0% found this document useful (0 votes)

318 views30 pages

SNMPV 3 and NNMi

Technical white paper SNMPv3 and NNMi A small introduction to SNMPv3 and how it works with Network Node Manager -i

Uploaded by

roshan Naik

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

318 views30 pages

SNMPV 3 and NNMi

Technical white paper SNMPv3 and NNMi A small introduction to SNMPv3 and how it works with Network Node Manager -i

Uploaded by

roshan Naik

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 30

P a g e |1

Technical white paper

SNMPv3 and NNMi

A small introduction to SNMPv3 and how it works with Network Node Manager -i

May 2015

Sign up for updates

hp.com/go/getupdated

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP
products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting
an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
P a g e |2

Contents
Contents .................................................................................................................................................................. 2
SNMPv3 Introduction ............................................................................................................................................. 4
SNMPv3 Enhancements.................................................................................................................................... 4
SNMPv3 Goals .................................................................................................................................................... 4
Authoritative and Non-authoritative SNMP entities ...................................................................................... 4
SNMPv3 Configuration Modes .............................................................................................................................. 5
No Authentication and No Privacy ................................................................................................................... 5
Authentication with No Privacy ........................................................................................................................ 5
Authentication with Privacy .............................................................................................................................. 6
Authentication and Privacy Protocols ............................................................................................................. 6
Communication Configuration ............................................................................................................................. 6
User Name .......................................................................................................................................................... 6
Context Name .................................................................................................................................................... 6
Authentication passphrase and protocol ....................................................................................................... 6
Privacy passphrase /protocol .......................................................................................................................... 7
Configuring a Cisco Router.................................................................................................................................... 7
No Authentication with No Privacy configuration mode ............................................................................... 7
Authentication with No Privacy configuration mode ..................................................................................... 8
Authentication with Privacy configuration mode .......................................................................................... 8
How to decrypt a SNMPv3 packet in Wireshark ................................................................................................. 9
SNMPv3 Objects ................................................................................................................................................... 11
SNMPv3 Discovery ............................................................................................................................................... 11
One-stage discovery and two-stage discovery ........................................................................................... 14
SNMPv3 Communication..................................................................................................................................... 18
USM Report Codes that can be observed in a SNMPv3 packet ...................................................................... 21
List of Report PDUs ......................................................................................................................................... 21
SNMPv3 RFCs ....................................................................................................................................................... 22
NNMi Node Discovery, Configuration and Status Poll ..................................................................................... 23
Discovery and Configuration Poll................................................................................................................... 23

Sign up for updates

hp.com/go/getupdated

Status Poll ........................................................................................................................................................ 23

Troubleshooting................................................................................................................................................... 24
Loggers ............................................................................................................................................................. 24
Communication Configuration ....................................................................................................................... 24
Packet Capture................................................................................................................................................. 25
Problem Examples............................................................................................................................................... 25
NNMi and SNMPv3 configuration ....................................................................................................................... 26
NNMi SNMP Security Levels ............................................................................................................................ 26
NNMi SNMPv3 Settings ................................................................................................................................... 26
SNMPv3 supported protocols ........................................................................................................................ 27
Configuring NNMi to use SNMPv3 .................................................................................................................. 27
Example configuration .................................................................................................................................... 28
SNMPv3 Traps .................................................................................................................................................. 28
SNMPv3 Informs .............................................................................................................................................. 29
For more information ...................................................................................................................................... 30

Sign up for updates

hp.com/go/getupdated

SNMPv3 Introduction
SNMP (Simple Network Management) is an internet standard protocol for managing devices on IP
networks. It supports both IPv4 and IPv6, and it is mostly used in network management systems (NMS) to
monitor network devices.

SNMPv3 Enhancements
SNMPv3 (SNMP version 3) provides security enhancements (over SNMP v1 and v2c) to the SNMP protocol
by adding the following to the SNMP packets that travel through the network

 Authentication (The use of a passphrase to authenticate with the agent/manager.)

 Encryption (The use of an encryption protocol to encrypt the payload.)

SNMPv3 Goals
From the RFC 3414 that describes the SNMPv3 protocol:
Provide for verification that each received SNMP message has not
been modified during its transmission through the network.

Provide for verification of the identity of the user on whose

behalf a received SNMP message claims to have been generated.

Provide for detection of received SNMP messages, which request or

contain management information, whose time of generation was not
recent.

Provide, when necessary, that the contents of each received SNMP

message are protected from disclosure.

USM for SNMPv3, RFC 3414 - http://www.ietf.org/rfc/rfc3414.txt

This enhances SNMPv1|2c where control was performed by community strings, sent in clear text through
the network.

The inconvenient is a more complex configuration needed on both sides, the agent and the manager.

Authoritative and Non-authoritative SNMP entities

The SNMPv3 protocol definition no longer refers to the concepts of “agent” and “manager”, instead it
refers to “SNMP Entities” that can be authoritative and non- authoritative.

The authoritative entities receive the SNMP requests (get, set, getnext and getbulk…) and the non-
authoritative entity request them.

In the NMS context, most of the time the manager is the non-authoritative entity and the agent the
authoritative one. For the purposes of this document, we will use the terms manager and non-
authoritative entity interchangeably. This also applies to agent and authoritative entity.

Sign up for updates

hp.com/go/getupdated

SNMPv3 Configuration Modes

The SNMPv3 protocol definition allows for several modes of operation.

The following are the different modes that are defined:

No Authentication and No Privacy

This is the simplest configuration mode and does not have a significant improved security over SNMPv1|2c
as there is no authentication and the payload is transferred in plain text over the network.

Example.

Image 1. SNMPv3 Packet with No Authentication and No Privacy as seen in Wireshark

Authentication with No Privacy

This mode allows for user authentication between the manager and the agent. The authentication
passphrase is passed using a message digest but the packet’s payload (data to be transferred) is not
encrypted, therefore it can be intercepted easily.

Example.

Image 2. SNMPv3 Packet with Authentication and No Privacy as seen in Wireshark

Sign up for updates

hp.com/go/getupdated

Authentication with Privacy

This is the most secure mode as it allows for user authentication and an encrypted payload.

Example.

Image 3. SNMPv3 Packet as seen in Wireshark

Authentication and Privacy Protocols

The following are the encryption protocols supported. Some SNMPv3 devices may not support all of the
protocols

 Authentication encryption protocols: MD5 and SHA (message digest)

 Privacy encryption protocols: DES and AES (symmetric key data encryption)

Communication Configuration
In order to establish a communication with an authoritative SNMP entity, the following parameters need to
be known by the non-authoritative SNMP entity.

User Name
Status: Mandatory
Description: A SNMPv3 user that has access to certain MIBs in the device.
Notes: SNMPv3 users need to be configured locally in the devices.

Context Name
Status: Optional
Description: A context is a collection of MIBs that are accessible by a SNMPv3 user.
Notes: It is optional as it may or may not be configured on the agent side.

Authentication passphrase and protocol

Status: Optional
Description: Passphrase: The passphrase to authenticate against the SNMP agent.
Protocol: The protocol used to encrypt the passphrase.
Notes: If configured on the agent, then it needs to be specified on the manager.
Sign up for updates
hp.com/go/getupdated

Privacy passphrase /protocol

Status: Optional
Description: Passphrase: The passphrase used to encrypt the packet’s payload
Protocol: The protocol used to encrypt the payload.
Notes: If configured on the agent, then it needs to be specified on the manager.

Configuring a Cisco Router

The following are the configuration examples of SNMPv3 on a Cisco 3640 router.

Notes:

All commands below will be executed in the Cisco Configure Terminal Mode (configure terminal)

Text in blue is the command syntax and/or output

Text in orange are the configuration parameters

The Cisco 3640 router support the three SNMPv3 modes mentioned earlier

# snmp-server group test v3 ?

auth group using the authNoPriv Security Level
noauth group using the noAuthNoPriv Security Level
priv group using SNMPv3 authPriv security level

No Authentication with No Privacy configuration mode

Note: This is the simplest configuration mode and does not have a significant improved security over SNMPv1|2c

Step 1. Create an SNMP group

The SNMP group is used to specify the configuration mode, in this case, NoAuth

# snmp-server group TestGroupNoAuth v3 noauth

Step 2. Create an SNMP user

Create and attach the user to the recently created group (TestGroupNoAuth).

# snmp-server user TestUserNoAuth TestGroupNoAuth v3

Sign up for updates

hp.com/go/getupdated

Step 3. Test the configuration (CLI, from the NNMi Management Server)

nnmsnmpwalk.ovpl -v 3 -v3u TestUserNoAuth <device> sysDescr

sysDescr.0 : OCTET STRING- (ascii): Cisco Internetwork Operating System Software

IOS (tm) 3600 Software (C3640-IK9S-M), Version 12.3(19), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Thu 11-May-06 17:

Authentication with No Privacy configuration mode

Note: Because the SNMPv3 with authentication and/or privacy configuration uses encrypted data, it is not stored in the normal
“running config” file in the device (because that file is stored as plain text) and therefore the configuration will not be in the output of
“show running config”.

Step 1. Create an SNMP group

The SNMP group is used to specify the configuration mode, in this case, AuthNoPriv

# snmp-server group TestGroupAuth v3 auth

Step 2. Create an SNMP user using MD5 as the authentication protocol

Create and attach the user to the recently created group (TestGroupAuth).

# snmp-server user TestUserAuth TestGroupAuth v3 auth md5 authPass

Step 3. Test the configuration (CLI, from the NNMi Management Server)

nnmsnmpwalk.ovpl -v 3 -v3u TestUserAuth -A authPass -a MD5 <device> sysDescr

sysDescr.0 : OCTET STRING- (ascii): Cisco Internetwork Operating System Software

Authentication with Privacy configuration mode

Note. Because the SNMPv3 with authentication and/or privacy configuration uses encrypted data, it is not stored in the normal
“running config” file in the device (because that file is stored as plain text) and therefore the configuration will not be in the output of
“show running config”

Sign up for updates

hp.com/go/getupdated

Step 1. Create an SNMP group

The SNMP group is used to specify the configuration mode, in this case, AuthPriv

# snmp-server group TestGroupPriv v3 priv

Step 2. Create an SNMP user using MD5 as the authentication protocol and DES for the privacy protocol

The user is attached to the recently created group (TestGroupPriv).

# snmp-server user TestUserPriv TestGroupPriv v3 auth md5 authPass priv des privPass

Step 3. Test the configuration (CLI, from the NNMi Management Server)

nnmsnmpwalk.ovpl -v 3 -v3u TestUserPriv -A authPass -a MD5 -X privPass -x DES <device>

sysDescr

sysDescr.0 : OCTET STRING- (ascii): Cisco Internetwork Operating System Software

How to decrypt a SNMPv3 packet in Wireshark

When the Privacy configuration mode is in use, Wireshark is unable to decrypt the packets unless it is
configured it with the agent’s pass-phrases and protocols. To configure Wireshark to decrypt an encrypted
v3 packet the following can be done:

Steps

1) Edit > Preferences >> 2) Protocols > SNMP

3) Users Table > Edit >> 4) Add New

4.a Engine ID
4.b Username

5) Authentication Model and Password, Privacy Protocol and Password

Note: The authentication and privacy protocols can be either obtained from the NNMi configuration or be provided by the
network team, but the password must be provided by the network admins as it is encrypted in the database.

