Ad Widget

**kaspars.mednis** · 05-02-2018, 11:20

Hi,

This is the first time i hear about the idea of using just only one poller on Zabbix server... its really strange, people uses hundreds of pollers usually without any issues, Zabbix is designed to use multiple concurrent pollers. I have polled multiple SNMPv3 devices without any issues.

You problem may be the Timeout settings in zabbix_server conf , the default timeout of 3 seconds may be not enough for snmpv3. My suggestions, if you have the default timeout:

- set back the poller count to 5
- increase the timeout settings to 10 and restart the Zabbix server

Regards,
Kaspars

**steveroebuck** · 05-02-2018, 17:39

Hi Kasper

Thanks for your reply, the issue we have is when we utilise SHA/AES authentication, the issue doesn't occur if we lower our security to MD5/DES, this can be seen the in the packet traces, when using multiple pollers none of the pollers send out the information encrypted with SHA/AES they send out using MD5/DES.

A single poller sends out SHA/AES just fine.

**kaspars.mednis** · 05-02-2018, 17:40

Thanks for your feedback, that sounds like a bug, will check that

Regards,
Kaspars

**kaspars.mednis** · 05-02-2018, 17:47

just a few questions:

- your exact Zabbix server version ?
- are your snmpEngineIDs unique ?

If monitoring SNMPv3 devices, make sure that msgAuthoritativeEngineID (also known as snmpEngineID or “Engine ID”) is never shared by two devices. According to RFC 2571 (section 3.1.1.1) it must be unique for each device.

Kaspars

**sfl** · 06-02-2018, 22:46

Hi all,

I'm experiencing same issue with snmp v3. Startpoller to 1 seems to solve the issue. Running Zabbix 3.4.6 package on ubuntu xenial.

checked snmpengineid, all are different.

I did not think it could come from SHA or AES cipher.

@steveroebuck, do you use package or compiled zabbix version ?

Sfl

**steveroebuck** · 15-02-2018, 11:27

Hi Guys

Sorry for the delay in replying I have been on leave.

@Kaspars

Yes all devices have unique engine ID's and as previously stated the problem vanishes if you use either a single poller or swap out auth type to DES/MD5.

We have had the issue with 3.4.2 and now 3.4.5

@sfl we are using the dockerised deployment, but I have also stood up and deployed on stand alone VM's and had the same issue with 3.4.2 and 3.4.5. Official bug reports have led to many a wild goose chase. If you are experiencing the same might be worth having a look at some packet traces in wireshark with your AES/SHA credentials supplied, to see if you are getting the same auth failures and malformed packets out of zabbix that we are.

**steveroebuck** · 20-02-2018, 16:45

Anyone got any suggestions/advice or a fix for this issue, Zabbix themselves claim it's not a bug and I am having no luck with any bug fixes from them directly.

**steveroebuck** · 26-03-2018, 10:51

We are still having issues with this exclusively when using AES/SHA on SNMP v3 Devices, Zabbix insist it's not a bug, but all my investigations point to it being a zabbix issue.

**Viks** · 26-03-2018, 12:17

This is not a Zabbix bug, but your machine issue
This is a Violation of RFC 2571 (SNMP).

Please configure your device according to RFC and you will not have issues.

**steveroebuck** · 26-03-2018, 15:23

If our "devices" are none standard (Trend Tipping Point, Checkpoint FW, F5 GTM and HPE 5900 series switches) can you explain why I can SNMPwalk then all fully, they have been working without issue in Solarwinds and they can all also be added without issue to LIbrenms, we only see the authentication issues once we add multiple devices, I have monitor a single HPE 5900 switch via a Zabbix proxy I get no issues, I can sometimes manage to monitor 2 devices, but soon as I go beyond this I start to get issues with ports going to "no supported". If my template or credentials were incorrect all ports would fail not just some seemingly at random.

If we are still going with the thought that we are not in compliance with RFC 2571 can you please explain to me how a single device will work fine, or if I utilise a single poller it also works fine.

If you look at the original packet captures you will see that when multiple pollers are used Zabbix is not sending out AES/SHA as requested it starts sending out packets with MD5/DES.

**Viks** · 26-03-2018, 15:50

Can you specify which equipment / system / software (OS, model, version) have issues
and list each of them with a full engineID?

**steveroebuck** · 26-03-2018, 16:42

As we have over 50 switches in our environment I have just listed a sample below

HPE 5900AF-48XG-4QSFP+ Switch - HPE Comware Software, Version 7.1.045 Release 2432P02 - Engine ID = 800063A280CC3E5F74B18300000001

HPE 6125XLG Blade Switch - HPE Comware Software, Version 7.1.045, Release 2432P01 - Engine ID = 800063A280CC3E5F95ED6400000001

HPE FF 5930-2Slot+2QSFP+Switch - HPE Comware Software, Version 7.1.045, Release 2432P02 Engine ID = 800063A2802C233A3EFA7700000001

HPE FF 5900CP-48XG-4QSFP+ - HPE Comware Software, Version 7.1.045, Feature 2427 - Engine ID = 800063A280443192353CAB00000001

HPE 6127XLG Ethernet Blade Switch - HPE Comware Software, Version 7.1.045, Release 2432P01 = Engine ID = 800063A280CC3E5FA06ED300000001

F5 GTM - BIG-IP 11.6.0 Build 6.43.442 Engineering Hotfix HF6 - Engine ID = 0x80001f88802c40a363219c8858

We have multiple of each of the above and we are experiencing the issues with them sporadically.

**Viks** · 26-03-2018, 17:10

Simply collect the EngineID values from all your installations
and checking whether they are all realy unique and not repeating.

It can even be very easily done by creating metric item:
SNMP-FRAMEWORK-MIB::snmpEngineID.0
or
.1.3.6.1.6.3.10.2.1.1.0

**steveroebuck** · 27-03-2018, 12:36

As we are still evaluation Zabbix as a solution I have scaled back what is being monitored to the following devices and I am experiencing the same issues with some ports being discovered correctly and others being "not supported" due to authentication issues.

HPE 5900AF-48XG-4QSFP+ Switch - HPE Comware Software, Version 7.1.045 Release 2432P02 - Engine ID = 800063A280CC3E5F74B18300000001
HPE 6125XLG Blade Switch - HPE Comware Software, Version 7.1.045, Release 2432P01 - Engine ID = 800063A280CC3E5F95ED6400000001
HPE FF 5930-2Slot+2QSFP+Switch - HPE Comware Software, Version 7.1.045, Release 2432P02 Engine ID = 800063A2802C233A3EFA7700000001
HPE 6127XLG Ethernet Blade Switch - HPE Comware Software, Version 7.1.045, Release 2432P01 = Engine ID = 800063A280CC3E5FA06ED300000001
HPE 5900AF-48XG-4QSFP+ Switch - HPE Comware Software, Version 7.1.045, Feature 2427 = Engine ID = 800063A280CC3E5F75A94F00000001
HPE 6125XLG Blade Switch - HPE Comware Software, Version 7.1.045, Release 2432P01 = Engine ID = 800063A280CC3E5F6C66DC00000001
F5 GTM - BIG-IP 11.6.0 Build 6.43.442 Engineering Hotfix HF6 - Engine ID = 0x80001f88802c40a363219c8858

These are the only devices currently being monitored via our Zabbix installation, all are using Authpriv with AES/SHA

Ad Widget

SNMP v3 Issues

SNMP v3 Issues

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment