zabbix-agent 4.0.14-1.el7 @centos7-base-x86_64
zabbix-proxy-mysql 4.0.14-1.el7 @centos7-base-x86_64
mariadb-server 1:5.5.64-1.el7 @base
Steps to reproduce:
- Create a network discovery from a proxy including two SNMPv3 checks with the same credentials, checking oid "SNMPv2-MIB::sysObjectID.0". One check with SHA1+AES, the other with SHA1+DES. See Screenshots
- Let it run
- SNMPv3 SHA1+AES Devices will be discovered, SNMPv3 SHA1+DES Devices will be never discovered.
- SNMPv3 SHA1+AES Devices and SNMPv3 SHA1+DES Devices should be discovered
I did some traces and realized that the network discovery process on our proxy always sends SNMPv3 AES packets. I attached two traces and told wireshark to decrypt SNMPv3-Packets with our DES Keys. As you can see in the screenshots wireshark is not able to decrypt these packets. If I add our AES Keys to wireshark, it is able to decrypt both discoveries. Thus only AES is used!
I configured it to try SNMPv3 with DES and then SNMPv3 with AES. If I look in the dchecks database table on our Proxy (other screenshot), it is correctly saved, AES+DES, as you can seen in the snmpv3_privprotocol field. But zabbix only uses AES.
I tried already a lot to get this running, deleted the discoveries, recreated them, always the same result.
The only way to workaround this bug, is to split the AES and DES discovery in two discoveries. But this has another drawback: Then both discoveries try SNMPv3-DES and SNMPv3-AES at the same time on the same host and It would double our network discoveries...