Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-16916

SNMPv3 Network discovery confuses AES and DES privacy settings

XMLWordPrintable

    • Icon: Problem report Problem report
    • Resolution: Unsupported version
    • Icon: Trivial Trivial
    • None
    • 4.0.14
    • Proxy (P)
    • None
    • zabbix-agent 4.0.14-1.el7 @centos7-base-x86_64
      zabbix-proxy-mysql 4.0.14-1.el7 @centos7-base-x86_64
      mariadb-server 1:5.5.64-1.el7 @base

      Steps to reproduce:

      1. Create a network discovery from a proxy including two SNMPv3 checks with the same credentials, checking oid "SNMPv2-MIB::sysObjectID.0". One check with SHA1+AES, the other with SHA1+DES. See Screenshots
      2. Let it run

      Result:

      1. SNMPv3 SHA1+AES Devices will be discovered, SNMPv3 SHA1+DES Devices will be never discovered.

      Expected:

      1. SNMPv3 SHA1+AES Devices and SNMPv3 SHA1+DES Devices should be discovered

      I did some traces and realized that the network discovery process on our proxy always sends SNMPv3 AES packets. I attached two traces and told wireshark to decrypt SNMPv3-Packets with our DES Keys. As you can see in the screenshots wireshark is not able to decrypt these packets. If I add our AES Keys to wireshark, it is able to decrypt both discoveries. Thus only AES is used!

      I configured it to try SNMPv3 with DES and then SNMPv3 with AES. If I look in the dchecks database table on our Proxy (other screenshot), it is correctly saved, AES+DES, as you can seen in the snmpv3_privprotocol field. But zabbix only uses AES.

      I tried already a lot to get this running, deleted the discoveries, recreated them, always the same result.
      The only way to workaround this bug, is to split the AES and DES discovery in two discoveries. But this has another drawback: Then both discoveries try SNMPv3-DES and SNMPv3-AES at the same time on the same host and It would double our network discoveries...

        1. zabbix_snmpv3_Proxy_DB_drules.png
          zabbix_snmpv3_Proxy_DB_drules.png
          6 kB
        2. zabbix_snmpv3_DES_discovery.png
          zabbix_snmpv3_DES_discovery.png
          57 kB
        3. zabbix_snmpv3_DES_decryption.png
          zabbix_snmpv3_DES_decryption.png
          230 kB
        4. zabbix_snmpv3_AES_discovery.png
          zabbix_snmpv3_AES_discovery.png
          57 kB
        5. zabbix_snmpv3_AES_decryption.png
          zabbix_snmpv3_AES_decryption.png
          221 kB
        6. SECOND_SNMP.jpg
          SECOND_SNMP.jpg
          136 kB
        7. FIRST_SNMP.jpg
          FIRST_SNMP.jpg
          122 kB

            arimdjonoks Artjoms Rimdjonoks
            h.l. H.L.
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: