#2947 RECV security service 3 error parsing ScopedPDU on net-snmp 5.8 when using AES
net-snmp 5.8 vs net-snmp 5.7.2
both compile and built successfully.
but got different on GET (test on sysUpTime .1.3.6.1.2.1.1.3.0)
net-snmp 5.7.2 : tested OK with AES
net-snmp 5.8 : failed, error msg "security service 3 error parsing ScopedPDU"
here's my config:
./configure \ --host=arm-linux \ --with-install-prefix="/net-snmp/build/" \ --enable-mfd-rewrites \ --enable-shared \ --with-endianness=little \ --with-logfile="/www/snmpd.log" \ --with-default-snmp-version="3" \ --enable-mini-agent \ --enable-applications \ --disable-manuals \ --disable-scripts \ --without-libwrap \ --without-rpm \ --without-zlib \ --with-perl-modules=no \ --disable-embedded-perl \ --with-cc=$CC \ --with-ar=$AR \ --disable-ipv6 \ --disable-perl-cc-checks \ --with-openssl=internal \ --with-mibdirs="/usr/share/snmp/mibs" \ --with-mib-modules="testmibs" \ --with-persistent-directory="/var/net-snmp" \ --with-libs="/lib/libsqlite3.so" \ --with-sys-contact="hellotesting@more.more" \ --with-sys-location="Galaxy"
=====================================
and here's my snmpd.conf :
rwuser usm_user1234
createUser usm_user1234 MD5 "00000000" AES "00000000"
rwuser usm_user2 noauth
createUser usm_user2
psyslocation Galaxy
psyscontact hellotesting@more.more
==========================================
and here's the log on processing GET
netsnmp_udp: recvfrom fd 5 got 139 bytes (from UDP: [192.168.1.234]:53271->[192.168.1.44]:161)
transport:recv: 139 bytes from UDP: [192.168.1.234]:53271->[192.168.1.44]:161
trace: _sess_process_packet_parse_pdu(): snmp_api.c, 5536:
sess_process_packet: session 0x647a0 fd 5 pkt 0x655f0 length 139
Received SNMP packet(s) from UDP: [192.168.1.234]:53271->[192.168.1.44]:161
trace: snmp_parse_version(): snmp_api.c, 3657:
dumph_recv: SNMP Version
dumpx_recv: 02 01 03
dumpv_recv: Integer: 3 (0x03)
trace: snmpv3_parse(): snmp_api.c, 3698:
dumph_recv: SNMPv3 Message
trace: snmpv3_parse(): snmp_api.c, 3713:
dumph_recv: SNMP Version Number
dumpx_recv: 02 01 03
dumpv_recv: Integer: 3 (0x03)
trace: snmpv3_parse(): snmp_api.c, 3729:
dumph_recv: msgGlobalData
trace: snmpv3_parse(): snmp_api.c, 3746:
dumph_recv: msgID
dumpx_recv: 02 04 7C 4F D5 0A
dumpv_recv: Integer: 2085606666 (0x7C4FD50A)
trace: snmpv3_parse(): snmp_api.c, 3778:
dumph_recv:msgMaxSize: msgMaxSize
dumpx_recv: 02 03 00 80 00
dumpv_recv: Integer: 32768 (0x8000)
trace: snmpv3_parse(): snmp_api.c, 3811:
snmpv3_parse:msgMaxSize: msgMaxSize 32768 received
trace: snmpv3_parse(): snmp_api.c, 3824:
dumph_recv: msgFlags
dumpx_recv: 04 01 07
dumpv_recv: String: .
trace: snmpv3_parse(): snmp_api.c, 3842:
dumph_recv: msgSecurityModel
dumpx_recv: 02 01 03
dumpv_recv: Integer: 3 (0x03)
trace: snmpv3_parse(): snmp_api.c, 3916:
dumph_recv: SM msgSecurityParameters
trace: usm_process_in_msg(): snmpusm.c, 2455:
usm: USM processing begun...
trace: usm_parse_security_parameters(): snmpusm.c, 2025:
dumph_recv: msgAuthoritativeEngineID
dumpx_recv: 04 0D 80 00 1F 88 80 D5 94 FB 3A 7D 17 09 5D
dumpv_recv: String: ........:}. ]
trace: usm_parse_security_parameters(): snmpusm.c, 2048:
dumph_recv: msgAuthoritativeEngineBoots
dumpx_recv: 02 01 08
dumpv_recv: Integer: 8 (0x08)
trace: usm_parse_security_parameters(): snmpusm.c, 2072:
dumph_recv: msgAuthoritativeEngineTime
dumpx_recv: 02 01 3B
dumpv_recv: Integer: 59 (0x3B)
trace: usm_parse_security_parameters(): snmpusm.c, 2100:
dumph_recv: msgUserName
dumpx_recv: 04 0C 75 73 6D 5F 75 73 65 72 31 32 33 34
dumpv_recv: String: usm_user1234
trace: usm_parse_security_parameters(): snmpusm.c, 2143:
dumph_recv: msgAuthenticationParameters
dumpx_recv: 04 0C 4F 53 AD C4 48 61 94 F5 98 EA DF A2
dumpv_recv: String: OS..Ha......
