
snmp: trap target broken with SNMPv3
Closed, Resolved | Public | BUG

Description

From forums:

I’ve been working on getting v3 trap targets with VyOS and discovered that the /etc/snmp/snmpd.conf file that gets generated is busted for v3 trap-targets. I tried to file a bug, but wasn’t able to, so I’m putting this here so maybe someone can see it.

On my trap target I created a /etc/snmp/snmptrapd.conf file with the following contents:

snmpTrapdAddr :163
doNotLogTraps no
doNotFork yes

# v3 config
createUser -e 0000000000000002 snmpv3user SHA vyos12345678 AES vyos12345678
authUser log snmpv3user
disableAuthorization yes

I then spun up snmptrapd on the trap target:

snmptrapd -Lf /var/log/snmptrapd.log -c /etc/snmp/snmptrapd.conf

I then monitored the /var/log/snmptrapd.log file:

tail -f /var/log/snmptrapd.log

And watched for inbound UDP traffic:

tcpdump -vv -A -T snmp -s 0 "dst port 163"

You can test this from VyOS by invoking the following:

snmptrap -v 3 -e 0000000000000002 -u snmpv3user -l authPriv -a SHA -A vyos12345678 -x AES -X vyos12345678 10.3.29.93:163 '' .1.3.6.1.4.1.5089.1.0.1 .1.3.6.1.4.1.5089.2.0.999 s "123456"

For my VyOS config I did the following:

set service snmp v3 engineid '0000000000000002'
set service snmp v3 group default mode 'ro'
set service snmp v3 group default view 'default'
set service snmp v3 trap-target 10.3.29.93 auth plaintext-password 'vyos12345678'
set service snmp v3 trap-target 10.3.29.93 auth type 'sha'
set service snmp v3 trap-target 10.3.29.93 port '163'
set service snmp v3 trap-target 10.3.29.93 privacy plaintext-password 'vyos12345678'
set service snmp v3 trap-target 10.3.29.93 privacy type 'aes'
set service snmp v3 trap-target 10.3.29.93 type 'trap'
set service snmp v3 trap-target 10.3.29.93 user 'snmpv3user'
set service snmp v3 view default oid 1

First thing you’ll notice is that there are no SNMP messages that make their way to the trap host. If you examine /etc/snmp/snmpd.conf on VyOS you’ll see the following line:

trapsess -v 3  -e "0000000000000002" -u snmpv3user -a sha -A vyos12345678 -x aes -X vyos12345678 -l authPriv 10.3.29.93:udp:163

This is incorrect. To make this work you’ll need to change the auth and privacy types to upper case:

sha → SHA
aes → AES

and reorder the target host:

10.3.29.93:udp:163 → udp:10.3.29.93:163

The new line should look like the following:

trapsess -v 3  -e "0000000000000002" -u snmpv3user -a SHA -A vyos12345678 -x AES -X vyos12345678 -l authPriv udp:10.3.29.93:163

Now restart SNMP on VyOS:

restart snmp

You should see VyOS send SNMP messages to the trap target.

Hopefully this can help someone fix their issue.
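A shell helper, added here as an example and not taken from the forum post or from VyOS, that applies the two corrections the post describes to a generated trapsess line (upper-casing the -a/-x protocol names and moving the transport in front of the host) so the workaround can be scripted and diffed instead of edited by hand. It assumes those two defects are the only ones, that the target host contains no ':' (an IPv4 address or hostname), and the sample line it runs on is the one quoted from the post. The function names fix_trapsess and fix_snmpd_conf are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post and not VyOS code.
# fix_trapsess rewrites one net-snmp "trapsess" line the way the post
# describes: protocol names given to -a/-x become upper case, and a target
# written as host:transport:port becomes transport:host:port.
# Assumption: the host part contains no ':' (IPv4 address or hostname).

fix_trapsess() {
    # $1 is a single trapsess line; the corrected line is printed on stdout.
    # Each substitution requires whitespace around the protocol name, so
    # "-A"/"-X" (the passphrase options) and other tokens are left alone.
    printf '%s\n' "$1" | sed -E \
        -e 's/(-a[[:space:]]+)sha([[:space:]])/\1SHA\2/' \
        -e 's/(-a[[:space:]]+)md5([[:space:]])/\1MD5\2/' \
        -e 's/(-x[[:space:]]+)aes([[:space:]])/\1AES\2/' \
        -e 's/(-x[[:space:]]+)des([[:space:]])/\1DES\2/' \
        -e 's/([^[:space:]:]+):(udp6|tcp6|udp|tcp):([0-9]+)[[:space:]]*$/\2:\1:\3/'
}

# fix_snmpd_conf prints the whole file with every trapsess line corrected and
# every other line untouched, so the result can be diffed against the original
# before anything is written back to /etc/snmp/snmpd.conf.
fix_snmpd_conf() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "trapsess "*) fix_trapsess "$line" ;;
            *)            printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# Constructed sample: the line quoted from the post, as VyOS generated it.
BROKEN='trapsess -v 3  -e "0000000000000002" -u snmpv3user -a sha -A vyos12345678 -x aes -X vyos12345678 -l authPriv 10.3.29.93:udp:163'

# Usage on the router (back the file up first; VyOS regenerates it on commit):
#   fix_snmpd_conf /etc/snmp/snmpd.conf > /tmp/snmpd.conf.fixed
#   diff /etc/snmp/snmpd.conf /tmp/snmpd.conf.fixed
fix_trapsess "$BROKEN"
```

The rewrite is idempotent (an already-correct udp:host:port line is left alone), and it only touches lines that begin with trapsess, so community strings, views and other directives pass through unchanged. Because VyOS regenerates snmpd.conf from the configuration, the edited file is a diagnostic workaround that will be overwritten on the next commit.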

Details

Version
1.4.3
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)
Forum thread
https://forum.vyos.io/t/snmp-v3-trap-target-is-busted/17161