SNMPv3 check on Cisco 9200 switch

JoeDrake · September 11, 2020, 12:30pm

Hi folks,

Trying to add a test switch into check_mk.
It’s a Cisco C9200-48P, with IOS XE 16.11.01.

Have set up the following on the switch so far, with help from this guide:

(config)#ip access-list standard SNMP-ACL
permit IP_OF_CHECK_MK_INSTANCE

(config)#snmp-server view v3view interfaces included
(config)#snmp-server view v3view internet included
(config)#snmp-server view v3view chassis included
(config)#snmp-server view v3view system included
(config)#snmp-server view v3view mib-2 included
(config)#snmp-server group GROUP_NAME v3 priv read v3view access SNMP-ACL
(config)#snmp-server user USER_NAME GROUP_NAME v3 auth sha PASSWORD1 priv aes 128 PASSWORD2
(config)#snmp-server host IP_OF_CHECK_MK_INSTANCE version 3 priv USER_NAME
(config)#snmp-server engineID remote IP_OF_CHECK_MK_INSTANCE {engine ID returned by command “sh snmp engineID”}

In WATO this switch is defined with DNS name, IP, “No agent”, SNMPv2 or v3 chosen and the following SNMP credential options:

Security level: authentication and encryption
Authentication protocol: SHA-1 (SHA-96) (had to try every option, can’t find anywhere an agreed setting for Cisco switches)
security name: the username defined on the switch config
Auth password, privacy pass phrase: PASSWORD1 and PASSWORD2 defined on the switch config
Privacy protocol: AES-128

Now, ICMP and SNMP are allowed on the firewalls between the check_mk instance and the switch’s management interface.
Ping checks work fine.

But the service checks return the following error:

CRIT - no unmonitored services found, no vanished services found, no new host labels, [snmp] Cannot fetch system description OID .1.3.6.1.2.1.1.1.0. Please check your SNMP configuration. Possible reason might be: Wrong credentials, wrong SNMP version, Firewall rules, etc.

In this host’s diagnostic page, SNMPv3 section, I get the following:
SNMP Error on {switch DNS name} while walking .1.3.6.1.2.1.1.1. Normally this is caused by a device sending invalid SNMP responses (Details: Unknown user name (0/-33)).

From here, I have no clue what to do next.

Any ideas?

andreas-doehler · September 11, 2020, 1:56pm

If you use the raw edition you can go to the command line.
As site user da a “cmk --debug -vvI hostname” and you will see the snmp command used by check_mk to connect to your switch.
With this command you can manually test if it is possible to reach the switch.
One thing what i don’t touch on the monitored devices is the enginID as i don’t know if there is any setting to change this. I had no problem with this over the last years.

JoeDrake · September 14, 2020, 8:07am

Thanks for the suggestion!

Forgot to mention the check_mk edition used is the enterprise one.
Will try “cmk --debug -vvI hostname” as soon as SSH access is possible. Hope it works with this edition Wish CLI commands worked from the VM console as well and from the web interface (as an example, pfSense’s Diagnostics->[Command Prompt]), but it’s no biggie.

JoeDrake · April 19, 2021, 9:20am

Ok, just for reference, the following config (anonymised) worked for me, switches being now on IOS-XE 16.12.4:

snmp-server group {group name here} v3 priv read {SNMP view name here}
snmp-server view {SNMP view name here} mib-2 included
snmp-server view {SNMP view name here} cisco included
snmp-server user {user name here} {group name here} v3 auth sha {auth passphrase here} priv aes 128 {privacy passphrase here}

Would love to see these in the docs as well, to ease other people’s pain over this topic.

rwalters · February 14, 2022, 10:55pm

Can you tell me what are the options you selected in checkmk along with this cisco config?

system · February 14, 2023, 10:55pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.