SNMP V3 Traps are not received from one Device

Hello together,

we’re using CheckMK Raw 1.6.0p15 and have currently some struggle with the Event Console.

We’re trying to receive SNMP v3 Traps from one Router. Inside of CheckMK everything is configured and looks fine from my side.
SNMP v2 Traps can be received from the router, but when we change to Version 3 on the router, the CheckMK receives no more Traps (V3 Community is present in CheckMK). Even in the mkeventd-Logs (set to Verbose) are no more Entries coming in.
I at least expect something like “[cmk.mkeventd.EventServer.snmp] Trap (v3) dropped from xyz: …” inside the Log.

So, we checked with a Linux device, sending manually V3 Traps, and these can be received by CheckMK.

My question is now: Is there any additional configuration that is missing here?

Best regards,
Marc

Did you find anything in EC logs? You should increase the mkeventd logs to see if a trap is received and what happens at this point.
Regards, Christian

Hello Christian,

The SNMP trap processing Loglevel is set to Verbose inside of CheckMK.
But when the Router sends V3 Traps, there are no Hits in the Logs.
When the same Router sends V2 or a Linux System sending V3 Traps, I can see Hits in the Logfiles and the Traps also show up in the Event Console.

So, it’s a bit strange for me:
Router V2 Trap = working (and log entries)
Router V3 Trap = not working (and no log entries)
Linux V3 Trap = working (and log entries)

Is the above mentioned Loglevel fine, or should I put it to “Verbose” for all the Log Levels?

Best regards

Hi,
I think you need only verbose for the incoming events. BTW: Did you also configure the engine-id in your V3 settings? Please look at the inline help to do that.

Regards,
Christian

Yes, the Engine ID is configured inside CheckMK.

But even if I missed something inside of CheckMK, I would expect an entry in the Logfile like
[cmk.mkeventd.EventServer.snmp] Trap (v3) dropped from aa.bb.cc.dd: …

When we send a V3 Trap from a Test Linux System with wrong Credentials/Engine ID we at least see one entry in the Log for this Host with the above mentioned String. This I would also expect to see if the Router is sending V3 Traps, even when the Credentials/Engine ID is wrong, but no.

Can it be maybe an issue with the Router rather than with CheckMK? Because in general CheckMK can receive V3 Traps, as tested with a Linux Host.

If you receive nothing then I would also look at the router if there is a problem.
Can you send non SNMPv3 traps to test if the traps reach the monitoring machine?

Hi,

what type of router do you have?

On the CMK server you can try to use tcpdump to confirm your router is sending SNMPv3 traps (and the CMK server is receiving them) like this:

thl@cmkbuild:~$ sudo tcpdump -nn host <IP-ADDRESS-OF-YOUR-ROUTER> and udp port 162

you should get output like this:

thl@cmkbuild:~$ sudo tcpdump -nn host 192.168.10.148 and udp port 162
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes
22:39:31.524457 IP 192.168.10.148.54916 > 192.168.10.132.162:  F=ap U="checkmk" [!scoped PDU]85_d5_55_00_26_af_44_1e_cb_22_38_8b_d9_6a_35_28_5a_19_c2_49_48_55_f7_b4_4a_2e_95_cb_f6_ad_f7_65_85_62_e7_d6_0e_2b_68_b8_f2_08_16_e2_5b_cf_57_65_d9_89_55_5e_84_44_81_bd_57_b1_d5_4d_b2_a4_84_f6_ae_94_a4_0c_cc_0b_73_f5_91_e7_c1_5f_4a_9c_35_75_e0_45_b4_48_f1_df_c0_c3_8c_1f_8c_00_30_6e_44_59_78_17_97_e0_5b_25_a2_af_2c_e1_62_67_34_84_a9_e1_58_82_88_88_02_b7_8f_fa_c3_30_cf_c6_03_f9_9f_92_b1_b7_bd_d1_e3_a7_d1
22:39:31.777098 IP 192.168.10.148.54916 > 192.168.10.132.162:  F=ap U="checkmk" [!scoped PDU]8b_bc_4a_ee_10_7a_08_49_1b_06_61_78_90_0d_8d_9a_2d_8b_cc_ba_94_94_81_e3_86_e9_76_b7_07_4d_2d_88_a3_9d_66_5c_e8_b0_a0_70_eb_97_01_4b_2a_ca_89_cb_0a_a9_96_8e_40_5f_71_33_24_41_c9_9e_78_c6_c4_93_8a_f3_4b_d1_ab_75_7c_f2_e2_36_7b_1e_22_67_c9_8c_d2_a0_45_9a_e7_4d_e1_72_7e_9b_01_f2_4a_05_8f_86_95_c6_e1_a0_0d_68_c2_6e_c4_f6_7c_58_2c_98_78_02_2c_2a_8c_2e_28_9a_94_61_d5_c6_b0_7c_44_46_fa_43_26_c9_97_a8_4f_9e_57_c1_c5_2e
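An added example, not part of the thread: once tcpdump confirms that packets arrive on UDP port 162, the unencrypted SNMP header can be decoded to see which version, security level, user and engine ID the sender really uses, for comparison with the credentials configured in the Event Console. It assumes the UDP payload bytes have already been extracted from a capture; the function names, sample packets, engine ID and community are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def read_fields(buf, count):
    """Return the values of the first `count` BER elements in buf."""
    values, pos = [], 0
    for _ in range(count):
        _, value, pos = read_tlv(buf, pos)
        values.append(value)
    return values

LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}
def describe_trap(payload):
    """Summarise the unencrypted header of one SNMP message (UDP payload bytes)."""
    tag, message, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    version = int.from_bytes(read_fields(message, 1)[0], "big")
    if version in (0, 1):  # v1/v2c: version, community, PDU
        community = read_fields(message, 2)[1].decode("ascii", "replace")
        return {"version": "v1" if version == 0 else "v2c", "community": community}
    if version != 3:
        raise ValueError("unknown SNMP version %d" % version)
    _, header, sec_params = read_fields(message, 3)  # v3 layout per RFC 3412
    flags = read_fields(header, 3)[2][0]  # msgID, msgMaxSize, msgFlags
    usm = read_fields(sec_params, 1)[0]  # USM SEQUENCE inside the OCTET STRING (RFC 3414)
    engine_id, _, _, user = read_fields(usm, 4)  # engine ID, boots, time, user name
    return {"version": "v3", "level": LEVELS.get(flags & 3, "invalid"),
            "user": user.decode("ascii", "replace"), "engine_id": engine_id.hex()}

def _tlv(tag, value):  # short-form encoder, only used to build the constructed samples
    return bytes([tag, len(value)]) + value
# Constructed samples: engine ID, user and community are made up for illustration.
_USM = _tlv(0x30, _tlv(4, bytes.fromhex("80001f8804636d6b")) + _tlv(2, b"\x01")
            + _tlv(2, b"\x2a") + _tlv(4, b"checkmk") + _tlv(4, bytes(12)) + _tlv(4, bytes(8)))
SAMPLE_V3 = _tlv(0x30, _tlv(2, b"\x03") + _tlv(0x30, _tlv(2, b"\x01") + _tlv(2, b"\x05\xdc")
                 + _tlv(4, b"\x03") + _tlv(2, b"\x03")) + _tlv(4, _USM) + _tlv(4, bytes(8)))
SAMPLE_V2C = _tlv(0x30, _tlv(2, b"\x01") + _tlv(4, b"public") + _tlv(0xA7, b""))
```

Calling `describe_trap()` on a payload from the router and on one from the working Linux sender shows directly whether the two differ in user, security level or engine ID.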

@andreas-doehler
The strange thing is, that SNMPv2 Traps can be received from the router.

@thl-cmk
Thanks for the Hint, I will check via tcpdump tomorrow…
