:39 snmp,debug v3 err: 3 unknown engine id<br>
>> 07:21:39 snmp packet from: 10.64.34.77 version: 3<br>
>> 07:21:39 snmp user: Read_Only_Secure<br>
>> 07:21:39 snmp,debug v3 err: 1 not in time window or incorrect engine boots<br>
>> 07:21:39 snmp packet from: 10.64.34.77 version: 3<br>
>> 07:21:39 snmp user: Read_Only_Secure<br>
>> 07:21:39 snmp,debug getnextgetbulk .1.3.6.1.2.1.1 reps:c nonreps:0<br>
>><br>
>><br>
>> Any Help or advice would be appreciated<br>
>><br>
>><br>
>> On Thu, Jan 24, 2013 at 11:00 PM, Tom Smyth <<a href="mailto:tom.smyth@wirelessconnect.eu" target="_blank">tom.smyth@wirelessconnect.eu</a>><br>
>> wrote:<br>
>>> Hi lads,<br>
>>><br>
>>> Does anyone have any tips for running MRTG and SNMPv3 (with Auth and Priv)<br>
>>> SHA & DES<br>
>>><br>
>>> I have been having issues with Cfgmaker not accepting my command without <br>
>>> mandatory Context ID (even tho context ID is Optional)<br>
>>> I have tried commenting out the Die if Context is not set lines in cfgmaker<br>
>>><br>
>>> I have been able to SNMP walk with SNmp tools and I have been able to<br>
>>> communicate with routers with Cacti...<br>
>>><br>
>>> but no matter what I try I cant get MRTG cfgmaker to work....with SNMPv3<br>
>>><br>
>>><br>
>>> I have tried with v2.17.4 and with the standard mrtg package on Centos 6.2<br>
>>><br>
>>><br>
>>> if anyone can help me with this...<br>
>>><br>
>>> anything at all ... even a sample manual mrtg.cfg file for snmpv3 would be<br>
>>> cool<br>
>>><br>
>>> Thanks for your time<br>
>>><br>
>>><br>
<br>
</div></div>_______________________________________________<br>
mrtg mailing list<br>
<a href="mailto:mrtg@lists.oetiker.ch" target="_blank">mrtg@lists.oetiker.ch</a><br>
<a href="https://lists.oetiker.ch/cgi-bin/listinfo/mrtg" target="_blank">https://lists.oetiker.ch/cgi-bin/listinfo/mrtg</a><br>
</blockquote></div><br><br clear="all"><br></div></div><div class="im">-- <br>Kindest regards,<br>Tom Smyth<br><br>Mobile: <a href="tel:%2B353%2087%206193172" value="+353876193172" target="_blank">+353 87 6193172</a><br>
---------------------------------<br>PLEASE CONSIDER THE ENVIRONMENT BEFORE YOU PRINT THIS E-MAIL<br>This email contains information which may be confidential or privileged. The information is intended solely for the use of the individual or entity named above. If you are not the intended recipient, be aware that<br>
any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic transmission in error, please notify me by telephone or by electronic mail immediately. Any opinions expressed are those of the author, not the company's .This email does not constitute either offer or acceptance of any contractually binding agreement. Such offer or acceptance must be communicated in<br>
writing. You are requested to carry out your own virus check before opening any attachment. Thomas Smyth accepts no liability for any loss or damage which may be caused by malicious software or attachments.
</div></div>
</div><br><br clear="all"><br>-- <br>Kindest regards,<br>Tom Smyth<br><br>Mobile: +353 87 6193172<br>---------------------------------<br>PLEASE CONSIDER THE ENVIRONMENT BEFORE YOU PRINT THIS E-MAIL<br>This email contains information which may be confidential or privileged. The information is intended solely for the use of the individual or entity named above. If you are not the intended recipient, be aware that<br>
any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic transmission in error, please notify me by telephone or by electronic mail immediately. Any opinions expressed are those of the author, not the company's .This email does not constitute either offer or acceptance of any contractually binding agreement. Such offer or acceptance must be communicated in<br>
writing. You are requested to carry out your own virus check before opening any attachment. Thomas Smyth accepts no liability for any loss or damage which may be caused by malicious software or attachments.
</div>