Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-13769

inconsistent snmpV3 host availability detection in case of wrong credential parameters

    Details

    • Team:
      Team C
    • Sprint:
      Sprint 32, Sprint 33, Sprint 34

      Description

      For SNMP v3 items we have 5 parameters to configure authentication (we asume we use AuthPriv mode):

      frontend field name (commmand line param for snmpget):

      Security name (-u ...)
      Authentication protocol (-a MD5 or SHA)
      Authentication passphrase (-A ....)
      Privacy protocol (-x DES or AES)
      Privacy passphrase (-X ...)

      Image that some of these parametr(s) is configured in correctly.
      What we expect form zabbix? Yes, at least logical and consistent behavior! Which is not the case ...

      Here are conclusions based on tests performed in command line and on zabbix server (restarted each time after changes in frontend because of ZBX-13770).

      1. Wrong "Security name" -u causes item became unsupported with error: Cannot connect to "127.0.0.1:161": Unknown user name.
      Note: SNMP-USER-BASED-SM-MIB::usmStatsUnknownUserNames.0 (1.3.6.1.6.3.15.1.1.3.0) is increasing on the device and immediately returned as unencrypted REPORT in response.

      2. Incorect auth -a OR wrong -A value causes item becoming unsupported with error: Cannot connect to "127.0.0.1:161": Authentication failure (incorrect password, community or key).
      Note: SNMP-USER-BASED-SM-MIB::usmStatsWrongDigests.0 (1.3.6.1.6.3.15.1.1.5.0) is increasing on the device and immediately returned as unencrypted REPORT in response.
      snmpget gives result: Authentication failure (incorrect password, community or key)

      3. Incorrect mode -x causes SNMP agent/interface availability error: Cannot connect to "127.0.0.1:161": Decryption error.
      Note: SNMP-USER-BASED-SM-MIB::usmStatsDecryptionErrors.0 (1.3.6.1.6.3.15.1.1.6.0) is increasing on the device and immediately returned as unencrypted REPORT in response.
      snmpget gives result: Decryption error

      4. Wrong "Privacy passphrase" -X causes real timeout and SNMP agent/interface availability error: Timeout while connecting to "127.0.0.1:161".

      Conclusion:

      • considering all items as not supported in case of incorrect "Auth*" parameters, is unexpected.
      • or vice versa - considering SNMP agent/interface as unavailable in case of wrong "Privacy protocol", is unexpected.
        Note - in both these cases we have a real immediate responce (report) from SNMP agent.

      What would be correct to fix for these two - really hard to say, should be discussed. I personally, after this investigation, cannot select the optimal answer.

      This is highly related to the mentioned ZBX-13770.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                s.paskevics Sergejs Paskevics
                Reporter:
                zalex_ua Oleksiy Zagorskyi
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: