[mrtg] Fwd: MRTG& SNMPv3
Daniel McDonald
dan.mcdonald at austinenergy.com
Thu Apr 25 12:55:49 CEST 2013
On 4/24/13 8:34 PM, "Tom Smyth" <tom.smyth at wirelessconnect.eu> wrote:
> Hi Daniel,
> I really appreciate your Help
>
> I carried out your suggestion and used TCP DUMP and Wire Shark
>
> I found the Context engine ID which appears to be 80003a8c04
I think that's the engine ID (authoritative Engine) rather than the context
engine ID. Contextengineid can only be used with contextname.
So, I think this will work:
cfgmaker --enablesnmpv3 --engineid=0x80003a8c04 \
    --username=Read_Only_Secure --authpassword=testtest --authprotocol=sha \
    --privpassword=testtest --privprotocol=des \
    --snmp-options=:::::3 Read_Only_Secure@10.17.1.250
I normally use hashed passwords. I believe the snmpkey utility will
generate hashes for you. Here are salient portions of the perl script I use
to generate my cfgmaker lines.
# Salient portions of the generator script. The parts left out of this excerpt
# open $db (a DBI handle), set $cfg (the --output file), set $criteria and
# $shorthost (host selection) and open the GENERATE output filehandle.
use Net::SNMP::Security::USM 2.0.0;

my $routers = $db->prepare("select host, rstring, dir, iftemplate, interfaces,
        hosttemplate, ifref, options, iffilter, wstring, engineid, privproto,
        authproto
    from snmp inner join classes using (classid)
    order by dir, host
");
$routers->execute;
while (my $rtr = $routers->fetchrow_hashref) {
    $$rtr{'options'} ||= '::2:1:1';   # default --snmp-options suffix when none is stored
    my %v3opts;
    my ($authkey, $privkey);
    if ($$rtr{'options'} =~ /:3$/) {  # a trailing ":3" selects SNMPv3
        # Localize the auth/priv passwords for this engine ID so the generated
        # cfgmaker line carries keys (--authkey/--privkey) instead of passwords.
        my ($usm, $error) = Net::SNMP::Security::USM->new(
            -authoritative => 1,      # Undocumented / unsupported argument
            -username      => 'readonly',
            -authprotocol  => $$rtr{authproto},
            -authpassword  => $$rtr{rstring},
            -engineid      => $$rtr{engineid},
            -privprotocol  => $$rtr{privproto},
            -privpassword  => $$rtr{wstring},
        );
        if (!defined($usm)) {
            die "$error\n";           # $error is a message string, not an exit status
        }
        $authkey = sprintf("0x%s", unpack('H*', $usm->auth_key));
        $privkey = sprintf("0x%s", unpack('H*', $usm->priv_key));
        $v3opts{username}     = 'readonly';
        $v3opts{authkey}      = $authkey;
        $v3opts{authprotocol} = $$rtr{authproto};
        $v3opts{privkey}      = $privkey;
        $v3opts{privprotocol} = $$rtr{privproto};
    }
    my @line;
    $$rtr{'rstring'} =~ s/'/\\'/g;    # escape single quotes in the community string
    $$rtr{'options'} .= '';
    push @line, "/usr/bin/cfgmaker";
    push @line, "--if-template=$$rtr{'iftemplate'}"
        if ($$rtr{'interfaces'} eq 'interfaces')
        and ($$rtr{'iftemplate'} =~ /\w+/);
    push @line, "--ifref=$$rtr{'ifref'}"
        if defined($$rtr{'ifref'});
    push @line, '--'.$$rtr{'interfaces'}
        if defined($$rtr{'interfaces'});
    push @line, "--host-template=$$rtr{'hosttemplate'}"
        if defined($$rtr{'hosttemplate'});
    my $subdir = join("/", $$rtr{'dir'}, "HOSTNAME");
    push @line, "--subdir=$subdir";
    if ($$rtr{'options'} =~ /:3$/) {
        push @line, "--username='readonly'";
        push @line, "--authkey='$authkey'";
        push @line, "--authproto=$$rtr{'authproto'}";
        push @line, "--privkey='$privkey'";
        push @line, "--privproto=$$rtr{'privproto'}";
    }
    push @line, $$rtr{'iffilter'}
        if defined($$rtr{'iffilter'});
    push @line, '--output='.$cfg;
    if ($$rtr{'options'} =~ /:3$/) {
        push @line, "'readonly'@".$$rtr{'host'}.$$rtr{'options'};
    } else {
        push @line, "'".$$rtr{'rstring'}."'".'@'.$$rtr{'host'}.$$rtr{'options'};
    }
    next unless (($shorthost =~ /$criteria/) or ($$rtr{host} eq $criteria));
    print GENERATE join(" ", @line)."\n";
}
>
> But there appears a difference between snmpwalk and cfgmaker + SNMPv3:
>
> after the initial discovery the authoritativeEngineBoots and
> authoritativeEngineTime appear to be zeroed out when cfgmaker is run (while
> the correct values are sent by snmpwalk).
>
> (I have attached packet captures below: test1 is the packet capture with
> snmpwalk, test is the packet capture with cfgmaker.)
>
>
> I have run the command below
>
> cfgmaker --enablesnmpv3 --contextengineid=0x80003a8c04 \
>     --username=Read_Only_Secure --authpassword=testtest --authprotocol=sha \
>     --privpassword=testtest --privprotocol=des --community=Read_Only_Secure \
>     --snmp-options=:::::3 Read_Only_Secure@10.17.1.250
>
> and I get this error from cfgmaker
>
> SNMPWALK Problem for 1.3.6.1.2.1.1 on
> Read_Only_Secure@10.17.1.250:::::3:v4only: Expected OCTET STRING, but found
> OBJECT IDENTIFIER at /usr/bin/../lib/mrtg2/Net_SNMP_util.pm line 1805
>         Net_SNMP_util::snmpwalk_flg('Read_Only_Secure@10.17.1.250:::::3:v4only',
> undef, 'HASH(0x89d8ca8)', 1.3.6.1.2.1.1) called at
> /usr/bin/../lib/mrtg2/Net_SNMP_util.pm line 766
>         Net_SNMP_util::snmpwalk('Read_Only_Secure@10.17.1.250:::::3:v4only',
> 'HASH(0x89d8ca8)', 1.3.6.1.2.1.1) called at /usr/bin/cfgmaker line 950
>         main::DeviceInfo('Read_Only_Secure@10.17.1.250:::::3',
> 'HASH(0x89d8d08)', 'HASH(0x89d8ca8)') called at /usr/bin/cfgmaker line 137
>         main::main() called at /usr/bin/cfgmaker line 155
> WARNING: Skipping Read_Only_Secure@10.17.1.250:::::3 as no info could be
> retrieved
>
>
> I run the exact same command below
>
>
> cfgmaker --enablesnmpv3 --contextengineid=0x80003a8c04 \
>     --username=Read_Only_Secure --authpassword=testtest --authprotocol=sha \
>     --privpassword=testtest --privprotocol=des --community=Read_Only_Secure \
>     --snmp-options=:::::3 Read_Only_Secure@10.17.1.250
>
> and I get this *different* error from cfgmaker
>
>
> SNMPWALK Problem for 1.3.6.1.2.1.1 on
> Read_Only_Secure@10.17.1.250:::::3:v4only: The ASN.1 type 0x84 is unknown at
> /usr/bin/../lib/mrtg2/Net_SNMP_util.pm line 1805
>         Net_SNMP_util::snmpwalk_flg('Read_Only_Secure@10.17.1.250:::::3:v4only',
> undef, 'HASH(0xa422ca8)', 1.3.6.1.2.1.1) called at
> /usr/bin/../lib/mrtg2/Net_SNMP_util.pm line 766
>         Net_SNMP_util::snmpwalk('Read_Only_Secure@10.17.1.250:::::3:v4only',
> 'HASH(0xa422ca8)', 1.3.6.1.2.1.1) called at /usr/bin/cfgmaker line 950
>         main::DeviceInfo('Read_Only_Secure@10.17.1.250:::::3',
> 'HASH(0xa422d08)', 'HASH(0xa422ca8)') called at /usr/bin/cfgmaker line 137
>         main::main() called at /usr/bin/cfgmaker line 155
> WARNING: Skipping Read_Only_Secure@10.17.1.250:::::3 as no info could be
> retrieved
>
>
>
> Below is the debug output from our router ... which complains about time
> windows and engine boots (even though I never configured them)
>
> 02:18:59 snmp,debug v3 err: 3 unknown engine id
> 02:18:59 snmp packet from: 10.64.34.77 version: 3
> 02:18:59 snmp user: Read_Only_Secure
> 02:18:59 snmp,debug v3 err: 1 not in time window or incorrect engine boots
> 02:18:59 snmp packet from: 10.64.34.77 version: 3
> 02:18:59 snmp user: Read_Only_Secure
> 02:18:59 snmp,debug getnextgetbulk .1.3.6.1.2.1.1 reps:c nonreps:0
> 02:19:15 snmp packet from: 10.64.34.77 version: 3
> 02:19:15 snmp user:
> 02:19:15 snmp,debug v3 err: 3 unknown engine id
> 02:19:15 snmp packet from: 10.64.34.77 version: 3
> 02:19:15 snmp user: Read_Only_Secure
> 02:19:15 snmp,debug v3 err: 1 not in time window or incorrect engine boots
> 02:19:15 snmp packet from: 10.64.34.77 version: 3
> 02:19:15 snmp user: Read_Only_Secure
> 02:19:15 snmp,debug getnextgetbulk .1.3.6.1.2.1.1 reps:c nonreps:0
> 02:20:11 snmp packet from: 10.64.34.77 version: 3
> 02:20:11 snmp user:
> 02:20:11 snmp,debug v3 err: 3 unknown engine id
> 02:20:11 snmp packet from: 10.64.34.77 version: 3
> 02:20:11 snmp user: Read_Only_Secure
> 02:20:11 snmp,debug v3 err: 1 not in time window or incorrect engine boots
> 02:20:11 snmp packet from: 10.64.34.77 version: 3
> 02:20:11 snmp user: Read_Only_Secure
> 02:20:11 snmp,debug getnextgetbulk .1.3.6.1.2.1.1 reps:c nonreps:0
> 02:20:31 snmp packet from: 10.64.34.77 version: 3
> 02:20:31 snmp user:
> 02:20:31 snmp,debug v3 err: 3 unknown engine id
> 02:20:31 snmp packet from: 10.64.34.77 version: 3
> 02:20:31 snmp user: Read_Only_Secure
> 02:20:31 snmp,debug v3 err: 1 not in time window or incorrect engine boots
> 02:20:31 snmp packet from: 10.64.34.77 version: 3
> 02:20:31 snmp user: Read_Only_Secure
> 02:20:31 snmp,debug getnextgetbulk .1.3.6.1.2.1.1 reps:c nonreps:0
>
>
>
> On Wed, Apr 24, 2013 at 3:22 PM, Daniel McDonald
> <dan.mcdonald at austinenergy.com> wrote:
>>
>> On 4/23/13 7:47 PM, "Tom Smyth" <tom.smyth at wirelessconnect.eu> wrote:
>>
>>>
>>> Hi Lads,
>>>
>>> I was wondering if someone could help me, I have a query about how to get
>>> Cfgmaker and MRTG to talk SNMPv3
>>>
>>> with Privacy and Authentication enabled, to a Router.
>>>
>>> I can snmpwalk the router fine... I just can't get mrtg + snmpv3
>>> working...
>>>
>>> I know it may not be straightforward but I'm looking for a fully worked snmp
>>> example... I am willing to pay someone for this so you can contact me on my
>>> email regarding this... or if you don't want to be paid more money I will
>>> donate more money to the project...
>>
>> I normally sniff an interactive poll to determine the engineid. The
>> net-snmp-utils library doesn't detect it properly, but snmpwalk does. You
>> don't even need correct credentials:
>>
>> $ tcpdump -vvv -x host somehost &
>> tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 65535
>> bytes
>> $ snmpwalk -v3 -u foofoo -l authpriv -A 12345678 -X 12345678 somehost
>>
>> 09:13:05.621967 IP (tos 0x0, ttl 64, id 9037, offset 0, flags [none], proto
>> UDP (17), length 92, bad cksum 0 (->85d0)!)
>>     10.10.207.244.57070 > elroy-probe.austin-energy.net.snmp: [bad udp cksum
>> 6c33!] { SNMPv3 { F=r } { USM B=0 T=0 U= } { ScopedPDU E= C= {
>> GetRequest(14) R=1116332740 } } }
>>     0x0000:  4500 005c 234d 0000 4011 0000 0a0a cff4
>>     0x0010:  0a02 ed73 deee 00a1 0048 d1cd 303e 0201
>>     0x0020:  0330 1102 0455 d8d3 a002 0300 ffe3 0401
>>     0x0030:  0402 0103 0410 300e 0400 0201 0002 0100
>>     0x0040:  0400 0400 0400 3014 0400 0400 a00e 0204
>>     0x0050:  4289 e2c4 0201 0002 0100 3000
>> 09:13:05.683814 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto UDP
>> (17), length 120)
>>     elroy-probe.austin-energy.net.snmp > 10.10.207.244.57070: [udp sum ok]
>> { SNMPv3 { F= } { USM B=7 T=2922798 U= } { ScopedPDU E= C= { Report(29) R=0
>> S:snmpUsmMIB.usmMIBObjects.usmStats.usmStatsUnknownEngineIDs.0=11458 } } }
>>     0x0000:  4500 0078 0000 4000 f711 b200 0a02 ed73
>>     0x0010:  0a0a cff4 00a1 deee 0064 10f6 305a 0201
>>     0x0020:  0330 1102 0455 d8d3 a002 0300 ffe3 0401
>>     0x0030:  0002 0103 041d 301b 040b 8000 43dd 0300
>>     0x0040:  1985 e03e ce02 0107 0203 2c99 2e04 0004
>>     0x0050:  0004 0030 2304 0004 00a8 1d02 0100 0201
>>     0x0060:  0002 0100 3012 3010 060a 2b06 0106 030f
>>     0x0070:  0101 0400 4102 2cc2
>> 09:13:05.684078 IP (tos 0x0, ttl 64, id 3357
>>
>> The engineID is in offset 0x003A and the length is specified in 0x0039.
>> Wireshark will break that out for you... TCPdump not-so-much... In this
>> case:
>> 800043dd03001985e03ece
>>
>> Now I can add --engineid=800043dd03001985e03ece to cfgmaker and discover it
>> fine.
>>
>>
>>>
>>> I currently have the following packages installed on a Centos 6.4 i386 box
>>> mrtg-2.16.2-7.el6.i686
>>> mrtg-libs-2.16.2-7.el6.i686
>>>
>>> net-snmp-utils-5.5-44.el6.i686
>>> net-snmp-perl-5.5-44.el6.i686
>>> net-snmp-5.5-44.el6.i686
>>> net-snmp-libs-5.5-44.el6.i686
>>> net-snmp-devel-5.5-44.el6.i686
>>>
>>> rrdtool-devel-1.3.8-6.el6.i686
>>> rrdtool-1.3.8-6.el6.i686
>>> rrdtool-perl-1.3.8-6.el6.i686
>>>
>>>
>>>
>>> My router SNMP v3 config
>>> /snmp community
>>> set [ find default=yes ] addresses=10.0.0.0/8
>>> authentication-password=testtest authentication-protocol=SHA1
>>> encryption-password=testtest name=Read_Only security=private
>>> /snmp
>>> set contact=support at wirelessconnect.eu enabled=yes trap-community=
>>>     Read_Only trap-target=0.0.0.0 trap-version=3
>>>
>>>
>>> What I'm looking for is a working example of
>>> an MRTG Cfgmaker command that would successfully connect to a router with the
>>> configuration above with Auth and Priv enabled for a given context ID ...
>>> on SNMPv3
>>>
>>> If you have to do something funky with context ID ... for example
>>>
>>>
>>> I get weird unrecognised ASN.1 errors from the Cfgmaker script with
>>> hexadecimal references that change every time I modify the cfgmaker command.
>>>
>>> I have tried many things and I just want someone to give me assistance to
>>> get the Cfgmaker command working...
>>>
>>> I can snmpwalk the router fine... I just can't get mrtg + snmpv3
>>> working...
>>>
>>>
>>> Below ... is some mails with more information
>>>
>>> On Mon, Apr 22, 2013 at 7:29 AM, Tom Smyth <tom.smyth at wirelessconnect.eu>
>>> wrote:
>>>> Hi lads,
>>>>
>>>> Does anyone have tips here for me? I just don't get how to get around the
>>>> Context ID.
>>>>
>>>> I can snmpwalk no problem without the context ID (which is not set on the
>>>> router as it is optional).
>>>>
>>>> But every time I set it on the router and I set it on the command
>>>>
>>>> on Mrtg Server I set the following command
>>>> cfgmaker --enablesnmpv3 --contextengineid "" --username=Read_Only \
>>>>     --authpassword=testtest --authprotocol=sha --privpassword=testtest \
>>>>     --privprotocol=des --ifref=ip --community=Read_Only 10.17.1.250:::::3
>>>>
>>>>
>>>> I get this error on the router
>>>>
>>>> 07:21:39 snmp,debug v3 err: 3 unknown engine id
>>>> 07:21:39 snmp packet from: 10.64.34.77 version: 3
>>>> 07:21:39 snmp user: Read_Only_Secure
>>>> 07:21:39 snmp,debug v3 err: 1 not in time window or incorrect engine boots
>>>> 07:21:39 snmp packet from: 10.64.34.77 version: 3
>>>> 07:21:39 snmp user: Read_Only_Secure
>>>> 07:21:39 snmp,debug getnextgetbulk .1.3.6.1.2.1.1 reps:c nonreps:0
>>>>
>>>>
>>>> Any Help or advice would be appreciated
>>>>
>>>>
>>>> On Thu, Jan 24, 2013 at 11:00 PM, Tom Smyth <tom.smyth at wirelessconnect.eu>
>>>> wrote:
>>>>> Hi lads,
>>>>>
>>>>> Does anyone have any tips for running MRTG and SNMPv3 (with Auth and
>>>>> Priv) SHA & DES?
>>>>>
>>>>> I have been having issues with Cfgmaker not accepting my command without a
>>>>> mandatory Context ID (even though context ID is optional).
>>>>> I have tried commenting out the "die if context is not set" lines in
>>>>> cfgmaker
>>>>>
>>>>> I have been able to snmpwalk with the SNMP tools and I have been able to
>>>>> communicate with routers with Cacti...
>>>>>
>>>>> but no matter what I try I can't get MRTG cfgmaker to work.... with SNMPv3
>>>>>
>>>>>
>>>>> I have tried with v2.17.4 and with the standard mrtg package on Centos 6.2
>>>>>
>>>>>
>>>>> if anyone can help me with this...
>>>>>
>>>>> anything at all ... even a sample manual mrtg.cfg file for snmpv3 would be
>>>>> cool
>>>>>
>>>>> Thanks for your time
>>>>>
>>>>>
>>
>> _______________________________________________
>> mrtg mailing list
>> mrtg at lists.oetiker.ch
>> https://lists.oetiker.ch/cgi-bin/listinfo/mrtg
>
>
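The two manual steps in this thread, reading the authoritative engine ID out of a tcpdump hex dump of the usmStatsUnknownEngineIDs Report (offset 0x39/0x3A in the dump quoted above) and turning passwords into the localized keys that `--authkey`/`--privkey` take, can be done in a few lines of code. The following Python script is an added example and is not code from the thread, from MRTG or from Net::SNMP. It embeds the Report datagram quoted above as constructed input, walks the BER structure of the SNMPv3 message to pull out engineID, engineBoots and engineTime, and then applies the RFC 3414 password-to-key and key-localization procedure (the same procedure Net::SNMP::Security::USM implements for `auth_key`/`priv_key`). Truncating the localized privacy key to 16 octets for DES follows RFC 3414 section 8.2; that this yields byte-for-byte what Net::SNMP's `priv_key` returns is an assumption, not verified against the module here. The password `testtest` from the thread is used only as sample input.

```python
"""Added example: recover SNMPv3 USM parameters from a tcpdump hex dump and
derive the localized keys cfgmaker's --authkey/--privkey expect (RFC 3414)."""
import hashlib

# Constructed input: the Report datagram quoted in the thread, as printed by
# `tcpdump -x` (IPv4 header first; tcpdump has already stripped Ethernet).
REPORT_HEXDUMP = """
0x0000:  4500 0078 0000 4000 f711 b200 0a02 ed73
0x0010:  0a0a cff4 00a1 deee 0064 10f6 305a 0201
0x0020:  0330 1102 0455 d8d3 a002 0300 ffe3 0401
0x0030:  0002 0103 041d 301b 040b 8000 43dd 0300
0x0040:  1985 e03e ce02 0107 0203 2c99 2e04 0004
0x0050:  0004 0030 2304 0004 00a8 1d02 0100 0201
0x0060:  0002 0100 3012 3010 060a 2b06 0106 030f
0x0070:  0101 0400 4102 2cc2
"""


def hexdump_to_bytes(dump):
    """Turn 'offset: xxxx xxxx ...' lines back into the raw packet bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, words = line.partition(":")
        out += bytes.fromhex(words.replace(" ", ""))
    return bytes(out)


def ber_tlv(buf, pos):
    """Decode one BER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def ber_children(value):
    """Decode the TLVs packed back to back inside a constructed value."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = ber_tlv(value, pos)
        items.append((tag, val))
    return items


def usm_params(ip_packet):
    """Return the authoritative engine ID, boots and time of an SNMPv3 datagram."""
    ihl = (ip_packet[0] & 0x0F) * 4
    snmp = ip_packet[ihl + 8:]         # skip the IPv4 header and the 8-byte UDP header
    tag, msg, _ = ber_tlv(snmp, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    version, _global_data, sec_params, _scoped_pdu = ber_children(msg)
    if version[1] != b"\x03":
        raise ValueError("not an SNMPv3 message")
    # msgSecurityParameters is an OCTET STRING that wraps the USM SEQUENCE.
    _tag, usm, _ = ber_tlv(sec_params[1], 0)
    engine_id, boots, etime, user, _auth, _priv = ber_children(usm)
    return {
        "engine_id": engine_id[1].hex(),
        "engine_boots": int.from_bytes(boots[1], "big", signed=True),
        "engine_time": int.from_bytes(etime[1], "big", signed=True),
        "user": user[1].decode("ascii", "replace"),
    }


def password_to_key(password, engine_id, algo="sha1"):
    """RFC 3414 A.2 password-to-key (Ku) followed by key localization (Kul)."""
    h = hashlib.new(algo)
    reps, rem = divmod(1048576, len(password))   # stretch the password to 1 MiB
    h.update(password * reps + password[:rem])
    ku = h.digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()   # Kul = H(Ku|engineID|Ku)


def cfgmaker_keys(auth_pass, priv_pass, engine_id_hex, algo="sha1"):
    """Hex strings in the 0x... form cfgmaker takes for --authkey/--privkey.
    Assumption: the DES key is the first 16 octets of the localized priv key,
    as RFC 3414 section 8.2 uses them (8 octets key + 8 octets pre-IV)."""
    engine_id = bytes.fromhex(engine_id_hex)
    auth = password_to_key(auth_pass.encode(), engine_id, algo)
    priv = password_to_key(priv_pass.encode(), engine_id, algo)[:16]
    return "0x" + auth.hex(), "0x" + priv.hex()


if __name__ == "__main__":
    params = usm_params(hexdump_to_bytes(REPORT_HEXDUMP))
    print(params)   # engine_id 800043dd03001985e03ece, boots 7, time 2922798
    authkey, privkey = cfgmaker_keys("testtest", "testtest", params["engine_id"])
    print("--authkey=%s --privkey=%s" % (authkey, privkey))
```

Because the localized key is bound to the engine ID, a key generated for one device is useless against any other, which is why keys rather than passwords are the safer thing to keep in a generated cfgmaker line; and because the Report carries engineBoots and engineTime, the same parse shows whether a poller is sending the zeroed values the router log above rejects as "not in time window".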