trace: usm_parse_security_parameters(): snmpusm.c, 2172:
dumph_recv: msgPrivacyParameters
dumpx_recv: 04 08 30 AB B3 D2 E1 85 4B 3C
dumpv_recv: String: 0.....K<
trace: sc_hash(): scapi.c, 885:
trace: sc_get_authtype(): scapi.c, 338:
trace: sc_find_auth_alg_byoid(): scapi.c, 266:
trace: sc_hash_type(): scapi.c, 938:
trace: sc_get_proper_auth_length_bytype(): scapi.c, 395:
trace: sc_find_auth_alg_bytype(): scapi.c, 313:
trace: get_enginetime(): lcd_time.c, 156:
lcd_get_enginetime: engineID 80 00 1F 88 80 D5 94 FB 3A 7D 17 09 5D : boots=8, time=59
trace: usm_get_user_from_list(): snmpusm.c, 3706:
usm: match on user usm_user1234
trace: usm_check_secLevel(): snmpusm.c, 3583:
comparex: Comparing: 1 3 SNMP-USER-BASED-SM-MIB::usmNoPrivProtocol
trace: sc_check_keyed_hash(): scapi.c, 1080:
trace: sc_get_authtype(): scapi.c, 338:
trace: sc_find_auth_alg_byoid(): scapi.c, 266:
trace: sc_get_auth_maclen(): scapi.c, 374:
trace: sc_find_auth_alg_bytype(): scapi.c, 313:
trace: sc_generate_keyed_hash(): scapi.c, 741:
trace: sc_get_authtype(): scapi.c, 338:
trace: sc_find_auth_alg_byoid(): scapi.c, 266:
trace: sc_get_auth_maclen(): scapi.c, 374:
trace: sc_find_auth_alg_bytype(): scapi.c, 313:
trace: MD5_hmac(): scapi.c, 1663:
trace: usm_process_in_msg(): snmpusm.c, 2612:
usm: Verification succeeded.
trace: sc_get_privtype(): scapi.c, 352:
trace: sc_get_priv_alg_byoid(): scapi.c, 215:
trace: sc_decrypt(): scapi.c, 1467:
trace: sc_get_priv_alg_byoid(): scapi.c, 215:
trace: usm_process_in_msg(): snmpusm.c, 2799:
usm: USM processing completed.
trace: snmpv3_parse(): snmp_api.c, 3970:
dumph_recv: ScopedPDU
security service 3 error parsing ScopedPDU
trace: _snmp_parse(): snmp_api.c, 4351:
snmp_parse: Parsed SNMPv3 message (secName:usm_user1234, secLevel:authPriv): ASN.1 parse error in message
trace: _sess_process_packet_parse_pdu(): snmp_api.c, 5619:
sess_process_packet: received message id#2085606666 reqid#0 len 139
trace: _sess_process_packet_parse_pdu(): snmp_api.c, 5622:
sess_process_packet: parse fail
trace: _sess_process_packet_parse_pdu(): snmp_api.c, 5627:
sess_process_packet: post-parse fail
trace: _sess_read(): snmp_api.c, 6100:
sess_read: not reading 3 (fdset 0xbeeabbb4 set 0)
trace: snmp_sess_select_info2_flags(): snmp_api.c, 6537:
sess_select: for all sessions: 5 3
sess_select: blocking:no session requests or alarms.
trace: receive(): snmpd.c, 1299:
snmpd/select: select( numfds=6, ..., tvp=(nil))
==============================================
What I am missing?
I have the same problem with net-snmp version 5.8.1.pre2 (on CentOS 8, compiled and installed from Github). When I create a user with a DES privacy pass phrase (
/usr/local/bin/net-snmp-create-v3-user -ro -A myAuthPass -X myPrivPass -a SHA -x DES myUser), it works. If I use AES instead of DES (/usr/local/bin/net-snmp-create-v3-user -ro -A myAuthPass -X myPrivPass -a SHA -x AES myUser), I have the same error: "security service 3 error parsing ScopedPDU".Anyone ever solve this?
Having the same problem on CentOS8, packages available out of the box. In my case no protocols work at all (AES, AES256, SHA, SHA256).
CentOS7 works fine.
Net-SNMP v5.8 is no longer supported. Please retest with Net-SNMP v5.9.
Retested with net-snmp v5.9, got the same thing:
Is SNMPv3 known to work at all on Redhat derivatives?
I am facing the same issue with net-snmp version 5.9.1, Is there any workaround available for this?