VERSA SNMP SERVICE TROUBLESHOOT
SNMP common problems of v2c and v3:
Unable to send traps
Unable to reply SNMP poll
Desired SNMP version not enabled
SNMP agent ip address is not 127.0.0.1
SNMP manager not listening to the right UDP port and not sending out with correct port.
Default SNMP port changed.
By default, the SNMP agent is disabled on flexvnf.
Community mismatch.
snmp-server unreachable
Using wrong mib to poll info. There are versa specific MIBs.
Target-source not properly configured.
Depending on the kind of issue the customer faces, troubleshooting steps vary. In general, the below troubleshooting steps can be followed.
Bird view troubleshooting steps:
Ensure snmp-server is reachable.
Ensure vnf-manager configuration has an SNMP exit interface and the server IP address. If this part is not configured, the SNMP daemon does nothing.
Ensure desired SNMP version is configured.
Ensure snmp-server IP address is configured properly for (v2c).
Be sure to check the authentication configuration.
Detail troubleshooting steps:
Ensure snmp agent is enabled
set snmp agent enableEnsure agent ip address is 127.0.0.1
set snmp agent ip 127.0.0.1Ensure snmp is listening to port 161. Snmp-server sends snmp poll with destination IP address 161.
set snmp agent udp-port 161Ensure desired SNMP version is running. V2c and v3 have commonly used SNMP versions. Depending on the version enabled, need to troubleshoot according.
set snmp agent version v2c
set snmp agent version v3Ensure snmp community is configured. SNMP community is nothing but a password used between snmp-agent and snmp-manager.
set snmp community versa sec-name versa123
Note:
versa = community name
versa123 = community password. Be sure to configure the SNMP server IP address (v2c).
Ensure that target-source is configured, may not always be necessary.
Ensure that the SNMP access method is no-auth-no-priv. This is applicable to v2c. For v3, need to take care of the username and password.
Ensure views are enabled.
Check that server IP address is reachable and available in the routing table.
Ensure that vnf-manager is properly configured. This is important. You need to include the interface name in the vnf-interface list and server ip address in vnf-managent-ip.
For example:
admin@cpe7-cli> show configuration system vnf-manager
ip-addresses [ 10.100.1.1/32 10.100.1.10/32 210.1.1.2/32 ]; <<<<<remplace 210.1.1.2/32 with 10.163.40.228/32 (server ip)
vnf-mgmt-interfaces [ tvi-0/7.0 vni-0/1.0 ]; <<<< replace vni-0/1.0
with lan port (vni-0/4.0)
Use tcmpdump whenever necessary filtering with ports 161 and 162. For example: look for Getrequest and GetReply.
admin@cpe7-cli> tcpdump vni-0/1 filter "port 161 or port 162" Starting capture on vni-0/1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vs_trc_vni_0_1, link-type EN10MB (Ethernet), capture size 262144 bytes
03:50:05.813321 52:54:00:a2:a6:58 > 52:54:00:65:3f:af, ethertype IPv4 (0x0800), length 78: 210.1.1.2.58884 > 210.1.1.1.161: GetRequest(21) .1.3
03:50:05.817306 52:54:00:65:3f:af > 52:54:00:a2:a6:58, ethertype IPv4 (0x0800), length 78: 210.1.1.1.161 > 210.1.1.2.58884: GetResponse(21) .1.3=[noSuchObjectUse below debugging tools to collect developer-level messages. Run tail command before initiating SNMP poll/trap. It shows important information about what's going on; authentication failed, succeed, etc.
set confdConfig logs developerLogLevel trace
set confdConfig Logs snmpLogLevel info [admin@cpe7: confd] $ cd /var/log/versa/confd/
[admin@cpe7: confd] $ sudo tail -f devel.log
<INFO> 29-Nov-2018::06:50:31.294 cpe7 confd[5961]: devel-snmpa auth
init check failed: noGroupNameYou should be able to conclude something by using the above steps. It's common to see configuration mistakes in customer setup.
