Unable to add IPv6 devices using SNMP/udp6, but can snmpwalk/telnet to them from LibreNMS

I recently installed the LibreNMS official docker image and got everything up and running perfectly using IPv4. Then, I attempted to add a few IPv6 devices and I cannot seem to get them to work at all (yes, I am selecting the ‘udp6’ transport method when I attempt to add them).

If I go into the container via ‘docker exec -it librenms /bin/bash’, I am able to:

  • ping the devices by both their IPv6 address and their FQDN (which resolves to the IPv6 address)
  • ‘snmpwalk’ (from the container) to the devices perfectly fine (expected output happens for both v4 and v6), using identical SNMP settings I am putting into the WebUI
  • telnet to one of the routers via the same IPv6 address I am able to successfully SNMPWalk (so I at least know outbound IPv6 packets can make it there)

I know IPv6 in general is functional because I can also browse to my LibreNMS WebUI on its IPv6 address on port 8000 (as well as several other containers, e.g. Unifi Controller).

I first suspected this was due to my relatively unorthodox network setup; I am using “macvlan” network type for the LibreNMS and its various sidecar containers – I even have the hosts connecting to each other via IPv6 for their internal services, and they’re working (memcached, redis, etc).

I initially wasn’t 100% sure that I built the Docker macvlan networks with the “–ipv6” command line switch, so I removed them all and rebuilt them to ensure that I did. If I inspect the networks, it shows Ipv6Enable as True… (as it did before) but I still get the same error whenever I go to add an IPv6 device:

bash-5.1# ./addhost.php xxxx:yyyy:zzzz:100::10 test v2c 161 udp6
Could not connect to xxxx:yyyy:zzzz:100::10, please check the snmp details and snmp reachability
SNMP v2c: No reply with community test
SNMP v2c: No reply with community public
bash-5.1# snmpwalk -c test -v 2c xxxx:yyyy:zzzz:100::10
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C1000 Software (C1000-UNIVERSALK9-M), Version 15.2(7)E3k, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Fri 04-Dec-20 00:51 by prod_rel_team
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.2897
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (23619647) 2 days, 17:36:36.47
[…]

Completely out of ideas at this point. I guess my next step could be to sniff packets and see if anything is actually making it to the device ports, but this just isn’t making any sense… it also does not seem to make a difference if it’s a V6 address that’s within the same /64 subnet (xxxx:yyyy:zzzz:100::/64) vs. another V6 subnet that it has connectivity to. (the container resides on the :100::/64 network, within the same L2 VLAN on the same switch so firewalling/ACLs are a non-factor).

Update: I sniffed traffic on one of the ports for a device that will not add and there is never any IPv6 SNMP traffic being sent, unless I am using ‘snmpwalk’ (from the container).

I also attempted to force-add the device, skipping the snmp checks, but it will only perform the ICMPv6 pings (and replies are successful) but it simply will not poll any IPv6 SNMP… strange.

Any way to debug the ‘snmp check’ process?

When the device is force-added, does it behave as expected after ? meaning discovery and polling work ?
If yes, the issue is only with the check. If not, then something more general is wrong with ipv6 implementation.

It will not poll SNMP if force-added, only ICMPv6 - I also never see the SNMP packets attempting to go to the device on the analyzer. Is there more debugging I can enable to troubleshoot? Thanks