SNMPv3 with privacy not working

Post support questions that relate to the Windows 2003/2000/XP operating systems.

Moderators: Developers, Moderators

Post Reply
jspp
Posts: 6
Joined: Mon Sep 13, 2010 3:13 pm

SNMPv3 with privacy not working

Post by jspp »

I use cacti version 0.8.7g

I graph devices using SNMPv1, v2 and v3 (authNoPriv with MD5) without problem.

I have a device that I want to add that uses authPriv (MD5/DES) but I can't make it work and I always get "SNMP error". When I click on Verbose Query on the SNMP - Interface Statistics, I get the following :

+ Running data query [1].
+ Found type = '3' [snmp query].
+ Found data query XML file at 'C:/Inetpub/wwwroot/cacti/resource/snmp_queries/interface.xml'
+ XML file parsed ok.
+ Executing SNMP walk for list of indexes @ '.1.3.6.1.2.1.2.2.1.1'
+ No SNMP data returned
+ Found data query XML file at 'C:/Inetpub/wwwroot/cacti/resource/snmp_queries/interface.xml'
+ Found data query XML file at 'C:/Inetpub/wwwroot/cacti/resource/snmp_queries/interface.xml'
+ Found data query XML file at 'C:/Inetpub/wwwroot/cacti/resource/snmp_queries/interface.xml'


The device is configured as following :
  • Hostname: 10.1.253.250
    Host Template: None
    Downed Device Detection: SNMP
    Ping Timeout Value: 400
    Ping Retry Count: 1
    SNMP Version: Version 3
    SNMP Username (v3): userrw
    SNMP Password (v3): md5md5md5
    SNMP Auth Protocol (v3): MD5 (default)
    SNMP Privacy Passphrase (v3): desdesdes
    SNMP Privacy Protocol (v3): DES (default)
    SNMP Context:
    SNMP Port: 161
    SNMP Timeout: 500
    Maximum OID's Per Get Request: 10
If I use the following snmpwalk command from the cacti server, I am able to get all the interfaces, so the problem seems to be with cacti.

Code: Select all

snmpwalk -v 3 -u userrw -l authPriv -A md5md5md5 -a MD5 -X desdesdes -x DES 10.1.253.250:161 .1.3.6.1.2.1.2.2.1.1
I am also able to poll this device using another system (SNMPc Management Console) without problem.

Note that if I reconfigure that device to use only MD5 Auth and no priv, I am able to poll it with cacti. It is only when I enable the Priv that cacti can't communicate properly with it.

Did I forget something? Is there a known bug/problem with cacti using authPriv with MD5/DES?

Thanks in advance for your help.

js

For the record, the device is a stack of two Avaya/Nortel 5510-24T switches running with FW:6.0.0.10/SW:v6.2.0.201.
User avatar
BSOD2600
Cacti Moderator
Posts: 12171
Joined: Sat May 08, 2004 12:44 pm
Location: USA

Post by BSOD2600 »

Some tips on snmpv3 http://forums.cacti.net/viewtopic.php?t=33216

what php and net-snmp versions?
jspp
Posts: 6
Joined: Mon Sep 13, 2010 3:13 pm

Post by jspp »

I should have included that in my first post ! :

PHP: 5.2.8
net-snmp: 5.5.0-1
Win32OpenSSL Light 1.0a
spine 0.8.7g
Win Server 2003 R2 32-bit / IIS 6

I reviewed the other post you referred, but nthing really applies to me. As for the snmp.c patch for spine, I suppose that it has been included in the release since.
User avatar
BSOD2600
Cacti Moderator
Posts: 12171
Joined: Sat May 08, 2004 12:44 pm
Location: USA

Post by BSOD2600 »

jspp wrote:I reviewed the other post you referred, but nthing really applies to me.
Sure it does, your php version.
TheWitness wrote:You should be able to use PHP 5.3.2++ and have a fully functional PHP snmp module with snmpV3.
jspp
Posts: 6
Joined: Mon Sep 13, 2010 3:13 pm

Post by jspp »

You're right! I missed that one.

I downloaded and installed PHP 5.3.3 and everything is configured in IIS using FastCGI. I am able to run a phpinfo() command from IIS.

Now, cacti is unable to access the MySQL database. When I load the cacti page I get the following message :

FATAL: Cannot connect to MySQL server on 'localhost'. Please make sure you have specified a valid MySQL database name in 'include/config.php'

I tested the settings and MySQL is running, the port 3306 is open, the user/password for cacti is working... The config.php file has the right settings.