Sign up for updates

hp.com/go/getupdated

Image 4. Steps to decrypt a SNMPv3 packet in Wireshark

Result

Image 5. SNMPv3 decrypted packet as seen in Wireshark

Sign up for updates

hp.com/go/getupdated

SNMPv3 Objects
The non-authoritative engine needs to learn some values from the authoritative engine so that the
communication is allowed. Once that those values are learnt by the manager, then communication
(encrypted or plain text) can be initiated.

From the RFC 3414 that describes the SNMPv3 protocol:

Each SNMP engine maintains three objects:

- snmpEngineID …
- snmpEngineBoots …
- snmpEngineTime …

Each SNMP engine is always authoritative with respect to these objects

in its own SNMP entity. It is the responsibility of a non-
authoritative SNMP engine to synchronize with the authoritative SNMP
engine, as appropriate.

As mentioned in the RFC, it is the responsibility of the non-authoritative SNMP engine to synchronize with
the authoritative SNMP engine. This synchronization process is known as SNMPv3 discovery, described
next.

SNMPv3 Discovery
From the RFC 3414 that describes the SNMPv3 protocol:
The User-based Security Model requires that a discovery process
obtains sufficient information about other SNMP engines in order to
communicate with them. Discovery requires a non-authoritative SNMP
engine to learn the authoritative SNMP engine's snmpEngineID value
before communication may proceed.

So, to initiate communication, the non-authoritative entity needs first to learn the authoritative
snmpEngineID.

How does the non-authoritative SNMP engine learns the authoritative snmpEngineID required for SNMPv3
communication?

From the RFC 3414 that describes the SNMPv3 protocol:

This may be accomplished by generating a Request message with a
securityLevel of noAuthNoPriv, a msgUserName of zero-length, a
msgAuthoritativeEngineID value of zero length, and the varBindList left
empty. The response to this message will be a Report message
containing the snmpEngineID of the authoritative SNMP engine as the
value of the msgAuthoritativeEngineID field within the
msgSecurityParameters field. It contains a Report PDU with the
usmStatsUnknownEngineIDs counter in the varBindList.
Sign up for updates
hp.com/go/getupdated

The following images are packet captures that demonstrates the steps.

Request. A request is sent with no engineID, username, authentication or privacy information and the
varbind list left empty.

Image 6. SNMPv3 Packet as seen in Wireshark

Response. A response is received that includes the Authoritative EngineID and the expected
“usmStatsUnknownEngineIDs” report PDU.

Sign up for updates

hp.com/go/getupdated

Image 7. SNMPv3 Packet as seen in Wireshark

Communication. The communication is then established using the newly learned Authoritative EngineID.

Image 8. SNMPv3 Packet as seen in Wireshark

Sign up for updates

hp.com/go/getupdated

It can be observed in the process above that no user authentication was performed (observe the
msgAuthenticationParameters field). This is because Authentication Protocol and Passphrase was not
configured in the Authoritative entity.

Note: *** This is not a recommended configuration as it does not introduce any significant
improvement over the SNMPv1 or SNMPv2c. For all production systems Authentication Security Level should
be used.

In the case that the Authentication Security Level is configured in the Authoritative Entity, the RFC 3414
states the following

If authenticated communication is required, then the discovery

process should also establish time synchronization with the
authoritative SNMP engine.

To establish Time Synchronization two more values are needed to be learnt from the Authoritative entity:

snmpEngineBoots
snmpEngineTime

The need to learn these values introduce the one-stage or two-stage discovery process.

One-stage discovery and two-stage discovery

The following is a first response obtained from an Authoritative Entity as part of the discovery process. It
can be observed that the Authoritative Entity has provided the engineBoots and engineTime values on its
first response to the non-authoritative entity as part of the discovery process. At this time the non-
authoritative entity will be able to establish time synchronization and communication will be possible.

This process is known as one-stage discovery, as only one packet exchange between the manager and the
agent were required for the discovery process.

Sign up for updates

hp.com/go/getupdated

Response. It includes the engineID and the required values of engineBoots and engineTime

Image 9. SNMPv3 Packet as seen in Wireshark

However, there are occasions where the Authoritative Entity will not provide the engineBoots and
engineTime values on its first response. The following is an example.

Response. Notice that the engineID and the expected usmStatsUnknownEngineIDs report PDU are
received, but not the engineBoots and engineTime.

Image 10. SNMPv3 Packet as seen in Wireshark

Sign up for updates

hp.com/go/getupdated

How does the non-authoritative SNMP engine learns the authoritative engineBoots and engineTime
required to establish Time Synchronization?

From the RFC 3414 that describes the SNMPv3 protocol:

This may be accomplished by sending an authenticated Request message
with the value of msgAuthoritativeEngineID set to the newly learned
snmpEngineID and with the values of msgAuthoritativeEngineBoots and
msgAuthoritativeEngineTime set to zero. For an authenticated Request
message, a valid userName must be used in the msgUserName field. The
response to this authenticated message will be a Report message
containing the up to date values of the authoritative SNMP engine's
snmpEngineBoots and snmpEngineTime as the value of the
msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime fields
respectively. It also contains the usmStatsNotInTimeWindows counter
in the varBindList of the Report PDU.

It is required to send a second packet to the Authoritative Entity to obtain the information, hence the name
two-stage discovery.

