Cacti & Spine 0.8.8f + SNMPv3 w/ SHA+AES128 not working

Post general support questions here that do not specifically fall into the Linux or Windows categories.

Moderators: Developers, Moderators

ryanjwh
Posts: 19
Joined: Mon Nov 21, 2005 4:17 pm
Location: San Francisco, CA
Contact:

Re: Cacti & Spine 0.8.8f + SNMPv3 w/ SHA+AES128 not working

Post by ryanjwh »

Hi pantaley et al,

I think we've found a solution! I tossed this to a couple of our internal developers that specialize in C, and they saw the issue right away. It seems like configure.ac for spine is trying to include the net-snmp headers to run that crypto check, but it's assuming they're in /usr/include (the way debian/ubuntu does it), but RHEL puts them in /usr/include/net-snmp. So, when running configure, you have to do this:
CFLAGS="-I/usr/include/net-snmp" ./configure

I did this on our build system and indeed, the "check for crypto" line now says yes! I think this will fix it. I've updated our internal ticket to have the owner of this project recompile with this fix and push the new spine binary to our cacti systems to verify.
xco
Posts: 3
Joined: Wed Jan 27, 2016 12:32 pm

Re: Cacti & Spine 0.8.8f + SNMPv3 w/ SHA+AES128 not working

Post by xco »

Seems I have the same problem you are having. I attempted this fix but still not working. I'm still researching, if I find anything I'll post back.
-Jeremy
ryanjwh
Posts: 19
Joined: Mon Nov 21, 2005 4:17 pm
Location: San Francisco, CA
Contact:

Re: Cacti & Spine 0.8.8f + SNMPv3 w/ SHA+AES128 not working

Post by ryanjwh »

Another victim! Well, at least we're growing... =)

As an update, we re-compiled Spine after my last post and it now says it's including crypto (yay!) but the issue persists. Can't use Spine to query SNMPv3+crypto.

I filed this ticket, hoping for action sometime soon:
http://bugs.cacti.net/view.php?id=2658
helzerr
Cacti User
Posts: 54
Joined: Sun Feb 01, 2004 3:10 am
Location: Orlando, FL
Contact:

Re: Cacti & Spine 0.8.8f + SNMPv3 w/ SHA+AES128 not working

Post by helzerr »

Sounds very similar to an issue I've been grappling with for quite some time now - posted about it last year:

http://forums.cacti.net/viewtopic.php?p=255591#p255591

Still haven't found a solution... Thankfully, it only affects a handful of devices for whatever reason. The rest of my SNMPv3 devices work fine!

The devices which fail to poll work fine in the Web UI, but Spine says, "SNMP Ping Error: Unknown error: 2"; "SNMP Result: Host did not respond to SNMP"
helzerr
Cacti User
Posts: 54
Joined: Sun Feb 01, 2004 3:10 am
Location: Orlando, FL
Contact:

Re: Cacti & Spine 0.8.8f + SNMPv3 w/ SHA+AES128 not working

Post by helzerr »

I can verify that Spine ./configure indicated "checking if Net-SNMP needs crypto support... no"

I then tried again with CFLAGS="-I/usr/include/net-snmp" and now configure reports Yes

After building and installing Spine with CFLAGS, the results are exactly the same :-/ however, the resulting spine executable is somewhat smaller than the one compiled without CFLAGS...
helzerr
Cacti User
Posts: 54
Joined: Sun Feb 01, 2004 3:10 am
Location: Orlando, FL
Contact:

Re: Cacti & Spine 0.8.8f + SNMPv3 w/ SHA+AES128 not working

Post by helzerr »

Eureka! Found the solution to my issue:

http://bugs.cacti.net/view.php?id=2682

EngineID on client SNMP side needs to be unique on each node for Spine / cmd.php to properly query all v3 devices!
ryanjwh
Posts: 19
Joined: Mon Nov 21, 2005 4:17 pm
Location: San Francisco, CA
Contact:

Re: Cacti & Spine 0.8.8f + SNMPv3 w/ SHA+AES128 not working

Post by ryanjwh »

Unfortunately this doesn't help me. I've verified everything works fine if I tell Spine to use DES+MD5 and setup the SNMPv3 stuff in net-snmp on Linux to also use DES+MD5. However, if I setup both sides to use AES+SHA, Spine times out.

I'm pretty sure net-snmp has DES+MD5 stuff built-in which Spine uses on the Cacti server side, but AES+SHA requires linked to OpenSSL libraries and that may be a problem where Spine isn't properly pulling in OpenSSL stuff during compile.

In the meantime we're using DES+MD5 for all SNMP queries to Cloud-based hosts from our prem, but we're prefer to use AES+SHA for added security. On the target side (all of our servers listening for SNMP queries) we have different usernames setup for DES+MD5 vs AES+SHA so we can test from the snmpwalk command line on the Cacti server and verify both work. Cacti's web UI also works fine with AES+SHA when querying system info, running data queries to list interfaces, mounts, etc. Just not Spine when it actually goes to poll.
Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest