SNMP v3 authentication failure after EX3200/EX4200 VC is rebooted

After an EX4200 Virtual Chassis (VC) is rebooted, SNMPv3 authentication fails because the last 4 bytes of the engine ID change to 0.

It has been observed that after rebooting an EX4200 VC, SNMPv3 authentication fails because the last 4 bytes of the snmpd engine ID have changed to zero, as shown below:

Engine ID before reboot, when SNMPv3 authentication is working fine:

EX-PROMPT> show snmp v3
Local engine ID: 80 00 0a 4c 01 0a d1 48 0a

Engine ID after reboot, when SNMPv3 authentication fails:

EX-PROMPT> show snmp v3
Local engine ID: 80 00 0a 4c 01 00 00 00 00

This problem occurs when, after a reboot, the kernel has not yet set the system default IP address at the time snmpd calls ‘sysctl’ to fetch it.
The problem is seen mostly in a JAVA VC setup, but the exact same issue has been seen on a standalone QFX-3500.

The issue occurs more often when the box is managed in-band, but it can occur when it is managed out-of-band as well.

By default, the system uses an IP address to generate the engine ID. It can instead be configured with “set snmp engine-id use-mac-address” or “set snmp engine-id local <user-string>”, in which case the MAC address or the user-configured string is used to generate the local engine ID.
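Why a changed engine ID breaks authentication even though no password was changed: SNMPv3 USM (RFC 3414) does not use the password directly but a key localized to the agent's engine ID, Kul = MD5(Ku || engineID || Ku), so a different engine ID yields a different key on the agent while the manager keeps computing the old one. The script below is an added example, not part of the original article. It decodes the two engine IDs shown above according to the RFC 3411 SnmpEngineID layout and localizes an MD5 key for each; the password Juniper1234 is the sample value from this article's configuration example, not a real credential.

```python
import hashlib
import ipaddress

# Engine IDs copied from the two "show snmp v3" outputs above.
ENGINE_ID_BEFORE = bytes.fromhex("80000a4c010ad1480a")
ENGINE_ID_AFTER = bytes.fromhex("80000a4c0100000000")

# Sample password taken from the article's configuration example (constructed, not a real secret).
PASSWORD = "Juniper1234"

# RFC 3411 SnmpEngineID "format" values (octet 5 when the MSB of octet 1 is set).
ENGINE_ID_FORMATS = {1: "IPv4 address", 2: "IPv6 address", 3: "MAC address", 4: "text", 5: "octets"}


def decode_engine_id(engine_id: bytes) -> dict:
    """Split an RFC 3411 engine ID into enterprise number, format and payload."""
    if len(engine_id) < 5 or not engine_id[0] & 0x80:
        raise ValueError("not an RFC 3411 extended-format engine ID")
    # Octets 1-4: IANA enterprise number with the top bit cleared (0x0a4c = 2636 = Juniper Networks).
    enterprise = int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF
    fmt = engine_id[4]
    payload = engine_id[5:]
    if fmt == 1 and len(payload) == 4:
        value = str(ipaddress.IPv4Address(payload))
    elif fmt == 3 and len(payload) == 6:
        value = payload.hex(":")
    else:
        value = payload.hex()
    return {"enterprise": enterprise, "format": ENGINE_ID_FORMATS.get(fmt, f"unknown({fmt})"), "value": value}


def password_to_ku(password: str) -> bytes:
    """RFC 3414 A.2.1: Ku is MD5 over the password repeated to fill 1,048,576 bytes."""
    pw = password.encode()
    total = 1048576
    stream = (pw * (total // len(pw) + 1))[:total]
    return hashlib.md5(stream).digest()


def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.md5(ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes) -> bytes:
    """Convenience wrapper: password -> Ku -> key localized to one engine ID."""
    return localize_key(password_to_ku(password), engine_id)


if __name__ == "__main__":
    for label, eid in (("before reboot", ENGINE_ID_BEFORE), ("after reboot", ENGINE_ID_AFTER)):
        print(f"{label}: {eid.hex(' ')} -> {decode_engine_id(eid)}")
        print(f"  localized MD5 key: {localized_key(PASSWORD, eid).hex()}")
    same = localized_key(PASSWORD, ENGINE_ID_BEFORE) == localized_key(PASSWORD, ENGINE_ID_AFTER)
    print("keys identical:", same)  # False: the agent now expects a key the manager never derives
```

Decoding the pre-reboot value gives enterprise 2636, format 1 (IPv4) and 10.209.72.10, the same address the snmpwalk commands further down are pointed at; the post-reboot value decodes to 0.0.0.0, consistent with snmpd having read the default address before the kernel set it. Because the localized key differs, any key derived under the old engine ID, whether stored on the agent or cached by a manager, no longer matches, which is also why the workaround below pins the engine ID rather than touching the user passwords.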

SNMPv3 authentication can also fail because of an improper configuration, as shown below:

When configuring SNMPv3, the keywords to enter are “authentication-password” and “privacy-password”:

set snmp v3 usm local-engine user admin authentication-md5 authentication-password Juniper1234
set snmp v3 usm local-engine user admin privacy-des privacy-password Juniper1234

After commit, the configuration is displayed with “authentication-key” and “privacy-key” instead:

set snmp v3 usm local-engine user admin authentication-md5 authentication-key Juniper1234
set snmp v3 usm local-engine user admin privacy-des privacy-key Juniper1234

Authentication success or failure can be confirmed with the snmpwalk command:

Success:
> snmpwalk -m all -v 3 -l authPriv -u hpov -a MD5 -A india123 -x DES -X india123 10.209.72.10 sysUpTime
system.sysUpTime.0 = Timeticks: (1575286) 4:22:32.86

Failure:
> snmpwalk -m all -v 3 -l authPriv -u hpov -a MD5 -A india123 -x DES -X india123 10.209.72.10 sysUpTime
snmpwalk: Authentication failure

Workaround:

Configure a local engine ID as shown below so that it stays the same across reboots:

set snmp engine-id local XXX

This issue is fixed in:

  • 11.1S4.1
  • 11.2R2
  • 11.3R1
  • All later releases

About the author

Prasanna