vincentbernat / snimpy

interactive SNMP tool with Python
http://snimpy.readthedocs.org/

SNMPv3 request fails #63

Closed johnsondnz closed 7 years ago

johnsondnz commented 7 years ago

Hi there,

Firstly, thank you for this excellent tool. It simplifies queries very nicely.

It however appears snimpy doesn't support all the SNMPv3 fields as described in: http://www.net-snmp.org/tutorial/tutorial-5/commands/snmpv3.html

In particular there appears to be no way to set securityLevel. I have also found that no matter the secname the username 'public' always gets submitted along with 'noauth' securityLevel. My Cisco devices are always configured with 'authPriv'.

The result is the following exception which is consistent with the Cisco debug also below.
snimpy.snmp.SNMPException: unknownUserName

Output from Cisco debug;
Incoming SNMP packet
Dec 2 02:04:48.290 UTC: v3 packet security model: v3 security level: noauth
Dec 2 02:04:48.290 UTC: username: public
Dec 2 02:04:48.290 UTC: snmpEngineID: 800000090300AABBCC000100
Dec 2 02:04:48.290 UTC: snmpEngineBoots: 0 snmpEngineTime: 0
Dec 2 02:04:48.290 UTC: SNMP: Report, reqid 2147483647, errstat 0, erridx 0 internet.6.3.15.1.1.3.0 = 34
Dec 2 02:04:48.294 UTC: SNMP: Packet sent via UDP to 172.23.1.113
process_mgmt_req_int: UDP packet being de-queued

*Dec 2 02:04:48.297 UTC: SNMP: Packet received via UDP from 172.23.1.113 on Ethernet0/0
SrParseV3SnmpMessage:Wrong User Name.
SrParseV3SnmpMessage: Failed.
SrDoSnmp: authentication failure, Unknown User Name

Parameters passed into snimpy function
{'secname': 'test', 'authprotocol': 'SHA1', 'privprotocol': 'AES128', 'host': '10.252.1.1', 'version': 3, 'privpassword': '12345678', 'authpassword': '12345678'}

I'm setting all the snimpy parameters as per docs plus some extra ones for my custom class and data storage.

SNMPv2 works like a charm;
{'host': '10.252.1.1', 'version': 2, 'community': 'public'}
(7, 'Loopback0', 'up(1)', '10.252.1.1', '255.255.255.255', 1514, '', '0:00:05.280000')
ifDescr : 7
ifOperStatus : Loopback0
ipAdEntAddr : up(1)
ipAdEntNetMask : 10.252.1.1
ifMtu : 255.255.255.255
ifPhysAddress : 1514
ifLastChange :
(2, 'Ethernet0/1', 'up(1)', '10.254.1.239', '255.255.255.0', 1500, 'aa:bb:cc:0:1:10', '0:00:06.320000')
ifDescr : 2
ifOperStatus : Ethernet0/1
ipAdEntAddr : up(1)
ipAdEntNetMask : 10.254.1.239
ifMtu : 255.255.255.0
ifPhysAddress : 1500
ifLastChange : aa:bb:cc:0:1:10
(1, 'Ethernet0/0', 'up(1)', '172.22.1.239', '255.255.255.0', 1500, 'aa:bb:cc:0:1:0', '0:00:06.310000')
ifDescr : 1
ifOperStatus : Ethernet0/0
ipAdEntAddr : up(1)
ipAdEntNetMask : 172.22.1.239
ifMtu : 255.255.255.0
ifPhysAddress : 1500
ifLastChange : aa:bb:cc:0:1:0

SNMPv3 seems like it needs a little more attention, or I'm terrible and mis-reading the documentation :)

Thanks Donald

johnsondnz commented 7 years ago

Further to this. Configuring a 'public' secname on the Cisco device gets around this problem. snimpy appears to not pass the secname argument through when generating the SNMPv3 get request.

snimpy output
{'secname': 'test', 'authprotocol': 'SHA1', 'privprotocol': 'AES128', 'host': '10.252.1.1', 'version': 3, 'privpassword': '12345678', 'authpassword': '12345678'}
(7, 'Loopback0', 'up(1)', '10.252.1.1', '255.255.255.255', 1514, '', '0:00:05.280000')
ifDescr : 7
ifOperStatus : Loopback0
ipAdEntAddr : up(1)
ipAdEntNetMask : 10.252.1.1
ifMtu : 255.255.255.255
ifPhysAddress : 1514
ifLastChange :
(2, 'Ethernet0/1', 'up(1)', '10.254.1.239', '255.255.255.0', 1500, 'aa:bb:cc:0:1:10', '0:00:06.320000')
ifDescr : 2
ifOperStatus : Ethernet0/1
ipAdEntAddr : up(1)
ipAdEntNetMask : 10.254.1.239
ifMtu : 255.255.255.0
ifPhysAddress : 1500
ifLastChange : aa:bb:cc:0:1:10
(1, 'Ethernet0/0', 'up(1)', '172.22.1.239', '255.255.255.0', 1500, 'aa:bb:cc:0:1:0', '0:00:06.310000')
ifDescr : 1
ifOperStatus : Ethernet0/0
ipAdEntAddr : up(1)
ipAdEntNetMask : 172.22.1.239
ifMtu : 255.255.255.0
ifPhysAddress : 1500
ifLastChange : aa:bb:cc:0:1:0

Cisco output
Incoming SNMP packet
Dec 2 02:11:58.315 UTC: v3 packet LABs-Border# security model: v3 security level: priv
Dec 2 02:11:58.315 UTC: username: public
Dec 2 02:11:58.315 UTC: snmpEngineID: 800000090300AABBCC000100
Dec 2 02:11:58.315 UTC: snmpEngineBoots: 1 snmpEngineTime: 17077
Dec 2 02:11:58.437 UTC: Incoming SNMP packet
Dec 2 02:11:58.437 UTC: v3 packet security model: v3 security level: priv
Dec 2 02:11:58.437 UTC: username: public
Dec 2 02:11:58.437 UTC: snmpEngineID: 800000090300AABBCC000100
Dec 2 02:11:58.437 UTC: snmpEngineBoots: 1 snmpEngineTime: 17077
Dec 2 02:11:58.560 UTC:

Thanks Donald

johnsondnz commented 7 years ago

User error. Sorry to trouble you. Always read code backwards :) secname was not being set correctly and as a result secname = community as per line 145 of snmp.py

vincentbernat commented 7 years ago

If something is not clear enough, we can add a few words in the documentation. It's likely to affect other users.

johnsondnz commented 7 years ago

It would be a good idea to document the default parameters if they are not set.
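
A pre-flight check for the failure diagnosed in this thread, as an added example that is not snimpy code: it computes the user name and securityLevel a parameter dict would effectively produce and rejects anything short of an explicitly named user at authPriv. `resolve_usm` and `require_authpriv` are hypothetical helpers; the secname-to-community fallback comes from the thread, while the `'public'` default and deriving the level from which protocol/password pairs are present are assumptions.

```python
# Added example, not snimpy code: resolve_usm() and require_authpriv() are
# hypothetical helpers that pre-check SNMPv3 parameters before a session is built.
LEVELS = ("noAuthNoPriv", "authNoPriv", "authPriv")
KNOWN = {"host", "community", "version", "secname", "authprotocol",
         "authpassword", "privprotocol", "privpassword"}


def resolve_usm(params):
    """Return (secname, level, problems) the request would effectively use."""
    problems = []
    unknown = sorted(set(params) - KNOWN)
    if unknown:
        problems.append("unrecognised keys: " + ", ".join(unknown))
    secname = params.get("secname")
    if secname is None:
        # Fallback reported in the thread: secname = community.
        # Assumption: the community itself defaults to 'public'.
        secname = params.get("community", "public")
        problems.append("secname unset, would send user %r" % secname)
    has_auth = bool(params.get("authprotocol") and params.get("authpassword"))
    has_priv = bool(params.get("privprotocol") and params.get("privpassword"))
    if has_priv and not has_auth:
        problems.append("privacy configured without authentication")
        has_priv = False
    # bools add up to 0, 1 or 2, which indexes the level tuple
    return secname, LEVELS[has_auth + has_priv], problems


def require_authpriv(params):
    """Fail closed unless the parameters yield an explicit user at authPriv."""
    if params.get("version") != 3:
        raise ValueError("version must be 3")
    secname, level, problems = resolve_usm(params)
    if level != "authPriv":
        problems.append("effective securityLevel is %s" % level)
    if problems:
        raise ValueError("; ".join(problems))
    return secname, level


# Constructed inputs: GOOD is the dict quoted in the issue, BAD has a
# misspelled key so the user name silently falls back to the default.
GOOD = {"secname": "test", "authprotocol": "SHA1", "privprotocol": "AES128",
        "host": "10.252.1.1", "version": 3,
        "privpassword": "12345678", "authpassword": "12345678"}
BAD = dict(GOOD, sec_name=GOOD["secname"])
del BAD["secname"]
```

Calling `require_authpriv(BAD)` raises `ValueError` naming both the stray key and the fallback user, which is the mismatch the Cisco debug output exposed only after the request was sent.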