Product and Software: This article applies to all MMS versions and ArubaOS 3.x and later.
Time is very important to MMS. The primary reason is that MMS uses SNMPv3 to exchange information with network devices. SNMPv3 is a security-enhanced version of its predecessors (SNMPv2 and SNMPv1). The two basic enhancements are:

1) Message authentication and encryption. In SNMPv1 and SNMPv2, messages were sent in clear text and could be read by anyone, and they could even be changed along the way. In SNMPv3, messages are encrypted and the sender is verified.
2) Message timeliness. The second part of message verification is the idea that a message should be delivered within a reasonable time window.

This article explains the second enhancement.
When SNMP starts on the MMS or on the controllers, there is an initial handshake. During this handshake two objects are created, snmpEngineTime and snmpEngineBoots. Both are set to zero. snmpEngineTime is incremented by one every second and signifies the number of seconds since the last SNMPd boot. These values are used together to provide a notion of time with respect to the message originator. They are included in the message and used by the receiver to discern whether the message arrived in a timely manner. The acceptable difference between the values in the message and the receiver's values is 150 seconds, which includes the time needed to traverse the network.

When a message is received, the snmpEngineBoots value is checked first:

1) If the snmpEngineBoots value is greater than the receiver's notion of it, then the receiver's notion of snmpEngineBoots and snmpEngineTime is updated.
2) If the snmpEngineBoots value is less than the receiver's notion of it, then the message is considered to be stale and is discarded.
3) If the snmpEngineBoots value is equal to the receiver's value, then the message's snmpEngineTime is compared to the receiver's value. If the difference is less than 150 seconds, the update is accepted; if not, it is discarded and this error message is displayed:
|snmp| SNMP V3 >> Message parse error: Not in life time window failure: Possible >> Privacy password mismatch. 663
The relevant part of the message is "Not in life time window". This is one reason for networks to use NTP as a time source. Using unsynchronized time sources across the network may cause time to drift and slip outside the life time window.

It should also be noted that if time is changed on a device, then the SNMP process on that device should be restarted. In the case of MMS, the application should be restarted from the admin server page. On a controller, the snmpd process should be restarted. Use the command:

process restart snmpd
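The three receiver-side rules and the effect of a time change followed by an snmpd restart can be traced with the short simulation below. It is an added example, not MMS or ArubaOS code; the names EngineClock, check_timeliness and simulate and all sample values are constructed for illustration, and the restart is modelled as a higher snmpEngineBoots value (the situation rule 1 handles).

```python
from dataclasses import dataclass

TIME_WINDOW = 150  # seconds; the acceptable difference given in the article


@dataclass
class EngineClock:
    """Receiver's notion of the sender's clock (hypothetical helper)."""
    boots: int  # snmpEngineBoots
    time: int   # snmpEngineTime, seconds since the sender's SNMP process started

    def tick(self, seconds: int) -> None:
        # The receiver advances its copy of snmpEngineTime with its own clock.
        self.time += seconds


def check_timeliness(local: EngineClock, msg_boots: int, msg_time: int) -> str:
    """Apply the three rules; return 'updated', 'accepted' or 'discarded'."""
    if msg_boots > local.boots:
        # Rule 1: sender reports more boots than we know of, so resynchronize.
        local.boots, local.time = msg_boots, msg_time
        return "updated"
    if msg_boots < local.boots:
        # Rule 2: a message from an earlier boot cycle is stale.
        return "discarded"
    # Rule 3: same boot cycle, so compare snmpEngineTime against the window.
    # Boundary per RFC 3414: only a difference of more than 150 s is rejected.
    if abs(local.time - msg_time) <= TIME_WINDOW:
        return "accepted"
    return "discarded"  # reported as "Not in life time window"


def simulate() -> list:
    """Constructed scenario: sender's time is changed, then its snmpd restarts."""
    local = EngineClock(boots=3, time=1000)
    results = [check_timeliness(local, 3, 1010)]      # ordinary network delay
    local.tick(60)                                    # receiver now at 1060
    results.append(check_timeliness(local, 3, 460))   # sender's time set back 10 min
    results.append(check_timeliness(local, 2, 1060))  # message from an older boot cycle
    results.append(check_timeliness(local, 4, 5))     # sender's snmpd was restarted
    local.tick(20)                                    # receiver now at 25
    results.append(check_timeliness(local, 4, 24))    # back inside the window
    return results


if __name__ == "__main__":
    print(simulate())
```

Until the sender's SNMP process restarts, every message in the same boot cycle keeps failing rule 3, which is why the restart is needed after a time change.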
For more information, check the SNMP v3 RFCs.