[mrtg] Fwd: MRTG& SNMPv3

Daniel McDonald dan.mcdonald at austinenergy.com
Thu Apr 25 12:55:49 CEST 2013




On 4/24/13 8:34 PM, "Tom Smyth" <tom.smyth at wirelessconnect.eu> wrote:

> Hi Daniel, 
> I really appreciate your Help
> 
> I carried out your suggestion and used TCP DUMP and Wire Shark
> 
> I found the Context engine ID which appears to be 80003a8c04

I think that's the engine ID (authoritative Engine) rather than the context
engine ID.  Contextengineid can only be used with contextname.

So, I think this will work:
 cfgmaker --enablesnmpv3 --engineid=0x80003a8c04
 --username=Read_Only_Secure --authpassword=testtest --authprotocol=sha
 --privpassword=testtest --privprotocol=des
 --snmp-options=:::::3 Read_Only_Secure@10.17.1.250
 
I normally use hashed passwords.  I believe the snmpkey utility will
generate hashes for you.  Here are salient portions of the perl script I use
to generate my cfgmaker lines.



# The DBI handle $db, the output path $cfg, the selection criteria
# $criteria/$shorthost and the GENERATE filehandle are set up in the parts
# of the script not shown here.
use Net::SNMP::Security::USM 2.0.0;

my $routers = $db->prepare("select host, rstring, dir, iftemplate, interfaces,
        hosttemplate, ifref, options, iffilter, wstring, engineid, privproto,
        authproto
        from snmp inner join classes using (classid)
        order by dir, host
        ");
$routers->execute;
while (my $rtr = $routers->fetchrow_hashref) {
        # Rows without explicit snmp options default to SNMPv2c
        $$rtr{'options'} ||= '::2:1:1';
        my ($authkey, $privkey);
        my %v3opts;
        # Options ending in ':3' mark an SNMPv3 host: derive the localized keys
        # from the passwords and the engine ID so the cfgmaker line carries
        # hashed keys instead of clear-text passwords
        if ($$rtr{'options'} =~ /:3$/) {
                my ($usm, $error) = Net::SNMP::Security::USM->new(
                        -authoritative => 1, # Undocumented / unsupported argument
                        -username      => 'readonly',
                        -authprotocol  => $$rtr{authproto},
                        -authpassword  => $$rtr{rstring},
                        -engineid      => $$rtr{engineid},
                        -privprotocol  => $$rtr{privproto},
                        -privpassword  => $$rtr{wstring},
                );
                die "USM setup failed for $$rtr{host}: $error\n"
                        unless defined $usm;
                $authkey = sprintf("0x%s", unpack('H*', $usm->auth_key));
                $privkey = sprintf("0x%s", unpack('H*', $usm->priv_key));
                %v3opts = (
                        username     => 'readonly',
                        authkey      => $authkey,
                        authprotocol => $$rtr{authproto},
                        privkey      => $privkey,
                        privprotocol => $$rtr{privproto},
                );
        }
        my @line;
        # Escape single quotes in the community string for the shell
        $$rtr{'rstring'} =~ s/'/\\'/g;
        push @line, "/usr/bin/cfgmaker";
        push @line, "--if-template=$$rtr{'iftemplate'}"
                if ($$rtr{'interfaces'} eq 'interfaces')
                        and ($$rtr{'iftemplate'} =~ /\w+/);
        push @line, "--ifref=$$rtr{'ifref'}"
                if defined($$rtr{'ifref'});
        push @line, '--'.$$rtr{'interfaces'}
                if defined($$rtr{'interfaces'});
        push @line, "--host-template=$$rtr{'hosttemplate'}"
                if defined($$rtr{'hosttemplate'});
        my $subdir = join("/",$$rtr{'dir'},"HOSTNAME");
        push @line, "--subdir=$subdir";
        if ($$rtr{'options'} =~ /:3$/) {
                # SNMPv3: pass the localized keys rather than the passwords
                push @line, "--username='readonly'";
                push @line, "--authkey='$authkey'";
                push @line, "--authproto=$$rtr{'authproto'}";
                push @line, "--privkey='$privkey'";
                push @line, "--privproto=$$rtr{'privproto'}";
        }
        push @line, $$rtr{'iffilter'}
                if defined($$rtr{'iffilter'});
        push @line, '--output='.$cfg;
        # Target spec: user@host:options for v3, 'community'@host:options otherwise
        if ($$rtr{'options'} =~ /:3$/) {
                push @line, "'readonly'@".$$rtr{'host'}.$$rtr{'options'};
        } else {
                push @line,
                        "'".$$rtr{'rstring'}."'".'@'.$$rtr{'host'}.$$rtr{'options'};
        }
        next unless (($shorthost =~ /$criteria/) or ($$rtr{host} eq $criteria));
        print GENERATE join(" ", @line)."\n";
}

> 
> But there appears to be a difference between snmpwalk and cfgmaker + SNMPv3:
> 
> after the initial discovery the authoritativeEngineBoots and
> authoritativeEngineTime appear to be zeroed out when cfgmaker is run (while
> the correct values are sent by snmpwalk).
> 
> (I have attached packet captures below: test1 is the packet capture with
> snmpwalk, test is the packet capture with cfgmaker.)
> 
> 
> I have run the command below
> 
> cfgmaker --enablesnmpv3 --contextengineid=0x80003a8c04
> --username=Read_Only_Secure --authpassword=testtest --authprotocol=sha
> --privpassword=testtest --privprotocol=des --community=Read_Only_Secure
> --snmp-options=:::::3 Read_Only_Secure@10.17.1.250
> 
> and I get this error from cfgmaker
> 
> SNMPWALK Problem for 1.3.6.1.2.1.1 on
> Read_Only_Secure@10.17.1.250:::::3:v4only: Expected OCTET STRING, but found
> OBJECT IDENTIFIER at /usr/bin/../lib/mrtg2/Net_SNMP_util.pm line 1805
>         Net_SNMP_util::snmpwalk_flg('Read_Only_Secure@10.17.1.250:::::3:v4only',
> undef, 'HASH(0x89d8ca8)', 1.3.6.1.2.1.1) called at
> /usr/bin/../lib/mrtg2/Net_SNMP_util.pm line 766
>         Net_SNMP_util::snmpwalk('Read_Only_Secure@10.17.1.250:::::3:v4only',
> 'HASH(0x89d8ca8)', 1.3.6.1.2.1.1) called at /usr/bin/cfgmaker line 950
>         main::DeviceInfo('Read_Only_Secure@10.17.1.250:::::3',
> 'HASH(0x89d8d08)', 'HASH(0x89d8ca8)') called at /usr/bin/cfgmaker line 137
>         main::main() called at /usr/bin/cfgmaker line 155
> WARNING: Skipping Read_Only_Secure@10.17.1.250:::::3 as no info could be
> retrieved
> 
> 
> I run the exact same command below
> 
> 
> cfgmaker --enablesnmpv3 --contextengineid=0x80003a8c04
> --username=Read_Only_Secure --authpassword=testtest --authprotocol=sha
> --privpassword=testtest --privprotocol=des --community=Read_Only_Secure
> --snmp-options=:::::3 Read_Only_Secure@10.17.1.250
> 
> and I get this *different* error from cfgmaker
> 
> 
> SNMPWALK Problem for 1.3.6.1.2.1.1 on
> Read_Only_Secure@10.17.1.250:::::3:v4only: The ASN.1 type 0x84 is unknown at
> /usr/bin/../lib/mrtg2/Net_SNMP_util.pm line 1805
>         Net_SNMP_util::snmpwalk_flg('Read_Only_Secure@10.17.1.250:::::3:v4only',
> undef, 'HASH(0xa422ca8)', 1.3.6.1.2.1.1) called at
> /usr/bin/../lib/mrtg2/Net_SNMP_util.pm line 766
>         Net_SNMP_util::snmpwalk('Read_Only_Secure@10.17.1.250:::::3:v4only',
> 'HASH(0xa422ca8)', 1.3.6.1.2.1.1) called at /usr/bin/cfgmaker line 950
>         main::DeviceInfo('Read_Only_Secure@10.17.1.250:::::3',
> 'HASH(0xa422d08)', 'HASH(0xa422ca8)') called at /usr/bin/cfgmaker line 137
>         main::main() called at /usr/bin/cfgmaker line 155
> WARNING: Skipping Read_Only_Secure@10.17.1.250:::::3 as no info could be
> retrieved
> 
> 
> 
> Below is the debug output from our router ... which complains about time
> windows and engine boots (even though I never configured them):
> 
> 02:18:59 snmp,debug v3 err: 3 unknown engine id
> 02:18:59 snmp packet from: 10.64.34.77 version: 3
> 02:18:59 snmp user: Read_Only_Secure
> 02:18:59 snmp,debug v3 err: 1 not in time window or incorrect engine boots
> 02:18:59 snmp packet from: 10.64.34.77 version: 3
> 02:18:59 snmp user: Read_Only_Secure
> 02:18:59 snmp,debug getnextgetbulk .1.3.6.1.2.1.1 reps:c nonreps:0
> 02:19:15 snmp packet from: 10.64.34.77 version: 3
> 02:19:15 snmp user:
> 02:19:15 snmp,debug v3 err: 3 unknown engine id
> 02:19:15 snmp packet from: 10.64.34.77 version: 3
> 02:19:15 snmp user: Read_Only_Secure
> 02:19:15 snmp,debug v3 err: 1 not in time window or incorrect engine boots
> 02:19:15 snmp packet from: 10.64.34.77 version: 3
> 02:19:15 snmp user: Read_Only_Secure
> 02:19:15 snmp,debug getnextgetbulk .1.3.6.1.2.1.1 reps:c nonreps:0
> 02:20:11 snmp packet from: 10.64.34.77 version: 3
> 02:20:11 snmp user:
> 02:20:11 snmp,debug v3 err: 3 unknown engine id
> 02:20:11 snmp packet from: 10.64.34.77 version: 3
> 02:20:11 snmp user: Read_Only_Secure
> 02:20:11 snmp,debug v3 err: 1 not in time window or incorrect engine boots
> 02:20:11 snmp packet from: 10.64.34.77 version: 3
> 02:20:11 snmp user: Read_Only_Secure
> 02:20:11 snmp,debug getnextgetbulk .1.3.6.1.2.1.1 reps:c nonreps:0
> 02:20:31 snmp packet from: 10.64.34.77 version: 3
> 02:20:31 snmp user:
> 02:20:31 snmp,debug v3 err: 3 unknown engine id
> 02:20:31 snmp packet from: 10.64.34.77 version: 3
> 02:20:31 snmp user: Read_Only_Secure
> 02:20:31 snmp,debug v3 err: 1 not in time window or incorrect engine boots
> 02:20:31 snmp packet from: 10.64.34.77 version: 3
> 02:20:31 snmp user: Read_Only_Secure
> 02:20:31 snmp,debug getnextgetbulk .1.3.6.1.2.1.1 reps:c nonreps:0
> 
> 
> 
> On Wed, Apr 24, 2013 at 3:22 PM, Daniel McDonald
> <dan.mcdonald at austinenergy.com> wrote:
>> 
>> On 4/23/13 7:47 PM, "Tom Smyth" <tom.smyth at wirelessconnect.eu> wrote:
>> 
>>> 
>>> Hi Lads,
>>> 
>>> I was wondering if someone could help me, I have a query about how to get
>>> Cfgmaker and MRTG to talk SNMPv3
>>> 
>>> with Privacy and Authentication enabled, to a Router.
>>> 
>>> I can snmpwalk the router fine... I just can't get mrtg + snmpv3
>>> working...
>>> 
>>> I know it may not be straight forward but Im looking for a fully worked snmp
>>> example... I am willing to pay someone for this so you can contact me on my
>>> email regarding this...? or if you dont want to be paid more money I will
>>> Dontate more money to the project...
>> 
>> I normally sniff an interactive poll to determine the engineid. The
>> net-snmp-utils library doesn't detect it properly, but snmpwalk does. You
>> don't even need correct credentials:
>> 
>> $ tcpdump -vvv -x host somehost &
>> tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 65535
>> bytes
>> $ snmpwalk -v3 -u foofoo -l authpriv -A 12345678 -X 12345678 somehost
>> 
>> 09:13:05.621967 IP (tos 0x0, ttl 64, id 9037, offset 0, flags [none], proto
>> UDP (17), length 92, bad cksum 0 (->85d0)!)
>>     10.10.207.244.57070 > elroy-probe.austin-energy.net.snmp: [bad udp cksum
>> 6c33!] { SNMPv3 { F=r } { USM B=0 T=0 U= } { ScopedPDU E= C= {
>> GetRequest(14) R=1116332740 } } }
>>     0x0000:  4500 005c 234d 0000 4011 0000 0a0a cff4
>>     0x0010:  0a02 ed73 deee 00a1 0048 d1cd 303e 0201
>>     0x0020:  0330 1102 0455 d8d3 a002 0300 ffe3 0401
>>     0x0030:  0402 0103 0410 300e 0400 0201 0002 0100
>>     0x0040:  0400 0400 0400 3014 0400 0400 a00e 0204
>>     0x0050:  4289 e2c4 0201 0002 0100 3000
>> 09:13:05.683814 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto UDP
>> (17), length 120)
>>     elroy-probe.austin-energy.net.snmp > 10.10.207.244.57070: [udp sum ok]
>> { SNMPv3 { F= } { USM B=7 T=2922798 U= } { ScopedPDU E= C= { Report(29) R=0
>> S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=11458 } } }
>>     0x0000:  4500 0078 0000 4000 f711 b200 0a02 ed73
>>     0x0010:  0a0a cff4 00a1 deee 0064 10f6 305a 0201
>>     0x0020:  0330 1102 0455 d8d3 a002 0300 ffe3 0401
>>     0x0030:  0002 0103 041d 301b 040b 8000 43dd 0300
>>     0x0040:  1985 e03e ce02 0107 0203 2c99 2e04 0004
>>     0x0050:  0004 0030 2304 0004 00a8 1d02 0100 0201
>>     0x0060:  0002 0100 3012 3010 060a 2b06 0106 030f
>>     0x0070:  0101 0400 4102 2cc2
>> 09:13:05.684078 IP (tos 0x0, ttl 64, id 3357
>> 
>> The engineID is in offset 0x003A and the length is specified in 0x0039.
>> Wireshark will break that out for you... TCPdump not-so-much... In this
>> case:
>> 800043dd03001985e03ece
>> 
>> Now I can add --engineid=800043dd03001985e03ece to cfgmaker and discover it
>> fine.
>> 
>> 
>>> 
>>> I currently have the following packages installed on a Centos 6.4 i386 box
>>> mrtg-2.16.2-7.el6.i686
>>> mrtg-libs-2.16.2-7.el6.i686
>>> 
>>> net-snmp-utils-5.5-44.el6.i686
>>> net-snmp-perl-5.5-44.el6.i686
>>> net-snmp-5.5-44.el6.i686
>>> net-snmp-libs-5.5-44.el6.i686
>>> net-snmp-devel-5.5-44.el6.i686
>>> 
>>> rrdtool-devel-1.3.8-6.el6.i686
>>> rrdtool-1.3.8-6.el6.i686
>>> rrdtool-perl-1.3.8-6.el6.i686
>>> 
>>> 
>>> 
>>> My router SNMP v3 config
>>> /snmp community
>>> set [ find default=yes ] addresses=10.0.0.0/8
>>> authentication-password=testtest authentication-protocol=SHA1
>>> encryption-password=testtest name=Read_Only security=private
>>> /snmp
>>> set contact=support at wirelessconnect.eu enabled=yes trap-community=
>>>     Read_Only trap-target=0.0.0.0 trap-version=3
>>> 
>>> 
>>> What I'm looking for is a working example of an
>>> MRTG cfgmaker command that would successfully connect to a router with the
>>> configuration above with Auth and Priv enabled for a given context ID ... on
>>> SNMPv3
>>> 
>>> If you have to do something funky with context ID ... for example
>>> 
>>> 
>>> I get weird unrecognised ASN.1 errors from the cfgmaker script with
>>> hexadecimal references that change every time I modify the cfgmaker command.
>>> 
>>> I have tried many things and I just want someone to give me assistance to
>>> get the cfgmaker command working...
>>> 
>>> I can snmpwalk the router fine... I just can't get mrtg + snmpv3
>>> working...
>>> 
>>> 
>>> Below ... is some mails with more information
>>> 
>>> On Mon, Apr 22, 2013 at 7:29 AM, Tom Smyth <tom.smyth at wirelessconnect.eu>
>>> wrote:
>>>> Hi lads,
>>>> 
>>>> Does anyone have tips here for me? I just don't get how to get around the
>>>> Context ID,
>>>> 
>>>> I can snmpwalk no problem without the context ID.. (which is not set on the
>>>> router as it is optional)
>>>> 
>>>> But everytime I set it on the router and I set it on the command
>>>> 
>>>> on Mrtg Server I set the following command
>>>> cfgmaker --enablesnmpv3 --contextengineid "" --username=Read_Only
>>>> --authpassword=testtest --authprotocol=sha --privpassword=testtest
>>>> --privprotocol=des --ifref=ip --community=Read_Only 10.17.1.250:::::3
>>>> 
>>>> 
>>>> I get this error on the router
>>>> 
>>>> 07:21:39 snmp,debug v3 err: 3 unknown engine id
>>>> 07:21:39 snmp packet from: 10.64.34.77 version: 3
>>>> 07:21:39 snmp user: Read_Only_Secure
>>>> 07:21:39 snmp,debug v3 err: 1 not in time window or incorrect engine boots
>>>> 07:21:39 snmp packet from: 10.64.34.77 version: 3
>>>> 07:21:39 snmp user: Read_Only_Secure
>>>> 07:21:39 snmp,debug getnextgetbulk .1.3.6.1.2.1.1 reps:c nonreps:0
>>>> 
>>>> 
>>>> Any Help or advice would be appreciated
>>>> 
>>>> 
>>>> On Thu, Jan 24, 2013 at 11:00 PM, Tom Smyth <tom.smyth at wirelessconnect.eu>
>>>> wrote:
>>>>> Hi lads,
>>>>> 
>>>>> Does anyone have any tips for running MRTG and SNMPv3 (with Auth and
>>>>> Priv)
>>>>> SHA & DES
>>>>> 
>>>>> I have been having issues with cfgmaker not accepting my command without a
>>>>> mandatory Context ID (even though context ID is optional)
>>>>> I have tried commenting out the Die if Context is not set lines in
>>>>> cfgmaker
>>>>> 
>>>>> I have been able to SNMP walk with SNmp tools and I have been able to
>>>>> communicate with routers with Cacti...
>>>>> 
>>>>> but no matter what I try I cant get MRTG cfgmaker to work....with SNMPv3
>>>>> 
>>>>> 
>>>>> I have tried with v2.17.4 and with the standard mrtg package on Centos 6.2
>>>>> 
>>>>> 
>>>>> if anyone can help me with this...
>>>>> 
>>>>> anything at all ... even a sample manual mrtg.cfg file for snmpv3 would be
>>>>> cool
>>>>> 
>>>>> Thanks for your time
>>>>> 
>>>>> 
>> 
>> _______________________________________________
>> mrtg mailing list
>> mrtg at lists.oetiker.ch
>> https://lists.oetiker.ch/cgi-bin/listinfo/mrtg
> 
> 
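Daniel's two points above, reading the authoritative engineID out of the captured Report and then handing cfgmaker localized keys instead of clear-text passwords (what his Perl script does through Net::SNMP::Security::USM), as an added example that is not part of this thread: a Python script that BER-decodes the Report from his tcpdump output, pulls out msgAuthoritativeEngineID/Boots/Time, and derives the localized keys per RFC 3414 A.2. REPORT_HEX is copied from the dump above and the testtest passwords are Tom's; the function names and the DES truncation to 16 octets are my assumptions.

```python
import hashlib

# Constructed from the agent's Report in Daniel's tcpdump output: the UDP payload
# (IP offset 0x1c onward, 92 bytes) of the SNMPv3 message, copied word for word.
REPORT_HEX = (
    "305a 0201 0330 1102 0455 d8d3 a002 0300 ffe3 0401 0002 0103 041d 301b 040b 8000"
    "43dd 0300 1985 e03e ce02 0107 0203 2c99 2e04 0004 0004 0030 2304 0004 00a8 1d02"
    "0100 0201 0002 0100 3012 3010 060a 2b06 0106 030f 0101 0400 4102 2cc2"
)

def tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at pos (definite lengths)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long form: low 7 bits = length octets
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def seq(buf):
    """Split a SEQUENCE body into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def usm_params(msg):
    """msgAuthoritativeEngineID/Boots/Time and userName of an SNMPv3 message (RFC 3414 s2.4)."""
    tag, body, _ = tlv(msg, 0)
    version, _global_data, sec_params, _scoped_pdu = seq(body)
    if tag != 0x30 or version != (0x02, b"\x03"):
        raise ValueError("not an SNMPv3 message")
    _, usm, _ = tlv(sec_params[1], 0)              # OCTET STRING wrapping the USM SEQUENCE
    eng, boots, time_, user = seq(usm)[:4]
    return {"engineid": eng[1].hex(), "user": user[1].decode(),
            "boots": int.from_bytes(boots[1], "big", signed=True),
            "time": int.from_bytes(time_[1], "big", signed=True)}

def localized_key(password, engineid, algo="sha1"):
    """RFC 3414 A.2: stretch the password to 1 MiB, hash it, then localize with the engineID."""
    pw = password.encode()
    ku = hashlib.new(algo, (pw * (1048576 // len(pw) + 1))[:1048576]).digest()
    return hashlib.new(algo, ku + engineid + ku).hexdigest()

def cfgmaker_v3_args(msg_hex, auth_pw, priv_pw):
    """Engine ID from the captured Report plus localized keys for --authkey/--privkey."""
    p = usm_params(bytes.fromhex(msg_hex))
    eid = bytes.fromhex(p["engineid"])
    return {"engineid": "0x" + p["engineid"], "boots": p["boots"], "time": p["time"],
            "authkey": "0x" + localized_key(auth_pw, eid),
            "privkey": "0x" + localized_key(priv_pw, eid)[:32]}  # DES: first 16 octets (RFC 3414 s8.1.1.1)
```

cfgmaker_v3_args(REPORT_HEX, "testtest", "testtest") returns engineid 0x800043dd03001985e03ece with boots 7 and time 2922798, the same B= and T= values tcpdump printed for the Report; a Report with B=0 T=0 and an empty user is the discovery exchange, not a credential failure.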