The second packet will contain the newly learned engineID, a valid username, and the engineBoots and
engineTime values set to Zero. And in response, the Authoritative entity will respond with the engineTime,
engineBoots and the “usmStatsNotInTimeWindows” report PDU

Example of One-stage Discovery

Request

Image 11. SNMPv3 get-request packet as seen in Wireshark

Sign up for updates

hp.com/go/getupdated

Response

Image 12. SNMPv3 get-response packet as seen in Wireshark

Example of Two-stage discovery

Request

Image 13. SNMPv3 get-request packet as seen in Wireshark

Sign up for updates

hp.com/go/getupdated

Response

Image 14. SNMPv3 get-response packet as seen in Wireshark

Request

Image 15. SNMPv3 get-response packet as seen in Wireshark

SNMPv3 Communication
Once that the non-authoritative entity has learnt the required values to communicate, the communication
can start.

Depending on the SNMPv3 Configuration Mode (NoAuthNoPriv, AuthNoPriv, AuthPriv), the subsequent
packets after the discovery need to be properly encoded for that configuration mode.

From the RFC 3411 that describes the SNMPv3 protocol:

The msgUserName specifies the user (principal) on whose behalf the

message is being exchanged. Note that a zero-length userName will
not match any user, but it can be used for snmpEngineID discovery.

The msgAuthenticationParameters are defined by the authentication

protocol in use for the message, as defined by the usmUserAuthProtocol
column in the user's entry in the usmUserTable.

The msgPrivacyParameters are defined by the privacy protocol in use for

the message, as defined by the usmUserPrivProtocol column in the user's
entry in the usmUserTable).

Sign up for updates

hp.com/go/getupdated

All Configuration Modes

The msgUserName must be included in packets for all Configuration Modes, except during the Discovery
Process. If a Valid user name is not included in the requests then the agent will respond with an
“usmStatsUnknownUserNames” response PDU and terminate the communication.

Including a username does not provide Authentication, as the pass-phrase is the method use to
authenticate the user. Providing a username is a protocol requirement that is used to specify the user on
whose behalf the message is being exchanged, therefore, the user is required even when no
Authentication is configured.

Authentication Mode
If the User in question has been configured to use Authentication, then the msgAuthenticationParameters
must include the user’s authentication information. If the Authentication parameters are not included then
the agent will respond with an “usmStatsUnsupportedSecLevels” response PDU. Similarly, if the
information is incorrect then the agent will respond with an “usmStatsWrongDigests” response PDU. In
both scenarios, the agent terminates the communication.

Authentication and Privacy

If the User in question has also been configured for Privacy, then the msgPrivacyParameters must include
the user’s Privacy configuration and the packet’s Payload must be encrypted. If the privacy Parameters are
not included then the agent will respond with an “usmStatsUnsupportedSecLevels” response PDU.
Similarly, if the information is incorrect then the agent will respond with an “usmStatsDecryptionErrors”
response PDU. In both scenarios, the agent terminates the communication.

Communication Examples

No Authentication No Privacy Mode

Image 16. SNMPv3 get-response packet as seen in Wireshark

Sign up for updates

hp.com/go/getupdated

Authentication, No Privacy

Image 17. SNMPv3 get-response packet as seen in Wireshark

Authentication, Privacy

Image 18. SNMPv3 get-response packet as seen in Wireshark

Important to note about engineTime and engineBoots

Time synchronization is performed as a mechanism to protect from message replay. During

communication, the snmpEngineTime value has to be within 150 seconds (when compared with the local
notion of snmpEngineTime) and if the remote device is rebooted, then the device’s snmpEngineBoots
value must be incremented by one, so that the remote entity can interpret that a reboot occurred and
therefore the engineTime needs to be updated.
Sign up for updates
hp.com/go/getupdated

This allows for proper communication between the manager and the agent. This is described in the RFC
3414, Sub-section 3.2 “Processing an Incoming SNMP Message”. Increasing the snmpEngineBoots value
allows the manager to detect the reboot, and keeping the snmpEngineTime value within 150 seconds has
been defined in the same RFC as “the window of time in which a message generated on behalf of any user
is valid” Please refer to the RFC 3414 for more details.

USM Report Codes that can be observed in a SNMPv3 packet

When the authoritative entity detects a problem with a SNMPv3 request, it responds with a Report PDU
that contains one of the defined USM report codes defined below. The USM report codes are found within
the varbind list of the response packet.

If trying to run an nnmsnmpwalk.ovpl against a v3 device then the tool will output the error in human-
readable form.

CLI example for an un-existing user:

Image 19. CLI Example for a SNMPv3 Response

Packet example:

Image 23. SNMPv3 packet with a response code as seen in Wireshark

List of Report PDUs

usmStatsUnsupportedSecLevels | .1.3.6.1.6.3.15.1.1.1

Summary: The SecurityLevel was unknown to the SNMP engine

Possible reason: The security level, or configuration mode (noAuth, AuthNoPriv, Priv) in use is not
configured in the entity.

Sign up for updates

hp.com/go/getupdated

usmStatsNotInTimeWindows | .1.3.6.1.6.3.15.1.1.2

Summary: Outside of the authoritative SNMP engine's window

Possible reason: The engineTime is not the expected value.

usmStatsUnknownUserNames | .1.3.6.1.6.3.15.1.1.3

Summary: Packet referenced a user that was not known to the SNMP engine
Possible reason: The user does not exist

usmStatsUnknownEngineIDs | .1.3.6.1.6.3.15.1.1.4

Summary: Packet referenced a snmpEngineID that was not known to the SNMP engine
Possible reason: The engineID is that the expected one. This is normal during v3 discovery.

usmStatsWrongDigests | .1.3.6.1.6.3.15.1.1.5

Summary: Packet didn't contain the expected digest value

Possible reason: Digest values are used in the Authentication Protocol. Possibly the
Authentication Passphrase is incorrect.

usmStatsDecryptionErrors | .1.3.6.1.6.3.15.1.1.6

Summary: Packet could not be decrypted

Possible reason: Possibly the Privacy Passphrase is incorrect

SNMPv3 RFCs
The following is a list of SNMPv3 RFC documents that can become useful in the case that interoperability
issues occur or that it is desired to expand the knowledge of the protocol.

