Network Management

Trying to setup SNMPv3 on HP 2920 for HP IMC communication.

http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c03323388

http://evilrouters.net/2008/12/22/snmpv3-configuration-for-procurve-5400s/

http://h30499.www3.hp.com/t5/ProCurve-ProVision-Based/Help-Configuring-SNMPv3/m-p/6704252/highlight/false#M7357


snmpv3 user cacti auth sha AUTHPASS priv PRIVPASS

(ofcourse I replaced the AUTHPASS & PRIVPASS with my own values)

Theatre-Stack# show snmpv3 user cacti

 Status and Counters - SNMP v3 Global Configuration Information

  User Name        : cacti
  Auth. Protocol   : SHA
  Privacy Protocol : CBC DES

The SNMP seems to work with tester tool:

http://www.paessler.com/tools/snmptester

Paessler SNMP Tester 5.1.3
08/05/2015 12:56:24 (11 ms) : Device: 10.0.1.40
08/05/2015 12:56:24 (15 ms) : SNMP V3
08/05/2015 12:56:24 (20 ms) : Uptime
08/05/2015 12:56:24 (92 ms) : -------
08/05/2015 12:56:24 (97 ms) : DISMAN-EVENT-MIB::sysUpTimeInstance = 121134700 ( 14 days )
08/05/2015 12:56:24 (190 ms) : HOST-RESOURCES-MIB::hrSystemUptime.0 = No such object (SNMP error # 222) ( 0 seconds )
08/05/2015 12:56:24 (195 ms) : Done

And also with snmpwalk:

C:\SNMPTester>SnmpWalk.exe -r:"10.0.1.40" -v:3 -sn:cacti -ap:SHA -aw:AUTHPASS -pp:DES -pw:PRIVPASS -os:.1.3.6.1.
2.1.10.7.10.1.2.1 -op:.1.3.6.1.2.1.10.7.10.1.2.10
SnmpWalk v1.01 - Copyright (C) 2009 SnmpSoft Company
[ More useful network tools on http://www.snmpsoft.com ]

OID=.1.3.6.1.2.1.10.7.10.1.2.2, Type=Integer, Value=1
OID=.1.3.6.1.2.1.10.7.10.1.2.3, Type=Integer, Value=1
OID=.1.3.6.1.2.1.10.7.10.1.2.4, Type=Integer, Value=1
OID=.1.3.6.1.2.1.10.7.10.1.2.5, Type=Integer, Value=1
OID=.1.3.6.1.2.1.10.7.10.1.2.6, Type=Integer, Value=1
OID=.1.3.6.1.2.1.10.7.10.1.2.7, Type=Integer, Value=1
OID=.1.3.6.1.2.1.10.7.10.1.2.8, Type=Integer, Value=1
OID=.1.3.6.1.2.1.10.7.10.1.2.9, Type=Integer, Value=1
OID=.1.3.6.1.2.1.10.7.10.1.2.10, Type=Integer, Value=1
Total: 9



But IMC gives me error each time:

Failure:

1. Check that the SNMP Set community name is correct.
With SNMPv3 adopted, the username, authentication password,
privacy password and privacy mode for the device and the iMC should be the same.
2. Error code such as no such name may occur in the Set operation.
You need to capture packets to analyze whether such error occurs in the response received by the device.

Any ideas how to get it working?


Seb

100+ views and not a single reply...

Does that mean anything?

>Does that mean anything?

Only the obvious, none of your peers knows the answer or there isn't enough info.

Have you tried contacting the HPSC?

http://h20566.www2.hpe.com/portal/site/hpsc

Try the usual things - double-check that you've got the right username/password set in IMC, check that you've got the right encryption/authentication settings.

Use tcpdump to take a closer look at the traffic that IMC is trying to send. You can even load the SNMPv3 passphrases into Wireshark to decrypt the packets. That lets you check that IMC is sending packets with the right authentication settings. If it's not sending them with the right parameters, then dig into IMC. Check things like special characters in passwords. 

If IMC is sending packets with the right auth parameters, but the switch isn't responding, then investigate the switch settings more closely.

I honestly do not have the time to fix it, it is not my only job. Paying big money for a poroduct one could expct it to work (or is that too much to ask?)

I have x-times checked the config & it works (as stated in first post), and is correctly filled in IMC

What IMC does or does not do, not really fancy trying to "fix it" myself.

Surely I can not be the only one trying to use SNMP v3?

