
Rev1

2012/11/21

Siemens NAM RC-CA I - Global Services and Support Group - 300 Applewood Cres. (Unit 1), Concord,
Ontario, Canada, L4K5C7, support@ruggedcom.com, Phone: 1.866.922.7975 / (+1) 954.922.7938

RuggedNMS Configuring SNMPv3 with RuggedCom Devices


Table of Contents
1. Introduction
2. RuggedNMS SNMPv3 configuration example to be used with RuggedCom devices
   A. ROX1 (1.14.4) SNMPv3 settings
   B. ROS (v3.11.0) SNMPv3 settings
   C. ROX2 (2.3.0) SNMPv3 settings
   D. WiMAX BST and CPE SNMPv3 settings
3. ROX2 SNMPv3 debug analysis vs Wireshark captures
4. SNMPv3 initial handshake Wireshark capture examples with RuggedNMS
5. How to decrypt SNMPv3 packets in Wireshark
6. Verification of running SNMPv3 configurations used in RNMS, based on logs

1. Introduction
The information in this document is presented with a deliberately step-by-step ("spoon feeding") approach, relying mainly on screenshots and copy/paste-ready settings to help the reader with the basics of SNMPv3 configuration between RuggedNMS and the various RuggedCom devices. The document is organised as follows: SNMPv3 is first configured on RuggedNMS (RNMS in the rest of the text), then the SNMPv3 configurations are done on the ROX1, ROS, ROX2 and WiMAX BST/CPE devices. The last few paragraphs explain the basics of the SNMPv3 handshake as seen in ROX2 SNMP log traces, and show how to decrypt encrypted SNMPv3 packet captures in Wireshark for debugging purposes, for example to find the root cause of SNMPv3 configuration problems. Expect to spend roughly 15 minutes configuring SNMPv3 on RNMS and on four different RuggedCom devices running different OS platforms. The OS versions used in the examples are:
- RuggedNMS 1.5.3
- ROX1 1.14.4
- ROS 3.11.0
- ROX2 2.3.0
- WiMAX BST 4.2
- WiMAX CPE 4.3

2. RuggedNMS SNMPv3 configuration example to be used with RuggedCom devices


Use the example below as a reference template when specifying your settings in snmp-config.xml of RNMS to enable SNMPv3.

<?xml version="1.0"?>
<snmp-config port="161" retry="3" timeout="10000"
    read-community="public" write-community="private"
    version="v2c"
    max-vars-per-pdu="5" >
  <definition version="v3" security-name="rugged"
      auth-passphrase="ru99ed7c" auth-protocol="MD5"
      privacy-passphrase="s7st3m48" privacy-protocol="DES">
    <!-- Single ROX1 router -->
    <specific>172.30.16.104</specific>
    <!-- Single ROX2 router -->
    <specific>192.168.18.9</specific>
    <!-- Couple of ROS devices configured as a range -->
    <range begin="172.30.17.107" end="172.30.17.108"/>
  </definition>
  <definition version="v3" security-name="rugged2"
      auth-passphrase="ru99ed7c" auth-protocol="SHA"
      privacy-passphrase="s7st3m48" privacy-protocol="DES"
      context-name="public">
    <!-- Single WiMAX BST -->
    <specific>172.19.16.6</specific>
    <!-- Single WiMAX CPE -->
    <specific>172.19.16.53</specific>
  </definition>
</snmp-config>
Brief notes on the above file:
- This file is located in C:/ruggednms/etc/ (Windows) or /usr/share/opennms/etc/ (Linux), depending on the RNMS installation.
- Most of the attributes in the XML tags are self-explanatory.
- RNMS reads this configuration as follows: the attributes on the opening <snmp-config> tag are the default global settings for all devices. Devices listed between <definition></definition> tags use the SNMP configuration specified in that definition tag. You can have multiple definitions.
- Note that there are two definitions: the first, with security-name="rugged", is for ROS/ROX1/ROX2 devices, and the second, with security-name="rugged2", is for WiMAX base station SNMPv3 authorization. In the second definition the user is required to set context-name to public for SNMPv3 to operate correctly between RNMS and the CPE/BST.
- Text between the opening <!-- and the closing --> is a comment.
- The auth and privacy passphrases are stored in clear text in this file, so restrict read access to it.
- More on SNMPv3 configuration variations can be read here:
http://www.opennms.org/wiki/SNMPv3_protocol_configuration
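The precedence rule described above (global <snmp-config> defaults overridden by the first <definition> that lists an address, either as <specific> or inside a <range>) can be checked offline. The following is an added example, not RNMS/OpenNMS code: it parses the template shown above (embedded as a constructed sample with the same values) and resolves the effective settings for a given agent address.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the snmp-config.xml template from paragraph 2, values unchanged.
SNMP_CONFIG_XML = """<?xml version="1.0"?>
<snmp-config port="161" retry="3" timeout="10000"
    read-community="public" write-community="private"
    version="v2c" max-vars-per-pdu="5">
  <definition version="v3" security-name="rugged"
      auth-passphrase="ru99ed7c" auth-protocol="MD5"
      privacy-passphrase="s7st3m48" privacy-protocol="DES">
    <specific>172.30.16.104</specific>
    <specific>192.168.18.9</specific>
    <range begin="172.30.17.107" end="172.30.17.108"/>
  </definition>
  <definition version="v3" security-name="rugged2"
      auth-passphrase="ru99ed7c" auth-protocol="SHA"
      privacy-passphrase="s7st3m48" privacy-protocol="DES"
      context-name="public">
    <specific>172.19.16.6</specific>
    <specific>172.19.16.53</specific>
  </definition>
</snmp-config>"""


def definition_matches(definition, ip):
    """True if ip is listed as a <specific> address or lies inside a <range> of this definition."""
    for spec in definition.findall("specific"):
        if ipaddress.ip_address(spec.text.strip()) == ip:
            return True
    for rng in definition.findall("range"):
        if ipaddress.ip_address(rng.get("begin")) <= ip <= ipaddress.ip_address(rng.get("end")):
            return True
    return False


def resolve_agent_config(xml_text, address):
    """Effective settings for one agent: the <snmp-config> attributes are the global
    defaults and the first <definition> that lists the address overrides them."""
    root = ET.fromstring(xml_text)
    ip = ipaddress.ip_address(address)
    effective = dict(root.attrib)
    for definition in root.findall("definition"):
        if definition_matches(definition, ip):
            effective.update(definition.attrib)
            break
    return effective


def security_level(cfg):
    """USM security level implied by the passphrases present (None for v1/v2c settings)."""
    if cfg.get("version") != "v3":
        return None
    if cfg.get("auth-passphrase") and cfg.get("privacy-passphrase"):
        return "authPriv"
    return "authNoPriv" if cfg.get("auth-passphrase") else "noAuthNoPriv"
```

An address that no definition lists (for example 10.0.0.1) falls back to the v2c defaults, which is worth checking before assuming a device is being polled with SNMPv3.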
A. ROX1 (1.14.4) SNMPv3 settings:
1) Navigate to Maintenance / SNMP Configuration / Access control and configure SNMPv3 user


2) In Maintenance / SNMP Configuration / Trap Configuration, add an SNMP V3 Trap Destination, where 172.30.20.151 is your RNMS server IP.

In the same menu, enable the Trap generation option.

B. ROS (v3.11.0) SNMPv3 settings


1) In Main menu / Administration / Configure SNMP / Configure SNMP Access, specify settings as illustrated:


2) In Main menu / Administration / Configure SNMP / Configure SNMP Users, specify settings as illustrated:

Notes:
Use the same SNMPv3 credentials as in the RNMS configuration.
The IP address field should be set to the RNMS IP. This IP is used for traps and also acts as an additional authentication factor: the ROS device will reply to SNMP queries only when they are sent from this IP. No other IP address will receive replies to SNMP queries that use the user name specified here (rugged).

3) In Main menu / Administration / Configure SNMP / Configure SNMP Security to Group Maps, specify settings as illustrated:

Note: Once the SNMP settings are configured, SNMP communication activity can be verified with the built-in ROS trace utility.
To enable the SNMP trace utility:
o Press CTRL+S; this switches user input to CLI mode
o Type the following two commands (no quotes), each on a new line: trace snmp allon, then trace
To stop the trace utility and exit the CLI:
o Press CTRL+C
o Type the command (no quotes) trace snmp alloff
o Press CTRL+S

C. ROX2 (2.3.0) SNMPv3 settings:


1) Create a system user (rugged in this example) and assign the user role to it (rugged) in admin / users / <add userid>


Be sure to create your own complex password for the user and assign the guest role.

2) Enable SNMP on the unit in admin / snmp /

3) Configure the SNMP user-to-group mapping (in this example User Name=rugged, Group=v3full) in admin / snmp / snmp-security-to-group
- First add a key by pressing <Add snmp-security-to-group>, with:
o Security Model = v3
o User Name = rugged


Then select the newly created key v3/rugged and specify in it the additional setting Group=v3full, with all-rights, which is the default setting (picture below).

4) Add the SNMP access configuration in admin / snmp / snmp-access.

- Click on <Add snmp-access> to add a key with:
o Group = v3full
o Security Model = v3
o Security Level = authPriv


Then select the newly created key v3full/v3/authPriv and add the additional settings: set all-of-mibs for all options under the SNMP Group Access Configuration table, as illustrated.


5) Configure the SNMP user in admin / snmp / snmp-user /

- Add a new key by selecting <Add snmp-user>, specifying:
o User SNMP Engine ID
o User Name = rugged
Note: the SNMP Engine ID value can be copied from Admin / snmp / SNMP Sessions [table] / SNMP Local Engine ID [parameter]


- For the created key, add the SNMPv3 User Configuration specifying:
o Authentication Protocol = MD5
o Privacy Protocol = des3cbc
o Authentication and Privacy keys matching the RNMS keys from paragraph 2 above.

6) Add a trap configuration.

- Add a new key specifying the target name in admin / snmp / snmp-target-address / <Add snmp-target-address>


Select the created key and configure the additional key parameters in the SNMPv3 Target Configuration table:
o Enabled = checked
o Target Address = RNMS_IP
o Security Model = v3
o User Name = rugged
o Security Level = authPriv
o Trap Type List = snmpv3_trap


Note: do not forget to commit the configuration to apply the settings.


D. WiMAX BST and CPE SNMPv3 settings.
On the Base Station and/or CPE station navigate to
Management Menu / SNMP / SNMP General Settings (if CPE)
or
Admin / SNMP / SNMP General Settings (if BST)
- Enable SNMPv3 and in the Managers Table provide the RNMS IP address.
- Click on SNMPv3 Configuration to configure the SNMPv3-related settings


Add a new SNMPv3 entry and configure the following fields to match the second <definition> tag settings in the RNMS configuration shown in paragraph 2.
- Username = rugged2
- Authentication Passphrase = ru99ed7c
- Authentication Protocol = HMAC-SHA1
- Privacy Passphrase = s7st3m48
- Privacy Protocol = CBC-DES
- Access Group = NMS Access Group

Note: the SNMPv3 configuration is the same for RuggedMAX CPE and BST as of the 4.3.X firmware release for both.

3. ROX2 SNMPv3 debug analysis vs Wireshark captures


One of the useful files to look into when debugging an SNMPv3 configuration is snmp-trace.log. SNMP logging to this file is typically disabled by default.
1) To enable snmp-trace.log in the ROX2 web UI, tick the appropriate check box in the navigation menu /admin/logging/diagnostics/SNMP Log table and then commit the changes. (Feature available as of ROX 2.3.0.)
2) To view the log in the CLI, type show log snmp-trace.log | more, or just browse to the file using the web UI.
3) Here is an illustration of the output of a successful SNMPv3 handshake, with some human interpretation of it:

<INFO> 25-Oct-2012::11:30:28.234 RX1500-Support1 confd[2191]: snmp get-request reqid=0 192.168.18.10:57747
This is the output for the first SNMPv3 packet from RNMS, which queries for the engine ID, engine time and the other parameters of the initial SNMPv3 discovery mechanism. It is a fairly dull packet, with the relevant SNMPv3-specific fields set to nothing. The PDU that carries these discovery parameters is unencrypted.
<INFO> 25-Oct-2012::11:30:28.236 RX1500-Support1 confd[2191]: snmp report reqid=0 192.168.18.10:57747 (Counter32 usmStatsUnknownEngineIDs=0)
The second packet is a report sent in reply to the first get-request. It contains the device engine ID, engine time etc., to be used in all further communication between RNMS and this specific device. These first two packets are part of the SNMPv3 engine discovery mechanism; more on this can be read at http://www.ietf.org/rfc/rfc2574.txt (Section 4, Discovery).
<INFO> 25-Oct-2012::11:30:28.247 RX1500-Support1 confd[2191]: snmp get-request reqid=705942994 192.168.18.10:57747 (OBJECT IDENTIFIER sysObjectID)
Once the first two packets have been exchanged successfully, the third packet from RNMS is an encrypted request containing the discovery parameters and the actual OID requested for reading.
<INFO> 25-Oct-2012::11:30:28.255 RX1500-Support1 confd[2191]: snmp get-response reqid=705942994 192.168.18.10:57747 (OBJECT IDENTIFIER sysObjectID=1.3.6.1.4.1.15004.2.8.2)
The fourth packet is the encrypted reply from the device providing the OID information requested in the previous packet.
The Wireshark capture with the above four packets from RNMS to the ROX2 device can be found further down the text, file name: RNMS_quering_ROX2_sample_SNMPv3_handshake.pcapng.
Here is another example of a message on received SNMPv3 packets from the same snmp-trace.log file, indicating a wrong digest, which most likely means that the SNMPv3 priv. or auth. key does not match:
<INFO> 25-Oct-2012::11:15:21.018 RX1500-Support1 confd[2191]: snmp report reqid=0 192.168.18.10:63297 (Counter32 usmStatsWrongDigests=13)

Do not forget that in admin / snmp / SNMP USM Statistics [table] there are quite helpful SNMP statistics counters available for SNMP troubleshooting, mainly for SNMPv3 (USM, the User-based Security Model).
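The interpretation of the handshake given above can be automated over a whole snmp-trace.log. The following is an added example, not ROX2 or RNMS code: it parses the records quoted in this paragraph (embedded as a constructed sample, each record re-joined onto one line), labels each PDU as discovery probe, discovery reply, authenticated request/response or wrong-digest report, and checks per manager endpoint whether the handshake completed. The record layout is assumed from the quoted lines.

```python
import re

# Constructed sample: the snmp-trace.log records quoted above, each on a single line.
TRACE_LOG = """\
<INFO> 25-Oct-2012::11:30:28.234 RX1500-Support1 confd[2191]: snmp get-request reqid=0 192.168.18.10:57747
<INFO> 25-Oct-2012::11:30:28.236 RX1500-Support1 confd[2191]: snmp report reqid=0 192.168.18.10:57747 (Counter32 usmStatsUnknownEngineIDs=0)
<INFO> 25-Oct-2012::11:30:28.247 RX1500-Support1 confd[2191]: snmp get-request reqid=705942994 192.168.18.10:57747 (OBJECT IDENTIFIER sysObjectID)
<INFO> 25-Oct-2012::11:30:28.255 RX1500-Support1 confd[2191]: snmp get-response reqid=705942994 192.168.18.10:57747 (OBJECT IDENTIFIER sysObjectID=1.3.6.1.4.1.15004.2.8.2)
<INFO> 25-Oct-2012::11:15:21.018 RX1500-Support1 confd[2191]: snmp report reqid=0 192.168.18.10:63297 (Counter32 usmStatsWrongDigests=13)
"""

# Layout assumed from the quoted records: level, timestamp, host, confd[pid]:, PDU type, reqid, peer, optional detail.
RECORD_RE = re.compile(
    r"^<\w+>\s+(?P<ts>\S+)\s+\S+\s+confd\[\d+\]:\s+snmp\s+(?P<pdu>[\w-]+)"
    r"\s+reqid=(?P<reqid>\d+)\s+(?P<peer>\S+)(?:\s+\((?P<detail>.*)\))?\s*$"
)


def parse_record(line):
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["reqid"] = int(rec["reqid"])
    rec["detail"] = rec["detail"] or ""
    return rec


def classify(rec):
    """Label one record the way paragraph 3 interprets the handshake."""
    pdu, detail = rec["pdu"], rec["detail"]
    if pdu == "get-request" and rec["reqid"] == 0:
        return "DISCOVERY_PROBE"   # unencrypted, empty USM fields, asks for engine ID/time
    if pdu == "report" and "usmStatsUnknownEngineIDs" in detail:
        return "DISCOVERY_REPLY"   # engine ID/time handed back to the manager
    if pdu == "report" and "usmStatsWrongDigests" in detail:
        return "WRONG_DIGEST"      # auth or priv key on the manager does not match
    if pdu == "get-request":
        return "AUTH_REQUEST"      # authenticated/encrypted request carrying the real OID
    if pdu == "get-response":
        return "AUTH_RESPONSE"
    return "OTHER"


def analyze_trace(text):
    """Parse every record and return (peer, reqid, kind) tuples in log order."""
    events = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events.append((rec["peer"], rec["reqid"], classify(rec)))
    return events


def handshake_completed(events, peer):
    """True when one manager endpoint went through discovery and then got an encrypted response."""
    kinds = {k for p, _, k in events if p == peer}
    return {"DISCOVERY_PROBE", "DISCOVERY_REPLY", "AUTH_RESPONSE"} <= kinds


def wrong_digest_count(text):
    """Latest usmStatsWrongDigests counter value seen in the trace (0 if none)."""
    values = re.findall(r"usmStatsWrongDigests=(\d+)", text)
    return int(values[-1]) if values else 0
```

A rising usmStatsWrongDigests value with no AUTH_RESPONSE for the same peer is the log-side signature of the key mismatch described above.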


4. SNMPv3 initial handshake Wireshark capture examples with RuggedNMS

OS Platform   Wireshark capture file (double-click to open)
ROX2          RNMS_quering_ROX2_sample_SNMPv3_handshake.pcapng
ROX1          RNMS_quering_ROX1_sample_SNMPv3_handshake.pcapng
ROS           RNMS_quering_ROS_sample_SNMPv3_handshake.pcapng
WiMAX BST     RNMS_quering_BST_sample_SNMPv3_handshake.pcapng
WiMAX CPE     RNMS_quering_CPE_sample_SNMPv3_handshake.pcapng

Note: use the payload decryption method explained in paragraph 5 below to read the encrypted PDU content in the captures.

5. How to decrypt SNMPv3 packets in Wireshark:



1) Select an SNMP packet; right-click on the Simple Network Management Protocol layer; click on Protocol Preferences

2) In the window that opens, click Edit Users Table

3) Add a new entry providing the correct SNMPv3 credentials:



4) Click the Apply button for Wireshark to attempt to decrypt the SNMPv3 packets. The encrypted PDU portion of your SNMPv3 packets should now be decrypted; click + on the encrypted PDU to reveal its content, as illustrated below:


Note: to decrypt WiMAX captures, use the WiMAX SNMPv3 credentials.

6. Verification of running SNMPv3 configurations used in RNMS, based on logs.


There may be situations observed while troubleshooting SNMPv3 communication where some SNMPv3 parameters do not match what you have configured in RNMS, e.g. a request packet sent with an incorrect SNMPv3 user name, wrong auth or priv keys used, etc. One way to check what exactly is wrong is to use the troubleshooting hints described earlier: analyze packet captures, decrypt SNMPv3 packets, or trace the communication from the agent device itself, as described above for ROS and ROX2 in their respective paragraphs. When this is not possible, or does not provide enough information to conclude on the root cause, the local RNMS logs can be checked as well for hints about SNMP issues.
In the scope of SNMP troubleshooting, the file of interest is uncategorized, located in
C:\ruggednms\logs\daemon


In the uncategorized log, look for SNMP-related information using the search pattern IP, Port: 161 in a text editor of your preference, such as Notepad++, e.g. /172.19.16.53, Port: 161
Illustration below:

- Here is an example of a log message for an incorrectly configured SNMPv3 record for the IP 172.19.16.53:
2012-11-20 13:23:30,197 INFO [Configd:ConfigdEventProcessor] RuggedNMS.ConfigMgtd.org.opennms.netmgt.snmp.snmp4j.Snmp4JWalker: Walking GenericData for /172.19.16.53 using version SNMPv3 with config: AgentConfig[Address: /172.19.16.53, Port: 161, Community: public, Timeout: 10000, Retries: 3, MaxVarsPerPdu: 10, MaxRepititions: 2, Max request size: 65535, Version: 3, ProxyForAddress: null, Security level: 3, Security name: rugged2, auth-passphrase: ru99ed7c, auth-protocol: SHA, priv-passprhase: s7st3m48, priv-protocol: DES, context-name:, context-engine-ID: ]
From the above log message you can tell that the context engine ID is missing during SNMP request assembly. The very next message, the reply sent to RNMS from 172.19.16.53, quite likely carries a specific error code suggesting that the Context Name is missing. This log analysis technique may also help to pinpoint the root cause of various SNMPv3 problems you may run into, which typically point to an incorrect configuration. Note that this log record also contains the auth and priv passphrases in clear text, so treat the RNMS log files as sensitive.
2012-11-20 13:23:30,197 DEBUG [Configd:ConfigdEventProcessor] RuggedNMS.ConfigMgtd.org.opennms.netmgt.snmp.snmp4j.Snmp4JStrategy: Snmp4JAgentConfig: Context Name
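The search-and-read check described above can be scripted so that every AgentConfig[...] record in the uncategorized log is parsed and compared with what paragraph 2 requires. The following is an added example, not RNMS code: it uses the record quoted above (embedded as a constructed sample, re-joined onto one line), flags an empty context-name for the security name that needs one (rugged2, an assumption taken from paragraph 2), and masks the passphrases before a record is shared.

```python
import re

# Constructed sample: the RNMS uncategorized log record quoted above, on a single line.
SAMPLE_LOG = (
    "2012-11-20 13:23:30,197 INFO [Configd:ConfigdEventProcessor] "
    "RuggedNMS.ConfigMgtd.org.opennms.netmgt.snmp.snmp4j.Snmp4JWalker: Walking "
    "GenericData for /172.19.16.53 using version SNMPv3 with config: "
    "AgentConfig[Address: /172.19.16.53, Port: 161, Community: public, Timeout: "
    "10000, Retries: 3, MaxVarsPerPdu: 10, MaxRepititions: 2, Max request size: "
    "65535, Version: 3, ProxyForAddress: null, Security level: 3, Security name: "
    "rugged2, auth-passphrase: ru99ed7c, auth-protocol: SHA, priv-passprhase: "
    "s7st3m48, priv-protocol: DES, context-name:, context-engine-ID: ]"
)

AGENT_CONFIG_RE = re.compile(r"AgentConfig\[(?P<body>.*)\]")
# Field names exactly as RNMS prints them (including its own spelling of priv-passprhase).
SECRET_FIELDS = ("auth-passphrase", "priv-passprhase")


def parse_agent_config(line):
    """Turn the AgentConfig[...] part of a log record into a dict of field -> value.
    Empty fields such as 'context-name:' are kept with an empty string so they can be flagged."""
    m = AGENT_CONFIG_RE.search(line)
    if not m:
        return None
    fields = {}
    for item in m.group("body").split(", "):
        key, _, value = item.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def check_agent_config(fields, context_required_users=("rugged2",)):
    """Compare what RNMS actually put in the request with what the configuration intends.
    context_required_users is an assumption of this example: the security names (the WiMAX
    definition in paragraph 2) whose requests must carry a context-name."""
    problems = []
    if fields.get("Version") != "3":
        return ["request is not SNMPv3"]
    if fields.get("Security level") != "3":
        problems.append("security level is not authPriv")
    for key in ("Security name", "auth-protocol", "priv-protocol"):
        if not fields.get(key):
            problems.append(f"{key} is empty")
    if fields.get("Security name") in context_required_users and not fields.get("context-name"):
        problems.append("context-name is empty for a definition that requires it")
    return problems


def redact_secrets(line):
    """Mask passphrases before a log record is shared or attached to a support case."""
    for key in SECRET_FIELDS:
        line = re.sub(rf"({re.escape(key)}: )[^,\]]+", r"\1***", line)
    return line
```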