The list of RFCs has been taken from the following source:
http://www.snmp.com/protocol/snmp_rfcs.shtml (SNMP Research International, Inc, 2015)

RFC 3410. Introduction and Applicability Statements for Internet Standard Management Framework
RFC 3411. An Architecture for Describing SNMP Management Frameworks
RFC 3412. Message Processing and Dispatching
RFC 3413. SNMP Applications
RFC 3414. User-based Security Model
RFC 3415. View-based Access Control Model
RFC 3416. Version 2 of SNMP Protocol Operations
RFC 3417. Transport Mappings
Sign up for updates
hp.com/go/getupdated

NNMi Node Discovery, Configuration and Status Poll

Discovery and Configuration Poll
During initial discovery, re-discovery and configuration poll, NNMi goes through the SNMPv3 discovery
process.

The information collected during the SNMPv3 discovery process is cached within NNMi memory and used
for subsequent status polling.

Example of a Configuration Poll for a v3 node that has been already discovered by NNMi:

Image 20. SNMPv3 packets as seen in Wireshark during an NNMi Configuration Poll

Status Poll
During on demand or scheduled status poll, NNMi uses the cached SNMPv3 parameters for
communication.

Example of a Status Poll for a v3 node that has been already discovered by NNMi:

Image 21. SNMPv3 packets as seen in Wireshark during an NNMi Status Poll

Sign up for updates

hp.com/go/getupdated

Troubleshooting
Loggers
Use the loggers with caution since they may create a massive amount of data in an environment with
thousands of nodes being monitored

nnmsetlogginglevel.ovpl com.hp.ov.snmp
nnmsetlogginglevel.ovpl com.hp.ov.nms.comm
nnmsetlogginglevel.ovpl com.hp.ov.nms.snmp

Communication Configuration
Use the Actions > Configuration Details > Communication Configuration UI menu or the following command
to retrieve the communication settings for the node in question

nnmcommconf.ovpl -proto snmp -host <device>

Example:

[root@server ~]# nnmcommconf.ovpl -proto snmp -host <device>

SNMP Configuration Entry:
name = <device>
management address = <IP>
addressForced = true
preferredVersion = null
minimum security level = Authentication, Privacy
readCommunity = null
writeCommunity = null
timeout = 5000
retries =2
port = 161
proxyPort = null
proxyAddress = null
SNMPv3 user names = TestUserPriv
SNMPv3 context names =
enabled = true
address disco enabled = false
get bulk enabled = true
region name = null
node setting description = null
active address = 172.16.10.73
active readCommunity = null
active SNMPv3 user = TestUserPriv
active SNMPv3 context = null

Sign up for updates

hp.com/go/getupdated

Packet Capture
Use Wireshark on Windows, snoop on Solaris, nettl on HPUX or tcpdump on Linux to capture the
communication.

Then use Wireshark to decode the packets (if encrypted) as shown earlier on this document.

Problem Examples
usmStatsUnsupportedSecLevels - Configuration Poll

1) NNMi does send the discovery packet

2) The device does respond with the usual “usmStatsUnknownEngineIDs” report
(1.3.6.1.6.3.15.1.1.4)
3) NNMi then sends a get request with the username, engine ID but it sends it in plain text, it
does not use the authentication/privacy configuration
4) The agent responds with “usmStatsUnsupportedSecLevels” “1.3.6.1.6.3.15.1.1.1”
5) The node discovery ends here and it is discovered as non-SNMP.

Possible Reason: NNMi is not configured with the correct privacy/authentication mode.
Solution: Configure NNMi properly

usmStatsNotInTimeWindows - Status Poll

1) The device is already discovered therefore NNMi sends a request packet with the known v3
parameters.
2) The agent responds with “usmStatsNotInTimeWindows” “1.3.6.1.6.3.15.1.1.2”
3) The status poll fails

Possible Reason: The agent restarted, it did not update the engineBootCount and the engineTime
known by NNMi is incorrect.
Solution: Run a configuration poll against the device

Sign up for updates

hp.com/go/getupdated

NNMi and SNMPv3 configuration

NNMi SNMP Security Levels
NNMi supports several security levels for SNMP communication. A security level is a combination of
allowed SNMP versions that can be tried to communicate with an agent.

The detailed description of the available security levels are documented in the NNMi 10.00 Deployment
Reference, page 49, section “SNMP Version Preferences”.

The following are the available security levels and a brief description:

Community Only (SNMPv1 only) NNMi will only use SNMPv1 to communicate with a device
Community Only (SNMPv1 or v2c) NNMi will try SNMPv2 first and if no response, NNMi will try
SNMPv1 to communicate with a device

Community NNMi attempts SNMPv2 communication first, if no response, it

tries with SNMPv1 and if no response, it finally tries SNMPv3.
No Authentication, No Privacy NNMi attempts to use SNMPv3 only, with the noAuthNoPriv mode.
Authentication, No Privacy NNMi attempts to use SNMPv3 only, with the AuthNoPriv mode.
Authentication, Privacy NNMi attempts to use SNMPv3 only, with the AuthPriv mode.

Security levels can be configured at the Communication Settings > Default and Regional levels only. For
the Communication > Specific Node Settings, the user must choose one explicit protocol to communicate.

NNMi SNMPv3 Settings

An NNMi SNMPv3 Settings is a table entry that contains the following information.

