#1055 Proxying and VACM

proxy-override-etc
open
nobody
agent (1103)
5
2013-01-25
2004-04-06
Peter Eckel
No

Hello,

I compiled Net-SNMP 5.1.1 on Solaris. Recently, I set up a proxy
connection to an SNMPv3-capable router in order to be able to
monitor it from a local management station.

There seems to be a weird behaviour when one uses limited views in
combination with proxies. The relevant parts of the configuration are
the following:

view monitorView included .1.3.6.1.2.1.2.2.1
view monitorView excluded .1.3.6.1.2.1.2.2.1.0.1 FF.BF

group manager usm manager

access manager testctx any noauth exact monitorView none none

proxy -C n testctx -v 3 -l authNoPriv -u v3user -a md5 -A testtest 192.168.40.250 .1

The local and remote usm users are set up accordingly.

Now, when I query the remote agent through the proxy, everything
looks OK at first glance:

$ snmpwalk -On -ntestctx -v3 -umanager -lnoAuthNoPriv localhost .1.3.6.1.2.1.2.2
.1.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2
.1.3.6.1.2.1.2.2.1.1.3 = INTEGER: 3
.1.3.6.1.2.1.2.2.1.1.4 = INTEGER: 4
.1.3.6.1.2.1.2.2.1.1.5 = INTEGER: 5
.1.3.6.1.2.1.2.2.1.1.6 = INTEGER: 6
.1.3.6.1.2.1.2.2.1.1.7 = INTEGER: 7
.1.3.6.1.2.1.2.2.1.1.8 = INTEGER: 8
.1.3.6.1.2.1.2.2.1.1.9 = INTEGER: 9
.1.3.6.1.2.1.2.2.1.1.10 = INTEGER: 10
.1.3.6.1.2.1.2.2.1.1.13 = INTEGER: 13
.1.3.6.1.2.1.2.2.1.1.14 = INTEGER: 14
[...]
.1.3.6.1.2.1.2.2.1.20.14 = Counter32: 0
.1.3.6.1.2.1.2.2.1.20.15 = Counter32: 0
.1.3.6.1.2.1.2.2.1.21.2 = Gauge32: 0
.1.3.6.1.2.1.2.2.1.21.3 = Gauge32: 0
.1.3.6.1.2.1.2.2.1.21.13 = Gauge32: 0
.1.3.6.1.2.1.2.2.1.21.14 = Gauge32: 0
.1.3.6.1.2.1.2.2.1.21.15 = Gauge32: 0
.1.3.6.1.2.1.2.2.1.22.2 = OID: .0.0
.1.3.6.1.2.1.2.2.1.22.3 = OID: .0.0
.1.3.6.1.2.1.2.2.1.22.13 = OID: .0.0
.1.3.6.1.2.1.2.2.1.22.14 = OID: .0.0
.1.3.6.1.2.1.2.2.1.22.15 = OID: .0.0
Timeout: No Response from localhost

BUT:

1. The query ends with a timeout instead of "end of MIB view"
2. (worse) the proxy in fact does not stop querying the remote host
until it receives an "end of MIB view" itself, but continues issuing
getnext PDUs.

The problem can be circumvented by either

- changing the base OID for the proxy to .1.3.6.1.2.1.2.2

or

- changing the MIB view to an unlimited all (.1).

The proxy should IMHO notice when the OID returned by the
remote agent is out of scope for the proxy's MIB view and return an
"end of MIB view" in this case, stopping the queries to the remote
agent.
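
Added example, not part of the original report and not Net-SNMP's code: a Python model of the check proposed above, using the monitorView entries from the report and view-family matching as defined for VACM in RFC 3415. All function names and the remote OID list are hypothetical and constructed for illustration; excluded rows inside the view are skipped, and the proxy answers "end of MIB view" as soon as the remote agent returns an OID that sorts past every included subtree.

```python
import bisect

def parse_oid(text):
    return tuple(int(p) for p in text.strip(".").split("."))

def mask_bit(mask, i):
    # Bit i, most significant first; positions past the mask count as 1.
    return 1 if i // 8 >= len(mask) else (mask[i // 8] >> (7 - i % 8)) & 1

def family_matches(oid, subtree, mask):
    # A 0 bit in the mask makes that sub-identifier a wildcard.
    return len(oid) >= len(subtree) and all(
        mask_bit(mask, i) == 0 or oid[i] == s for i, s in enumerate(subtree))

def in_view(oid, view):
    # The matching family with the longest subtree decides included/excluded.
    hits = [(len(s), s, inc) for s, m, inc in view if family_matches(oid, s, m)]
    return bool(hits) and max(hits)[2]

def past_view(oid, view):
    # True once oid sorts after the fixed (pre-wildcard) prefix of every
    # included family: nothing the remote returns later can be in the view.
    for s, m, inc in view:
        n = next((i for i in range(len(s)) if not mask_bit(m, i)), len(s))
        if inc and not oid[:n] > s[:n]:
            return False
    return True

def proxy_getnext(oid, view, remote_getnext):
    # Returns (oid, remote_queries); oid None stands for endOfMibView.
    queries = 0
    while True:
        oid, queries = remote_getnext(oid), queries + 1
        if oid is None or past_view(oid, view):
            return None, queries
        if in_view(oid, view):
            return oid, queries

# The monitorView from the report: ifEntry included, ifIndex 1 masked out.
VIEW = [(parse_oid(".1.3.6.1.2.1.2.2.1"), b"", True),
        (parse_oid(".1.3.6.1.2.1.2.2.1.0.1"), bytes.fromhex("ffbf"), False)]

# Constructed stand-in for the remote agent's MIB (not data from the report).
REMOTE = sorted(parse_oid(o) for o in (
    ".1.3.6.1.2.1.1.1.0 .1.3.6.1.2.1.2.1.0 .1.3.6.1.2.1.2.2.1.1.1 "
    ".1.3.6.1.2.1.2.2.1.1.2 .1.3.6.1.2.1.2.2.1.22.1 .1.3.6.1.2.1.2.2.1.22.2 "
    ".1.3.6.1.2.1.4.1.0 .1.3.6.1.2.1.4.2.0 .1.3.6.1.6.3.1.1.6.1.0").split())

def remote_getnext(oid):
    i = bisect.bisect_right(REMOTE, oid)
    return REMOTE[i] if i < len(REMOTE) else None
```

With this sample data, a GETNEXT from the last visible ifTable entry costs one remote query and yields "end of MIB view", instead of walking the rest of the remote agent's OIDs.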

Discussion

  • schbach
    2005-08-01

    Hello,

    I have a somewhat similar problem.
    The possible problem is the OID in the proxy configuration.
    Use .1.3 instead of .1

    - In the documentation of snmpd.conf, .1.3 is used
    - In a BER-coded OID, the min. length of an OID is 2 or NULL.