SNMPv3 on Cisco Catalyst 6500 and NFA 9.2

Document created by ajake01 Employee on Jun 27, 2014

Hi All

In the GUI on NFA 9.2 we had an issue where the router could not discover an SNMPv3 profile.

The router (Cisco Catalyst 6500) was no different from the other 3 routers that are already in.
Even if you manually assign an SNMP profile to it, once you try to refresh it pops up the message that it can't be polled and it removes the profile from it.

Once we enabled SNMP v2 on the router, the poll worked for the SNMP v2 profile. IOS v 12.1(33)

When we compared routers, two routers had the same Engine ID ... the client tried to regenerate the SNMP engine ID after hours but he found out that CISCO had a bug in their code .. because the SNMP engine ID is not regenerated on the switch.

Below explains what is actually happening and what you could see in Wireshark once you try to discover an SNMP profile in the NFA GUI for the router.


From CISCO: "From NMS perspective you may encounter Time Synchronization (violation of timeliness) error related SNMPv3 responses as logically SNMPv3 engine ID must be unique in an administrative domain (RFC 2571). When this happens you should encounter SNMPv3 auth failures due to UsmNotInTimeWindow related errors (implying replayed or duplicated messages)."

Cheers
Kemal
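As an added example (not part of the original post or of NFA), the check below decodes SNMPv3 engine IDs per the RFC 3411 SnmpEngineID layout and flags devices that share one, which is the condition the post describes. The inventory of device names and engine IDs is constructed for illustration; on a real network you would fill it from the engine IDs reported during discovery.

```python
"""Decode SNMPv3 engine IDs (RFC 3411 SnmpEngineID) and flag duplicates across devices."""
import binascii
from collections import defaultdict

# Constructed sample inventory (hypothetical names and values, not real device data).
# Enterprise 9 with format 3 is the "enterprise + MAC address" layout Cisco devices use by default.
SAMPLE_ENGINE_IDS = {
    "core-6500-a": "800000090300112233aabb",
    "core-6500-b": "800000090300112233aabb",    # same ID as core-6500-a: the failure case
    "edge-rtr-1":  "80000009030011223344cc",
    "edge-rtr-2":  "80000009010a000001",        # format 1: IPv4 address 10.0.0.1
    "legacy-box":  "000000090123456789abcdef",  # bit 7 clear: older 12-octet form
}

FORMATS = {1: "IPv4", 2: "IPv6", 3: "MAC", 4: "text", 5: "octets"}


def decode_engine_id(hex_id):
    """Return a dict describing one engine ID; raises ValueError on malformed input."""
    raw = binascii.unhexlify(hex_id)
    if not 5 <= len(raw) <= 32:
        raise ValueError("engine ID must be 5..32 octets")
    if not raw[0] & 0x80:
        # Older form: 4-octet enterprise number followed by 8 enterprise-defined octets.
        return {"legacy": True, "enterprise": int.from_bytes(raw[:4], "big"),
                "format": None, "detail": raw[4:].hex()}
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF  # clear the marker bit
    fmt, body = raw[4], raw[5:]
    if fmt == 1 and len(body) == 4:
        detail = ".".join(str(b) for b in body)
    elif fmt == 3 and len(body) == 6:
        detail = ":".join(f"{b:02x}" for b in body)
    elif fmt == 4:
        detail = body.decode("ascii", errors="replace")
    else:
        detail = body.hex()
    name = FORMATS.get(fmt, "enterprise-specific" if fmt >= 128 else "reserved")
    return {"legacy": False, "enterprise": enterprise, "format": name, "detail": detail}


def find_duplicate_engine_ids(inventory):
    """Map each engine ID seen more than once to the sorted list of devices sharing it."""
    seen = defaultdict(list)
    for device, engine_id in inventory.items():
        seen[engine_id.lower()].append(device)
    return {eid: sorted(devs) for eid, devs in seen.items() if len(devs) > 1}


if __name__ == "__main__":
    for device, eid in SAMPLE_ENGINE_IDS.items():
        print(device, decode_engine_id(eid))
    for eid, devices in find_duplicate_engine_ids(SAMPLE_ENGINE_IDS).items():
        print(f"DUPLICATE engine ID {eid} on {', '.join(devices)}: expect usmNotInTimeWindow errors")
```

A shared engine ID means the NMS keeps one boot/time pair for two different agents, so one of them will always look out of the time window; the fix is a unique engine ID per device, not a change on the NMS side.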


This document was generated from the following discussion: SNMPv3 on Cisco Catalyst 6500 and NFA 9.2
