[ZBX-8539] random finished snmp v3 sessions by zabbix server Created: 2014 Jul 28 Updated: 2020 May 07 Resolved: 2019 Aug 27 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Proxy (P), Server (S) |
Affects Version/s: | 2.2.3 |
Fix Version/s: | None |
Type: | Incident report | Priority: | Minor |
Reporter: | Oleksii Zagorskyi | Assignee: | Unassigned |
Resolution: | Won't fix | Votes: | 0 |
Labels: | snmpv3 | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Issue Links: |
|
Description |
During investigation several snmpv3 related issue I once discovered strange behavior of zabbix server/proxy which worth to be reported as separate issue. See detailed description in first comment. |
Comments |
Comment by Oleksii Zagorskyi [ 2014 Jul 29 ] |
Originally tcpdump was captured on zabbix proxy by "tcpdump -w /tmp/all-snmp.pcap "udp and port 161" and then filtered in Wireshark by "ip.addr eq 213.XXX.XX.XXX" filter and saved as "strange_cisco.pcap". So the dump contains snmp sessions not only considered below but all snmp traffic for the monitored host, including success sessions. This is a zabbix proxy with Timeout=25. In zabbix_proxy.log we see timestamps of unexpectedly finished sessions and they are the same as in the dump. Take into account packets 5,6: No. Time Source Destination Length Protocol Info SRC port Engine-Boots Engine-Time Priv Auth 5 12:27:28.236041 192.168.244.10 213.XXX.XX.XXX 106 SNMP get-request 40620 0 0 Not set Not set 6 12:27:28.252953 213.XXX.XX.XXX 192.168.244.10 175 SNMP report SNMP-USER-BASED-SM-MIB::usmStatsUnknownEngineIDs.0 161 0 0 Not set Not set Corresponding log records: 6249:20140703:122728.274 SNMP agent item "ifHCInOctets[Adaptive Security Appliance 'inside' interface]" on host "FW01" failed: first network error, wait for 60 seconds 6268:20140703:122829.329 resuming SNMP agent checks on host "FW01": connection restored And with the same symptoms also packets 23,25: No. Time Source Destination Length Protocol Info SRC port Engine-Boots Engine-Time Priv Auth 23 12:32:28.512010 192.168.244.10 213.XXX.XX.XXX 106 SNMP get-request 41251 0 0 Not set Not set 25 12:32:28.524886 213.XXX.XX.XXX 192.168.244.10 175 SNMP report SNMP-USER-BASED-SM-MIB::usmStatsUnknownEngineIDs.0 161 0 0 Not set Not set Corresponding log records: 6235:20140703:123228.554 SNMP agent item "ifHCInOctets[Adaptive Security Appliance 'Ethernet0/1' interface]" on host "FW01" failed: first network error, wait for 60 seconds 6274:20140703:123328.966 resuming SNMP agent checks on host "FW01": connection restored In both these examples we see "get-request" with received "report - usmStatsUnknownEngineIDs" and then this snmp session is finished immediately what indicated in proxy log. |
Comment by Oleksii Zagorskyi [ 2014 Jul 29 ] |
The traffic was captured 2014-07-03 on vanilla zabbix v2.2.3. This is proxy 001 and it (plus its state) can be seen on graphs in ZBX-8528. |