runZero supports the standard SNMPv3 authentication and privacy protocols from RFC 3414:
- For authentication: HMAC-MD5-96 (
md5
) or HMAC-SHA-96 (sha
). - For privacy: CBC-DES (
des
).
In addition, AES128 privacy (aes
) is supported as per RFC 3826.
In SNMPv3, authentication and privacy (encryption) can require two different passwords, as well as a login ID. Your network devices may be configured in one of three modes:
noAuthNoPriv
- no authentication, no privacyauthNoPriv
- authentication, but no privacyauthPriv
- authentication and privacy
Usually both authentication and privacy are required for access to sensitive information such as serial numbers.
Here are a few things to check first:
- Are the SNMPv3 credentials enabled on the scan task credentials tab?
- If there are assets you expect to see SNMP data for but you don't, are their IP addresses in the subnet CIDR allow list for the SNMP credentials?
- Do assets show up if you search for
port:161
orprotocol:snmp
? That is, are they responding to SNMP at all?
If you sometimes see SNMP data but not always, it's possible that your network is over capacity. SNMP is a UDP protocol, meaning if the network is overloaded, the traffic may be dropped. Reducing scan speed may help, particularly if the limit is on the Explorer's main network link.
If SNMPv3 authentication is attempted, you will see an SNMP engine ID recorded in the asset. The engine ID is usually a long string of hex digits, and is used to calculate access keys. If authentication fails, you will also see an error reported in the asset. For example, here’s a failed authentication attempt:
snmp.engineID.raw 88801f88803c183b0abba0665999000000
snmp.failedAuth wrong digest
An error such as request timeout (after 1 retries)
likely indicates that authentication succeeded, but the encrypted data channel could not be set up – meaning you may have the wrong privacy password.
To debug SNMPv3 and check the passwords you have been given, you can use the command-line utilities from the net-snmp open source project. It is available on macOS, and available packaged for most Linux distributions as well as for Windows. For Windows, there are free GUI SNMP testers available.
The snmpwalk
utility will connect to an IP address and dump all the information it can retrieve. Here is an example of how to use it to connect in authPriv
mode, with both authentication and privacy passwords:
snmpwalk -v3 -l authPriv -a SHA -A authentication-password -x AES -X privacy-password -u username 10.0.1.23
The -a
/-A
options specify authentication, the -x
/-X
options specify encryption (privacy). -u
lets you specify the username for authentication. These are the same parameters runZero requests when setting up a new scan task.
For an unauthenticated SNMP query:
snmpwalk -v1 -c public 10.170.128.100
It’s common for network firewalls to block SNMP traffic, so for best results check with snmpwalk
on the machine where you have deployed the runZero Explorer.
Note that SNMPv3 on Cisco Catalyst will not let you pull the bridge port information that we need unless you specifically enable per-VLAN access.
SNMP v3 access to VLAN ARP/FDB tables requires this access rule:
Newer IOS: snmp-server group YourGroupName v3 auth context vlan- match prefix
Older IOS: snmp-server group YourGroupName v3 auth context vlan-1
(repeated for every vlan)
This article discusses it:
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article