|
I am also facing the same with AES256C.
For clarity, I am trying to add a fortigate device to Zabbix and trying to monitor it with AES 256C. But I am facing the issue mentioned above
|
|
It means Zabbix server was compiled without AES256C support, this can be due to outdated snmp library used during compilation, where was this package downloaded from ?
|
|
Hi Vladislavs,
Thanks a lot for you swift response.
The package was downloaded for Zabbix website.
Is it possible for you to guide me on update the SNMP library in order for it to Support AES 256, AES 256C and AES 192C?
|
|
Please specify which one exactly and we will check if it is built with up to date snmp
|
|
Can you comment on this yurii ?
This check seems to fail in netsnmp.m4
#include <net-snmp/net-snmp-config.h>
#include <net-snmp/net-snmp-includes.h>
],[
struct snmp_session session;
session.securityPrivProto = usmAES256PrivProtocol;
],[
AC_DEFINE(HAVE_NETSNMP_STRONG_PRIV, 1, [Define to 1 if strong AES priv protocols are supported.])
AC_MSG_RESULT(yes)
],[
AC_MSG_RESULT(no)
])
meaning that package was compiled without latest NetSNMP
|
|
I will give you details on what I did.
Previously I was using 5.0.15 and I updated it to 5.4.8.
I used this script to Upgrade the server
upgrade_zabbix.sh
|
|
I used this script because when I try to use the following commands I get this error
This is why I had to use the script
|
|
Hello, Sai.
Could you please check the NET-SNMP library version you have installed?
Run the command below in the Zabbix Server you are trying to monitor you device with:
Also check which Zabbix Packages were installed in your server.
Regarding your script, it doesn't seem to do much different from what you were doing.
Just to check, could you run the command below and get the version of your Ubuntu server:
|
|
NET-SNMP version is :
I am not getting any results for ldconfig | grep snmp
Output for lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
|
|
Sai,
Could you please list the packages installed in your system too?
About the ldconfig command, please use as follow:
|
|
Please find the text file attached to this comment to know the packages installed in the machine
packages.txt
|
|
Please, use the command below to list the installed Zabbix packages:
dpkg --list | grep zabbix
|
|
This is the output for
dpkg --list | grep zabbix
|
|
Sai,
What is the exact version of Zabbix that you are using in your environment?
|
|
Zabbix 5.4.8
|
|
Is it possible for you to tell me in which environment you tested AES-256? If you can provide the exact environment details then I will test accordingly
|
|
Are you running Zabbix on an all-in-one installation, or do you have a separated server for web?
|
|
It is all in one installation
|
|
Sai,
According to the output of the command dpkg --list, it seems that the version of your zabbix-apache-conf package differs from the other components.
Could you please perform an update for this package to the same version as the others, and check for the problem again?
|
|
Is it possible for you to give me the command to update zabbix-apache-conf ?
|
|
Sai,
As described in our documentation, you can perform the update of zabbix-apache-conf using the following command:
sudo apt install --only-upgrade zabbix-apache-conf
|
|
I have updated the apache-conf.
While using AES-256 I am getting the same error
|
|
Hi Sai,
Could you please perform a simple verification?
Please run the commands below on your Ubuntu OS and paste the return here:
cat /lib/x86_64-linux-gnu/libsnmp.so.35 | grep -ia sha-256
cat /lib/x86_64-linux-gnu/libsnmp.so.35 | grep -ia aes-256
|
cat /lib/x86_64-linux-gnu/libsnmp.so.35 | grep -ia sha-256
cat /lib/x86_64-linux-gnu/libsnmp.so.35 | grep -ia aes-256
No output
|
|
Hi Sai.
cat /lib/x86_64-linux-gnu/libsnmp.so.35 | grep -ia aes-256
No output
Based on this information, it seems that your Ubuntu operation system does not have compiled aes-256, making it impossible to work out.
Concerning Zabbix Server side, it cannot be treated as a bug or issue related to the Software, but to the Operating System.
Best regards,
Victor.
|
|
Since Zabbix is depended on NETSNMP,
Is it possible for you to give me step by step guide on how to install NETSNMP as there is no proper documentation given by Zabbix or NETSNMP?
|
|
Hey Sai,
Sorry, I don't have a step by step guide on that.
To enable this algorithm you'll need to recompile the net-snmp with AES256 support.
Best regards,
Victor.
|
|
Is it possible for you to guide me on how I can recompile net-snmp?
|
|
It is supported on RHEL8/CentOS8/OL8 you can also try it in docker, for example with alpine:
https://hub.docker.com/r/zabbix/zabbix-proxy-sqlite3
|
|
Okay thanks.
Does this means that AES-256 and AES-256C doesn't work for Ubuntu 20.04?
|
|
But if I install Zabbix on Centos8, do I have to install NETSNMP separately or it's libraries will installed when I install Zabbix 5.4?
|
|
Yes, Ubuntu 20.04 uses older net-snmp, this will be added to documentation.
|
But if I install Zabbix on Centos8, do I have to install NETSNMP separately or it's libraries will installed when I install Zabbix 5.4?
It should be installed automatically as a dependency.
|
|
Great then, will get back to you if I face any issues
|
|
Just a chime in here, I was experiencing this on Debian 11, I installed testing version of snmp lib snmp-lib v3.9.1.
Snmpwalk now works locally on zabbix proxy and zabbix server (server is frontend, dB, and server).
however still see the problem if I do AES256 with SHA256.
I have multiple snmp V3 accounts on device I am using for testing (Checkpoint Firewall):
sha256/AES128 works
sha256/AES256 from zabbix fails with
- Unsupported privacy protocol[3]
however snmpwalk works just fine.
snmpwalk -v3 -a SHA-256 -A abcd1234 -l authPriv -x AES-256 -X abcd1234 -u U256256 10.20.20.2 1.3.6.1.2.1.2.2.1.8.5
iso.3.6.1.2.1.2.2.1.8.5 = INTEGER: 1
root@hostname:~# snmpwalk --version
NET-SNMP version: 5.9.1
root@hostname:~# zabbix_server --version
zabbix_server (Zabbix) 6.0.4
Revision 3d787ff402e 3 May 2022, compilation time: Apr 6 2022 13:22:31
Copyright (C) 2022 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to
the license. There is NO WARRANTY, to the extent permitted by law.
This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/).
Compiled with OpenSSL 1.1.1k 25 Mar 2021
Running with OpenSSL 1.1.1n 15 Mar 2022
|
|
Hi Ted,
Thanks a lot for your honest remark and opinion.
There are a lot of great features in Zabbix but, this could be a major drawback as this could compromise an organization's security. It would be great if you could fix this as soon as possible.
|
|
Added details about strong encryption support depending on the OS and net-snmp version to the documentation in 7.0, 7.2
|
Generated at Sat May 03 07:13:58 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.
SNMP-Walk Options.png
packages.txt
upgrade_zabbix.sh
Team D
