[erlang-questions] SNMP v3 usmStatsNotInTimeWindows error

Devangana Tarafdar devangana@REDACTED
Sun Sep 11 16:46:30 CEST 2016


Hello Dominik,

Thanks you for the reply.

I  sent another sync_get after the first as you suggested. The wireshark
trace shows the manager has updated the 'msgAuthoritativeEngineBoots' and
'msgAuthoritativeEngineTime' to the values sent by the Agent as you pointed
out. But now the agent does not respond at all and the sync_get fails with
a timeout. I tried adding a second's sleep between the 2 gets as well. I
don't have access currently to the agent's logs or configuration but have
you seen this before ?

Thanks !
Devangana


On Sat, Sep 10, 2016 at 6:09 PM, Dominik Pawlak <dominik_pawlak@REDACTED>
wrote:

> Hello Devangana,
> Basically, you just have to perform the sync_get once more. I observed
> similar behavior in OTP 17.1 (snmp 4.25.1). The first request will always
> fail because the manager is not fully configured to communicate with the
> agent (more on that below).
>
> A longer explanation:
>
> In snmp v3 there is a process called 'discovery', which should be
> performed before secure communication with the agent can be established. It
> is described here:
>
> https://tools.ietf.org/html/rfc3414#section-4
>
> The snmp library in OTP does not implement that process (at least not as
> described in the RFC).
> This process has two steps: 'snmpEngineID discovery' and 'time
> synchronization'.
> The first step is skipped altogether in OTP - you have to provide engine
> id upfront.
> The second step is performed by the first request - it will always fail
> with the 'usmStatsNotInTimeWindows' error report message, but it will set
> the required 'msgAuthoritativeEngineBoots' and 'msgAuthoritativeEngineTime'
> in the manager.
>
> Best,
> Dominik
>
>
> On 10.09.2016 06:48, Devangana Tarafdar wrote:
>
> Hello,
>
> I am trying to connect to a third party SNMP agent, using snmp manager
> (snmp v3) ( in the erlang 19 release snmp 5.2.3) and I am running into a
> problem where the agent is returning this error on the manager calling
> sync_get:
>
>
> *** [2016:09:08 21:26:00 830] SNMP M-SERVER TRACE ***
>    handle_snmp_report -> entry with
>    Domain:  snmpUDPDomain
>    Addr:    {{xx,xxx,xxx,xxx},161}
>    ReqId:   37078226
>    Rep:     {invalid_sec_info,[{sec_level,3,1},
>                                {request_id,37078226,2147483647}]}
>    Pdu:     {pdu,report,2147483647,noError,0,
>                  [{varbind,[1,3,6,1,6,3,15,1,1,2,0],'Counter32',33,1}]}
> *** [2016:09:08 21:26:00 830] SNMP M-SERVER DEBUG ***
>    handle_snmp_report -> found corresponding request:
>    reply to sync request
>    Ref:    #Ref<0.0.4.210>
>    ModRef: #Ref<0.0.4.211>
>    From:   {<0.3.0>,#Ref<0.0.4.202>}
> *** [2016:09:08 21:26:00 830] SNMP M-SERVER TRACE ***
>    handle_snmp_pdu(get-response) -> Remaining: 4979
> *** [2016:09:08 21:26:00 830] SNMP M-SERVER TRACE ***
>    handle_snmp_report -> deliver reply
>
> {error,{invalid_sec_info,[{sec_level,3,1},{request_id,37078226,2147483647
> }],{noError,0,[{varbind,[1,3,6,1,6,3,15,1,1,2,0],'Counter32',33,1}]}}}
>
> *** [2016:09:08 21:26:00 831]
>
> Where [1,3,6,1,6,3,15,1,1,2,0]  maps to "usmStatsNotInTimeWindows" (from
> http://www.oid-info.com/)
>
> I have attached a  wireshark trace for the snmp part of this exchange.
>
> I am invoking the snmpm module functions through a basic script as follows
> (using tips from the tutorial at
> https://erlangcentral.org/wiki/index.php?title=SNMP_Quick_Start )
> .........
> ..........
>
>   ok = application:start(crypto),
>   ok = application:start(snmp),
>
>   Userid = "snmp3user",
>   Agent_target = "testagent",
>   Agent_engine_id = [128,0,0,8,2,0,0,26,84,40,108,176],
>   Agent_ip = {xx,xxx,xxx,xxx},
>   Agent_port = 161 ,
>   Secure_name= Userid,
>
>   Security_level = 'authPriv',
>   Security_model = 'usm',
>   Agent_version = 'v3',
>   Auth_protocol = 'usmHMACSHAAuthProtocol',
>   Priv_protocol = 'usmAesCfb128Protocol',
>
>   % this is 16 in length
>   Priv_key_local = snmp:passwd2localized_key(md5, Priv_key , Agent_engine_id),
>
>   % this is 20 in length
>   Auth_key_local = snmp:passwd2localized_key(sha, Auth_key , Agent_engine_id),
>
>   ok = snmpm:register_user(Userid,snmpm_user_default,[]),
>
>   ok = snmpm:register_usm_user(Agent_engine_id, Userid, [
>                               {auth, Auth_protocol},
>                               {auth_key,Auth_key_local},
>                               {priv, Priv_protocol},
>                               {priv_key,Priv_key_local },
>                               {sec_name, Secure_name}
>                         ]),
>   ok = snmpm:register_agent(Userid, Agent_target ,[
>                                                    {engine_id,Agent_engine_id},
>                                                    {address, Agent_ip},
>                                                    {port, Agent_port},
>                                                    {version,Agent_version},
>                                                    {sec_model,Security_model},
>                                                    {sec_name,Secure_name},
>                                                    {sec_level, Security_level}
>
>                                ]),
>   Res0 = snmpm:sync_get(Userid, Agent_target, [[1,3,6,1,4,1,9,10,19,1,1,9,1,3,7,2]]),   ........................
>
>   ........................
>
> Can anyone please tell me what I am doing wrong here ? Any tips would be appreciated !
>
>
>
> Thanks,
> Devangana
>
>
>
>
>
>
>
>
> _______________________________________________
> erlang-questions mailing listerlang-questions@REDACTED://erlang.org/mailman/listinfo/erlang-questions
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20160911/659c5e82/attachment.htm>


More information about the erlang-questions mailing list