Cacti & Spine 0.8.8f + SNMPv3 w/ SHA+AES128 not working

[ryanjwh]

Hi pantaley et al,

I think we've found a solution! I tossed this to a couple of our internal developers that specialize in C, and they saw the issue right away. It seems like configure.ac for spine is trying to include the net-snmp headers to run that crypto check, but it's assuming they're in /usr/include (the way debian/ubuntu does it), but RHEL puts them in /usr/include/net-snmp. So, when running configure, you have to do this:
CFLAGS="-I/usr/include/net-snmp" ./configure

I did this on our build system and indeed, the "check for crypto" line now says yes! I think this will fix it. I've updated our internal ticket to have the owner of this project recompile with this fix and push the new spine binary to our cacti systems to verify.

[xco]

Seems I have the same problem you are having. I attempted this fix but still not working. I'm still researching, if I find anything I'll post back.
-Jeremy

[ryanjwh]

Another victim! Well, at least we're growing... =)

As an update, we re-compiled Spine after my last post and it now says it's including crypto (yay!) but the issue persists. Can't use Spine to query SNMPv3+crypto.

I filed this ticket, hoping for action sometime soon:
http://bugs.cacti.net/view.php?id=2658

[helzerr]

Sounds very similar to an issue I've been grappling with for quite some time now - posted about it last year:

http://forums.cacti.net/viewtopic.php?p=255591#p255591

Still haven't found a solution... Thankfully, it only affects a handful of devices for whatever reason. The rest of my SNMPv3 devices work fine!

The devices which fail to poll work fine in the Web UI, but Spine says, "SNMP Ping Error: Unknown error: 2"; "SNMP Result: Host did not respond to SNMP"

[helzerr]

I can verify that Spine ./configure indicated "checking if Net-SNMP needs crypto support... no"

I then tried again with CFLAGS="-I/usr/include/net-snmp" and now configure reports Yes

After building and installing Spine with CFLAGS, the results are exactly the same :-/ however, the resulting spine executable is somewhat smaller than the one compiled without CFLAGS...

[helzerr]

Eureka! Found the solution to my issue:

http://bugs.cacti.net/view.php?id=2682

EngineID on client SNMP side needs to be unique on each node for Spine / cmd.php to properly query all v3 devices!

[ryanjwh]

Unfortunately this doesn't help me. I've verified everything works fine if I tell Spine to use DES+MD5 and setup the SNMPv3 stuff in net-snmp on Linux to also use DES+MD5. However, if I setup both sides to use AES+SHA, Spine times out.

I'm pretty sure net-snmp has DES+MD5 stuff built-in which Spine uses on the Cacti server side, but AES+SHA requires linked to OpenSSL libraries and that may be a problem where Spine isn't properly pulling in OpenSSL stuff during compile.

In the meantime we're using DES+MD5 for all SNMP queries to Cloud-based hosts from our prem, but we're prefer to use AES+SHA for added security. On the target side (all of our servers listening for SNMP queries) we have different usernames setup for DES+MD5 vs AES+SHA so we can test from the snmpwalk command line on the Cacti server and verify both work. Cacti's web UI also works fine with AES+SHA when querying system info, running data queries to list interfaces, mounts, etc. Just not Spine when it actually goes to poll.