[ZBX-13770] zabbix server/proxy MUST be restarted after changing SNMPv3 host credential parameters - document that Created: 2018 Apr 19  Updated: 2024 Apr 10  Resolved: 2018 May 24

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Documentation (D)
Affects Version/s: None
Fix Version/s: 4.0 (plan)

Type: Problem report Priority: Major
Reporter: Oleksii Zagorskyi Assignee: Sergejs Paskevics
Resolution: Fixed Votes: 0
Labels: cache, credentials, restart, snmpv3
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates ZBXNEXT-3940 Provide a way to flush SNMP cache for... Closed
Sub-task
part of ZBX-13769 inconsistent snmpV3 host availability... Closed
Team: Team C
Sprint: Sprint 32, Sprint 33, Sprint 34

Description

This is connected to ZBX-13769, but I separated it into an independent issue in an attempt to make Zabbix users' lives easier.

Assume that I needed to change credentials (and/or AuthPriv params) for SNMPv3 devices in my network. I did it on the device side and in the Zabbix frontend too.
And ... I got a very bad picture in host availability and/or unsupported item alerts (the reasons are described in ZBX-13769).

So, what I observed when performing those tests: similarly to the EngineBoot<->EngineID per-process (*poller) memory, the same is true for credentials!

Yes, each poller process, *AFTER the very first polling of a device (maybe the key field here is "Security name", with or without a combination with EngineID - not tested. Later, below, devs confirmed - EngineID is involved too), remembers the "auth" data in the library's cache and reuses it further.
It means that after some zabbix_server uptime, all (likely) poller processes will remember the "auth" data and any updates in the frontend (for the 4 fields) will not actually be applied. Note: unreachable pollers (likely) will not remember the "auth" data; they will likely catch the new values.

The picture visually gets very similar to the case when you have duplicated EngineIDs in the network.

Important detail:
Changing any of these 4 parameters:

Authentication protocol
Authentication passphrase
Privacy protocol
Privacy passphrase

without changing "Security name" - requires a server/proxy daemon restart!!!
In other words - if "Security name" is changed as well - those 4 new params WILL BE applied after the configuration reload without a restart!

I'd add a note to the documentation about the required server/proxy daemon restart.

Comments
Comment by Raymond Kuiper [ 2018 Apr 20 ]

Good find!

Comment by Sergejs Paskevics [ 2018 May 14 ]

zabbix server generates a user with the net-snmp library that makes use of the User-based Security Model (USM) in SNMPv3. Authentication protocol, Authentication passphrase, Privacy protocol and Privacy passphrase are part of the USM user data and they are cached in the library for every EngineID the user is used with. If there is an existing user for an EngineID and zabbix tries to open a new session with this user, net-snmp uses the cached one. It is necessary to clear the cached list of active users, but the net-snmp API does not provide a suitable function.
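
The caching behaviour described in the comment above, as an added example that is not Zabbix or net-snmp code: the key derivation is the real RFC 3414 A.2 password-to-key algorithm (Ku, then localization to the authoritative engine), while `UsmUserCache`, its method names, the security names and the passphrases are a constructed model of the library's per-(user, engineID) cache of localized keys. It shows why rotating a passphrase under an unchanged security name is a cache hit on the old key until the daemon restarts, whereas a new security name misses the cache and derives a fresh key. The engineID is the sample value from RFC 3414 A.3.1.

```python
"""Model of a per-engine USM key cache (added example; not Zabbix/net-snmp code)."""
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2: password is stretched to 1 MiB before hashing


def password_to_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2.1/A.2.2: derive Ku from the passphrase, then localize it.

    Ku  = H(password repeated to 1,048,576 bytes)
    Kul = H(Ku || engineID || Ku)
    The localized key is what a poller actually uses to authenticate to one engine.
    """
    if not password:
        raise ValueError("empty passphrase")
    stretched = (password * (MEGABYTE // len(password) + 1))[:MEGABYTE]
    ku = hashlib.new(hash_name, stretched).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


class UsmUserCache:
    """Stand-in for the library's list of active USM users (assumed names).

    Entries are keyed by (securityName, engineID) only. A changed passphrase does
    not change the key, so a lookup after credential rotation returns the stale
    localized key; only a process restart (here: restart()) empties the list.
    """

    def __init__(self) -> None:
        self._users: dict[tuple[str, bytes], bytes] = {}
        self.derivations = 0  # how many times a key was actually derived

    def session_key(self, security_name: str, engine_id: bytes,
                    passphrase: bytes, hash_name: str = "md5") -> bytes:
        cache_key = (security_name, engine_id)
        if cache_key not in self._users:
            self._users[cache_key] = password_to_key(passphrase, engine_id, hash_name)
            self.derivations += 1
        return self._users[cache_key]

    def restart(self) -> None:
        """Model a server/proxy daemon restart: the in-process cache is gone."""
        self._users.clear()


def rotate_credentials_demo() -> dict:
    """Walk through the scenario from the issue and report what the poller used."""
    engine = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3.1 sample engineID
    cache = UsmUserCache()

    # First poll: the poller derives and caches the localized key for this user/engine.
    original = cache.session_key("monitor", engine, b"maplesyrup")

    # Operator rotates the passphrase on the device and in the frontend, same security name:
    # the cache key is unchanged, so the old localized key is reused (authentication fails).
    after_rotation = cache.session_key("monitor", engine, b"rotated-passphrase")

    # Operator changes the security name as well: cache miss, fresh derivation, new key.
    after_rename = cache.session_key("monitor-v2", engine, b"rotated-passphrase")

    # Daemon restart: the next poll derives the key from the current passphrase.
    cache.restart()
    after_restart = cache.session_key("monitor", engine, b"rotated-passphrase")

    expected_new = password_to_key(b"rotated-passphrase", engine)
    return {
        "stale_after_rotation": after_rotation == original,
        "fresh_after_rename": after_rename == expected_new,
        "fresh_after_restart": after_restart == expected_new,
        "derivations": cache.derivations,
    }


if __name__ == "__main__":
    for name, value in rotate_credentials_demo().items():
        print(f"{name}: {value}")
```

The `stale_after_rotation` flag is the symptom reported in the description: the frontend shows new credentials, but every poller that has already talked to that engine keeps authenticating with the key it localized from the old passphrase.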

Comment by Sergejs Paskevics [ 2018 May 14 ]

(1) [D] Please document that, for changes in the "Authentication protocol", "Authentication passphrase", "Privacy protocol" and "Privacy passphrase" parameters (agent SNMPv3) to take effect, the server/proxy needs to be restarted.

martins-v Documented for 4.0 and other supported versions. Please review.

s.paskevics I think OK. Thank you. CLOSED

Comment by Oleksii Zagorskyi [ 2019 Nov 26 ]

A few days ago I dived deep into net-snmp's code regarding SNMPv3 AES256 support (remember - I'm not a developer) and, after looking at that stuff, it looked to me too that the mentioned function "free_etimelist()" is not related to the generated "ku" (credential) caches.

Generated at Tue Apr 23 18:31:17 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.