Bug report
When sending messages to an HP1910 switch, Telegraf sends an unencrypted get-request when using the config below. Other HP switches send an encryptedPDU as expected. The problem occurs for over 20 HP1910s of varying firmware.
All switches are using the config below.
If the normal Net-SNMP is used to query these switches directly, instead of through Telegraf, information is encrypted and sent successfully.
Other switches which work include: HP 2650s, 2620, 5406zl.
Relevant telegraf.conf:
Note: passwords aren't the real ones!
#Normal SNMPv3 AuthPriv SHA+AES
[[inputs.snmp]]
agents = ["192.168.0.5" , "192.168.0.6"]
version = 3
auth_protocol = "sha"
auth_password = "APasswordofsomeform"
sec_level = "authPriv"
priv_protocol = "AES"
priv_password = "APrivacyPassword"
sec_name = "User"
# Timeout for each SNMP query.
max_repetitions = 10
timeout = "5s"
# Number of retries to attempt within timeout.
retries = 1
name = "SwitchesSNMPv3"
#Core info
[[inputs.snmp.field]]
name = "uptime"
oid = "1.3.6.1.2.1.1.3.0"
[[inputs.snmp.field]]
name = "sysLocation"
oid = "RFC1213-MIB::sysLocation.0"
[[inputs.snmp.field]]
name = "hostname"
oid = "RFC1213-MIB::sysName.0"
is_tag = true
[[inputs.snmp.table]]
name = "SwitchesV3"
inherit_tags = [ "hostname" ]
oid = "IF-MIB::ifXTable"
[[inputs.snmp.table.field]]
name = "ifName"
oid = "IF-MIB::ifName"
is_tag = true
[[inputs.snmp.table.field]]
name = "ifAlias"
oid = "IF-MIB::ifAlias"
is_tag = true
#Switch health
[[inputs.snmp.table]]
name = "SwitchHealth"
inherit_tags = [ "hostname" ]
oid = "HP-ICF-CHASSIS::hpicfSensorTable"
[[inputs.snmp.table.field]]
name = "SensorDescription"
oid = "HP-ICF-CHASSIS::hpicfSensorDescr"
is_tag = true
System info:
Telegraf: 1.5.0-1
OS: Ubuntu 16.04.3
Steps to reproduce:
1. Run the above config against an HP1910 and a normal switch.
2. Wireshark the connection between the devices.
3. Compare the difference in messages sent between Telegraf and the 1910 vs Telegraf and another switch.
Expected behavior:
Telegraf should send an encrypted SNMP packet to the switch. Switch should respond with an encrypted packet.
Actual behavior:
Telegraf sends an unencrypted get-request. The switch responds with an unknown engine ID message (1.3.6.1.6.3.15.1.1.4.0).
The packets sent to other switches include the engine ID of the destination switch, whereas the packet sent to the HP1910s includes very little information.
Telegraf log shows: Error in plugin [inputs.snmp]: agent 192.168.0.5: gathering table SwitchHealth: performing bulk walk for field SensorDescription: Incoming packet is not authentic, discarding
Additional info:
If needed, I can upload additional example Wireshark samples.
I have tried manually configuring the context ID in the config, but the same problem occurs.
If I use SNMPv3 noAuthNoPriv it works.
Example request to HP1910 (IPs altered):
Frame 20468: 106 bytes on wire (848 bits), 106 bytes captured (848 bits) on interface 0
Ethernet II, Src: Microsof_8a:a7:03 (00:15:5d:8a:a7:03), Dst: Procurve_bc:22:00 (c0:91:34:bc:22:00)
Internet Protocol Version 4, Src: 192.168.0.4, Dst: 192.168.0.5
User Datagram Protocol, Src Port: 44488, Dst Port: 161
Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 925242291
msgMaxSize: 65535
msgFlags: 04
.... .1.. = Reportable: Set
.... ..0. = Encrypted: Not set
.... ...0 = Authenticated: Not set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID:
msgAuthoritativeEngineBoots: 0
msgAuthoritativeEngineTime: 0
msgUserName:
msgAuthenticationParameters:
msgPrivacyParameters:
msgData: plaintext (0)
plaintext
contextEngineID:
contextName:
data: get-request (0)
get-request
request-id: -779502815
error-status: noError (0)
error-index: 0
variable-bindings: 0 items
Example request to normal switch (Real Username & IP altered):
Frame 20480: 187 bytes on wire (1496 bits), 187 bytes captured (1496 bits) on interface 0
Ethernet II, Src: Microsof_8a:a7:03 (00:15:5d:8a:a7:03), Dst: Procurve_bc:22:00 (c0:91:34:bc:22:00)
Internet Protocol Version 4, Src: 192.168.0.4, Dst: 192.168.0.6
User Datagram Protocol, Src Port: 44488, Dst Port: 161
Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 925242292
msgMaxSize: 65535
msgFlags: 07
.... .1.. = Reportable: Set
.... ..1. = Encrypted: Set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 0000000b00009c8e99ac4640
0... .... = Engine ID Conformance: RFC1910 (Non-SNMPv3)
Engine Enterprise ID: Hewlett-Packard (11)
AgentID Trailer: 00009c8e99ac4640
msgAuthoritativeEngineBoots: 115
msgAuthoritativeEngineTime: 3628073
msgUserName: USER
msgAuthenticationParameters: 56094d2be7a5329728959170
msgPrivacyParameters: 00000073ab509c5b
msgData: encryptedPDU (1)
encryptedPDU:
Example Request to 1910 when using Net-SNMP Directly:
Frame 927: 180 bytes on wire (1440 bits), 180 bytes captured (1440 bits) on interface 0
Ethernet II, Src: Microsof_8a:a7:03 (00:15:5d:8a:a7:03), Dst: HewlettP_ac:9d:3e (d0:7e:28:ac:9d:3e)
Internet Protocol Version 4, Src: 192.168.0.4, Dst: 192.168.0.5
User Datagram Protocol, Src Port: 52201, Dst Port: 161
Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 1275595075
msgMaxSize: 65507
msgFlags: 07
.... .1.. = Reportable: Set
.... ..1. = Encrypted: Set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 8000000b03d07e28ac9d3e
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: Hewlett-Packard (11)
Engine ID Format: MAC address (3)
Engine ID Data: MAC address: HewlettP_ac:9d:3e (d0:7e:28:ac:9d:3e)
msgAuthoritativeEngineBoots: 1
msgAuthoritativeEngineTime: 68143
msgUserName: USER
msgAuthenticationParameters: 83dfadfa79829a23c4285e30
msgPrivacyParameters: 157ca7701f013b2d
msgData: encryptedPDU (1)
encryptedPDU:
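Added example, not part of the original report or of Telegraf's code: a Python classifier over the header fields Wireshark shows in the three captures above. It separates the RFC 3414 engine-ID discovery probe (noAuthNoPriv, empty engine ID and user name, no variable bindings, answered with a report such as 1.3.6.1.6.3.15.1.1.4.0) from a real request sent below the configured security level, and decodes both engine ID layouts seen in the captures. Function names and the last sample row are constructed for illustration.

```python
# Added example: triage SNMPv3/USM header fields as dissected by Wireshark.
REPORTABLE, PRIV, AUTH = 0x04, 0x02, 0x01   # msgFlags bits

def sec_level(msg_flags):
    """Map msgFlags to a security level; priv without auth is not a valid combination."""
    auth, priv = bool(msg_flags & AUTH), bool(msg_flags & PRIV)
    if priv and not auth:
        return "invalid"
    return "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv"

def parse_engine_id(hex_id):
    """Decode msgAuthoritativeEngineID (RFC 3411 SnmpEngineID or the older RFC 1910 layout)."""
    raw = bytes.fromhex(hex_id)
    if len(raw) < 5:
        return {"conformance": "empty" if not raw else "malformed"}
    enterprise = int.from_bytes(raw[:4], "big")
    if not enterprise & 0x80000000:          # top bit clear: RFC 1910 style
        return {"conformance": "RFC1910", "enterprise": enterprise,
                "agent_id": raw[4:].hex()}
    info = {"conformance": "RFC3411", "enterprise": enterprise & 0x7FFFFFFF,
            "format": raw[4]}
    if raw[4] == 3 and len(raw) == 11:       # format 3: MAC address
        info["mac"] = ":".join(f"{b:02x}" for b in raw[5:])
    return info

def classify(msg_flags, engine_id, user, varbinds, required="authPriv"):
    """Return a verdict for one request; varbinds is None when the PDU is encrypted."""
    level = sec_level(msg_flags)
    if level == "invalid":
        return "invalid-flags"
    if level == "noAuthNoPriv" and not engine_id and not user and varbinds == 0:
        return "discovery-probe"             # carries no user name, OIDs or data
    if level != required:
        return "below-required-level"        # real request weaker than configured
    return f"{required}-request"

if __name__ == "__main__":
    samples = [  # first three rows: values from the captures above
        ("telegraf -> 1910", 0x04, "", "", 0),
        ("telegraf -> other switch", 0x07, "0000000b00009c8e99ac4640", "USER", None),
        ("net-snmp -> 1910", 0x07, "8000000b03d07e28ac9d3e", "USER", None),
        ("constructed plaintext GET", 0x04, "8000000b03d07e28ac9d3e", "USER", 1),
    ]
    for label, flags, eid, user, vbs in samples:
        print(f"{label:28} {classify(flags, eid, user, vbs):22} {parse_engine_id(eid)}")
```
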