etingof / snmpfwd

SNMP Proxy Forwarder
http://snmplabs.com/snmpfwd/
BSD 2-Clause "Simplified" License

snmp forwarder - hitting ERROR failure sending SNMP notification #30

Open jackytoh opened 5 years ago

jackytoh commented 5 years ago

I am looking for a tool that allows me to receive SNMP traps from network devices, filter the unwanted SNMP traps, and forward the unfiltered SNMP traps to the target server.

Before trying the filtering, I am trying the forwarding feature.

I faced errors when processing an SNMPv2 cold start trap using IBM Netcool MIB Manager.

But if I use the snmptrap command to send from another server, it seems to work.

snmptrap -v2c -c public 10.53.17.197:1162 5000 1.3.6.1.6.3.1.1.5.1

I would appreciate it if you could help check why it is not working.

I would like to use IBM Netcool MIB Manager to test different traps from different vendor MIBs. I have no problem using IBM Netcool MIB Manager to send traps directly to the target server, and it works properly.

Below are the errors I get when running the server/client in debug mode:

From server log:

2018-10-26 15:51:27,547 handle_read: transportAddress ('10.211.26.107', 59367) -> ('10.53.17.197', 1162) incomingMessage (70 octets)
00000: 30 44 02 01 01 04 06 70 75 62 6C 69 63 A7 37 02
00016: 04 0E 18 1A D7 02 01 00 02 01 00 30 29 30 17 06
00032: 0A 2B 06 01 06 03 01 01 04 01 00 06 09 2B 06 01
00048: 06 03 01 01 05 01 30 0E 06 08 2B 06 01 02 01 01
00064: 03 00 43 02 13 88
2018-10-26 15:51:27,549 receiveMessage: msgVersion 1, msg decoded
2018-10-26 15:51:27,550 prepareDataElements: Message:
 version=version-2c
 community=public
 data=PDUs:
  snmpV2-trap=SNMPv2TrapPDU:
   request-id=236460759
   error-status=noError
   error-index=0
   variable-bindings=VarBindList:
    VarBind:
     name=1.3.6.1.6.3.1.1.4.1.0
     =_BindValue:
      value=ObjectSyntax:
       simple=SimpleSyntax:
        objectID-value=1.3.6.1.6.3.1.1.5.1
    VarBind:
     name=1.3.6.1.2.1.1.3.0
     =_BindValue:
      value=ObjectSyntax:
       application-wide=ApplicationSyntax:
        timeticks-value=5000

2018-10-26 15:51:27,552 receiveMessage: pduType <TagSet object at 0x2431490 tags 128:32:7>
2018-10-26 15:51:27,554 DEBUG received SNMP message, forwarded as trunk message #43 callflow-id=8610df6037 snmp-engine-id=0x0102030405070809 snmp-transport-domain=1.3.6.1.6.1.1.100 snmp-bind-address=10.53.17.197 snmp-bind-port=1162 snmp-security-model=2 snmp-security-level=1 snmp-security-name=public snmp-credentials-id=agent-1 snmp-context-engine-id=0x0102030405070809 snmp-context-name= snmp-context-id=any-context snmp-pdu=SNMPv2TrapPDU#1.3.6.1.6.3.1.1.4.1.0:'1.3.6.1.6.3.1.1.5.1',1.3.6.1.2.1.1.3.0:'5000', snmp-content-id=trap-content snmp-peer-address=10.211.26.107 snmp-peer-port=59367 snmp-peer-id=100
2018-10-26 15:51:27,554 receiveMessage: processPdu succeeded
2018-10-26 15:51:27,561 INFO received trunk message #43, remote end reported error-indication "failure sending SNMP notification", NOT responding

From client log:

2018-10-26 15:51:27,558 v2ToV1: v2Pdu SNMPv2TrapPDU:
 request-id=236460759
 error-status=noError
 error-index=0
 variable-bindings=VarBindList:
  VarBind:
   name=1.3.6.1.6.3.1.1.4.1.0
   =_BindValue:
    value=ObjectSyntax:
     simple=SimpleSyntax:
      objectID-value=1.3.6.1.6.3.1.1.5.1
  VarBind:
   name=1.3.6.1.2.1.1.3.0
   =_BindValue:
    value=ObjectSyntax:
     application-wide=ApplicationSyntax:
      timeticks-value=5000
2018-10-26 15:51:27,559 ERROR failure sending SNMP notification callflow-id=8610df6037 trunk-id=trunk-1 server-snmp-engine-id=0x0102030405070809 server-snmp-transport-domain=1.3.6.1.6.1.1.100 server-snmp-peer-address=10.211.26.107 server-snmp-peer-port=59367 server-snmp-bind-address=10.53.17.197 server-snmp-bind-port=1162 server-snmp-security-model=2 server-snmp-security-level=1 server-snmp-security-name=public server-snmp-context-engine-id=0x0102030405070809 server-snmp-context-name= server-snmp-pdu=SNMPv2TrapPDU#1.3.6.1.6.3.1.1.4.1.0:'1.3.6.1.6.3.1.1.5.1',1.3.6.1.2.1.1.3.0:'5000', server-snmp-entity-id=agent-1 server-snmp-credentials-id=agent-1 server-snmp-context-id=any-context server-snmp-content-id=trap-content server-snmp-peer-id=100 server-classification-id=any-classification snmp-peer-id=snmplabs-v2 snmp-bind-address=0.0.0.0 snmp-bind-port=0 snmp-peer-address=10.53.17.197 snmp-peer-port=162 snmp-context-engine-id= snmp-context-name=
2018-10-26 15:51:27,559 INFO received SNMP error-indication "failure sending SNMP notification" callflow-id=8610df6037 snmp-pdu=****

Below is a capture from sending the coldStart trap via the snmptrap command.

('10.212.6.102', 58739) -> ('10.53.17.197', 1162) incomingMessage (70 octets)
00000: 30 44 02 01 01 04 06 70 75 62 6C 69 63 A7 37 02
00016: 04 0E DF 39 93 02 01 00 02 01 00 30 29 30 0E 06
00032: 08 2B 06 01 02 01 01 03 00 43 02 13 88 30 17 06
00048: 0A 2B 06 01 06 03 01 01 04 01 00 06 09 2B 06 01
00064: 06 03 01 01 05 01
2018-10-26 15:59:11,710 receiveMessage: msgVersion 1, msg decoded
2018-10-26 15:59:11,713 prepareDataElements: Message:
 version=version-2c
 community=public
 data=PDUs:
  snmpV2-trap=SNMPv2TrapPDU:
   request-id=249510291
   error-status=noError
   error-index=0
   variable-bindings=VarBindList:
    VarBind:
     name=1.3.6.1.2.1.1.3.0
     =_BindValue:
      value=ObjectSyntax:
       application-wide=ApplicationSyntax:
        timeticks-value=5000
    VarBind:
     name=1.3.6.1.6.3.1.1.4.1.0
     =_BindValue:
      value=ObjectSyntax:
       simple=SimpleSyntax:
        objectID-value=1.3.6.1.6.3.1.1.5.1

2018-10-26 15:59:11,717 receiveMessage: pduType <TagSet object at 0x2431490 tags 128:32:7>
2018-10-26 15:59:11,720 DEBUG received SNMP message, forwarded as trunk message #53 callflow-id=623a9b8efb snmp-engine-id=0x0102030405070809 snmp-transport-domain=1.3.6.1.6.1.1.100 snmp-bind-address=10.53.17.197 snmp-bind-port=1162 snmp-security-model=2 snmp-security-level=1 snmp-security-name=public snmp-credentials-id=agent-1 snmp-context-engine-id=0x0102030405070809 snmp-context-name= snmp-context-id=any-context snmp-pdu=SNMPv2TrapPDU#1.3.6.1.2.1.1.3.0:'5000',1.3.6.1.6.3.1.1.4.1.0:'1.3.6.1.6.3.1.1.5.1', snmp-content-id=trap-content snmp-peer-address=10.212.6.102 snmp-peer-port=58739 snmp-peer-id=100
2018-10-26 15:59:11,721 receiveMessage: processPdu succeeded
2018-10-26 15:59:11,732 DEBUG received trunk message #53 -- unconfirmed SNMP message

etingof commented 5 years ago

The thing you are trying to do should be feasible with snmpfwd. Though it depends on what kind of filtering you are looking for...?

The error message in $subj means that the SNMP message you've received can't be routed based on your configuration (either client or server). Perhaps you need to see (in the log) which key does not get a match, which prevented further routing table lookup.

I can't find that error message in the log you've pasted so I can't give you any more specific hints yet. ;-)

jackytoh commented 5 years ago

Sorry, my title gave the wrong error message; that was because I was sending an SNMPv1 trap to an SNMPv2 server.

But now that I am sending an SNMPv2 trap, I face different errors. Please read through the logs again.

2018-10-26 15:51:27,561 INFO received trunk message #43, remote end reported error-indication "failure sending SNMP notification", NOT responding

etingof commented 5 years ago

That log still does not give much information. Does it come from the server part? Anything interesting in client's log?

jackytoh commented 5 years ago

The client part is getting this error:

2018-10-26 15:51:27,559 ERROR failure sending SNMP notification callflow-id=8610df6037 trunk-id=trunk-1 server-snmp-engine-id=0x0102030405070809 server-snmp-transport-domain=1.3.6.1.6.1.1.100 server-snmp-peer-address=10.211.26.107 server-snmp-peer-port=59367 server-snmp-bind-address=10.53.17.197 server-snmp-bind-port=1162 server-snmp-security-model=2 server-snmp-security-level=1 server-snmp-security-name=public server-snmp-context-engine-id=0x0102030405070809 server-snmp-context-name= server-snmp-pdu=SNMPv2TrapPDU#1.3.6.1.6.3.1.1.4.1.0:'1.3.6.1.6.3.1.1.5.1',1.3.6.1.2.1.1.3.0:'5000', server-snmp-entity-id=agent-1 server-snmp-credentials-id=agent-1 server-snmp-context-id=any-context server-snmp-content-id=trap-content server-snmp-peer-id=100 server-classification-id=any-classification snmp-peer-id=snmplabs-v2 snmp-bind-address=0.0.0.0 snmp-bind-port=0 snmp-peer-address=10.53.17.197 snmp-peer-port=162 snmp-context-engine-id= snmp-context-name=
2018-10-26 15:51:27,559 INFO received SNMP error-indication "failure sending SNMP notification" callflow-id=8610df6037 snmp-pdu

etingof commented 5 years ago

Still not much information there. Let's run client part with --debug all to see what causes this?

jackytoh commented 5 years ago

The captured logs were from running with --debug all

etingof commented 5 years ago

The client log seems to include just one PDU printout prior to the final error message. Does it report anything else there?

jackytoh commented 5 years ago

I think this is the only message when I sent the SNMPv2 trap. I can try to reproduce it on Monday and provide logs again.

jackytoh commented 5 years ago

server.log client.log

I am running with both snmp and asn1 debug=all. See the attached log files for both server and client.

netcool 13521 1 0 08:22 ? 00:00:00 python ./snmpfwd-client.py --config-file=/home/netcool/snmpfwd-0.4.1/conf/trap-forwarding-snmpv2c-to-snmpv2c/client.conf --debug-snmp=all --debug-asn1=all --logging-method=file:/home/netcool/snmpfwd-0.4.1/client.log --daemonize
netcool 13633 1 0 08:26 ? 00:00:00 python ./snmpfwd-server.py --config-file=/home/netcool/snmpfwd-0.4.1/conf/trap-forwarding-snmpv2c-to-snmpv2c/server.conf --log-level=debug --debug-snmp=all --debug-asn1=all --logging-method=file:/home/netcool/snmpfwd-0.4.1/server.log --daemonize

jackytoh commented 5 years ago

troubleshoot.zip snmpcoldstart

See the attached SNMP packets that I have captured.

The 1st packet was sent via IBM Netcool MIB Manager and the 2nd packet was sent via the snmptrap command. The 1st packet causes the error, but the 2nd packet is processed properly and forwarded to the target server.

It seems the position of the OID is different. Does this cause the problem here?

Is the snmpfwd tool expecting the 1.3.6.1.2.1.1.3.0 OID always in the 1st position, followed by the OID related to the trap?

jackytoh commented 5 years ago

Regarding the SNMP trap filtering,

I am looking to filter on the value of the OID; is that possible?

For example, for an SNMPv2 linkDown trap, I would like to allow only ifIndex = 5, 6 and 7; the rest of the ifIndex values I would like to filter out, as I am not interested in those interfaces.

I tried to use snmp-pdu-oid-prefix-pattern-list to filter, but it seems to work only on the OID, not the value of the OID.

I also tried the oidfilter plugin; it does not seem suitable for SNMP traps either.

If this is supported, could you please provide a sample configuration that filters on the value of the OID?

Thanks.

etingof commented 5 years ago

> It seems the position of the OID is different. Does this cause the problem here?

With SNMPv2 TRAP PDU the only important thing is to have TRAP OID (1.3.6.1.6.3.1.1.4.1.0) at the second position in the var-bindings list. If it is not there, v2c->v1 PDU conversion would fail.

I have added some more logging to snmpfwd (current GitHub master), if you try the latest code it may log the exact SNMP error that occurs.

This PDU content requirement comes from the SNMP RFC; that's not exactly a pysnmp quirk.

etingof commented 5 years ago

> For example, for an SNMPv2 linkDown trap, I would like to allow only ifIndex = 5, 6 and 7; the rest of the ifIndex values I would like to filter out, as I am not interested in those interfaces.

Let me ask you this: do you receive a single linkDown TRAP PDU for multiple interfaces? So you want to purge some OIDs out of this PDU sending what's remaining alone?

What confuses me here is that the interface information is probably carried in OIDs (the tail pieces), not values as you've mentioned, no?

In that case we should probably look into the oidfilter plugin to make it handle notifications...

Or, if you want to block the entire PDU whenever it contains the unwanted OIDs, you should be able to set up a regexp in snmp-pdu-oid-prefix-pattern-list for that.

jackytoh commented 5 years ago

> Let me ask you this: do you receive a single linkDown TRAP PDU for multiple interfaces? So you want to purge some OIDs out of this PDU sending what's remaining alone?

The linkDown trap is just a simple example. The actual SNMPv2 traps that I am going to filter contain 20-plus SNMP variables, and I am looking to filter SNMP traps based on the value of one or multiple variables... So, in this linkDown example, each PDU will only point to one interface; I will receive multiple PDUs for different interfaces. What I want is a whitelist: for example, I want to allow interfaces 5, 6, 7 to be forwarded and the rest discarded.

> What confuses me here is that the interface information is probably carried in OIDs (the tail pieces), not values as you've mentioned, no?

What I am looking for is filtering on the SNMP OID value, not the tail piece of the OID.

See the Wireshark capture for this command:

snmptrap -v 2c -c public 10.53.17.197:1163 5000 .1.3.6.1.6.3.1.1.5.3 ifIndex i 5 ifAdminStatus i 1 ifOperStatus i 1

jackytoh commented 5 years ago

> I have added some more logging to snmpfwd (current GitHub master), if you try the latest code it may log the exact SNMP error that occurs.

I have downloaded the master build and triggered the SNMPv2 coldStart trap from IBM Netcool MIB Manager. See attached logs client.log server.log

etingof commented 5 years ago

Here we go:

2018-11-01T15:20:30.05 snmpfwd-client: ERROR trunk message #6, SNMP error: Second OID not snmpTrapOID callflow-id=8b2ad914b8 trunk-id=trunk-1 server-snmp-engine-id=0x0102030405070809 server-snmp-transport-domain=1.3.6.1.6.1.1.100 server-snmp-peer-address=10.211.26.107 server-snmp-peer-port=60067 server-snmp-bind-address=10.53.17.197 server-snmp-bind-port=1163 server-snmp-security-model=2 server-snmp-security-level=1 server-snmp-security-name=public server-snmp-context-engine-id=0x0102030405070809 server-snmp-context-name= server-snmp-pdu=SNMPv2TrapPDU#1.3.6.1.6.3.1.1.4.1.0:'1.3.6.1.6.3.1.1.5.1',1.3.6.1.2.1.1.3.0:'5000', server-snmp-entity-id=agent-1 server-snmp-credentials-id=agent-1 server-snmp-context-id=any-context server-snmp-content-id=trap-content server-snmp-peer-id=100 server-classification-id=any-classification snmp-peer-id=snmplabs-v2 snmp-bind-address=0.0.0.0 snmp-bind-port=0 snmp-peer-address=10.53.17.197 snmp-peer-port=162 snmp-context-engine-id= snmp-context-name=

My understanding is that this TRAP PDU is malformed, which is only noticed at the proxy when it tries to process/translate the PDU. If it would get through, similar error should probably be seen at the ultimate receiving end.

Do you know why your TRAP emitter does not include (supposedly mandatory) TRAP OID?

etingof commented 5 years ago

> Each PDU will only point to one interface; I will receive multiple PDUs for different interfaces. What I want is a whitelist: for example, I want to allow interfaces 5, 6, 7 to be forwarded and the rest discarded.

So the logic here is all-or-nothing meaning you either proxy the whole PDU untouched or drop it completely? You do not want to drop just some OIDs from the passing PDU?

> What I am looking for is filtering on the SNMP OID value, not the tail piece of the OID.

Somehow I assumed that the interfaces you are looking into are organized into some SNMP table (like ifTable) where each interface column is addressed by the very last sub-OID of the OID. I understand this is not how it works in your case, right?

jackytoh commented 5 years ago

> My understanding is that this TRAP PDU is malformed, which is only noticed at the proxy when it tries to process/translate the PDU. If it would get through, similar error should probably be seen at the ultimate receiving end.
>
> Do you know why your TRAP emitter does not include (supposedly mandatory) TRAP OID?

SNMPv2TrapPDU#1.3.6.1.6.3.1.1.4.1.0:'1.3.6.1.6.3.1.1.5.1',1.3.6.1.2.1.1.3.0:'5000'

If you check the payload, it did include the mandatory trap OID. I suspect the code is looking for 1.3.6.1.6.3.1.1.4.1.0 as the 2nd OID, but it is the 1st OID?

jackytoh commented 5 years ago

> So the logic here is all-or-nothing meaning you either proxy the whole PDU untouched or drop it completely? You do not want to drop just some OIDs from the passing PDU?

It should either leave the whole PDU untouched or drop it. Dropping some OIDs from a PDU will cause the target server to discard the trap as missing a required variable.

> Somehow I assumed that the interfaces you are looking into are organized into some SNMP table (like ifTable) where each interface column is addressed by the very last sub-OID of the OID. I understand this is not how it works in your case, right?

This is correct when referring to an SNMP MIB table, where the last piece of the OID normally addresses the index of the instances. But it is not the same for SNMP traps, I think.

etingof commented 5 years ago

> If you check the payload, it did include the mandatory trap OID. I suspect the code is looking for 1.3.6.1.6.3.1.1.4.1.0 as the 2nd OID, but it is the 1st OID?

Ah, yes! The required OID is there, but in the wrong position.

Interestingly, this seems to be documented by IBM as the right layout, while RFC3416 says:

> The first two variable bindings in the variable binding list of an SNMPv2-Trap-PDU are sysUpTime.0 [RFC3418] and snmpTrapOID.0 [RFC3418] respectively.

I am curious if this could be changed in Netcool by configuration...?
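
Added example, not written by either participant and not snmpfwd or pysnmp code: a small stand-alone BER reader that extracts the var-bind OIDs from the two 70-octet messages in the server log above and checks them against the RFC 3416 order quoted here (sysUpTime.0 first, snmpTrapOID.0 second). All function and constant names are made up for this illustration; the octets are copied from the hex dumps in the issue.

```python
SYS_UPTIME_0 = "1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID_0 = "1.3.6.1.6.3.1.1.4.1.0"
REQUIRED_ORDER = (SYS_UPTIME_0, SNMP_TRAP_OID_0)  # RFC 3416: positions 1 and 2
# Octets copied from the two 70-octet hex dumps in the server log on this page.
NETCOOL_TRAP = bytes.fromhex(
    "30 44 02 01 01 04 06 70 75 62 6C 69 63 A7 37 02"
    "04 0E 18 1A D7 02 01 00 02 01 00 30 29 30 17 06"
    "0A 2B 06 01 06 03 01 01 04 01 00 06 09 2B 06 01"
    "06 03 01 01 05 01 30 0E 06 08 2B 06 01 02 01 01"
    "03 00 43 02 13 88")
SNMPTRAP_CMD_TRAP = bytes.fromhex(
    "30 44 02 01 01 04 06 70 75 62 6C 69 63 A7 37 02"
    "04 0E DF 39 93 02 01 00 02 01 00 30 29 30 0E 06"
    "08 2B 06 01 02 01 01 03 00 43 02 13 88 30 17 06"
    "0A 2B 06 01 06 03 01 01 04 01 00 06 09 2B 06 01"
    "06 03 01 01 05 01")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(data):
    """Decode BER OBJECT IDENTIFIER contents into dotted notation."""
    if not data or data[-1] & 0x80:
        raise ValueError("malformed OID")
    subids, acc = [], 0
    for octet in data:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear marks the end of a sub-identifier
            subids.append(acc)
            acc = 0
    head = divmod(subids[0], 40) if subids[0] < 80 else (2, subids[0] - 80)
    return ".".join(str(arc) for arc in (*head, *subids[1:]))

def trap_varbind_oids(message):
    """Return the var-bind OIDs of an SNMPv2c trap message, in wire order."""
    tag, body, _ = read_tlv(message, 0)
    parts = list(children(body)) if tag == 0x30 else []
    if len(parts) != 3 or parts[2][0] != 0xA7:  # 0xA7 = SNMPv2-Trap-PDU
        raise ValueError("not an SNMPv2-Trap message")
    pdu = list(children(parts[2][1]))  # request-id, status, index, var-binds
    if len(pdu) != 4 or pdu[3][0] != 0x30:
        raise ValueError("malformed PDU")
    oids = []
    for vb_tag, vb in children(pdu[3][1]):
        fields = list(children(vb))
        if vb_tag != 0x30 or len(fields) != 2 or fields[0][0] != 0x06:
            raise ValueError("malformed var-bind")
        oids.append(decode_oid(fields[0][1]))
    return oids

def check_trap_layout(message):
    """Return None if the first two var-binds follow RFC 3416, else a reason."""
    oids = trap_varbind_oids(message)
    if len(oids) < 2:
        return "fewer than two var-binds"
    for pos, (got, want) in enumerate(zip(oids, REQUIRED_ORDER), 1):
        if got != want:
            return "var-bind %d is %s, expected %s" % (pos, got, want)
    return None
```

`check_trap_layout(NETCOOL_TRAP)` returns a reason string naming the misplaced var-bind, while `check_trap_layout(SNMPTRAP_CMD_TRAP)` returns `None`.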

etingof commented 5 years ago

> It should either leave the whole PDU untouched or drop it. Dropping some OIDs from a PDU will cause the target server to discard the trap as missing a required variable.

That's a very good point!

> This is correct when referring to an SNMP MIB table, where the last piece of the OID normally addresses the index of the instances. But it is not the same for SNMP traps, I think.

I do not think so... There is no dedicated set of managed objects applicable just for SNMP notifications. I think TRAP PDU operates on the very same OIDs as any other SNMP PDU.

If this is correct, you might just need to regexp your PDU for the offending OIDs e.g. snmp-pdu-oid-prefix-pattern-list and do not route them anywhere by snmpfwd configuration.

Does it make sense?

jackytoh commented 5 years ago

> I am curious if this could be changed in Netcool by configuration...?

I can't find where to change it. But if I get time, I will try to capture some sample SNMP traps from real devices from different vendors and check the position.

> If this is correct, you might just need to regexp your PDU for the offending OIDs e.g. snmp-pdu-oid-prefix-pattern-list and do not route them anywhere by snmpfwd configuration.

My understanding is that this filters PDUs based on OID, not based on the PDU OID's value.

Anyway, I have found my solution another way. Thanks for the support.