Keep the working config ready for reference. You can use below:
snmpv3 and v2c working config example:
set snmp agent enabled
set snmp agent ip 127.0.0.1
set snmp agent udp-port 161
set snmp agent version v2c
set snmp agent version v3
set snmp agent engine-id
set snmp agent engine-id enterprise-number 42359
set snmp agent engine-id from-ip 210.1.1.2 <<< replace with
10.163.40.228 or server ip.
set snmp agent max-message-size 2000
set snmp system contact ""
set snmp system name CPCPE00000142TGG-PRU-PH-01
set snmp system location "7F UPTOWN PLACE TOWER 1, 1 EAST 11TH
DRIVE, UPTOWN BONIFACIO,TAGUIG CITY,METRO MANILA, PHILIPPINES 1634"
set snmp community public sec-name public
set snmp target v2_10.163.40.228 ip 210.1.1.2 <<< replace with
10.163.40.228 or server ip.
set snmp target v2_10.163.40.228 udp-port 162
set snmp target v2_10.163.40.228 tag [ std_v2_inform std_v2_trap ]
set snmp target v2_10.163.40.228 timeout 1500
set snmp target v2_10.163.40.228 retries 3
set snmp target v2_10.163.40.228 v2c sec-name public
set snmp notify std_v1_trap tag std_v1_trap
set snmp notify std_v1_trap type trap
set snmp notify std_v3_inform tag std_v3_inform
set snmp notify std_v3_inform type inform
set snmp notify std_v3_trap tag std_v3_trap
set snmp notify std_v3_trap type trap
set snmp target-source 210.1.1.1 <<< replace 210.1.1.1 with vni-
0/4.0 ip address.
set snmp vacm group All-Rights member netvendor sec-model [ usm ]
set snmp vacm group All-Rights member public sec-model [ v2c ]
set snmp vacm group All-Rights access any no-auth-no-priv
set snmp vacm group All-Rights access v2c no-auth-no-priv read-view
internet
set snmp vacm group All-Rights access v2c no-auth-no-priv write-
view internet
set snmp vacm group All-Rights access v2c no-auth-no-priv notify-
view internet
set snmp vacm group All-Rights access usm auth-priv read-view
internet
set snmp vacm group All-Rights access usm auth-priv write-view
internet
set snmp vacm group All-Rights access usm auth-priv notify-view
internet
set snmp vacm view internet subtree 1.2 included
set snmp vacm view internet subtree 1.3 included
set snmp vacm view internet subtree 1.3.6.1 included
set snmp usm local user netvendor auth
set snmp usm local user netvendor auth sha
set snmp usm local user netvendor auth sha password G5n5nmp3509
set snmp usm local user netvendor priv
set snmp usm local user netvendor priv aes
set snmp usm local user netvendor priv aes password G5n5nmp3509 admin@cpe7-cli> show configuration system vnf-manager
ip-addresses [ 10.100.1.1/32 10.100.1.10/32 210.1.1.2/32 ]; <<<<<
remplace 210.1.1.2/32 with 10.163.40.228/32 (server ip)
vnf-mgmt-interfaces [ tvi-0/7.0 vni-0/1.0 ]; <<<< replace vni-0/1.0
with lan port (vni-0/4.0)These tools and commands will come in handy in times of need:
Show route routing-instance
ping <snmp server-ip> routing-instance <>
show configuration snmp | display set
show configuration vnf-management
tcpdump vni-0/<> filter “port 161 or port 162”You can use free software SNMP server: reasoning mib browser(no v3 support) and ManageEngine MIBBrowser(v3 support).
Be familiar yourself with snmpwalk commands.
For example,
/opt/entuity/Entuity/lib/tools/snmpwalk -v 3 -E 8000a577010aa328e4 -n "" -u vuser -l authPriv -a sha -A versa123 -x AES -X versa123 -m ALL -M ./versa-mibs 10.172.18.78 .1.3.6.1.2.1.1
snmpengineID (-E) = 8000a577010aa328e4 <<< show confdCnofig snmpAgent snmpEngine snmpEngineIDBasic Config steps:
1. Configure snmp agent:
a. Enable snmp agent.
b. Configure agent ip (127.0.0.1)
c. Configure version (v2c/v3)
2. Configure snmp system:
a. Contact
b. Location
c. Name
3. Configure snmp trap:
4. Configure community name and sec-name (password):
5. Configure snmp target: a. Destination port
b. Server ip address.
c. Associate Community sec-name to the target.
6. Configure target source if required.
7. Configure vacm group name and associate v2c and usm(v3) to it.
8. Specify v2c and usm authentication method on vacm group for read/write/notify access.
9. Specify view type.
10. Specify usm username and password for v3 authentication.
SNMP Default Config:
snmp agent is disabled by default.
SNMP traps are enabled by default
OIDs are configured.