I even unstalled and reinstalled everything to no avail (using both an empty cacti database and my previous database). Cacti is unable to connect to the MySQL database with PHP 5.3.3...
User avatar
BSOD2600
Cacti Moderator
Posts: 12171
Joined: Sat May 08, 2004 12:44 pm
Location: USA

Post by BSOD2600 »

Did you install the mysql, sockets and snmp php extensions? Enabled in php.ini? shows in phpinfo()?

Enabling the php error log reveal any more details about the errors?
jspp
Posts: 6
Joined: Mon Sep 13, 2010 3:13 pm

Post by jspp »

Since I was unable to make any MySQL connection using PHP 5.3.3, I downgraded to PHP 5.2.14 (the other version available on windows.php.net).

Now the system is back to normal but I still have the problem with the SNMPv3 devices with authPriv (MD5/DES)...

So it's back to start....

I then installed PHP 5.3.3 over 5.2.14 without changing anything to the configurations and I validated that the php.ini has all the correct configurations. The MySQL error came back...
Did you install the mysql, sockets and snmp php extensions?
Yes
Enabled in php.ini?
Yes
shows in phpinfo()?
Yes
Enabling the php error log reveal any more details about the errors?
Only this:
[16-Sep-2010 14:08:12] PHP Warning: strtotime() [<a href='function.strtotime'>function.strtotime</a>]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for '-4.0/DST' instead in C:\Inetpub\wwwroot\cacti\include\global_arrays.php on line 640
[16-Sep-2010 14:08:12] PHP Warning: date() [<a href='function.date'>function.date</a>]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for '-4.0/DST' instead in C:\Inetpub\wwwroot\cacti\include\global_arrays.php on line 640



By the way, there is contradicting information about PHP 5.3.x in the posts on the cacti forums. In the thread you referred (http://forums.cacti.net/viewtopic.php?t=33216) TheWitness says that
You should be able to use PHP 5.3.2++ and have a fully functional PHP snmp module with snmpV3
but in another thread (http://forums.cacti.net/viewtopic.php?t=36525) you wrote that
PHP 5.3.x is not supported in cacti 0.8.7x
User avatar
BSOD2600
Cacti Moderator
Posts: 12171
Joined: Sat May 08, 2004 12:44 pm
Location: USA

Post by BSOD2600 »

jspp wrote:Since I was unable to make any MySQL connection using PHP 5.3.3, I downgraded to PHP 5.2.14 (the other version available on windows.php.net).
php 5.2 and 5.3 are very different beasts. Plus the change from ISAPI to FastCGI is another wrench thrown in to complicate things for Windows users.
jspp wrote:By the way, there is contradicting information about PHP 5.3.x in the posts on the cacti forums....
Cacti 0.8.7e officially didn't support php 5.3 due to cacti not properly handling the new changes. It was easier to just instruct users that it's not supported than hand holding all the changes to code/php.ini.

Cacti 0.8.7g does 'fix' the php 5.3 issues though.

Side-note, as I look through my windows installer config, I'm still using php 5.2.14 instead of 5.3.x. I vaguely recall the same mysql issues you are having and decided I didn't have the time to troubleshoot it to any great length.

Looks like a dev is going to be needed to help further investigate whats broken about 5.3.x on windows compared to 5.2.14.
sdavied
Posts: 15
Joined: Mon Dec 01, 2008 2:14 pm

Re: SNMPv3 with privacy not working

Post by sdavied »

Sorry to revive an old thread, but I was having this EXACT problem and could not figure out a solution. Based on everything I read here and whatever I found on the internet, my theory was that php-snmp using snmp v3 was not working correctly (at least with authPriv). Also, my Cacti version was a little out of date (0.8.7b). My first attempt at a fix was to upgrade Cacti to 0.8.7g. That did not work. So, I did a little testing and found an easy solution to make this work. Here's my setup:
  • Date Wed, 11 May 2011 12:37:05 -0500
    Cacti Version 0.8.7g
    Cacti OS unix
    SNMP Version NET-SNMP version: 5.3.2.2
    RRDTool Version RRDTool 1.3.x
    Hosts 299
    Graphs 2057
    Data Sources Script/Command: 500
    SNMP: 909
    SNMP Query: 938
    Total: 2347
    Poller Information
    Interval 300
    Type cmd.php
    Items Action[0]: 2331
    Action[1]: 455
    Total: 2786
    Concurrent Processes 5
    Max Threads 1
    PHP Servers 1
    Script Timeout 25
    Max OID 10
    Last Run Statistics Time:34.7133 Method:cmd.php Processes:5 Threads:N/A Hosts:265 HostsPerProcess:53 DataSources:2786 RRDsProcessed:1890
    PHP Information
    PHP Version 5.1.6
    PHP OS Linux
    PHP uname Linux tools.eaglecom.net 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64
    PHP SNMP Installed
    max_execution_time 30
    memory_limit 72M
What I did is first test my theory: php-snmp not working. I created a simple php script to run from command line to try a walk of one of my snmp v3 devices. I could not get any output returned from the function (snmp3_walk). However, when I ran an snmpwalk (net-snmp) from the command line using the exact same parameters, I got the output I expected. So, I know net-snmp is working.