Unique Name Internal record name to refer

to the configuration. Not used
by the SNMPv3 protocol during
communication.
User Name SNMPv3 User Name
Context Name SNMPv3 Context (if needed)
Authentication Protocol SNMPv3 Authentication
Protocol
Passphrase SNMPv3 Authentication
Passphrase
Privacy Protocol SNMPv3 Privacy Protocol
Passphrase SNMPv3 Privacy Passphrase
Image 23. NNMi SNMPv3 Settings form

Every SNMPv3 Settings entry can be used at any Communication Configuration level (Default, Region, and
Specific Node Settings).

Sign up for updates

hp.com/go/getupdated

SNMPv3 supported protocols

The following are the SNMPv3 supported protocols in NNMi 10.00

For SNMPv3 authentication:

 HMAC-MD5-96
 HMAC-SHA-1

For SNMPv3 privacy:

 DES-CBC
 TripleDES
 AES-128
 AES-192
 AES-256

Configuring NNMi to use SNMPv3

The configuration can be done at the Default, Regional or Specific Node Settings level in the NNMi
Communication Configuration works-space.

Image 24. NNMi Communication Configuration works-space

If using the Default or Region configuration levels, then the SNMP Minimum Security Level needs to be set
to “”Community” or one of the SNMPv3 Specific Security Levels (Authentication, Privacy and their
combinations).

Sign up for updates

hp.com/go/getupdated

If “Community” is chosen, and a valid SNMP Community String is also configured at the level, then NNMi
will succeed to communicate using SNMPv2c or SNMPv1 before it attempts to use SNMPv3, therefore
SNMPv3 will not be used.

In that case, if you need NNMi to use SNMPv3 you can try one of the following possible solutions:

 Configure the agent to only support SNMPv3 (do not respond to the community string)
 Configure NNMi to use a SNMPv3 Specific Security Level (at a Regional or Specific Level)

Example configuration
The image below shows an example configuration in the Regional Communication Configuration. The
SNMP Minimum Security Level has been set to the SNMPv3 Specific Level “Authentication, Privacy” and a
new SNMPv3 Settings entry has been added “testSNMPv3Setting”.

Under this configuration, for every node contained in this region, NNMi will try to communicate specifically
with SNMPv3 using the parameters in the “testSNMPv3Setting”configuration.

Image 25. NNMi Communication Configuration for Region

SNMPv3 Traps
The following has been taken from the NNMi 10.00 Deployment Reference

Sign up for updates

hp.com/go/getupdated

When NNMi uses SNMPv3 to communicate with a device, it uses a discovery process to identify the
Engine ID, boot count, and engine time of the device. NNMi then uses this information, along with
the configured user and protocol details, to start sending messages to the device. When the device
sends a trap to NNMi, the device may not have the NNMi information, and because a trap is a single-
packet transaction, it has no way to get the necessary information. Therefore, it uses its own Engine
ID, boot count and engine time in the trap, along with the user name and protocol details. These
device details must be the same as those configured for the device in NNMi. You cannot configure
multiple SNMPv3 users per device in NNMi.

NNMi 10.00 Deployment Reference, page 50, “SNMPv3 Traps and Informs”

A SNMP trap is an unsolicited message sent from the managed node to the management server, it is a
single transaction and because of that it does not try to perform a SNMPv3 information discovery to
obtain the management server’s Engine ID, Boot Count or engine time. As a result, when sending a
SNMPv3 trap, the device uses its own values. For NNMi to be able to process a SNMPv3 trap, the node
sending the trap needs to have been discovered by NNMi as a SNMPv3 device, this way, NNMi will have
cached the device’s Engine Time, Engine ID and Boot Count and NNMi will also know the managed node’s
user and protocol configuration. NNMi will use this information to process the incoming trap. Without the
information NNMi will be unable to process the trap.

The User and Protocol configuration information in the trap must match what has been configured in NNMi
for the device, otherwise NNMi will be unable to process the trap (i.e won’t be able to decrypt the
information).

SNMPv3 Informs

The following has been taken from the NNMi 10.00 Deployment Reference

An inform is an acknowledged packet, so this is more like an SNMP request that NNMi would make
to the device except, this time, it is the device initiating the first packet and NNMi responding with the
acknowledgment. The device, therefore, performs the discovery to NNMi to learn NNMi’s Engine ID,
boot count and engine time. The user name and protocol configuration that the device uses must
match what is configured in the NNMi trap forwarding configuration—this is, in effect, NNMi’s
SNMPv3 agent configuration

NNMi 10.00 Deployment Reference, page 50, “SNMPv3 Traps and Informs”

Sign up for updates

hp.com/go/getupdated

The SNMPv3 Inform, as opposed to a trap, does perform a SNMP discovery. The process will be similar to
the one described on this document under the “SNMPv3 Discovery” section. On this scenario, the device is
initiating the connection and it will be responsible to perform the SNMPv3 information discovery (Engine
Time, Engine ID, Boot Count). To be able to communicate with NNMi, the managed device will have to
know the NNMi User and Configuration Protocols. Just like NNMi needs to know the same information
when initiating communication with a managed v3 device.

The device needs to be configured to use the NNMi’s user and protocol information. The NNMi user and
protocol information can be found by accessing the following configuration page in the NNMI Web
Console:

Configuration > Incidents > Trap Server > Trap Forwarding Configuration

By default, the username is “NNMi” and the protocol information is not configured as seen below

Image 26. NNMi Trao Forwarding Configuration page

After defining the Authentication and Privacy settings in NNMI, configure the remote device sending the
SNMPv3 informs to use these settings as well.

For more information

For more information about configuring NNMi to work with SNMPv3, please refer to the NNMi Deployment
Reference for your NNMi version.

Sign up for updates

hp.com/go/getupdated

HUAWEI USG Series Firewalls Configuration Guide For VPN
No ratings yet
HUAWEI USG Series Firewalls Configuration Guide For VPN
525 pages
03 - Alteon ADC Level 1 Lab Manual - High Availability
100% (1)
03 - Alteon ADC Level 1 Lab Manual - High Availability
12 pages
05 SNMP Fundamentals and Practices
100% (1)
05 SNMP Fundamentals and Practices
42 pages
Dell EMC Networking N-Series Configuracion
No ratings yet
Dell EMC Networking N-Series Configuracion
1,766 pages
Parallel and Distributed Computing
No ratings yet
Parallel and Distributed Computing
33 pages
VxRail Appliance - VxRail Customer Installation Procedures-2-ALL
No ratings yet
VxRail Appliance - VxRail Customer Installation Procedures-2-ALL
192 pages
Spring Boot Interview Questions: Click Here
No ratings yet
Spring Boot Interview Questions: Click Here
15 pages
Aruba Os Switch and Aruba Os CX Transceiver Guide
No ratings yet
Aruba Os Switch and Aruba Os CX Transceiver Guide
62 pages
Configuring MicroSCADA For Modbus Slave Protocol
No ratings yet
Configuring MicroSCADA For Modbus Slave Protocol
46 pages
HPN-B2 Cisco Interoperability and Migration Scenario
No ratings yet
HPN-B2 Cisco Interoperability and Migration Scenario
109 pages
Cisco Identity Services Engine User Guide, Release 1.2
No ratings yet
Cisco Identity Services Engine User Guide, Release 1.2
786 pages
Common Dell Emc Networking Os10ee Deployment Guide With Cisco Aci
No ratings yet
Common Dell Emc Networking Os10ee Deployment Guide With Cisco Aci
34 pages
Ocs352 Iot Unit 1
No ratings yet
Ocs352 Iot Unit 1
29 pages
Aruba MM MC and Clearplass
No ratings yet
Aruba MM MC and Clearplass
38 pages
Cisco+300-715 001
No ratings yet
Cisco+300-715 001
55 pages
AOS-CX Switch Simulator - NetEdit 2.1 Part 1 Lab Guide
100% (1)
AOS-CX Switch Simulator - NetEdit 2.1 Part 1 Lab Guide
13 pages
NuDesign SNMPv3 Tutorial & Demo Manual PDF
No ratings yet
NuDesign SNMPv3 Tutorial & Demo Manual PDF
44 pages
Dell EMC Networking
No ratings yet
Dell EMC Networking
72 pages
Killing My Sessions in Oracle
No ratings yet
Killing My Sessions in Oracle
6 pages
5.2.2.6 Lab - Configuring SNMP
No ratings yet
5.2.2.6 Lab - Configuring SNMP
12 pages
Configuring The SRX300 Services Gateway Using The CLI
No ratings yet
Configuring The SRX300 Services Gateway Using The CLI
3 pages
Docker Most Asked Interview Questions With Answers
No ratings yet
Docker Most Asked Interview Questions With Answers
19 pages
Lab 5.5.1: Basic Spanning Tree Protocol: Topology Diagram
No ratings yet
Lab 5.5.1: Basic Spanning Tree Protocol: Topology Diagram
10 pages
PCNSE Study Guide NEW 8 Notes PDF
No ratings yet
PCNSE Study Guide NEW 8 Notes PDF
134 pages
Introduction To Server Side Programming
No ratings yet
Introduction To Server Side Programming
10 pages
NM SNMP Snmpv3
No ratings yet
NM SNMP Snmpv3
10 pages
Cisco Sd-Wan Vmanage Cluster Creation and Troubleshooting
No ratings yet
Cisco Sd-Wan Vmanage Cluster Creation and Troubleshooting
27 pages
How Does A Generic Datasource Communicates
No ratings yet
How Does A Generic Datasource Communicates
16 pages
2008 04 04 SNMP On ERS 8600 TCG NN48500564
No ratings yet
2008 04 04 SNMP On ERS 8600 TCG NN48500564
44 pages
DE Week-1, Lecture
No ratings yet
DE Week-1, Lecture
3 pages
Jncia Lab Guide
No ratings yet
Jncia Lab Guide
18 pages
Snmpv3 Community Mib Support: Finding Feature Information
No ratings yet
Snmpv3 Community Mib Support: Finding Feature Information
10 pages
Cisco SD-Access Workbook
No ratings yet
Cisco SD-Access Workbook
29 pages
Talend ESB
No ratings yet
Talend ESB
114 pages
Nnmi Integration Operations Manager 9.20
No ratings yet
Nnmi Integration Operations Manager 9.20
46 pages
9.1 New Question Update 28 MAY
No ratings yet
9.1 New Question Update 28 MAY
26 pages
JUNOS OSPF Configuring Route Optimizations
No ratings yet
JUNOS OSPF Configuring Route Optimizations
31 pages
PAN OS 31 CLI Reference Guide
No ratings yet
PAN OS 31 CLI Reference Guide
322 pages
Avaya Ethernet Routing Switching Implementation
No ratings yet
Avaya Ethernet Routing Switching Implementation
76 pages
DC1
No ratings yet
DC1
4 pages
Document Guide For Barracuda NG Firewall & Control Center
No ratings yet
Document Guide For Barracuda NG Firewall & Control Center
184 pages
Port Security Questions: Answer
No ratings yet
Port Security Questions: Answer
28 pages
AOS-CX Simulator - VRF Part 1 Lab Guide
No ratings yet
AOS-CX Simulator - VRF Part 1 Lab Guide
17 pages
Securing Your Network With Pfsense: Ilta-U Dale Qualls Pattishall, Mcauliffe, Newbury, Hilliard & Geraldson LLP
No ratings yet