Cheatsheet:
Snmp enable or not
Agent ip address 127.0.0.1
Udp-port
Version
Community name and password
Manager/target details:
Server ip
Port number
Tag
Timeout
Retries
Associate community to the sender
Trap/notify
Snmp source ip
Associate community to vacm group
Associate access right to the vacm group
Read/write/nofity
Specify view detail in vacm
Configuring snmp agent:
Enable snmp agent
set snmp agent enableConfigure snmp server(manager):
Configure the server ip address.
set snmp target v2c_config ip 10.144.1.192. Configure IP address that will be used as the source address forSNMPp traffic
set snmp target-source 210.1.1.1 <<< not requiredWorking snmp configuration when the snmp manager is located on the LAN side. I have only tested SNMP v2, not v3. For v3 below config will not work.
set snmp agent enabled
set snmp agent ip 127.0.0.1
set snmp agent udp-port 161
set snmp agent extra-listen ::1 161
set snmp agent version v2c
set snmp agent max-message-size 50000
set snmp system contact ""
set snmp system name cpe7
set snmp system location India
set snmp community versa123 sec-name versa123
set snmp target v2_210.1.1.2 ip 210.1.1.2
set snmp target v2_210.1.1.2 udp-port 162
set snmp target v2_210.1.1.2 tag [ std_v2_inform std_v2_trap ]
set snmp target v2_210.1.1.2 timeout 1500
set snmp target v2_210.1.1.2 retries 3
set snmp target v2_210.1.1.2 v2c sec-name versa123
set snmp notify std_v1_trap tag std_v1_trap
set snmp notify std_v1_trap type trap
set snmp notify std_v2_inform tag std_v2_inform
set snmp notify std_v2_inform type inform
set snmp notify std_v2_trap tag std_v2_trap
set snmp notify std_v2_trap type trap
set snmp notify std_v3_inform tag std_v3_inform
set snmp notify std_v3_inform type inform
set snmp notify std_v3_trap tag std_v3_trap
set snmp notify std_v3_trap type trap
set snmp target-source 210.1.1.1
set snmp vacm group access-v2c-public-internet member versa123 sec-model [ v2c ]
set snmp vacm group access-v2c-public-internet access v2c no-auth-no-priv read-view internet
set snmp vacm group access-v2c-public-internet access v2c no-auth-no-priv notify-view internet
set snmp vacm view internet subtree 1.2 included
set snmp vacm view internet subtree 1.3 included
set snmp vacm view internet subtree 1.3.6.1 includedWorking snmp configuration when the snmp manager/server is located on the remote LAN side. I have tested only SNMP v2, not v3. So, snmp v3 will not work with the below configuration.
snmp polling works fine, with below config:
set snmp agent enabled
set snmp agent ip 127.0.0.1
set snmp agent udp-port 161
set snmp agent extra-listen ::1 161
set snmp agent version v2c
set snmp agent max-message-size 50000
set snmp system contact ""
set snmp system name cpe7
set snmp system location India
set snmp community versa123 sec-name versa123
set snmp target v2_200.1.1.2 ip 200.1.1.2
set snmp target v2_200.1.1.2 udp-port 162
set snmp target v2_200.1.1.2 tag [ std_v2_inform std_v2_trap ]
set snmp target v2_200.1.1.2 timeout 1500
set snmp target v2_200.1.1.2 retries 3
set snmp target v2_200.1.1.2 v2c sec-name versa123
set snmp notify std_v1_trap tag std_v1_trap
set snmp notify std_v1_trap type trap
set snmp notify std_v2_inform tag std_v2_inform
set snmp notify std_v2_inform type inform
set snmp notify std_v2_trap tag std_v2_trap
set snmp notify std_v2_trap type trap
set snmp notify std_v3_inform tag std_v3_inform
set snmp notify std_v3_inform type inform
set snmp notify std_v3_trap tag std_v3_trap
set snmp notify std_v3_trap type trap
set snmp vacm group access-v2c-public-internet member versa123 sec-model [ v2c ]
set snmp vacm group access-v2c-public-internet access v2c no-auth-no-priv read-view internet
set snmp vacm group access-v2c-public-internet access v2c no-auth-no-priv notify-view internet
set snmp vacm view internet subtree 1.2 included
set snmp vacm view internet subtree 1.3 included
set snmp vacm view internet subtree 1.3.6.1 includedThanks for Reading!