I got to looking at how Cacti determines what method to use and found this function in <cacti_path>/lib/snmp.php:

Code: Select all

function snmp_get_method($version = 1) {
	if ((function_exists("snmpget")) && ($version == 1)) {
		return SNMP_METHOD_PHP;
	}else if ((function_exists("snmp2_get")) && ($version == 2)) {
		return SNMP_METHOD_PHP;
	}else if ((function_exists("snmp3_get")) && ($version == 3)) {
		return SNMP_METHOD_PHP;
	}else if ((($version == 2) || ($version == 3)) && (file_exists(read_config_option("path_snmpget")))) {
		return SNMP_METHOD_BINARY;
	}else if (function_exists("snmpget")) {
		/* last resort (hopefully it isn't a 64-bit result) */
		return SNMP_METHOD_PHP;
	}else if (file_exists(read_config_option("path_snmpget"))) {
		return SNMP_METHOD_BINARY;
	}else{
		/* looks like snmp is broken */
		return SNMP_METHOD_BINARY;
	}
}
To test my theory I removed the line (AFTER making a backup copy of the original file):

Code: Select all

else if ((function_exists("snmp3_get")) && ($version == 3)) {
		return SNMP_METHOD_PHP;
}
This way cacti is forced to use net-snmp if the version is 3. So far it is working great with no adverse effects.

I just thought I would post this as it may help someone else with the same problem. I know I struggled with it for a while and never did find a working solution anywhere. Use at your own risk.
jspp
Posts: 6
Joined: Mon Sep 13, 2010 3:13 pm

Re: SNMPv3 with privacy not working

Post by jspp »

It's funny that you revived the thread at that time as I just started a few days ago to try again to make it work on my server.

I tried your little tweak of the snmp.php to force the usage of net-snmp, but even if it uses net-snmp cacti can't get the device info using SNMPv3 with authPriv. If I try to get the list of interfaces (using Verborse Query) I get "+ No SNMP data returned"

I even created a batch file to replace snmpwalk and captured the command line that cacti sends to it. I ran that command line to call snmpwalk and got a listing of all the interfaces of my device. Seems that cacti can't get the results even if the command works...

By the way I am on Windows (not linux) so it might be different.

BSOD2600 told me that I should use PHP 5.3 to resolve the SNMPv3 issues, but with PHP 5.3 cacti can't connect to the MySQL database...

It's like I am trapped in a catch-22! ;) Unless someone knows how to make cacti work with php5.3 and mysql on windows!
jspp
Posts: 6
Joined: Mon Sep 13, 2010 3:13 pm

Re: SNMPv3 with privacy not working

Post by jspp »

I found it!

I tried to run cacti with root instead of cactiuser and it worked... Double checked cactiuser password and it was good so it must be a difference between the access of those users. The first thing that came to my mind is the old-password hash.

Did a little search on PHP 5.3 and MySQL and found that it seems that PHP 5.3 dislikes old-passwords.

I removed old-password setting from my.ini and restarted MySQL.

Then I updated the cacti password using new password hash.

Code: Select all

UPDATE mysql.user SET Password = PASSWORD('cactipw') WHERE Host = 'localhost' AND User = 'cactiuser';
After that, I was able to log into cacti, add my SNMPv3 authPriv device, discover its interfaces and create a graph. After a few polls, the stats were good, so I think that I am all set!
sdavied
Posts: 15
Joined: Mon Dec 01, 2008 2:14 pm

Re: SNMPv3 with privacy not working

Post by sdavied »

Check this forum post over at zen-cart.com:

http://www.zen-cart.com/forum/showthread.php?t=150719

It deals with the warning that showed up when you had version 5.3 going. Maybe this is causing part of the problem???

What happens if you write a short php script (using version 5.3) and try an snmp query?
Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests