Troubleshooting SNMPv3 in SSP

Article ID: 265594


Products

SSP SSP-S210 PLATFORM SSP-S410 SSP-S410 PLATFORM

Issue/Introduction

The purpose of this article is to provide steps that can be followed when troubleshooting SNMPv3 issues in SSP. 

 

 

 

Environment

  • SSP platform

Resolution

Testing SNMPv3 configuration

The easiest way to test the SNMPv3 configuration on SSP is to run the snmpget utility from any Linux-based operating system.

testuser@Win10:~$ snmpget -v3 -l authPriv -u testuser -a SHA1 -A "<password>" -x AES -X "<password>" IP_ADDR_OF_SSP iso.3.6.1.2.1.1.1.0
iso.3.6.1.2.1.1.1.0 = STRING: "Blue Coat Virtual Appliance, ISG release 2.4.6.1 (282037)"

The command above sends an SNMP GET request and authenticates using "testuser" as the username and "<password>" as the password. SHA1 is used as the authentication protocol and AES as the encryption protocol.

At the time of writing, SSP does not support SHA2 or AES stronger than 128. If an unsupported protocol is used, the following output can be observed:

testuser@Win10:~$ snmpget -v3 -l authPriv -u testuser -a SHA1 -A "<password>" -x AES256 -X "<password>" IP_ADDR_OF_SSP iso.3.6.1.2.1.1.1.0
snmpget: Decryption error

testuser@Win10:~$ snmpget -v3 -l authPriv -u testuser -a SHA2 -A "<password>" -x AES -X "<password>" IP_ADDR_OF_SSP iso.3.6.1.2.1.1.1.0
snmpget: Authentication failure (incorrect password, community or key)
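
The three checks above, wrapped as a script that runs each protocol combination and maps the snmpget error to its likely cause. This is an added example, not part of the original article or vendor code; it assumes net-snmp's snmpget is on PATH, and the function names and the SNMP_AUTH_PASS / SNMP_PRIV_PASS variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes net-snmp's snmpget is on PATH.
# SNMP_AUTH_PASS / SNMP_PRIV_PASS are hypothetical variable names for the
# passwords; note that -A/-X values are still visible in the process list
# while snmpget runs.

OID="iso.3.6.1.2.1.1.1.0"   # the OID queried in the article

# Map snmpget error output to the cause this article associates with it.
classify_snmp_result() {
    case "$1" in
        *"Decryption error"*)
            echo "FAIL priv (privacy protocol or password mismatch; SSP has no AES above 128)" ;;
        *"Authentication failure"*)
            echo "FAIL auth (auth protocol or password mismatch; SSP has no SHA2)" ;;
        *)
            echo "FAIL other ($1)" ;;
    esac
}

# Run one query with the given protocols and print "AUTH/PRIV: verdict".
# usage: probe_pair HOST USER AUTH_PROTO PRIV_PROTO
probe_pair() {
    if out=$(snmpget -v3 -l authPriv -u "$2" -a "$3" -A "$SNMP_AUTH_PASS" \
                     -x "$4" -X "$SNMP_PRIV_PASS" "$1" "$OID" 2>&1); then
        verdict="OK"
    else
        verdict=$(classify_snmp_result "$out")
    fi
    printf '%s/%s: %s\n' "$3" "$4" "$verdict"
}

# Try the three protocol combinations shown in the article.
# usage: probe_ssp HOST USER
probe_ssp() {
    probe_pair "$1" "$2" SHA1 AES
    probe_pair "$1" "$2" SHA1 AES256
    probe_pair "$1" "$2" SHA2 AES
}
```

Call it as probe_ssp IP_ADDR_OF_SSP testuser after exporting the two password variables; OK on the SHA1/AES line only matches the behaviour shown above.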

 

Decrypting SNMPv3 traffic

Wireshark can decrypt SNMPv3 traffic. To do that, navigate to Edit -> Preferences -> Protocols -> SNMP and click on Edit next to User Table:

The following window will appear:

To create an SNMP user, click on the highlighted '+' symbol and provide the relevant information. If the provided data is correct, the SNMPv3 traffic will be decrypted.

Additional Information

While performing the above tests, the following configuration was applied on SSP:

ISG# show running-config snmp
snmp
 agent enabled
 agent version v3
 agent engine-id from-mac-address ##:##:##:##:##:##
 agent max-message-size 50000
 system contact ""
 system name ""
 system location ""
 vacm group secure
  member testuser
   sec-model [ usm ]
  !
  access usm auth-priv
   read-view   bc
   write-view  bc
   notify-view bc
  !
 !
 vacm view bc
  subtree 1.3
   included
  !
 !
 usm local user testuser
  auth sha password <password>
  priv aes password <password>
 !
 usm local user test
  auth sha password <password>
  priv aes password <password>
 !
!