Seb

---

@spgsitsupport wrote:

I honestly do not have the time to fix it, it is not my only job. Paying big money for a poroduct one could expct it to work (or is that too much to ask?)

 

I have x-times checked the config & it works (as stated in first post), and is correctly filled in IMC

 

What IMC does or does not do, not really fancy trying to "fix it" myself.

 

Surely I can not be the only one trying to use SNMP v3?

 

Seb

---

Well, other people, including me, are successfully using IMC with SNMPv3, both with 2920s & with other vendors/devices. That implies it's something specific to your setup which is broken.

It's normal troubleshooting. You need to try to isolate the problem. I provided some suggestions for things you could try, which wouldn't take more than half an hour. It would be less time than you've spent on this forum. That would at least narrow it down to either a switch or an IMC issue, and from there you would know what you needed to do - either change configuration, or log a support case.

Here is some text from our training manuals on how we configure SNMP v3.  Please note at the end, we only allow SNMPv3 for security purposes.  User input are highlighted in red.

configure

snmpv3 enable

You will get the following response from the switch:

SNMPv3 Initialization process.

Creating user 'initial'

Authentication Protocol: MD5

Enter authentication password: 12345678

Privacy protocol is DES

Enter privacy password: 12345678

##YOU WILL DELETE THIS USER LATER, SO THE PASSWORD DOES NOT MATTER##

User 'initial' has been created

Would you like to create a user that uses SHA? [y/n] n

User creation is done.  SNMPv3 is now functional.

Would you like to restrict SNMPv1 and SNMPv2c messages to have read only access (you can set this later by the command 'snmp restrict-access'): y

Type the following commands:

show snmpv3 user

Status and Counters - SNMP v3 Global Configuration Information

  User Name                        Auth. Protocol   Privacy Protocol

  -------------------------------- ---------------- ----------------

  initial                          MD5              CBC DES

Issue the following command:

snmpv3 user [username] auth sha [auth password] priv aes [priv password]

Type

show snmpv3 user

Status and Counters - SNMP v3 Global Configuration Information

  User Name                        Auth. Protocol   Privacy Protocol

  -------------------------------- ---------------- ----------------

  initial                          MD5              CBC DES

  snmpv3user                       SHA              CFB AES-128

Verify that the user has been create.  Finish with the following commands to add the IMC/SNMPv3 user to a privledged group:

snmpv3 group managerpriv user [username] sec-model ver3

no snmpv3 user initial

type “show snmpv3 user” again and make sure the only the following user exists:

 Status and Counters - SNMP v3 Global Configuration Information

  User Name                        Auth. Protocol   Privacy Protocol

  -------------------------------- ---------------- ----------------

  snmpv3user                       SHA              CFB AES-128

Type the following commands to disable SNMPv1/v2: 

snmpv3 only

snmpv3 restricted-access

Remember to ALWAYS SAVE your configuration if it works.

wr mem

In IMC, go to System, --> Resource Management, -->SNMP Template

Add an IMC Profile with Parameter Tycp:  SNMPv3 Priv-AES123 Auth-Sha

Use the [username], [auth password], and [priv password] from above and you should be set.

If you still need help after this, please post back.

Hi.

I know this is basically the same information as the above post, with the difference of priv-des, which is required

for older procurve switches.

This is straight from my "baseline" for procurve switches. There are minor differences between older and newer procurve devices, but the same format applies.

For the switch:

snmpv3 enable
snmpv3 user manager auth sha password priv password
snmpv3 group managerpriv user manager sec-model ver3
no snmpv3 user initial
snmp-server contact "Company, Department, Phone number" location "location"

And this is from IMC

Name: Manager SNMP

Parameter Type*:  SNMPv3 Priv-Des Auth-Sha

I really have no problem following instructions.

I have fuly working SNMP v3 as stated in FIRST post.

Firmware WB.15.16.0008

  User Name                        Auth. Protocol   Privacy Protocol
  -------------------------------- ---------------- ----------------
  cacti                            SHA              CBC DES

In IMC I have

Name: Manager SNMP

Parameter Type*:  SNMPv3 Priv-Des Auth-Sha

SOLVED:

I could not get it to work with

group operatorauth (WHY?)

I needed to use

group managerpriv

Seb

Aody knows the WHY?

---

@spgsitsupport wrote:

Aody knows the WHY?

---

It's hard to say without knowing your complete device configuration.

Check on the switch what it say about the group and you'll find answer.

Best Regards.