[c-nsp] SNMPv3 bug on 3550

Church, Charles Charles.Church at harris.com
Tue Apr 27 10:08:21 EDT 2010


I can't find my notes on it, but I seem to remember it being a bug.  I
believe a later code fixed our issue.

 

Chuck Church
Network Planning Engineer, CCIE #8776
Southcom
Harris IT Services
1210 N. Parker Rd.
Greenville, SC 29609
Office: 864-335-9473
Cell: 864-266-3978
E-mail: charles.church at harris.com
Southcom E-mail: charles.church.ctr at hq.southcom.mil

 

From: Ibrahim Abo Zaid [mailto:ibrahim.abozaid at gmail.com] 
Sent: Tuesday, April 27, 2010 7:15 AM
To: Peter Rathlev
Cc: Church, Charles; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] SNMPv3 bug on 3550

 

Hi All

I am facing the same issue below on a 7200 with the 12.2(25)S image.

Does anyone face the same problem? Is it a bug?


Thanks
--Ibrahim



On Thu, Feb 7, 2008 at 1:33 AM, Peter Rathlev <peter at rathlev.dk> wrote:

Sorry about the "empty" mail before, was busy wiping up coffee from my
keyboard. :-)

I've tested the same on our 3550/SEE2's and with the same results. Trial
and error shows that if I exclude the "auth md5 blah" part of the user
definition, everything works as expected. It doesn't help using SHA.

When creating the user I get this log message by the way:

Feb  7 00:16:56.657 met: Configuring snmpv3 USM user, persisting snmpEngineBoots. Please Wait...

It never gets further.

It also seems to be the "snmp-server host ..." command that creates the
"snmp-server group testuser" command. I'm no expert in SNMPv3, but that
may or may not be an error.

So I'd say it's a bug. (Just use v2c, hacky sacks never really died so
why should v2c? :-)

Regards,
Peter



On Wed, 2008-02-06 at 15:03 -0600, Church, Charles wrote:

> Thanks.  I did try it that way too.  Long log shows it doing this:
>
> PSRB-U00-OS-03(config)#do sh run | i test
>
> PSRB-U00-OS-03(config)#do sh snmp user
>
> PSRB-U00-OS-03(config)#do sh snmp group
>
> PSRB-U00-OS-03(config)#snmp-server group testgroup v3 auth access 98
>
> PSRB-U00-OS-03(config)#do sh run | i test
> snmp-server group testgroup v3 auth access 98
>
> PSRB-U00-OS-03(config)#snmp-server user testuser testgroup v3 auth md5 blah access 98
>
> PSRB-U00-OS-03(config)#do sh run | i test
> snmp-server group testgroup v3 auth access 98
>
> PSRB-U00-OS-03(config)#snmp-server host 172.24.4.5 version 3 auth testuser
> PSRB-U00-OS-03(config)#snmp-server host 172.24.5.6 version 3 auth testuser
> PSRB-U00-OS-03(config)#snmp-server host 172.26.4.7 version 3 auth testuser
>
> PSRB-U00-OS-03(config)#do sh run | i test
> snmp-server group testuser v3 auth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
> snmp-server group testgroup v3 auth access 98
> snmp-server host 172.24.4.5 version 3 auth testuser
> snmp-server host 172.24.5.6 version 3 auth testuser
> snmp-server host 172.26.4.7 version 3 auth testuser
>
> PSRB-U00-OS-03(config)#do sh snmp group
> groupname: testuser                         security model:v3 auth
> readview : <no readview specified>          writeview: <no writeview specified>
> notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
> row status: active
>
> groupname: testgroup                        security model:v3 auth
> readview : v1default                        writeview: <no writeview specified>
> notifyview: <no notifyview specified>
> row status: active      access-list: 98
>
> PSRB-U00-OS-03(config)#do sh snmp user
>
> User name: testuser
> Engine ID: 800000090300000D65D8D281
> storage-type: nonvolatile        active access-list: 98
> Authentication Protocol: MD5
> Privacy Protocol: None
> Group-name: testgroup
>
> PSRB-U00-OS-03(config)#
>
>
> So it would appear that the configuration of the trap destinations is
>  what's causing the group with the user name to be created.  Same
>  result if you do the user first, and then the group.  Any ideas?
>
> Thanks,
>
> Chuck
>
> -----Original Message-----
> From: Tassos Chatzithomaoglou [mailto:achatz at forthnet.gr]
> Sent: Wednesday, February 06, 2008 3:42 PM
> To: Church, Charles
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] SNMPv3 bug on 3550
>
>
> I think you have to create group first, then user.
>
> --
> Tassos
>
>
> Church, Charles wrote on 6/2/2008 9:27 PM:
> > Hey all,
> >
> >     I'm seeing the following behavior on 3550s running
> > c3550-ipbasek9-mz.122-25.SEE2.bin:
> >
> > Commands entered:
> > snmp-server user testuser testgroup v3 auth md5 (password) access 98
> > snmp-server group testgroup v3 auth not *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFFFF access 98
> > snmp-server host 172.24.4.5 version 3 auth testuser
> >
> > Results of commands:
> > snmp-server group testuser v3 auth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
> > snmp-server group testgroup v3 auth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFFFF
> > snmp-server host 172.24.4.5 version 3 auth testuser
> >
> > So the configuration of a user called 'testuser' is creating a group
> > called 'testuser'.  We should only be seeing 'testgroup' exist as a
> > group, right?  I did a search through bug navigator, didn't see anything
> > involving snmp and user or group listed.  Is this a known issue?  We use
> > the same command set on 6500s running 12.2(18)SXF9, don't see that
> > happen.
> >
> > Thanks,
> >
> > Chuck Church
> > Principal Network Engineer, CCIE #8776
> > Harris Information Technology Services
> > EDS Contractor - Navy Marine Corps Intranet (NMCI)
> > 1210 N. Parker Rd. | Greenville, SC 29609
> > Office: 864-335-9473 | Cell: 864-266-3978
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
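
An added example, not part of any message in this thread: a small audit of `show snmp group` and `show snmp user` output that flags the condition reported above, a group that shares its name with a user assigned to a different group, and any group shown without an access-list. The function names are hypothetical; the sample text is the output quoted in the thread, abridged and with wrapped lines rejoined.

```python
import re

# Output quoted in the thread above (abridged, wrapped lines rejoined).
SHOW_SNMP_GROUP = """\
groupname: testuser                         security model:v3 auth
readview : <no readview specified>          writeview: <no writeview specified>
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
row status: active

groupname: testgroup                        security model:v3 auth
readview : v1default                        writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active      access-list: 98
"""
SHOW_SNMP_USER = """\
User name: testuser
Authentication Protocol: MD5
Group-name: testgroup
"""

def parse_groups(text):
    """Return {groupname: access-list or None} from 'show snmp group'."""
    groups = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        name = re.search(r"^groupname:\s*(\S+)", block, re.M)
        if not name:
            continue
        acl = re.search(r"access-list:\s*(\S+)", block)
        groups[name.group(1)] = acl.group(1) if acl else None
    return groups

def parse_users(text):
    """Return {username: groupname} from 'show snmp user'."""
    users, current = {}, None
    for line in text.splitlines():
        m = re.match(r"(User name|Group-name):\s*(\S+)", line)
        if m and m.group(1) == "User name":
            current = m.group(2)
        elif m and current:
            users[current] = m.group(2)
    return users

def audit(group_text, user_text):
    """List (group, reason) pairs that differ from the intended config."""
    users, findings = parse_users(user_text), []
    for name, acl in parse_groups(group_text).items():
        if name in users and users[name] != name:
            findings.append((name, "group named after a user of another group"))
        if acl is None:
            findings.append((name, "no access-list bound to group"))
    return findings
```

On the thread's output, `audit(SHOW_SNMP_GROUP, SHOW_SNMP_USER)` reports both findings for `testuser` and none for `testgroup`.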

 
