Authorization Error 'SR_NO_GROUP_ERROR' While Trying To Query For A Particular SNMPv3 User On Switch

By esupport posted Jul 26, 2020 07:29 PM

  
Problem:

Switch debug shows "SR_NO_GROUP_ERROR: cannot find security name: test6[ sec model: 3 in vacmSecurityToGroupTable" when trying to query for a particular SNMPv3 user.



Diagnostics:

Below is the SNMP configuration on the switch:
 

no snmp-server enable
snmp-server response-source 10.23.227.1
snmp-server trap-source 10.23.227.1
snmp-server contact "Aruba-Network-Team" location "abc"
snmpv3 enable
snmpv3 only
snmpv3 restricted-access
snmpv3 group operatorauth user "HP" sec-model ver3
snmpv3 user "aruba"

 

On the SNMP server, we query for SNMPv3 user "aruba" and receive the error below:
 

 

Switch debug shows the below:
 

0039:09:20:48.68 SNMP mSnmpRcv:recv pkt: from: 10.20.64.26:55852 to:
   10.23.227.24 ifIndex:5481 packet size:132
0039:09:20:48.68 SNMP mSnmpCtrl:********Start pdu processing*********
0039:09:20:48.68 SNMP mSnmpCtrl:Incoming Packet: addr = 10.20.64.26:55852,length
   = 132
0039:09:20:48.68 SNMP mSnmpCtrl:Version: 3
0039:09:20:48.68 SNMP mSnmpCtrl:30 81 81 02 01 03 30 11 02 04 50 3b bb 38 02 03
0039:09:20:48.68 SNMP mSnmpCtrl:00 80 00 04 01 07 02 01 03 04 37 30 35 04 0c 00
0039:09:20:48.68 SNMP mSnmpCtrl:00 00 0b 00 00 f4 03 43 36 1f 80 02 01 6a 02 03
0039:09:20:48.68 SNMP mSnmpCtrl:33 ed f1 04 05 61 72 75 62 61 04 0c 00 00 00 00
0039:09:20:48.68 SNMP mSnmpCtrl:00 00 00 00 00 00 00 00 04 08 a9 95 00 c4 27 00
0039:09:20:48.68 SNMP mSnmpCtrl:06 b3 04 30 30 2e 04 0c 00 00 00 0b 00 00 f4 03
0039:09:20:48.68 SNMP mSnmpCtrl:43 36 1f 80 04 00 a1 1c 02 04 50 3b bb 38 02 01
0039:09:20:48.68 SNMP mSnmpCtrl:00 02 01 00 30 0e 30 0c 06 08 2b 06 01 02 01 01
0039:09:20:48.68 SNMP mSnmpCtrl:04 00 05 00
0039:09:20:48.68 SNMP mSnmpCtrl:request-id type: 161: GET_NEXT_REQUEST_TYPE
0039:09:20:48.68 SNMP mSnmpCtrl:request id:1346091832
0039:09:20:48.68 SNMP mSnmpCtrl:error status:0
0039:09:20:48.68 SNMP mSnmpCtrl:error index :0
0039:09:20:48.70 SNMP mSnmpCtrl:sysContact.0 = NULL TYPE/VALUE
0039:09:20:48.70 SNMP mSnmpCtrl:findContextInfo:SR_NO_GROUP_ERROR: cannot find
   security name: arubaw▒▒Bt sec model: 3 in vacmSecurityToGroupTable
0039:09:20:48.70 SNMP mSnmpCtrl:SrDoSnmp:  SR_NO_GROUP_ERROR
0039:09:20:48.70 SNMP mSnmpCtrl:SrDoSnmp:received get-next pdu
0039:09:20:48.70 SNMP mSnmpCtrl:Outgoing Packet: addr = 10.20.64.26:55852,length
   = 131
0039:09:20:48.70 SNMP mSnmpCtrl:Version: 3
0039:09:20:48.70 SNMP mSnmpCtrl:30 81 80 02 01 03 30 10 02 04 50 3b bb 38 02 02
0039:09:20:48.70 SNMP mSnmpCtrl:05 c0 04 01 03 02 01 03 04 37 30 35 04 0c 00 00
0039:09:20:48.70 SNMP mSnmpCtrl:00 0b 00 00 f4 03 43 36 1f 80 02 01 6a 02 03 33
0039:09:20:48.70 SNMP mSnmpCtrl:ed f1 04 05 61 72 75 62 61 04 0c cc 66 22 63 1c
0039:09:20:48.70 SNMP mSnmpCtrl:0f 22 44 48 24 20 23 04 08 62 61 00 34 2e 32 36
0039:09:20:48.70 SNMP mSnmpCtrl:3a 04 30 ed 9c 07 df 61 11 1a a7 e4 d5 4d 1c e6
0039:09:20:48.70 SNMP mSnmpCtrl:87 fe 50 75 35 84 5f f4 b5 01 6c 13 f1 12 7b 5a
0039:09:20:48.70 SNMP mSnmpCtrl:40 be 56 65 4e 40 80 63 55 fd d7 3d e4 87 9f a6
0039:09:20:48.70 SNMP mSnmpCtrl:da 6b bf
0039:09:20:48.70 SNMP mSnmpCtrl:*****End pdu processing:out_packet_len is
   131*****

 



Solution

The poll fails with the above error message because the user mapped to the snmpv3 group is not the user we are trying to poll.

The user we are trying to poll is "aruba":
     snmpv3 user "aruba"

However, the user mapped to the snmpv3 group is "HP":
     snmpv3 group operatorauth user "HP" sec-model ver3

This is a mismatch in the configuration.

Without a mapping from an snmpv3 user to a specific group, the switch finds no entry for that user in vacmSecurityToGroupTable and cannot determine the privilege level the user has. Hence, we get the error authorization failed / authorization error.

Below will be the suggested changes to the configuration:

The command:
     snmpv3 group operatorauth user "HP" sec-model ver3

is to be replaced with the correct user as below:
     snmpv3 group operatorauth user "aruba" sec-model ver3

 

Configuration after changes would look like the below:

no snmp-server enable
snmp-server response-source 10.23.227.1
snmp-server trap-source 10.23.227.1
snmp-server contact "Aruba-Network-Team" location "abc"
snmpv3 enable
snmpv3 only
snmpv3 restricted-access
snmpv3 group operatorauth user "aruba" sec-model ver3
snmpv3 user "aruba"
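
A configuration check for the mismatch described above, as an added example that is not part of the original article or any vendor tooling: it parses the two statement forms shown on this page and reports users that have no ver3 group mapping, along with group mappings that name an undefined user. The function name audit_snmpv3 and the result keys are assumptions made for illustration.

```python
import re

# Statement forms taken from the switch configuration shown on this page.
USER_RE = re.compile(r'^snmpv3 user "([^"]+)"')
GROUP_RE = re.compile(r'^snmpv3 group (\S+) user "([^"]+)" sec-model (\S+)')

def audit_snmpv3(config):
    """Report users with no ver3 group mapping and mappings to undefined users."""
    users, mappings = set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            users.add(m.group(1))
        elif m := GROUP_RE.match(line):
            group, user, sec_model = m.groups()
            mappings[(user, sec_model)] = group
    mapped_v3 = {user for (user, model) in mappings if model == "ver3"}
    return {
        # These users would hit SR_NO_GROUP_ERROR when polled.
        "unmapped_users": sorted(users - mapped_v3),
        # Group entries whose user has no "snmpv3 user" statement.
        "orphan_mappings": sorted({u for (u, _) in mappings if u not in users}),
    }

# SNMPv3 lines from the page's original and corrected configurations.
BEFORE = '''
snmpv3 enable
snmpv3 only
snmpv3 restricted-access
snmpv3 group operatorauth user "HP" sec-model ver3
snmpv3 user "aruba"
'''
AFTER = BEFORE.replace('user "HP"', 'user "aruba"')

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_snmpv3(cfg))
```

Security names are compared case-sensitively here, so "Aruba" and "aruba" would be reported as a mismatch.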

 
