etingof / snmpfwd

SNMP Proxy Forwarder
http://snmplabs.com/snmpfwd/
BSD 2-Clause "Simplified" License

TRAP forwarder, SNMPv1 to SNMPv3 #40

Closed JorgeJuanTel closed 5 years ago

JorgeJuanTel commented 5 years ago

Hi

I'm trying to configure SNMP Proxy Forwarder to receive SNMPv1 TRAPs and forward them as SNMPv3 TRAPs. But when the server receives an SNMPv1 TRAP, it fails with the following error:

```
2019-07-16 11:28:46,442 ERROR poll error: Traceback (most recent call last):
; File "c:\program files\python37\lib\site-packages\pysnmp\carrier\asyncore\dispatch.py", line 46, in runDispatcher use_poll=True, map=self.sockMap, count=1)
; File "c:\program files\python37\lib\asyncore.py", line 207, in loop poll_fun(timeout, map)
; File "c:\program files\python37\lib\asyncore.py", line 150, in poll read(obj)
; File "c:\program files\python37\lib\asyncore.py", line 87, in read obj.handle_error()
; File "c:\program files\python37\lib\asyncore.py", line 83, in read obj.handle_read_event()
; File "c:\program files\python37\lib\asyncore.py", line 422, in handle_read_event self.handle_read()
; File "c:\program files\python37\lib\site-packages\pysnmp\carrier\asyncore\dgram\base.py", line 170, in handle_read self._cbFun(self, transportAddress, incomingMessage)
; File "c:\program files\python37\lib\site-packages\pysnmp\carrier\base.py", line 70, in _cbFun self, transportDomain, transportAddress, incomingMessage
; File "c:\program files\python37\lib\site-packages\pysnmp\entity\engine.py", line 152, in receiveMessageCbFun self, transportDomain, transportAddress, wholeMsg
; File "c:\program files\python37\lib\site-packages\pysnmp\proto\rfc3412.py", line 433, in receiveMessage PDU, maxSizeResponseScopedPDU, stateReference)
; File "C:\Program Files\Python37\Scripts\snmpfwd-server.py", line 256, in processPdu msgId = trunkingManager.sendReq(trunkId, trunkReq, self.trunkCbFun, cbCtx)
; File "c:\program files\python37\lib\site-packages\snmpfwd\trunking\manager.py", line 32, in sendReq return trunk.sendReq(req, cbFun, cbCtx)
; File "c:\program files\python37\lib\site-packages\snmpfwd\trunking\client.py", line 53, in sendReq self.send(protocol.prepareRequestData(msgId, req, self.secret))
; File "c:\program files\python37\lib\site-packages\snmpfwd\trunking\protocol.py", line 114, in prepareRequestData r['snmp-pdu'] = encoder.encode(req['snmp-pdu'])
; File "c:\program files\python37\lib\site-packages\pyasn1\codec\ber\encoder.py", line 763, in __call__ substrate = concreteEncoder.encode(value, asn1Spec, self, options)
; File "c:\program files\python37\lib\site-packages\pyasn1\codec\ber\encoder.py", line 97, in encode value, asn1Spec, encodeFun, options
; File "c:\program files\python37\lib\site-packages\pyasn1\codec\ber\encoder.py", line 544, in encodeValue chunk = encodeFun(component, asn1Spec, **options)
; File "c:\program files\python37\lib\site-packages\pyasn1\codec\ber\encoder.py", line 763, in __call__ substrate = concreteEncoder.encode(value, asn1Spec, self, options)
; File "c:\program files\python37\lib\site-packages\pyasn1\codec\ber\encoder.py", line 97, in encode value, asn1Spec, encodeFun, options
; File "c:\program files\python37\lib\site-packages\pyasn1\codec\ber\encoder.py", line 162, in encodeValue if value == 0:
; File "c:\program files\python37\lib\site-packages\pyasn1\type\univ.py", line 241, in __eq__ return self._value == value
; File "c:\program files\python37\lib\site-packages\pyasn1\type\base.py", line 199, in plug raise error.PyAsn1Error('Attempted "%s" operation on ASN.1 schema object' % name)
;pyasn1.error.PyAsn1Error: Attempted "__eq__" operation on ASN.1 schema object caused by <class 'pyasn1.error.PyAsn1Error'>: Attempted "__eq__" operation on ASN.1 schema object
```

My configuration files are the following:

```
#
# SNMP TRAP forwarder: Manager part configuration
#

config-version: 2
program-name: snmpfwd-server

snmp-credentials-group {
  snmp-transport-domain: 1.3.6.1.6.1.1.100
  snmp-bind-address: 10.124.14.153:162

  snmp-engine-id: 0x0102030405070809

  snmp-community-name: public
  snmp-security-name: public
  snmp-security-model: 1
  snmp-security-level: 1

  snmp-credentials-id: snmp-credentials
}

context-group {
  snmp-context-engine-id-pattern: .*?
  snmp-context-name-pattern: .*?

  snmp-context-id: any-context
}

content-group {
  snmp-pdu-type-pattern: TRAPv1
  snmp-pdu-oid-prefix-pattern-list: .*?

  snmp-content-id: trap-content
}

peers-group {
  snmp-transport-domain: 1.3.6.1.6.1.1.100
  snmp-bind-address-pattern-list: .*?
  snmp-peer-address-pattern-list: .*?

  snmp-peer-id: 100
}

trunking-group {
  trunk-bind-address: 127.0.0.1
  trunk-peer-address: 127.0.0.1:30301
  trunk-ping-period: 60
  trunk-connection-mode: client

  trunk-id: trunk-1
}

routing-map {
  matching-snmp-credentials-id-list: snmp-credentials
  matching-snmp-context-id-list: any-context
  matching-snmp-content-id-list: trap-content
  matching-snmp-peer-id-list: 100

  using-trunk-id-list: trunk-1
}
```

```
#
# SNMP TRAP forwarder: Agent part configuration
#

config-version: 2
program-name: snmpfwd-client

peers-group {
  # Our SNMP engine ID becomes authoritative for the purpose of
  # sending SNMPv3 TRAPs
  snmp-engine-id: 0x8000000001020304
  # snmp-engine-id: 0x8000031201ac14c8c8
  # SNMPv3 TRAP would pick up security-engine-id instead of snmp-engine-id
  # snmp-engine-id: 0x80000000FFFFFFFF
  # snmp-security-engine-id: 0x8000000001020304

  snmp-transport-domain: 1.3.6.1.6.1.1.1
  snmp-bind-address: 0.0.0.0:0

  # time out SNMP request in 1 second
  snmp-peer-timeout: 100
  snmp-peer-retries: 0

  snmp-security-model: 3
  snmp-security-level: 2
  snmp-security-name: authUser

  snmp-usm-user: authUser
  snmp-usm-auth-protocol: md5
  snmp-usm-auth-key: 12345678
  snmp-usm-priv-protocol: des
  snmp-usm-priv-key: 12345678

  snmp-peer-address: 172.20.127.1:162

  snmp-peer-id: snmplabs-v3
}

trunking-group {
  trunk-bind-address: 127.0.0.1:30301
  trunk-ping-period: 60
  trunk-connection-mode: server

  trunk-id:
}

original-snmp-peer-info-group {
  orig-snmp-bind-address-pattern: .*?
  orig-snmp-context-name-pattern: .*?

  orig-snmp-pdu-type-pattern: TRAPv1
  orig-snmp-oid-prefix-pattern: .*?

  orig-snmp-engine-id-pattern: .*?
  orig-snmp-context-engine-id-pattern: .*?

  orig-snmp-transport-domain-pattern: .*?
  orig-snmp-peer-address-pattern: .*?

  orig-snmp-security-level-pattern: .*?
  orig-snmp-security-name-pattern: .*?
  orig-snmp-security-model-pattern: .*?

  orig-snmp-peer-id: agent-1
}

server-classification-group {
  server-snmp-credentials-id-pattern: .*?
  server-snmp-context-id-pattern: .*?
  server-snmp-content-id-pattern: .*?
  server-snmp-peer-id-pattern: .*?

  server-classification-id: any-classification
}

routing-map {
  matching-trunk-id-list: trunk-1
  matching-orig-snmp-peer-id-list: agent-1
  matching-server-classification-id-list: any-classification

  using-snmp-peer-id-list: snmplabs-v3
}
```

The version that I'm using is:

```
SNMP Proxy Forwarder version 0.4.4, written by Ilya Etingof
Using foundation libraries: pysnmp 4.4.9, pyasn1 0.4.5.
Python interpreter: 3.7.1 (v3.7.1:260ec2c36a, Oct 20 2018, 14:57:15) [MSC v.1915 64 bit (AMD64)]
```

Any idea what I'm doing wrong? Thanks in advance.

Best regards, Jorge

etingof commented 5 years ago

That feels like a bug... If you can share the debug log produced when the `snmpfwd-server.py --debug-asn1` command-line option is given, that would be helpful. Keep in mind that your SNMP keys can appear in the log.
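
The caution about keys in shared output also covers the configuration files posted in this thread, which carry a community name and USM keys. Below is a sketch of masking those values before posting, as an added example that is not part of the original thread or of snmpfwd. The sample config, the sample log line and the helper names `redact_config` and `scrub_literals` are constructed for illustration.

```python
import re

# Secret-bearing option names, all taken from the configs posted in this thread.
SECRET_OPTIONS = ("snmp-community-name", "snmp-usm-auth-key", "snmp-usm-priv-key")

# Matches "[#] option: value" so that commented-out settings are masked too.
_OPTION_RE = re.compile(
    r"^(?P<head>\s*#?\s*(?P<name>[\w-]+)\s*:\s*)(?P<value>\S.*?)\s*$"
)

def redact_config(text, mask="<redacted>"):
    """Return (redacted_text, secrets) for an snmpfwd-style config."""
    out, secrets = [], set()
    for line in text.splitlines():
        m = _OPTION_RE.match(line)
        if m and m.group("name") in SECRET_OPTIONS:
            secrets.add(m.group("value"))      # remember the value for log scrubbing
            line = m.group("head") + mask      # keep indentation and option name
        out.append(line)
    return "\n".join(out), secrets

def scrub_literals(text, secrets, mask="<redacted>"):
    """Mask literal occurrences of known secret values, longest first."""
    for value in sorted(secrets, key=len, reverse=True):
        text = text.replace(value, mask)
    return text

# Constructed sample input (not the poster's real values).
SAMPLE_CONFIG = """\
snmp-credentials-group {
  snmp-community-name: example-community
  snmp-security-name: public
}
peers-group {
  snmp-usm-user: authUser
  snmp-usm-auth-key: example-auth-key
  # snmp-usm-priv-key: example-priv-key
}
"""
SAMPLE_LOG = "constructed log line: community example-community accepted"

if __name__ == "__main__":
    redacted, found = redact_config(SAMPLE_CONFIG)
    print(redacted)
    print(scrub_literals(SAMPLE_LOG, found))
```

Literal matching does not catch a key that appears in an encoded or derived form, so a debug log still needs a manual read before it is shared.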

JorgeJuanTel commented 5 years ago

Here I attach the log file generated by snmpfwd-server with the command-line option --debug-asn1=all

server.log

Thank you

etingof commented 5 years ago

I am trying to find what's wrong here, but it's not obvious. The failure occurs after the TRAPv1 PDU is turned into a TRAPv2c PDU, then everything blows up on the new PDU serialization attempt...

Any chance you could share a raw tcpdump packet containing the original TRAPv1 message causing this havoc? ;-)

etingof commented 5 years ago

Hold on, could you please try this pysnmp commit or just HEAD of this branch? I hope that fixes this crash. I'd make a pysnmp release if that helps.

JorgeJuanTel commented 5 years ago

With that new version of pysnmp, it works now. Thank you very much. Sorry for not answering before, last week I wasn't in the office.

Best regards, Jorge Juan Fernando

etingof commented 5 years ago

Also cherry-picked to master.