Securing Your Network With Pfsense: Ilta-U Dale Qualls Pattishall, Mcauliffe, Newbury, Hilliard & Geraldson LLP
86 pages
300 725 SWSA v1.1
No ratings yet
300 725 SWSA v1.1
3 pages
18CSC364J - Information Security Without Answer
No ratings yet
18CSC364J - Information Security Without Answer
6 pages
PRELIM EXAMINATION - Database Management System 1
No ratings yet
PRELIM EXAMINATION - Database Management System 1
10 pages
AOS-CX Simulator - MSTP Lab Guide
No ratings yet
AOS-CX Simulator - MSTP Lab Guide
14 pages
Symantec Lab Exercise
100% (1)
Symantec Lab Exercise
136 pages
Untitled
No ratings yet
Untitled
3 pages
New Question 8june2021
No ratings yet
New Question 8june2021
6 pages
Setting Up (35D) : Core Data Services-Based Extraction With SAP S/4HANA Cloud
No ratings yet
Setting Up (35D) : Core Data Services-Based Extraction With SAP S/4HANA Cloud
28 pages
Cisco Ucs Servers
No ratings yet
Cisco Ucs Servers
112 pages
2022 Decentralized and Self-Sovereign Identity in The Era of Blockchain A Survey
No ratings yet
2022 Decentralized and Self-Sovereign Identity in The Era of Blockchain A Survey
8 pages
HPE Aruba Tutorials
No ratings yet
HPE Aruba Tutorials
1 page
Cisco UCS Admin MGMT Guide For FW3.1
No ratings yet
Cisco UCS Admin MGMT Guide For FW3.1
152 pages
Cacti Installation - Public
No ratings yet
Cacti Installation - Public
4 pages
Thank You For Downloading C - TS411 - 2021 Exam PDF Demo
No ratings yet
Thank You For Downloading C - TS411 - 2021 Exam PDF Demo
5 pages
HP 5900AF Initial Setup & IRF Configuration
No ratings yet
HP 5900AF Initial Setup & IRF Configuration
13 pages
How To Load A Config File Onto A Cisco Router
No ratings yet
How To Load A Config File Onto A Cisco Router
1 page
Install Guide FirePower Module On Cisco ASA v1.1
100% (1)
Install Guide FirePower Module On Cisco ASA v1.1
22 pages
PASSLEADER BY aNTON DUMP CCNA SEC
No ratings yet
PASSLEADER BY aNTON DUMP CCNA SEC
36 pages
HP-UX Security Checklist
No ratings yet
HP-UX Security Checklist
7 pages
ASA VPN Posture With CSD DAP and AnyCon PDF
No ratings yet
ASA VPN Posture With CSD DAP and AnyCon PDF
19 pages
An Overview of Trend Micro Deep Security Solution Components
No ratings yet
An Overview of Trend Micro Deep Security Solution Components
7 pages
2013 Anz PDF BRKCOM-1001 - UCS Fabric Fundamentals
No ratings yet
2013 Anz PDF BRKCOM-1001 - UCS Fabric Fundamentals
72 pages
En Security SBA Student Training Ans Key
100% (1)
En Security SBA Student Training Ans Key
43 pages
Nvram Parameter Configuration Instructions
No ratings yet
Nvram Parameter Configuration Instructions
75 pages
08-Describin and Implementing Cisco Wireless Network Architecture
No ratings yet
08-Describin and Implementing Cisco Wireless Network Architecture
20 pages
Palo Alto Networks PANOS 6 0 CEF Configuration Guide 2014
No ratings yet
Palo Alto Networks PANOS 6 0 CEF Configuration Guide 2014
18 pages
First Stuffs Todo
No ratings yet
First Stuffs Todo
3 pages
8.4.1.2 Packet Tracer - Configure and Verify A Site-To-Site IPsec VPN Using CLI
No ratings yet
8.4.1.2 Packet Tracer - Configure and Verify A Site-To-Site IPsec VPN Using CLI
5 pages
Juniper Commands v2
No ratings yet
Juniper Commands v2
29 pages
Brkcam 2007
No ratings yet
Brkcam 2007
111 pages
Lenteur SSL Palo Alto
No ratings yet
Lenteur SSL Palo Alto
17 pages
Slackware PKG Presentation
No ratings yet
Slackware PKG Presentation
33 pages
HCIE-Routing & Switching V3.0 Mock Exam
100% (1)
HCIE-Routing & Switching V3.0 Mock Exam
4 pages
Solarwinds SNMPv2 and v3 Configuration Guide
No ratings yet
Solarwinds SNMPv2 and v3 Configuration Guide
7 pages
Modular Policy Framework - MPF
No ratings yet
Modular Policy Framework - MPF
10 pages
What Are The Primary Components of An Accounting Information System (AIS) ?
No ratings yet
What Are The Primary Components of An Accounting Information System (AIS) ?
3 pages
Archive Log Issues Oracle 11g
No ratings yet
Archive Log Issues Oracle 11g
5 pages
Ai Agent
No ratings yet
Ai Agent
8 pages
Digital Forensics - Getting Started With File Systems
No ratings yet
Digital Forensics - Getting Started With File Systems
38 pages
LogicMonitor - Customer - Jan 2024
No ratings yet
LogicMonitor - Customer - Jan 2024
16 pages
Akash Deep Saha: Education Skills
No ratings yet
Akash Deep Saha: Education Skills
1 page
CST1340 - Section1GOALs - M00986493 - Amaan Khan
No ratings yet
CST1340 - Section1GOALs - M00986493 - Amaan Khan
9 pages
SecurityPlus Domain4 Notes
No ratings yet
SecurityPlus Domain4 Notes
3 pages
User Access Permissions
No ratings yet
User Access Permissions
8 pages
Paritosh Sharma Resume
No ratings yet
Paritosh Sharma Resume
2 pages
Shreya Updated Resume
No ratings yet
Shreya Updated Resume
1 page