netdisco / netdisco

A web-based network management tool.
http://netdisco.org/
BSD 3-Clause "New" or "Revised" License

Netdisco stopped receiving data from Juniper with SNMP v.3 after recent RHEL9 update. #1241

Closed romanstech closed 1 month ago

romanstech commented 3 months ago

Netdisco stopped receiving data from Juniper with SNMP v.3 after recent RHEL9 update.

Expected Behavior

$ ~/bin/netdisco-do discover -d <IP> -DI discovers the switch

Current Behavior

snmpwalk works:

$ snmpwalk -On -v3 -l authPriv -u user -x AES -a SHA -A 'pwd' -X 'pwd' <IP> .1.3.6.1.2.1.1.3.0
.1.3.6.1.2.1.1.3.0 = Timeticks: (1468888208) 170 days, 0:14:42.08
$ snmpwalk -On -v3 -l authPriv -u user -x AES -a SHA -A 'pwd' -X 'pwd' <IP> .1.3.6.1.2.1.25.1.1.0
.1.3.6.1.2.1.25.1.1.0 = Timeticks: (1468955700) 170 days, 0:25:57.00

Netdisco discovers neither new nor old switches:

$ ~/bin/netdisco-do discover -d <IP> -DI
[15723] 2024-07-28 11:07:39  info App::Netdisco version 2.076005 loaded.
[15723] 2024-07-28 11:07:39  info discover: [132.69.252.170] started at Sun Jul 28 14:07:39 2024
[15723] 2024-07-28 11:07:40 debug discover: running with timeout 600s
[15723] 2024-07-28 11:07:40 debug //// CHECK \\\\ phase
[15723] 2024-07-28 11:07:40 debug ⮕ worker Internal::BackendFQDN p1000000
[15723] 2024-07-28 11:07:40 debug ⮕ worker Internal::SNMPFastDiscover p1000000
[15723] 2024-07-28 11:07:40 debug running with configured SNMP timeouts
[15723] 2024-07-28 11:07:40 debug ⮕ worker Discover p0
[15723] 2024-07-28 11:07:40 debug ⬅ (done) Discover is able to run.
[15723] 2024-07-28 11:07:40 debug //// EARLY \\\\ phase
[15723] 2024-07-28 11:07:40 debug ⮕ worker Discover::Properties p100
[15723] 2024-07-28 11:07:40 debug snmp reader cache warm: [132.69.252.170]
[15723] 2024-07-28 11:07:40 debug [132.69.252.170:161] try_connect with v: 3, t: 0.2, r: 0, class: SNMP::Info::Layer3::Juniper, comm: v3:user:SHA512/AES256
SNMP::Info::_global uptime : DISMAN-EVENT-MIB::sysUpTimeInstance : .1.3.6.1.2.1.1.3.0
SNMP::Info::_global(uptime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
SNMP::Info::_global hrSystemUptime : HOST-RESOURCES-MIB::hrSystemUptime.0 : .1.3.6.1.2.1.25.1.1.0
SNMP::Info::_global(hrSystemUptime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
SNMP::Info::_global sysUpTime : DISMAN-EVENT-MIB::sysUpTimeInstance : .1.3.6.1.2.1.1.3.0
SNMP::Info::_global(sysUpTime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
[15723] 2024-07-28 11:07:41 debug [132.69.252.170:161] try_connect with v: 3, t: 0.2, r: 0, class: SNMP::Info::Layer3::Juniper, comm: v3:user:SHA/AES
SNMP::Info::_global uptime : DISMAN-EVENT-MIB::sysUpTimeInstance : .1.3.6.1.2.1.1.3.0
SNMP::Info::_global(uptime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
SNMP::Info::_global hrSystemUptime : HOST-RESOURCES-MIB::hrSystemUptime.0 : .1.3.6.1.2.1.25.1.1.0
SNMP::Info::_global(hrSystemUptime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
SNMP::Info::_global sysUpTime : DISMAN-EVENT-MIB::sysUpTimeInstance : .1.3.6.1.2.1.1.3.0
SNMP::Info::_global(sysUpTime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
[15723] 2024-07-28 11:07:41 debug [132.69.252.170:161] try_connect with v: 3, t: 0.2, r: 0, class: SNMP::Info::Layer3::Juniper, comm: v3:Kiska:SHA/AES-256-C
SNMP::Info::_global uptime : DISMAN-EVENT-MIB::sysUpTimeInstance : .1.3.6.1.2.1.1.3.0
SNMP::Info::_global(uptime) Unknown user name at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
SNMP::Info::_global hrSystemUptime : HOST-RESOURCES-MIB::hrSystemUptime.0 : .1.3.6.1.2.1.25.1.1.0
SNMP::Info::_global(hrSystemUptime) Unknown user name at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
SNMP::Info::_global sysUpTime : DISMAN-EVENT-MIB::sysUpTimeInstance : .1.3.6.1.2.1.1.3.0
SNMP::Info::_global(sysUpTime) Unknown user name at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
[15723] 2024-07-28 11:07:41 debug [132.69.252.170:161] try_connect with v: 2, t: 0.2, r: 0, class: SNMP::Info::Layer3::Juniper, comm: public
SNMP::Info::_global uptime : DISMAN-EVENT-MIB::sysUpTimeInstance : .1.3.6.1.2.1.1.3.0
SNMP::Info::_global(uptime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
SNMP::Info::_global hrSystemUptime : HOST-RESOURCES-MIB::hrSystemUptime.0 : .1.3.6.1.2.1.25.1.1.0
SNMP::Info::_global(hrSystemUptime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
SNMP::Info::_global sysUpTime : DISMAN-EVENT-MIB::sysUpTimeInstance : .1.3.6.1.2.1.1.3.0
SNMP::Info::_global(sysUpTime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
[15723] 2024-07-28 11:07:42 debug [132.69.252.170:161] try_connect with v: 2, t: 0.2, r: 0, class: SNMP::Info::Layer3::Juniper, comm: public
SNMP::Info::_global uptime : DISMAN-EVENT-MIB::sysUpTimeInstance : .1.3.6.1.2.1.1.3.0
SNMP::Info::_global(uptime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
SNMP::Info::_global hrSystemUptime : HOST-RESOURCES-MIB::hrSystemUptime.0 : .1.3.6.1.2.1.25.1.1.0
SNMP::Info::_global(hrSystemUptime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
SNMP::Info::_global sysUpTime : DISMAN-EVENT-MIB::sysUpTimeInstance : .1.3.6.1.2.1.1.3.0
SNMP::Info::_global(sysUpTime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
[15723] 2024-07-28 11:07:43 debug [132.69.252.170:161] try_connect with v: 2, t: 0.2, r: 0, class: SNMP::Info::Layer3::Juniper, comm: commread
SNMP::Info::_global uptime : DISMAN-EVENT-MIB::sysUpTimeInstance : .1.3.6.1.2.1.1.3.0
SNMP::Info::_global(uptime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
SNMP::Info::_global hrSystemUptime : HOST-RESOURCES-MIB::hrSystemUptime.0 : .1.3.6.1.2.1.25.1.1.0
SNMP::Info::_global(hrSystemUptime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
SNMP::Info::_global sysUpTime : DISMAN-EVENT-MIB::sysUpTimeInstance : .1.3.6.1.2.1.1.3.0
SNMP::Info::_global(sysUpTime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
[15723] 2024-07-28 11:07:43 debug [132.69.252.170:161] try_connect with v: 2, t: 0.2, r: 0, class: SNMP::Info::Layer3::Juniper, comm: comnor69
SNMP::Info::_global uptime : DISMAN-EVENT-MIB::sysUpTimeInstance : .1.3.6.1.2.1.1.3.0
SNMP::Info::_global(uptime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
SNMP::Info::_global hrSystemUptime : HOST-RESOURCES-MIB::hrSystemUptime.0 : .1.3.6.1.2.1.25.1.1.0
SNMP::Info::_global(hrSystemUptime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
SNMP::Info::_global sysUpTime : DISMAN-EVENT-MIB::sysUpTimeInstance : .1.3.6.1.2.1.1.3.0
SNMP::Info::_global(sysUpTime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
[15723] 2024-07-28 11:07:44 debug [132.69.252.170:161] try_connect with v: 3, t: 3, r: 2, class: SNMP::Info::Layer3::Juniper, comm: v3:user:SHA512/AES256
SNMP::Info::_global uptime : DISMAN-EVENT-MIB::sysUpTimeInstance : .1.3.6.1.2.1.1.3.0
SNMP::Info::_global(uptime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
SNMP::Info::_global hrSystemUptime : HOST-RESOURCES-MIB::hrSystemUptime.0 : .1.3.6.1.2.1.25.1.1.0
SNMP::Info::_global(hrSystemUptime) Timeout at /home/netdisco/perl5/lib/perl5/App/Netdisco/Transport/SNMP.pm line 305.
SNMP::Info::_global sysUpTime : DISMAN-EVENT-MIB::sysUpTimeInstance : .1.3.6.1.2.1.1.3.0

CISCO switches (SNMP v.3) and Avaya switches (SNMP v.2) work without issues. If we configure an SNMPv.2 community on a Juniper switch, it also returns to work as requested.

A small Perl script works as well:

#! /usr/bin/perl
#

use strict;
use warnings;

use Net::SNMP;

my $OID_sysUpTime = '1.3.6.1.2.1.1.3.0';

my ($session, $error) = Net::SNMP->session(
   -hostname     => '10.1.1.1',
   -version      => 'snmpv3',
   -username     => 'user',
   -authprotocol => 'sha1',
   -authpassword => 'pwd',
   -privprotocol => 'aes',
   -privpassword => 'pwd',
);

if (!defined $session) {
   printf "Session ERROR: %s.\n", $error;
   exit 1;
}

my $result = $session->get_request(-varbindlist => [ $OID_sysUpTime ],);

if (!defined $result) {
   printf "Result ERROR: %s.\n", $session->error();
   $session->close();
   exit 1;
}

printf "The sysUpTime for host '%s' was set to '%s'.\n",
      $session->hostname(), $result->{$OID_sysUpTime};

$session->close();

exit 0;

$ pwd
/home/netdisco
$ tmp/perl_snmpv3.pl
The sysUpTime for host '10.1.1.1' was set to '5 days, 04:39:04.54'.
$ perl --version
This is perl 5, version 32, subversion 1 (v5.32.1) built for x86_64-linux-thread-multi
(with 53 registered patches, see perl -V for more detail)

Possible Solution

Temporarily we can downgrade SNMP to v.2 on all JunOS switches, but this creates a huge security issue in our LAN.

Steps to Reproduce (for bugs)

  1. ~/bin/netdisco-do discover -d <IP> -DI, where IP = Juniper switch IP with SNMPv.3 configured
  2. snmpwalk -On -v3 -l authPriv -u user -x AES -a SHA -A 'pwd' -X 'pwd' <IP> .1.3.6.1.2.1.1.3.0 works
  3. The same issue occurs with new and old Juniper switches (old ones being switches that were already discovered before and worked earlier without any issues)
  4. CISCO with SNMPv.3 worked and continues working
  5. If we change Juniper switches to SNMPv.2, they work with Netdisco again
  6. Netdisco v.2.74.1 had the same issue. So I've upgraded it but it didn't help.

Context

Your Environment

| Software | Version |
| --- | --- |
| [App::Netdisco](http://netdisco.org/) | 2.76.5 |
| [SNMP::Info](https://github.com/netdisco/snmp-info) | 3.970.1 |
| [DB Schema](https://metacpan.org/module/netdisco-db-deploy) | 87 |
| [PostgreSQL](http://www.postgresql.org/) | 16.00.3 |
| [Perl](http://www.perl.org/) | 5.32.1 |

Config info (deployment.yml)

device_auth:
  - tag: 'v2_readonly'
    community: 'public'
    read: true
    write: false

  # Used for Juniper because RHEL9 doesn't support DES
  - tag: 'v3_SHA-AES_netdisco_ro'
    user: 'user' 
    auth:
     pass: 'pwd'
     proto: SHA
    priv:
     pass: 'pwd'
     proto: AES

  # Used for Cisco
  - tag: 'v3_CISCO_SHA-AES-256-C_ro'
    user: 'user' 
    auth:
     pass: 'pwd'
     proto: SHA
    priv:
     pass: 'pwd'
     proto: AES-256-C

Device information

JunOS of different models and different JunOS versions.
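
One way to condense a `netdisco-do discover -D` trace like the one in the report above into one row per credential attempt, showing which `device_auth` entry ended in `Timeout` and which in `Unknown user name`. This is an added example, not Netdisco code or part of the original post; the sample log is constructed (address 192.0.2.10, community `examplecomm`), the function names are hypothetical, and SNMPv2c community strings are redacted so the summary can be shared.

```python
import re

# Constructed sample in the format of the debug output above (placeholder address and credentials).
SAMPLE_LOG = """\
[1] 2024-07-28 11:07:40 debug [192.0.2.10:161] try_connect with v: 3, t: 0.2, r: 0, class: SNMP::Info::Layer3::Juniper, comm: v3:user:SHA/AES
SNMP::Info::_global(uptime) Timeout at /x/SNMP.pm line 305.
[1] 2024-07-28 11:07:41 debug [192.0.2.10:161] try_connect with v: 3, t: 0.2, r: 0, class: SNMP::Info::Layer3::Juniper, comm: v3:user:SHA/AES-256-C
SNMP::Info::_global(uptime) Unknown user name at /x/SNMP.pm line 305.
[1] 2024-07-28 11:07:41 debug [192.0.2.10:161] try_connect with v: 2, t: 0.2, r: 0, class: SNMP::Info::Layer3::Juniper, comm: examplecomm
SNMP::Info::_global(uptime) Timeout at /x/SNMP.pm line 305.
[1] 2024-07-28 11:07:44 debug [192.0.2.10:161] try_connect with v: 3, t: 3, r: 2, class: SNMP::Info::Layer3::Juniper, comm: v3:user:SHA/AES
SNMP::Info::_global(uptime) Timeout at /x/SNMP.pm line 305.
"""

ATTEMPT = re.compile(r"\[(?P<target>[^\]\s]+:\d+)\] try_connect with v: (?P<version>\d), "
                     r"t: (?P<timeout>[\d.]+), r: (?P<retries>\d+), class: \S+, comm: (?P<comm>\S+)")
ERROR = re.compile(r"^SNMP::Info::_global\((?P<leaf>\w+)\) (?P<err>.+?) at \S+ line \d+\.")


def parse_attempts(log_text):
    """Return one dict per try_connect line, with the errors logged under it."""
    attempts = []
    for line in log_text.splitlines():
        m = ATTEMPT.search(line)
        e = ERROR.match(line)
        if m:
            a = m.groupdict()
            # SNMPv1/v2c community strings are secrets: never copy them into a summary.
            if a["version"] != "3":
                a["comm"] = "<redacted community>"
            a["errors"] = {}
            attempts.append(a)
        elif e and attempts:
            attempts[-1]["errors"][e["leaf"]] = e["err"]
    return attempts


def summarize(attempts):
    """Collapse attempts to (version, credential, timeout, retries, outcome) rows."""
    rows = []
    for a in attempts:
        kinds = sorted(set(a["errors"].values())) or ["no error logged"]
        rows.append((a["version"], a["comm"], a["timeout"], a["retries"], "/".join(kinds)))
    return rows


if __name__ == "__main__":
    for row in summarize(parse_attempts(SAMPLE_LOG)):
        print("v%s  %-24s t=%s r=%s  %s" % row)
```
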

romanstech commented 3 months ago

More data: JunOS supports DES, 3DES, AES128 authentication protocols. RHEL9 supports only AES128 from the list. I tried both privacy protocols SHA1 and MD5 with the same results.

Our Netdisco already deleted all JunOS switches from the system and left only those 2 that I configured SNMPv.2 for tests (((

romanstech commented 3 months ago

One more update: I've installed the latest Netdisco on RHEL8 and all Juniper returned to work because of RHEL8 still supporting DES.

If you need to test with RHEL9, the old Netdisco is still available and I can test it.

ollyg commented 1 month ago

You can try on RHEL9 to install a different net-snmp:

~netdisco/bin/localenv cpanm Alien::SNMP

This might fix it.

romanstech commented 1 month ago

Hi,

I’ve installed this but it didn’t help (

-- Regards, Roman Safonov, Network and Security Engineer, Computer and Information Systems, Technion, Haifa. Tel. 07-3378-4992. Think before you ink.
