SNMPv3 check on Cisco 9200 switch

Hi folks,

Trying to add a test switch into check_mk.
It’s a Cisco C9200-48P, with IOS XE 16.11.01.

Have set up the following on the switch so far, with help from this guide:

(config)#ip access-list standard SNMP-ACL

(config)#snmp-server view v3view interfaces included
(config)#snmp-server view v3view internet included
(config)#snmp-server view v3view chassis included
(config)#snmp-server view v3view system included
(config)#snmp-server view v3view mib-2 included
(config)#snmp-server group GROUP_NAME v3 priv read v3view access SNMP-ACL
(config)#snmp-server user USER_NAME GROUP_NAME v3 auth sha PASSWORD1 priv aes 128 PASSWORD2
(config)#snmp-server host IP_OF_CHECK_MK_INSTANCE version 3 priv USER_NAME
(config)#snmp-server engineID remote IP_OF_CHECK_MK_INSTANCE {engine ID returned by command “sh snmp engineID”}

In WATO this switch is defined with DNS name, IP, “No agent”, SNMPv2 or v3 chosen and the following SNMP credential options:

  • Security level: authentication and encryption
  • Authentication protocol: SHA-1 (SHA-96) (had to try every option, can’t find anywhere an agreed setting for Cisco switches)
  • security name: the username defined on the switch config
  • Auth password, privacy pass phrase: PASSWORD1 and PASSWORD2 defined on the switch config
  • Privacy protocol: AES-128

Now, ICMP and SNMP are allowed on the firewalls between the check_mk instance and the switch’s management interface.
Ping checks work fine.

But the service checks return the following error:

CRIT - no unmonitored services found, no vanished services found, no new host labels, [snmp] Cannot fetch system description OID . Please check your SNMP configuration. Possible reason might be: Wrong credentials, wrong SNMP version, Firewall rules, etc.

In this host’s diagnostic page, SNMPv3 section, I get the following:
SNMP Error on {switch DNS name} while walking . Normally this is caused by a device sending invalid SNMP responses (Details: Unknown user name (0/-33)).

From here, I have no clue what to do next.

Any ideas?

If you use the raw edition you can go to the command line.
As site user da a “cmk --debug -vvI hostname” and you will see the snmp command used by check_mk to connect to your switch.
With this command you can manually test if it is possible to reach the switch.
One thing what i don’t touch on the monitored devices is the enginID as i don’t know if there is any setting to change this. I had no problem with this over the last years.

Thanks for the suggestion!

Forgot to mention the check_mk edition used is the enterprise one.
Will try “cmk --debug -vvI hostname” as soon as SSH access is possible. Hope it works with this edition Wish CLI commands worked from the VM console as well and from the web interface (as an example, pfSense’s Diagnostics->[Command Prompt]), but it’s no biggie.