Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-13769

inconsistent snmpV3 host availability detection in case of wrong credential parameters

XMLWordPrintable

    • Sprint 32, Sprint 33, Sprint 34

      For SNMP v3 items we have 5 parameters to configure authentication (we asume we use AuthPriv mode):

      frontend field name (commmand line param for snmpget):

      Security name (-u ...)
      Authentication protocol (-a MD5 or SHA)
      Authentication passphrase (-A ....)
      Privacy protocol (-x DES or AES)
      Privacy passphrase (-X ...)

      Imagine that some of these parametr(s) is configured incorrectly.
      What we expect form zabbix? Yes, at least logical and consistent behavior! Which is not the case ...

      Here are conclusions based on tests performed in command line and on zabbix server (restarted each time after changes in frontend because of ZBX-13770).

      1. Wrong "Security name" -u causes item became unsupported  with error:
       Cannot connect to "127.0.0.1:161": Unknown user name.
      Note: SNMP-USER-BASED-SM-MIB::usmStatsUnknownUserNames.0 (1.3.6.1.6.3.15.1.1.3.0) is increasing on the device and immediately returned as unencrypted REPORT in response.

      2. Incorect auth -a OR wrong -A value causes item becoming unsupported  with error:
       Cannot connect to "127.0.0.1:161": Authentication failure (incorrect password, community or key).
      Note: SNMP-USER-BASED-SM-MIB::usmStatsWrongDigests.0 (1.3.6.1.6.3.15.1.1.5.0) is increasing on the device and immediately returned as unencrypted REPORT in response.
      snmpget gives result: Authentication failure (incorrect password, community or key)

      3. Incorrect mode -x causes SNMP agent/interface availability  error:
       Cannot connect to "127.0.0.1:161": Decryption error.
      Note: SNMP-USER-BASED-SM-MIB::usmStatsDecryptionErrors.0 (1.3.6.1.6.3.15.1.1.6.0) is increasing on the device and immediately returned as unencrypted REPORT in response.
      snmpget gives result: Decryption error

      4. Wrong "Privacy passphrase" -X causes real timeout and SNMP agent/interface availability  error:
       Timeout while connecting to "127.0.0.1:161".

      Conclusion:

      • considering all items as unsupported  in case of incorrect "Auth*" parameters, is unexpected.
      • or vice versa - considering SNMP agent/interface as unavailable  in case of wrong "Privacy protocol", is unexpected.
        Note - in both these cases we have a real immediate responce (report) from SNMP agent.

      What would be correct to fix for these two - really hard to say, should be discussed. I personally, after this investigation, cannot select the optimal answer.

      This is highly related to the mentioned ZBX-13770.

            martins-v Martins Valkovskis
            zalex_ua Oleksii Zagorskyi
            Team C
            Votes:
            5 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated:
              Resolved: