Loading...

XML

Word

Printable

Type: Problem report
Resolution: Duplicate
Priority: Trivial
Fix Version/s: 4.0 (plan)
Affects Version/s: 3.0.16, 3.4.8
Component/s: Documentation (D)
Labels:

Sprint:
Sprint 32, Sprint 33, Sprint 34

For SNMP v3 items we have 5 parameters to configure authentication (we asume we use AuthPriv mode):

frontend field name (commmand line param for snmpget):

Security name (-u ...)
Authentication protocol (-a MD5 or SHA)
Authentication passphrase (-A ....)
Privacy protocol (-x DES or AES)
Privacy passphrase (-X ...)

Imagine that some of these parametr(s) is configured incorrectly.
What we expect form zabbix? Yes, at least logical and consistent behavior! Which is not the case ...

Here are conclusions based on tests performed in command line and on zabbix server (restarted each time after changes in frontend because of ~~ZBX-13770~~).

1. Wrong "Security name" -u causes item became unsupported with error:
Cannot connect to "127.0.0.1:161": Unknown user name.
Note: SNMP-USER-BASED-SM-MIB::usmStatsUnknownUserNames.0 (1.3.6.1.6.3.15.1.1.3.0) is increasing on the device and immediately returned as unencrypted REPORT in response.

2. Incorect auth -a OR wrong -A value causes item becoming unsupported with error:
Cannot connect to "127.0.0.1:161": Authentication failure (incorrect password, community or key).
Note: SNMP-USER-BASED-SM-MIB::usmStatsWrongDigests.0 (1.3.6.1.6.3.15.1.1.5.0) is increasing on the device and immediately returned as unencrypted REPORT in response.
snmpget gives result: Authentication failure (incorrect password, community or key)

3. Incorrect mode -x causes SNMP agent/interface availability error:
Cannot connect to "127.0.0.1:161": Decryption error.
Note: SNMP-USER-BASED-SM-MIB::usmStatsDecryptionErrors.0 (1.3.6.1.6.3.15.1.1.6.0) is increasing on the device and immediately returned as unencrypted REPORT in response.
snmpget gives result: Decryption error

4. Wrong "Privacy passphrase" -X causes real timeout and SNMP agent/interface availability error:
Timeout while connecting to "127.0.0.1:161".

Conclusion:

considering all items as unsupported in case of incorrect "Auth*" parameters, is unexpected.
or vice versa - considering SNMP agent/interface as unavailable in case of wrong "Privacy protocol", is unexpected.
Note - in both these cases we have a real immediate responce (report) from SNMP agent.

What would be correct to fix for these two - really hard to say, should be discussed. I personally, after this investigation, cannot select the optimal answer.

This is highly related to the mentioned ~~ZBX-13770~~.

depends on

ZBX-13770 zabbix server/proxy MUST be restarted after changing SNMPv3 host credential parameters - document that

Closed

duplicates

ZBX-5414 Zabbix mis-handles items that have incorrect SNMPv3 username/passwords set up

Closed

Assignee:: Martins Valkovskis

Reporter:: Oleksii Zagorskyi

Team:: Team C

Votes:: 5 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2018 Apr 19 20:34

Updated:: 2024 Apr 10 17:18

Resolved:: 2024 Jan 05 21:56

Details

Description

Attachments

Issue Links

Activity

People

Dates