[ZBX-13769] inconsistent snmpV3 host availability detection in case of wrong credential parameters Created: 2018 Apr 19  Updated: 2024 Apr 10  Resolved: 2024 Jan 05

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Documentation (D)
Affects Version/s: 3.0.16, 3.4.8
Fix Version/s: 4.0 (plan)

Type: Problem report Priority: Trivial
Reporter: Oleksii Zagorskyi Assignee: Martins Valkovskis
Resolution: Duplicate Votes: 5
Labels: availability, consistency, credentials, notsupported, snmpv3
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates ZBX-5414 Zabbix mis-handles items that have in... Closed
Sub-task
depends on ZBX-13770 zabbix server/proxy MUST be restarted... Closed
Team: Team C
Sprint: Sprint 32, Sprint 33, Sprint 34

 Description   

For SNMP v3 items we have 5 parameters to configure authentication (we assume we use AuthPriv mode):

frontend field name (command line param for snmpget):

Security name (-u ...)
Authentication protocol (-a MD5 or SHA)
Authentication passphrase (-A ....)
Privacy protocol (-x DES or AES)
Privacy passphrase (-X ...)

Imagine that some of these parameter(s) are configured incorrectly.
What do we expect from zabbix? Yes, at least logical and consistent behavior! Which is not the case ...

Here are conclusions based on tests performed in command line and on zabbix server (restarted each time after changes in frontend because of ZBX-13770).

1. Wrong "Security name" -u causes the item to become unsupported with error:
 Cannot connect to "127.0.0.1:161": Unknown user name.
Note: SNMP-USER-BASED-SM-MIB::usmStatsUnknownUserNames.0 (1.3.6.1.6.3.15.1.1.3.0) is increasing on the device and immediately returned as unencrypted REPORT in response.

2. Incorrect auth -a OR wrong -A value causes the item to become unsupported with error:
 Cannot connect to "127.0.0.1:161": Authentication failure (incorrect password, community or key).
Note: SNMP-USER-BASED-SM-MIB::usmStatsWrongDigests.0 (1.3.6.1.6.3.15.1.1.5.0) is increasing on the device and immediately returned as unencrypted REPORT in response.
snmpget gives result: Authentication failure (incorrect password, community or key)

3. Incorrect mode -x causes SNMP agent/interface availability error:
 Cannot connect to "127.0.0.1:161": Decryption error.
Note: SNMP-USER-BASED-SM-MIB::usmStatsDecryptionErrors.0 (1.3.6.1.6.3.15.1.1.6.0) is increasing on the device and immediately returned as unencrypted REPORT in response.
snmpget gives result: Decryption error

4. Wrong "Privacy passphrase" -X causes real timeout and SNMP agent/interface availability error:
 Timeout while connecting to "127.0.0.1:161".

Conclusion:

  • considering all items as unsupported in case of incorrect "Auth*" parameters is unexpected.
  • or vice versa - considering SNMP agent/interface as unavailable in case of wrong "Privacy protocol" is unexpected.
    Note - in both these cases we have a real immediate response (report) from SNMP agent.

What would be correct to fix for these two - really hard to say, should be discussed. I personally, after this investigation, cannot select the optimal answer.

This is highly related to the mentioned ZBX-13770.
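
The four cases above, as a log triage helper (an added example, not part of the original report and not Zabbix code): it classifies the error strings quoted in the description and treats any error that came back as an agent REPORT as proof that the device is reachable and only the credentials are wrong. The function names, the verdict labels and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Error text and USM counter OIDs are the ones quoted in the report; the
# "agent replied" flag records whether the agent answered with a REPORT.
RULES = [
    # (text in message, suspect parameter, USM counter OID, agent replied?)
    ("Unknown user name", "security name (-u)", "1.3.6.1.6.3.15.1.1.3.0", True),
    ("Authentication failure", "auth protocol/passphrase (-a/-A)", "1.3.6.1.6.3.15.1.1.5.0", True),
    ("Decryption error", "privacy protocol (-x)", "1.3.6.1.6.3.15.1.1.6.0", True),
    ("Timeout while connecting", "privacy passphrase (-X) or real outage", None, False),
]
ENDPOINT = re.compile(r'(?:Cannot connect to|Timeout while connecting to) "([^"]+)"')

def classify(line):
    """Return the matching rule for one log/error line, or None."""
    m = ENDPOINT.search(line)
    if not m:
        return None
    for text, suspect, counter, replied in RULES:
        if text in line:
            return {"endpoint": m.group(1), "suspect": suspect,
                    "counter": counter, "agent_replied": replied}
    return None

def triage(lines):
    """Per endpoint: a REPORT-backed error means reachable but misconfigured."""
    by_endpoint = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            by_endpoint[hit["endpoint"]].append(hit)
    result = {}
    for endpoint, hits in by_endpoint.items():
        replied = [h for h in hits if h["agent_replied"]]
        chosen = replied or hits  # a REPORT outranks an ambiguous timeout
        result[endpoint] = {
            "verdict": "credential_mismatch" if replied else "timeout_ambiguous",
            "suspects": sorted({h["suspect"] for h in chosen}),
            "counters": sorted({h["counter"] for h in replied}),
        }
    return result

# Constructed sample lines (documentation addresses), not real logs.
SAMPLE = [
    'item "sw1:system.uptime" became not supported: Cannot connect to "192.0.2.10:161": Unknown user name.',
    'Cannot connect to "192.0.2.11:161": Authentication failure (incorrect password, community or key).',
    'Cannot connect to "192.0.2.12:161": Decryption error.',
    'Timeout while connecting to "192.0.2.13:161".',
]
```

A `timeout_ambiguous` verdict cannot be narrowed from the log alone: in the tests above a wrong privacy passphrase produced no REPORT, so it looks the same as an unreachable device.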



 Comments   
Comment by Oleksii Zagorskyi [ 2018 Apr 20 ]

ZBX-8385 probably is related in meaning of how libnetsnmp represents response to zabbix code.
I think it will be useful to keep it in mind.

Comment by Oleksii Zagorskyi [ 2018 Apr 23 ]

One more thing - as the SNMP agent I used a Linux box with net-snmp v5.7 for the snmpd daemon.
So, I think, those replies (with report) cannot be guaranteed for all possible SNMP devices.

Original issue was discovered on Cisco F5 device.

Comment by Dimitri Bellini [ 2018 Jul 13 ]

I have noticed the same behaviour on Nexans switch.

From the Zabbix Server log I can read:

item "Switch5:system.uptime" became not supported: Cannot connect to "xxx.xxx.xxx.xxx:161": Unknown user name.

But the Zabbix availability icon is green.... I think we need to put the icon on "RED"

Comment by Oleksii Zagorskyi [ 2019 Nov 13 ]

There is a mistake in the documentation change.
Both - Privacy passphrase and Privacy protocol will cause interface timeout, as stated initially in description.
All related documentation versions should be fixed.

I'd write the sentence this way:

In case of wrong SNMPv3 credentials (security name, authentication protocol/passphrase) Zabbix receives an ERROR from net-snmp and marks item as not supported, except for wrong Privacy protocol/passphrase in which case Zabbix receives a DECRYPTION_ERROR/TIMEOUT from net-snmp and marks host interface as not available.

REOPENED

Comment by Ilya Ableev [ 2020 Jul 16 ]

Up?

Comment by Oleg Ivanivskyi [ 2022 May 02 ]

5. Too "simple" authentication passphrase (-X) may cause "network errors"/timeouts and flapping SNMP agent availability for Cisco. 

Had an issue with "flapping" SNMP agent availability on hundreds of Cisco switches and routers (red > green > red > ...). All devices were configured with a simple "1234567890" auth passphrase for SNMP v3 user (e.g. "-l authPriv -u TestUser1 -a SHA -A Example@22 -x AES -X 1234567890"). I was able to poll devices via SNMP from CLI (no errors at all). At the same time, Zabbix 4.4 generated many "network errors" in the log continuously for "random" SNMP items. All of the device performance graphs had gaps.

This issue was fixed by changing "1234567890" auth passphrase to a more complex one (e.g. "AuthPass1!"). SNMP status isn't flapping any more. No gaps on the graphs.

Comment by Oleksii Zagorskyi [ 2022 May 02 ]

Oleg, I believe that "1234567890" is absolutely fine as a value for auth/encryption. I do not see any possible scenario why it might cause availability flapping.
I feel like your issue was resolved because those devices possibly got new (random/unique?) EngineIDs when you updated v3 related settings.

Comment by Oleg Ivanivskyi [ 2022 May 02 ]

Note, I am talking about ~700 Cisco devices. I checked the EngineID for all of them. There were no duplicates.
I can't explain it. I added that comment just because it may be useful to someone.

Comment by Richard Ostrochovský [ 2023 Sep 27 ]

Isn't this related also to ZBX-20845 SNMP host is green when port is available but credentials are incorrect - ZABBIX SUPPORT ?

Comment by Oleksii Zagorskyi [ 2024 Jan 05 ]

Looks like ZBX-20845 has indeed fixed the inconsistency I posted here.

So, this should be closed as Duplicate. Done.

Generated at Fri Apr 19 11:04:54 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.