[ZBX-8539] random finished snmp v3 sessions by zabbix server Created: 2014 Jul 28  Updated: 2020 May 07  Resolved: 2019 Aug 27

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Proxy (P), Server (S)
Affects Version/s: 2.2.3
Fix Version/s: None

Type: Incident report Priority: Minor
Reporter: Oleksii Zagorskyi Assignee: Unassigned
Resolution: Won't fix Votes: 0
Labels: snmpv3
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate

 Description   

During investigation of several snmpv3 related issues I once discovered strange behavior of zabbix server/proxy which is worth reporting as a separate issue.

See detailed description in first comment.



 Comments   
Comment by Oleksii Zagorskyi [ 2014 Jul 29 ]

Originally the tcpdump was captured on the zabbix proxy by 'tcpdump -w /tmp/all-snmp.pcap "udp and port 161"' and then filtered in Wireshark by the "ip.addr eq 213.XXX.XX.XXX" filter and saved as "strange_cisco.pcap". So the dump contains not only the snmp sessions considered below but all snmp traffic for the monitored host, including successful sessions.
To investigate the dump on my side I start Wireshark as "TZ=Europe/Paris wireshark", or w/o the timezone env variable but then configure a time shift in Wireshark's settings.

This is a zabbix proxy with Timeout=25. In zabbix_proxy.log we see timestamps of unexpectedly finished sessions and they are the same as in the dump.
Note how a network error looks when it is correct: in a case when there was a single "get-request" w/o a received "report" (for example the UDP packet is indeed lost in the network), the "network error" record appears in the log file only after Timeout.

Take into account packets 5,6:
UDP stream filter: "udp.port eq 40620 and udp.port eq 161"

No.     Time            Source                Destination           Length Protocol Info                                                            SRC port   Engine-Boots Engine-Time Priv       Auth   
      5 12:27:28.236041 192.168.244.10        213.XXX.XX.XXX        106    SNMP     get-request                                                     40620      0            0           Not set    Not set
      6 12:27:28.252953 213.XXX.XX.XXX        192.168.244.10        175    SNMP     report SNMP-USER-BASED-SM-MIB::usmStatsUnknownEngineIDs.0       161        0            0           Not set    Not set

Corresponding log records:

6249:20140703:122728.274 SNMP agent item "ifHCInOctets[Adaptive Security Appliance 'inside' interface]" on host "FW01" failed: first network error, wait for 60 seconds
6268:20140703:122829.329 resuming SNMP agent checks on host "FW01": connection restored

And with the same symptoms also packets 23,25:
UDP stream filter: "udp.port eq 41251 and udp.port eq 161"

No.     Time            Source                Destination           Length Protocol Info                                                            SRC port   Engine-Boots Engine-Time Priv       Auth    
     23 12:32:28.512010 192.168.244.10        213.XXX.XX.XXX        106    SNMP     get-request                                                     41251      0            0           Not set    Not set
     25 12:32:28.524886 213.XXX.XX.XXX        192.168.244.10        175    SNMP     report SNMP-USER-BASED-SM-MIB::usmStatsUnknownEngineIDs.0       161        0            0           Not set    Not set

Corresponding log records:

6235:20140703:123228.554 SNMP agent item "ifHCInOctets[Adaptive Security Appliance 'Ethernet0/1' interface]" on host "FW01" failed: first network error, wait for 60 seconds
6274:20140703:123328.966 resuming SNMP agent checks on host "FW01": connection restored

In both these examples we see a "get-request" with a received "report - usmStatsUnknownEngineIDs" and then this snmp session is finished immediately, which is indicated in the proxy log.
How is it possible that zabbix proxy (libnetsnmp) does NOT do the next "get-request" according to the snmp v3 protocol?
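
The correlation made by hand in the comment above, as an added example that is not part of the original report or of Zabbix: it groups packets per UDP stream, pairs each "first network error" log record with the stream that started just before it, and flags errors logged before Timeout on a stream that ended on the usmStatsUnknownEngineIDs report. Streams 50001 and 50002, the third log record and all function names are constructed for illustration; item keys are shortened.

```python
import re
from datetime import datetime, timedelta

TIMEOUT = timedelta(seconds=25)  # proxy Timeout stated in the report
ERR_RE = re.compile(r"\d+:(\d{8}):(\d{6}\.\d{3}) .*first network error")
# (proxy-side UDP port, time, PDU). Ports 40620 and 41251 are packets 5,6 and
# 23,25 from the report; ports 50001 and 50002 are constructed for contrast.
PACKETS = [
    (40620, "12:27:28.236041", "get-request"),
    (40620, "12:27:28.252953", "report usmStatsUnknownEngineIDs"),
    (50001, "12:30:00.000000", "get-request"),
    (50001, "12:30:00.015000", "report usmStatsUnknownEngineIDs"),
    (50001, "12:30:00.016000", "get-request"),
    (41251, "12:32:28.512010", "get-request"),
    (41251, "12:32:28.524886", "report usmStatsUnknownEngineIDs"),
    (50002, "12:40:00.000000", "get-request"),
]
# First two timestamps are from the report; the third record is constructed.
ERR = ' SNMP agent item "..." on host "FW01" failed: first network error, wait for 60 seconds'
LOG = ["6249:20140703:122728.274" + ERR, "6235:20140703:123228.554" + ERR,
       "6240:20140703:124025.010" + ERR]

def classify_streams(packets):
    """Return {port: (time of first packet, state)} per UDP stream."""
    streams = {}
    for port, t, pdu in packets:
        when = datetime.strptime("20140703 " + t, "%Y%m%d %H:%M:%S.%f")  # capture date
        streams.setdefault(port, []).append((when, pdu))
    result = {}
    for port, pkts in streams.items():
        pdus = [pdu for _, pdu in pkts]
        state = ("no-reply" if set(pdus) == {"get-request"}  # nothing came back
                 else "stopped-after-report" if pdus[-1].startswith("report")
                 else "continued")  # request was resent after the report
        result[port] = (pkts[0][0], state)
    return result

def explain_errors(log, packets):
    """Pair each 'first network error' record with the latest stream begun before it."""
    streams, findings = classify_streams(packets), []
    for m in filter(None, map(ERR_RE.match, log)):
        when = datetime.strptime(" ".join(m.groups()), "%Y%m%d %H%M%S.%f")
        prior = [(start, port, state)
                 for port, (start, state) in streams.items() if start <= when]
        if prior:
            start, port, state = max(prior)
            early = state == "stopped-after-report" and when - start < TIMEOUT
            findings.append((port, state, round((when - start).total_seconds(), 3), early))
    return findings
```

Each finding is (port, stream state, seconds from first request to the error record, flagged-as-premature); the capture and log timestamps must be in the same timezone, as arranged with the TZ setting described above.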

Comment by Oleksii Zagorskyi [ 2014 Jul 29 ]

The traffic was captured 2014-07-03 on vanilla zabbix v2.2.3. This is proxy 001 and it (plus its state) can be seen on graphs in ZBX-8528.
