Rizwan Ansari | 21 Nov 07:40 2014

snmptrap under IPv6 after setting clientaddr

Hi all,

In an IPv6 environment, when I send an snmptrap after setting clientaddr in snmp.conf, it is sent from another interface.

Test Details..
[root@cghvhp1 ~]# cat /etc/snmp/snmp.conf
clientaddr 2001:ccc1::2
[root@cghvhp1 ~]#
[root@cghvhp1 snmp]# ifconfig eth3
eth3      Link encap:Ethernet  HWaddr 2C:44:FD:7D:D8:F1
          inet addr:192.168.110.1  Bcast:192.168.255.255  Mask:255.255.0.0
          inet6 addr: 2001:ccc1::1/0 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5342 errors:0 dropped:13 overruns:0 frame:0
          TX packets:130 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:693454 (677.2 KiB)  TX bytes:15878 (15.5 KiB)
          Interrupt:36
[root@cghvhp1 snmp]# ifconfig eth4
eth4      Link encap:Ethernet  HWaddr 2C:44:FD:7D:D8:F2
          inet addr:192.168.110.2  Bcast:192.168.255.255  Mask:255.255.0.0
          inet6 addr: 2001:ccc1::2/0 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2874 (2.8 KiB)  TX bytes:5946 (5.8 KiB)
          Interrupt:32
[root@cghvhp1 snmp]#

snmptrap is sent from eth3 while clientaddr is set to eth4.


I looked into the IPv4 code and feel that the same code is missing from the IPv6 section.

I am sending the code section missing from IPv6 in snmplib/transports/snmpUDPIPv6Domain.c:

diff --git a/snmplib/transports/snmpUDPIPv6Domain.c b/snmplib/transports/snmpUDPIPv6Domain.c
index b3eaae4..85a2f7a 100644
--- a/snmplib/transports/snmpUDPIPv6Domain.c
+++ b/snmplib/transports/snmpUDPIPv6Domain.c
<at> <at> -190,6 +190,7 <at> <at> netsnmp_udp6_transport(struct sockaddr_in6 *addr, int local)
 {
     netsnmp_transport *t = NULL;
     int             rc = 0;
+    char           *client_socket = NULL;

 #ifdef NETSNMP_NO_LISTEN_SUPPORT
     if (local)
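Review bot: `client_socket`, declared at the top of netsnmp_udp6_transport(), holds the configured clientaddr string rather than a socket, and the second hunk uses it only inside the client-session branch. A name that says what it contains (for example `client_addr_str`) would avoid confusion with `t->sock` and with the `client_addr` struct declared next to its use.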
<at> <at> -267,10 +268,29 <at> <at> netsnmp_udp6_transport(struct sockaddr_in6 *addr, int local)
 #endif /* NETSNMP_NO_LISTEN_SUPPORT */
     } else {
         /*
+         * This is a client session.  If we've been given a
+         * client address to send from, then bind to that.
+         * Otherwise the send will use "something sensible".
+         */
+        client_socket = netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID,
+                                              NETSNMP_DS_LIB_CLIENT_ADDR);
+        if (client_socket) {
+            struct sockaddr_in6 client_addr;
+            netsnmp_sockaddr_in6_2(&client_addr, client_socket, NULL);
+            rc = bind(t->sock, (struct sockaddr *)&client_addr,
+                  sizeof(struct sockaddr_in6));
+            if ( rc != 0 ) {
+                DEBUGMSGTL(("netsnmp_udp6", "failed to bind for clientaddr: %d %s\n",
+                            errno, strerror(errno)));
+                netsnmp_socketbase_close(t);
+                netsnmp_transport_free(t);
+            }
+        }
+        /*
          * This is a client session.  Save the address in the
          * transport-specific data pointer for later use by netsnmp_udp6_send.
          */
-
         t->data = malloc(sizeof(netsnmp_indexed_addr_pair));
         if (t->data == NULL) {
             netsnmp_socketbase_close(t);
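Review bot: The bind() failure branch closes and frees the transport but never returns, so control falls through to `t->data = malloc(sizeof(netsnmp_indexed_addr_pair));` and writes through `t` after `netsnmp_transport_free(t)`; add `return NULL;` right after the free. In the same block the return value of `netsnmp_sockaddr_in6_2()` is not checked, so bind() is attempted even when the clientaddr string did not parse as an IPv6 address; check it and skip or fail the bind in that case. The failure is also reported only through DEBUGMSGTL, so without debugging enabled a rejected clientaddr is silent; a regular log message would make a source-address misconfiguration visible. The removed blank line after the existing comment is an unrelated whitespace change and can be dropped from the patch.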



I need to confirm the changes. This is required to send snmptrap after setting clientaddr in snmp.conf.

Please provide your feedback regarding this change.


Thanks,
Rizwan

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
_______________________________________________
Net-snmp-users mailing list
Net-snmp-users <at> lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
David Hauck | 21 Nov 00:26 2014

snmpd.conf and 'sys*' Configuration Directives

Hi,

In case anyone is reading this list ;)...

It seems that there is no way to "reset" the sys* configuration directives
(sysName/sysDescr/sysLocation/sysContact - I've actually only played with a couple of these but I
suspect they all work similarly in this regard). I can successfully change sysLocation (for e.g.) to any
non-zero value, issue a 'pkill -HUP snmpd' and followed by an 'snmpget <other params> syslocation.0' to
retrieve the updated value. However, there's no way to represent an "empty/zero-length" string for this
directive in order to clear out/reset the object. BTW, simply commenting out the directive doesn't do
anything (i.e., the running agent simply reloads a configuration that doesn't have any new value for the
directive so the pre-existing value persists).

I'm guessing this is a limitation of the snmpd configuration file parsing? However, I see reference to
empty string context values so I'm guessing there must be some way to represent this. Is there? Otherwise,
I take it this is a bug related to limited configuration file parsing?

Regards,
-David 

------------------------------------------------------------------------------

yuvaraj r | 20 Nov 11:03 2014

Error: Couldn't open a master agentx socket to listen on (tcp:localhost:1705):

Hi,

I am running snmpd daemon with following options to communicate with my SubAgent.

snmpd -f -Lo -C --rwcommunity=public --master=agentx -Dagentx --agentXSocket=tcp:localhost:1705 udp:161


During execution of snmpd, I am getting an error like

Error: Couldn't open a master agentx socket to listen on (tcp:localhost:1705):

Can you help me to fix this error?

Regards
Raj
------------------------------------------------------------------------------
Pushpa Thimmaiah | 20 Nov 10:17 2014

Need of snmpDaemon while sending snmp traps

Hello everybody,

It seems snmptraps can be sent out without snmpDaemon running in the background. I have used the command 'snmptrap' to send traps without snmpDaemon running, and the traps were sent out successfully. OS: Ubuntu
Can anybody let me know why snmpDaemon is not necessary while sending traps?
------------------------------------------------------------------------------
sandhya reddy | 18 Nov 14:01 2014

SNMPv3 TSM snmpget doubt

I have installed net-snmp 5.6.2.1 and sent out an SNMP get request using the snmpget command. This is an SNMPv3 request over TLS that I'm sending.

The snmpget request sends out two get requests:
1) Read operation for snmpEngineID.0
2) Actual get request querying for a MIB variable, say sysContact.0

From the tool, the 1st request is going out, for which a response is received in net-snmp.
After that it is sending the same request two more times.
Finally it gives the error
Failed 5343 contextEngineID probing

Please help with the mistake I'm making.
Why is this error coming in spite of receiving a response?

Thanks
Sandhya


------------------------------------------------------------------------------
Ani A | 16 Nov 19:13 2014

Is Net-SNMP linux namespace aware?

Hello,

I have an SNMP agent, which is not VRF (namespace) aware.
So, in order to make sure SNMP packets are sent out on the correct routing instance, 
one solution seems to be, to run our SNMP agent, as a sub-agent to Net-SNMP, if 
Net-SNMP is namespace aware. I searched for a while but could not find any specific
documents related to this, hence I seek help on this forum.
Is Net-SNMP namespace aware? If so, can anyone please point me to any documents/man
pages/configs?

Thanks.
--
Ani
------------------------------------------------------------------------------
Bakshi Gulam | 16 Nov 07:30 2014

VACM Configurations Not Working

Hi All,

I've some problem with configuring VACM. My VACM configurations in
snmpd.conf seems to be not working. Any help on this would be really
appreciated.

Below are my VACM configurations in snmpd.conf. (whole snmpd.conf is
attached with this mail)

# User Creation
createUser noAuthUser
createUser MD5User MD5 "demo-password"
createUser MD5DESUser MD5 "demo-password" DES

#
# Group Specification
#       group-name      sec.model    sec.name
group   ro_group          usm       noAuthUser      # SNMPv3 username == sec.name
group   ro_group          usm        MD5User
group   rw_group          usm       MD5DESUser

#
# View Specification
#      view-name       incl/excl      subtree               mask
view      all          included        .1                                    # default-view which includes the whole MIB tree

view   system_view     excluded        .1
view   system_view     included       system
view   system_view     excluded       sysLocation.0

view   if_view         excluded        .1
view   if_view         included       system
view   if_view         included       ifTable

#
# Access Specification
#       group-name   context   sec.model   sec.level   match       read        write       notif
access  ro_group       ""         usm       noauth     exact    system_view    none        none
access  ro_group       ""         usm        auth      exact      if_view      none        none
access  rw_group       ""         usm        priv      exact        all       if_view      none

I expect noAuthUser to have read access only to system_view (which has
only system sub-tree). But I'm able to read everything (for example,
some object from ifMIB; sysLocation.0 which is excluded; etc) from
whole MIB tree via noAuthUser. Access control restrictions seems to
have no effect. Am I missing anything?

-- 
/////////////////////////
// Bakshi Gulam        //
// http://www.gulam.in //
/////////////////////////
Attachment (snmpd.conf): application/octet-stream, 3931 bytes
------------------------------------------------------------------------------
Bakshi Gulam | 14 Nov 06:12 2014

VACM Configurations Not Working

Hi All,

I've some problem with configuring VACM. My VACM configurations in snmpd.conf seems to be not working. Any help on this would be really appreciated.

Below are my VACM configurations in snmpd.conf. (whole snmpd.conf is attached with this mail)

# User Creation
createUser noAuthUser
createUser MD5User MD5 "demo-password"
createUser MD5DESUser MD5 "demo-password" DES

#
# Group Specification
#       group-name      sec.model    sec.name
group   ro_group          usm       noAuthUser      # SNMPv3 username == sec.name
group   ro_group          usm        MD5User
group   rw_group          usm       MD5DESUser

#
# View Specification
#      view-name       incl/excl      subtree               mask
view      all          included        .1                                    # default-view which includes the whole MIB tree

view   system_view     excluded        .1
view   system_view     included       system
view   system_view     excluded       sysLocation.0

view   if_view         excluded        .1
view   if_view         included       system
view   if_view         included       ifTable

#
# Access Specification
#       group-name   context   sec.model   sec.level   match       read        write       notif
access  ro_group       ""         usm       noauth     exact    system_view    none        none
access  ro_group       ""         usm        auth      exact      if_view      none        none
access  rw_group       ""         usm        priv      exact        all       if_view      none


I expect noAuthUser to have read access only to system_view (which has only system sub-tree). But I'm able to read everything (for example, some object from ifMIB; sysLocation.0 which is excluded; etc) from whole MIB tree via noAuthUser. Access control restrictions seems to have no effect. Am I missing anything? 


--
/////////////////////////
// Bakshi Gulam        //
/////////////////////////
Attachment (snmpd.conf): application/octet-stream, 3931 bytes
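
What a VACM lookup yields for the group, view and access lines posted in the two messages above, as an added example that is not part of the original posts and is not Net-SNMP code. It is a simplified model of the RFC 3415 rules (longest matching view subtree wins; the usable access entry with the highest security level is chosen); it ignores view masks and context matching, which the fragment does not use, and the function names and the `NAMES` table of standard OIDs are assumptions of this sketch.

```python
"""Simplified VACM lookup (after RFC 3415) for the snmpd.conf fragment in the post."""

# Standard numeric OIDs for the symbolic names used in the posted view lines.
NAMES = {
    "system": "1.3.6.1.2.1.1",
    "sysLocation": "1.3.6.1.2.1.1.6",
    "ifTable": "1.3.6.1.2.1.2.2",
}
LEVELS = {"noauth": 0, "auth": 1, "priv": 2}

# The post's group, view and access directives, with wrapped lines rejoined.
CONFIG = """
group   ro_group   usm   noAuthUser      # SNMPv3 username == sec.name
group   ro_group   usm   MD5User
group   rw_group   usm   MD5DESUser
view    all          included   .1
view    system_view  excluded   .1
view    system_view  included   system
view    system_view  excluded   sysLocation.0
view    if_view      excluded   .1
view    if_view      included   system
view    if_view      included   ifTable
access  ro_group  ""  usm  noauth  exact  system_view  none     none
access  ro_group  ""  usm  auth    exact  if_view      none     none
access  rw_group  ""  usm  priv    exact  all          if_view  none
"""


def to_oid(text):
    """Turn '.1', 'system' or 'sysLocation.0' into a tuple of sub-identifiers."""
    head, _, rest = text.lstrip(".").partition(".")
    dotted = NAMES.get(head, head) + ("." + rest if rest else "")
    return tuple(int(part) for part in dotted.split("."))


def parse(config):
    """Collect group, view and access directives; everything else is ignored."""
    groups, views, access = {}, {}, []
    for line in config.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "group":                      # group NAME MODEL SECNAME
            groups[(f[2], f[3])] = f[1]
        elif f[0] == "view":                     # view NAME incl/excl SUBTREE
            views.setdefault(f[1], []).append((to_oid(f[3]), f[2] == "included"))
        elif f[0] == "access":                   # access GROUP CTX MODEL LEVEL MATCH R W N
            access.append({"group": f[1], "model": f[3], "level": LEVELS[f[4]],
                           "read": f[6], "write": f[7], "notify": f[8]})
    return groups, views, access


def in_view(view_entries, oid):
    """The longest matching subtree decides; no matching subtree means excluded."""
    best = None
    for subtree, included in view_entries:
        if oid[:len(subtree)] == subtree:
            if best is None or len(subtree) > len(best[0]):
                best = (subtree, included)
    return best is not None and best[1]


def is_access_allowed(cfg, sec_name, level, oid, mode="read", model="usm"):
    """Return an RFC 3415 style status string for one request."""
    groups, views, access = cfg
    group = groups.get((model, sec_name))
    if group is None:
        return "noGroupName"
    # An access entry is usable when its required level is at or below the
    # level of the request; among usable entries the highest level wins.
    usable = [a for a in access
              if a["group"] == group and a["model"] == model
              and a["level"] <= LEVELS[level]]
    if not usable:
        return "noAccessEntry"
    view_name = max(usable, key=lambda a: a["level"])[mode]
    if view_name not in views:                   # "none" or an undefined view
        return "noSuchView"
    return "accessAllowed" if in_view(views[view_name], to_oid(oid)) else "notInView"


CFG = parse(CONFIG)

if __name__ == "__main__":
    checks = [
        ("noAuthUser", "noauth", "system.4.0"),      # sysContact.0
        ("noAuthUser", "noauth", "sysLocation.0"),
        ("noAuthUser", "noauth", "ifTable.1.2.1"),   # ifDescr.1
        ("MD5User", "auth", "ifTable.1.2.1"),
        ("MD5DESUser", "auth", "system.4.0"),
    ]
    for user, level, oid in checks:
        print(f"{user:11} {level:7} {oid:15} -> "
              f"{is_access_allowed(CFG, user, level, oid)}")
```

Under this model noAuthUser is refused both sysLocation.0 and anything under ifTable, which is the behaviour the post expects from the fragment.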
------------------------------------------------------------------------------
Gunner | 13 Nov 17:56 2014

SNMPv3 Trap specifying BOOTS,TIME

I am trying to send an SNMPv3 trap with a specific boots/time in order to avoid a window violation.  However, it appears that when I use the "-Z" parameter it is ignored and set to zero.

Sample command:
    snmptrap -v 3 -u TestUser -a MD5 -A TestPassword -l authNoPriv -Z 123,456 192.168.1.1 '' linkUp.0

I am using version 5.7.2 of net-snmp on Fedora, and used Wireshark to decode the trap and verify that msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime are both 0, where I would expect them to be 123 and 456.

Thanks!
------------------------------------------------------------------------------
David Hauck | 12 Nov 20:48 2014

Cross Compiled Test Suite Execution

Hi,

Does anyone know what the proper configuration is for executing the Net-SNMP test suite in a cross
development environment? Specifically, running the test suite on the host system while using the target
as the target under test. The default build configuration is to have the host build Net-SNMP for the target
and the resulting build directory then contains executables conditioned for the target (and these
executables potentially/likely can't be successfully run on the host).

There doesn't seem to be an obvious/simple solution to this and I wondered if I was just overlooking
something. For example, I can use SNMP_DEST_ADDR and SNMP_SNMPD_PORT to specify interaction with the
target, but, 1) the locally built executables are not executable on the host system, and 2) the
configuration files for the target are not useable locally. 

Is there a recommended way of getting around this beyond moving the entire build and testing directories
over to the target (and running the test suite(s) directly on the target).

Thanks,
-David

------------------------------------------------------------------------------

Dharm S | 12 Nov 06:21 2014

Re: Help in configuring users in DTLS

Hi Arefin,

Thanks for the response. But the issue seems to be something else. I am getting the same error again though I used 600 or 640.



On Mon, Nov 10, 2014 at 10:10 PM, M. A. Arefin <arefin.m.a <at> gmail.com> wrote:
I had a similar problem! Apparently the file permission on the certs was too open! Reducing the file permission to something like 640 or 600 solved the problem for me. Pardon me if this is not the case.

On Mon, Nov 10, 2014 at 1:59 AM, Dharm S <dharm.sk2014 <at> gmail.com> wrote:
Hi All,

I have generated certificates and used the keys while entering the SNMP commands. I ran snmpd after entering the following lines in snmp.conf:

peerCert 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
localCert 89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6

where peerCert is the fingerprint of snmpd.crt and localCert in manager.crt.

And in snmpd.conf, I have:

[snmp] localCert 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
certSecName 10 89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6 --cn

The snmpget dtlsudp:localhost:10161 sysContact.0 gives following debug messages:
cert:util:init: init
cert:index:add: dir /usr/local/etc/snmp/tls/ca-certs at index 0
cert:index:add: dir /home/anjali/.snmp/tls/certs at index 4
cert:index:add: dir /usr/local/etc/snmp/tls/private at index 2
cert:index:add: dir /home/anjali/.snmp/tls/private at index 5
cert:index:add: dir /home/anjali/.snmp/tls/ca-certs at index 3
cert:index:add: dir /usr/local/etc/snmp/tls/certs at index 1
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/ca-certs
cert:index:lookup: /usr/local/etc/snmp/tls/ca-certs (0) /var/net-snmp/cert_indexes/0
cert:index:parse: The index for /usr/local/etc/snmp/tls/ca-certs looks good
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/certs
cert:index:lookup: /usr/local/etc/snmp/tls/certs (1) /var/net-snmp/cert_indexes/1
cert:index:parse: The index for /usr/local/etc/snmp/tls/certs looks good
cert:index:parse: added 2 certs from index
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/private
cert:index:lookup: /usr/local/etc/snmp/tls/private (2) /var/net-snmp/cert_indexes/2
cert:index:parse: The index for /usr/local/etc/snmp/tls/private looks good
cert:key:struct:new: new key 0x0x9f81438 for manager.key
cert:key:struct:new: new key 0x0x9f81388 for snmpd.key
cert:index:parse: added 2 certs from index
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/ca-certs
cert:index:lookup: /home/anjali/.snmp/tls/ca-certs (3) /var/net-snmp/cert_indexes/3
cert:index:parse: The index for /home/anjali/.snmp/tls/ca-certs looks good
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/certs
cert:index:lookup: /home/anjali/.snmp/tls/certs (4) /var/net-snmp/cert_indexes/4
cert:index:parse: The index for /home/anjali/.snmp/tls/certs looks good
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/private
cert:index:lookup: /home/anjali/.snmp/tls/private (5) /var/net-snmp/cert_indexes/5
cert:index:parse: The index for /home/anjali/.snmp/tls/private looks good
cert:partner: manager.crt match found!
cert:partner: snmpd.crt match found!
cert:key:read: Checking file snmpd.key
cert:key:read: Checking file manager.key
cert:dump: -------------------- Certificates -----------------
cert:dump: cert snmpd.crt in /usr/local/etc/snmp/tls/certs
cert:dump:    type 1 flags 0x3 (identity+remote_peer)
cert:dump: cert manager.crt in /usr/local/etc/snmp/tls/certs
cert:dump:    type 1 flags 0x3 (identity+remote_peer)
cert:dump: key manager.key in /usr/local/etc/snmp/tls/private
cert:dump:    type 4 flags 0x1 (identity)
cert:dump: key snmpd.key in /usr/local/etc/snmp/tls/private
cert:dump:    type 4 flags 0x1 (identity)
cert:dump: ------------------------ End ----------------------
cert:find:params: looking for identity(1) in DEFAULT(0x0), hint 0
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 167466280
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 167466280
cert:find:params:  hint = 89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6
cert:find:found: using cert manager.crt / 8954990382e414a949d54638c05fb5b2b82771c6 for identity(1) (uses=identity+remote_peer (3))
cert:find:found: using cert manager.crt / 8954990382e414a949d54638c05fb5b2b82771c6 for identity(1) (uses=identity+remote_peer (3))
cert:find:params: looking for remote_peer(2) in DEFAULT(0x0), hint 0
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint 167493864
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 167493864
cert:find:params:  hint = 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
cert:find:found: using cert snmpd.crt / 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2) (uses=identity+remote_peer (3))
cert:find:found: using cert snmpd.crt / 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2) (uses=identity+remote_peer (3))
cert:trust_ca: checking roots for 0x9f80f08
cert:trust: putting trusted cert 0x9f81f70 = 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 in certstore 0x9fd36d0
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 167598104
cert:find:params:  hint = 8954990382e414a949d54638c05fb5b2b82771c6
cert:find:found: using cert manager.crt / 8954990382e414a949d54638c05fb5b2b82771c6 for remote_peer(2) (uses=identity+remote_peer (3))
cert:find:params: looking for remote_peer(2) in DEFAULT(0x0), hint 0
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint 167493864
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 167493864
cert:find:params:  hint = 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
cert:find:found: using cert snmpd.crt / 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2) (uses=identity+remote_peer (3))
cert:find:found: using cert snmpd.crt / 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2) (uses=identity+remote_peer (3))
The fingerprint from the remote side's certificate didn't match the expected
  got 8954990382e414a949d54638c05fb5b2b82771c6, expected 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
tsm: needed to free transport data
The fingerprint from the remote side's certificate didn't match the expected
  got 8954990382e414a949d54638c05fb5b2b82771c6, expected 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
tsm: needed to free transport data
The fingerprint from the remote side's certificate didn't match the expected
  got 8954990382e414a949d54638c05fb5b2b82771c6, expected 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
tsm: needed to free transport data
The fingerprint from the remote side's certificate didn't match the expected
  got 8954990382e414a949d54638c05fb5b2b82771c6, expected 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
tsm: needed to free transport data
The fingerprint from the remote side's certificate didn't match the expected
  got 8954990382e414a949d54638c05fb5b2b82771c6, expected 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
tsm: needed to free transport data
The fingerprint from the remote side's certificate didn't match the expected
  got 8954990382e414a949d54638c05fb5b2b82771c6, expected 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
failed rfc5343 contextEngineID probing
snmpwalk: Timeout (Success)

But if I comment out peerCert and localCert and run snmpd with fingerprints entered on the command line, I get the output.

snmpget -v 3 -u final --defSecurityModel=tsm -T our_identity=89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6 -T their_identity=09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0 dtlsudp:localhost:10161 sysContact.0 -Dcert

output:
cert:util:init: init
cert:index:add: dir /usr/local/etc/snmp/tls/ca-certs at index 0
cert:index:add: dir /home/anjali/.snmp/tls/certs at index 4
cert:index:add: dir /usr/local/etc/snmp/tls/private at index 2
cert:index:add: dir /home/anjali/.snmp/tls/private at index 5
cert:index:add: dir /home/anjali/.snmp/tls/ca-certs at index 3
cert:index:add: dir /usr/local/etc/snmp/tls/certs at index 1
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/ca-certs
cert:index:lookup: /usr/local/etc/snmp/tls/ca-certs (0) /var/net-snmp/cert_indexes/0
cert:index:parse: The index for /usr/local/etc/snmp/tls/ca-certs looks good
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/certs
cert:index:lookup: /usr/local/etc/snmp/tls/certs (1) /var/net-snmp/cert_indexes/1
cert:index:parse: The index for /usr/local/etc/snmp/tls/certs looks good
cert:index:parse: added 2 certs from index
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/private
cert:index:lookup: /usr/local/etc/snmp/tls/private (2) /var/net-snmp/cert_indexes/2
cert:index:parse: The index for /usr/local/etc/snmp/tls/private looks good
cert:key:struct:new: new key 0x0x97b6218 for manager.key
cert:key:struct:new: new key 0x0x97b6168 for snmpd.key
cert:index:parse: added 2 certs from index
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/ca-certs
cert:index:lookup: /home/anjali/.snmp/tls/ca-certs (3) /var/net-snmp/cert_indexes/3
cert:index:parse: The index for /home/anjali/.snmp/tls/ca-certs looks good
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/certs
cert:index:lookup: /home/anjali/.snmp/tls/certs (4) /var/net-snmp/cert_indexes/4
cert:index:parse: The index for /home/anjali/.snmp/tls/certs looks good
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/private
cert:index:lookup: /home/anjali/.snmp/tls/private (5) /var/net-snmp/cert_indexes/5
cert:index:parse: The index for /home/anjali/.snmp/tls/private looks good
cert:partner: manager.crt match found!
cert:partner: snmpd.crt match found!
cert:key:read: Checking file snmpd.key
cert:key:read: Checking file manager.key
cert:dump: -------------------- Certificates -----------------
cert:dump: cert snmpd.crt in /usr/local/etc/snmp/tls/certs
cert:dump:    type 1 flags 0x3 (identity+remote_peer)
cert:dump: cert manager.crt in /usr/local/etc/snmp/tls/certs
cert:dump:    type 1 flags 0x3 (identity+remote_peer)
cert:dump: key manager.key in /usr/local/etc/snmp/tls/private
cert:dump:    type 4 flags 0x1 (identity)
cert:dump: key snmpd.key in /usr/local/etc/snmp/tls/private
cert:dump:    type 4 flags 0x1 (identity)
cert:dump: ------------------------ End ----------------------
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 159287896
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 159287896
cert:find:params:  hint = 89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6
cert:find:found: using cert manager.crt / 8954990382e414a949d54638c05fb5b2b82771c6 for identity(1) (uses=identity+remote_peer (3))
cert:find:found: using cert manager.crt / 8954990382e414a949d54638c05fb5b2b82771c6 for identity(1) (uses=identity+remote_peer (3))
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint 159374304
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 159374304
cert:find:params:  hint = 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
cert:find:found: using cert snmpd.crt / 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2) (uses=identity+remote_peer (3))
cert:find:found: using cert snmpd.crt / 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2) (uses=identity+remote_peer (3))
cert:trust_ca: checking roots for 0x97b5ce0
cert:trust: putting trusted cert 0x97b6d50 = 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 in certstore 0x980f408
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint 159374304
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 159374304
cert:find:params:  hint = 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
cert:find:found: using cert snmpd.crt / 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2) (uses=identity+remote_peer (3))
cert:find:found: using cert snmpd.crt / 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2) (uses=identity+remote_peer (3))
SNMPv2-MIB::sysContact.0 = STRING: Me <me <at> example.org>

After this I uncomment peerCert and localCert in snmp.conf, and I am able to get the output using just

snmpget dtlsudp:localhost:10161 sysContact.0

Can anyone help me in understanding what makes it read while modifying snmp.conf when snmpd is running, and why it doesn't read the fingerprints as required with the initial configuration?





--
M. A. Arefin

240.401.7074 (cell)
