Monitoring HP UPS via SNMP v3

CMK version: Managed Service Edition v1.6.0p25

We try to monitor HP UPS model RT3000 G2 and R1500 INTL with Checkmk and SNMP v3.
After we’ve configured SNMP v3 in the UPS web interface… (the field “SNMP version” was set to v3 not to v1 as shown here)


… we are not able to get results of SNMP requests:

SNMP Error on xxx while walking .1.3.6.1.2.1.1.1. Normally this is caused by a device sending invalid SNMP responses (Details: Bad parse of ASN.1 type (0/-13)).

Output of “cmk --debug -vvn hostname”:

Both, Checkmk server and UPS are in the same network.

Has or had anyone similiar problems with such HP UPS devices? What can I do to get these devices monitored?

Thank you in advance,
Antje

Have you tried this on the CLI? Maybe your UPS is not using SHA1 as authentication protocol, but the old MD5.

snmpwalk -v3 -l authNoPriv -u checkmk -a SHA -A <authpw> <UPS-IP> sysObject

Hi,
thank you for your help.

The command output is this:

$ snmpwalk -v3 -l authNoPriv -u checkmk -a SHA -A xxx xx.xx.xx.212 sysObject
Authentication failed for checkmk
snmpwalk: Bad parse of ASN.1 type (Sub-id not found: (top) → sysObject)

can you try this with MD5? I guess your PW is not to comlex :wink:

snmpwalk -v3 -l authNoPriv -u checkmk -a MD5 -A <authpw> <UPS-IP> sysObject

MD5 throws the same output. :frowning:
Ok, I will try it with a more complex passphrase and will post the results here.
Thanks.

It would be helpful to see a screenshot with the real settings from your UPS.

thanks

Michael

Hi Michael,
I will do so as soon as possible. We are very busy at the moment due to the log4j issue… :frowning:

Cheers,
Antje

Hi there,
a happy new year to all of you!

We’ve solved the issue… or I should say: we’ve found a dirty workaround…
After testing several long passwords for authPriv with/without special characters, lower/upper letters, with/without digits and so on, the SNMP v3 requests still failed with timeouts. Even a restart of the UPS or installing the latest firmware didn’t help.
In the end, we’ve changed the SNMP v3 settings to no authentication (noAuthNoPriv) - and it works in Checkmk.
Unfortunately, there are no hints in the HP documentation about password restrictions, so that we will have to live with this workaround.

Hope this helps other users with similar problems on that hardware.

Kind regards,
Antje

Hi Antje,

Please take in to account that with noAuthNoPriv the access may not protected. Depending on your UPS model anyone can power off the UPS and all connected devices. Not sure if you want that.
In SNMPv3 you have several options. In case you use authPriv you need to provide a password for authentication AND a password for privacy, which is encryption.
I would recommend using option authNoPriv which needs a password only.
We generate random complex passwords per site and I dont see any limitations with the passwords in SNMPv3.

I hope that helps

regards

Michael

Hi Michael,

thank you very much for your advice. I am aware that using SNMP v3 without any authentication is unsecure. We already had tried setting the option authNoPriv - without success. The SNMP access failed again. It only works without passphrases. Very dirty. :frowning: As soon as I have time, I will test your recommendation again.
Unfortunately, HP didn’t document any passphrase policies for this feature. Or did you find any?

Thanx.

Cheers,
Antje

Hi Michael,

finally, we’ve solved the issue (without dirty workarounds).
As you said, we set the SNMP v3 settings to AuthNoPriv:

The root cause of the problem was not the password, but the authentication protocol in Checkmk.
I usually use SHA. But that doesn’t work here. MD5 has to be choosen:

Now it works properly…

Thank you and kind regards,
Antje

Good to read.

regards

Michael