Cisco SNMPv3 using AES-256

Just checking if someone was able to successfully import Cisco devices using SNMPv3 with AES-256 encryption?

Just found this info: https://github.com/librenms/librenms/pull/12494

Thanks!
Jorge Pingitore

Just tried to import a Cisco device using SNMPv3 with Priv AES-256 or AES-192 using 21.2.0 or 21.3.0, but no luck.

It works for AES-128 but not AES-192 or AES-256.

More information for context:

Cisco Router:
SNMP Users:
Test#show snmp user

User name: testuser
Engine ID: 800000090300AABBCC000100
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: test

User name: testuser128
Engine ID: 800000090300AABBCC000100
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: test

User name: testuser192
Engine ID: 800000090300AABBCC000100
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES192
Group-name: test

SNMP config:
snmp-server group test v3 priv read testview
snmp-server view testview iso included

Debug from Cisco:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Trying with AES-256 (not working): the incoming packet is not recognized as Priv and has no username:

process_mgmt_req_int: UDP packet being de-queued

*Mar 22 15:15:22.919: SNMP: Packet received via UDP from 192.168.13.3 on Ethernet0/0SrParseV3SnmpMessage: No matching Engine ID.
SrParseV3SnmpMessage: Failed.
SrDoSnmp: authentication failure, Unknown Engine ID

*Mar 22 15:15:22.984:
Incoming SNMP packet
*Mar 22 15:15:22.984: v3 packet security model: v3 security level: noauth
*Mar 22 15:15:22.984: username:
*Mar 22 15:15:22.984: snmpEngineID: 800000090300AABBCC000100
*Mar 22 15:15:22.984: snmpEngineBoots: 0 snmpEngineTime: 0
*Mar 22 15:15:22.984: SNMP: Report, reqid 1090444888, errstat 0, erridx 0
internet.6.3.15.1.1.4.0 = 43
Test(config)#
*Mar 22 15:15:22.989: SNMP: Packet sent via UDP to 192.168.13.3
process_mgmt_req_int: UDP packet being de-queued

*Mar 22 15:15:22.992: SNMP: Packet received via UDP from 192.168.13.3 on Ethernet0/0no such type in ParseType (58) (0x3A)
ParseSequence, Unexpected type: FFFFFFFF
SrParseV3SnmpMessage: ParseSequence:
SrParseV3SnmpMessage: Failed.
SrDoSnmp: ASN Parse Error

process_mgmt_req_int: UDP packet being de-queued

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Trying with AES-128 (working):

process_mgmt_req_int: UDP packet being de-queued

*Mar 22 15:22:17.126: SNMP: Packet received via UDP from 192.168.13.3 on Ethernet0/0SrParseV3SnmpMessage: No matching Engine ID.
SrParseV3SnmpMessage: Failed.
SrDoSnmp: authentication failure, Unknown Engine ID

*Mar 22 15:22:17.242:
Incoming SNMP packet
*Mar 22 15:22:17.242: v3 packet security model: v3 security level: noauth
*Mar 22 15:22:17.242: username:
*Mar 22 15:22:17.242: snmpEngineID: 800000090300AABBCC000100
*Mar 22 15:22:17.242: snmpEngineBoots: 0 snmpEngineTime: 0
*Mar 22 15:22:17.242: SNMP: Report, reqid 99677534, errstat 0, erridx 0
internet.6.3.15.1.1.4.0 = 44
*Mar 22 15:22:17.248: SNMP: Packet sent via UDP to 192.168.13.3
process_mgmt_req_int: UDP packet being de-queued

*Mar 22 15:22:17.250: SNMP: Packet received via UDP from 192.168.13.3 on Ethernet0/0SrParseV3SnmpMessage: Failed.

*Mar 22 15:22:17.367: SNMP: Get-next request, reqid 99677533, errstat 0, erridx 0
mib-2 = NULL TYPE/VALUESrDoSnmp: received get-next pdu
CheckClassMIBView: all included

*Mar 22 15:22:17.368:
Incoming SNMP packet
*Mar 22 15:22:17.368: v3 packet security model: v3 security level: priv
*Mar 22 15:22:17.368: username: testuser128
*Mar 22 15:22:17.368: snmpEngineID: 800000090300AABBCC000100
*Mar 22 15:22:17.368: snmpEngineBoots: 1 snmpEngineTime: 4364
*Mar 22 15:22:17.368: SNMP: Response, reqid 99677533, errstat 0, erridx 0
system.1.0 = Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.7(3)M2, DEVELOPMENT TEST SOFTWARE
*Mar 22 15:22:17.373: SNMP: Packet sent via UDP to 192.168.13.3
process_mgmt_req_int: UDP packet being de-queued

*Mar 22 15:22:17.375: SNMP: Packet received via UDP from 192.168.13.3 on Ethernet0/0SrParseV3SnmpMessage: Failed.

*Mar 22 15:22:17.492: SNMP: Get-next request, reqid 99677535, errstat 0, erridx 0
system.1.0 = NULL TYPE/VALUESrDoSnmp: received get-next pdu
CheckClassMIBView: all included
CheckClassMIBView: all included

Maybe @Hans_Erasmus knows?

Are you sure your net-snmp on the LibreNMS server supports AES-256?

Hi,

I am not sure. I am assuming the latest version 21.3.0-5-gd10183475 - Mon Mar 22 2021 11:41:20 GMT-0400 was compiled with support for 256.

Is there any command that I can use to check?
snmpwalk gives me the option to use -X AES-256 and AES-192:

[root@SRV03-DMZSERVER ~]# snmpwalk
No hostname specified.
USAGE: snmpwalk [OPTIONS] AGENT [OID]

Version: 5.8
Web: http://www.net-snmp.org/
Email: [email protected]

OPTIONS:
-h, --help display this help message
-H display configuration file directives understood
-v 1|2c|3 specifies SNMP version to use
-V, --version display package version number
SNMP Version 1 or 2c specific
-c COMMUNITY set the community string
SNMP Version 3 specific
-a PROTOCOL set authentication protocol (MD5|SHA|SHA-224|SHA-256|SHA-384|SHA-512)
-A PASSPHRASE set authentication protocol pass phrase
-e ENGINE-ID set security engine ID (e.g. 800000020109840301)
-E ENGINE-ID set context engine ID (e.g. 800000020109840301)
-l LEVEL set security level (noAuthNoPriv|authNoPriv|authPriv)
-n CONTEXT set context name (e.g. bridge1)
-u USER-NAME set security name (e.g. bert)
-x PROTOCOL set privacy protocol (DES|AES|AES-192|AES-256)
-X PASSPHRASE set privacy protocol pass phrase
-Z BOOTS,TIME set destination engine boots/time

Thanks!
Jorge

Any tips on how to check if net-snmp was compiled with AES-256?

Since you see “x PROTOCOL set privacy protocol (DES|AES|AES-192|AES-256)” in the help, it should be enabled.

Regarding your error, I have no idea though.

Thanks. In the previous post I added the help info, and I can see the option for AES-256.
Maybe we have some incompatibility between the Cisco implementation and net-snmp for AES-256.

I would guess “Ethernet0/0SrParseV3SnmpMessage: No matching Engine ID.” is the first problem to look into, but I'm only guessing :)

Which OS are you on? I remember on CentOS 7 you could build net-snmp 5.8, but it still lacked the necessary OpenSSL version in order to use the SNMPv3 auth mechanisms fully. Ubuntu 20.04 worked out of the box.

I am using CentOS Stream release 8.
I had the impression that LibreNMS takes care of net-snmp and brings the feature to any OS.

I will set up an Ubuntu box to see if it works with SNMP AES-256.

Thanks!

I found out you have to use the AES-256-C option for Net-SNMP, see here: https://github.com/net-snmp/net-snmp/blob/cbf71bf391e88b387fcd0a8875b97433180db7a2/snmplib/snmpusm.c#L196
But this never shows up in the command-line list of protocols. I have a small set of patches for my local install that I have been using for a bit; I can look into doing a pull request.

Thanks for the info. It makes sense; I even tried to compile version 5.9 with --enable-blumenthal-aes but still did not get the option for AES-256-C, just the AES-256 that does not work with Cisco. It would be great if we could have that added to LibreNMS as standard, so we can start to import Cisco devices with AES-256.

Just submitted a pull request for adding/editing a host to use the AES-256-C option, and it was merged in tonight. The only portion missing is being able to set it as a default value in the WebUI.

Thank you! Now it's working with AES-256-C.
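As an added illustration (not code from this thread, LibreNMS or net-snmp), a small Python script that reads a Cisco "debug snmp packets" capture like the two posted above and separates the expected engine-ID discovery (the usmStatsUnknownEngineIDs Report every net-snmp session without a preset engine ID triggers) from the parse failure that follows it in the AES-256 capture, which in an authPriv session is consistent with the router decrypting with a privacy key derived differently from the manager's (AES-256 versus AES-256-C). The sample captures are constructed excerpts of the thread's output, and the line patterns and usmStats OID table are assumptions from the debug format shown.

```python
import re

# Constructed excerpts of the thread's two Cisco "debug snmp packets" captures
# (failing AES-256 session, working AES-128 session); not verbatim device logs.
FAILING_AES256 = """\
SrParseV3SnmpMessage: No matching Engine ID.
SrDoSnmp: authentication failure, Unknown Engine ID
v3 packet security model: v3 security level: noauth
SNMP: Report, reqid 1090444888, errstat 0, erridx 0
internet.6.3.15.1.1.4.0 = 43
no such type in ParseType (58) (0x3A)
SrDoSnmp: ASN Parse Error
"""
WORKING_AES128 = """\
SrDoSnmp: authentication failure, Unknown Engine ID
SNMP: Report, reqid 99677534, errstat 0, erridx 0
internet.6.3.15.1.1.4.0 = 44
v3 packet security model: v3 security level: priv
username: testuser128
SNMP: Response, reqid 99677533, errstat 0, erridx 0
"""
# usmStats counters (RFC 3414) as the router prints them inside a Report PDU.
USM_STATS = {
    "internet.6.3.15.1.1.4.0": "usmStatsUnknownEngineIDs",
    "internet.6.3.15.1.1.5.0": "usmStatsWrongDigests",
    "internet.6.3.15.1.1.6.0": "usmStatsDecryptionErrors",
}

def summarize(debug_text):
    """Count the USM events in a capture and name any usmStats the agent reported."""
    s = {"reports": [], "parse_errors": 0, "priv_users": set(), "responses": 0}
    for line in debug_text.splitlines():
        if m := re.match(r"(internet\.6\.3\.15\.1\.1\.\d+\.0) = \d+", line):
            s["reports"].append(USM_STATS.get(m.group(1), m.group(1)))
        elif "ASN Parse Error" in line or "no such type in ParseType" in line:
            s["parse_errors"] += 1
        elif m := re.match(r"username: (\S+)", line):  # empty on discovery probes
            s["priv_users"].add(m.group(1))
        elif line.startswith("SNMP: Response"):
            s["responses"] += 1
    return s

def verdict(debug_text):
    """The discovery Report is normal; a parse error right after it, with no
    auth failure reported, is consistent with a privacy-key mismatch."""
    s = summarize(debug_text)
    if s["responses"] and s["priv_users"]:
        return "authpriv_ok"
    if s["parse_errors"]:
        return "priv_key_mismatch"
    if "usmStatsUnknownEngineIDs" in s["reports"]:
        return "discovery_only"
    return "no_snmpv3_exchange"
```

Feed it the raw router debug text; a "priv_key_mismatch" verdict with SHA auth configured on both sides points at the privacy key derivation (AES-256 vs AES-256-C) rather than at the auth passphrase.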
