I have a Cisco and a monitoring server with Icinga (a.k.a. Nagios, Thruk). I want to receive traps from the Cisco and show them in Icinga. But I am unable to see the interface and vlan for the errdisable trap.

I have downloaded MIBs from Cisco, including CISCO-ERR-DISABLE-MIB.my. Then I converted it for snmptt with this command:

snmpttconvertmib --in=CISCO-ERR-DISABLE-MIB.my --out=snmptt.conf --exec='/bin/bash /usr/local/bin/trap/submit_check_result $r '"errdisable 2" -net_snmp_perl --format=4

which produced the following config (I replaced the absolute path to the MIB with ... and variable values with ...):

#
#
#
#
MIB: CISCO-ERR-DISABLE-MIB (file:/.../CISCO-ERR-DISABLE-MIB.my) converted on Wed Sep  8 16:49:53 2021 using snmpttconvertmib v1.4.2
#
#
#
EVENT cErrDisableInterfaceEvent .1.3.6.1.4.1.9.9.548.0.1.1 "Status Events" Normal
FORMAT cErrDisableInterfaceEvent - cErrDisableIfStatusCause:$1 
EXEC /bin/bash /usr/local/bin/trap/submit_check_result $r errdisable 2 "cErrDisableInterfaceEvent - cErrDisableIfStatusCause:$1 "
SDESC
The cErrDisableInterfaceEvent is generated when an interface
or {interface, vlan} is error-disabled by the feature
specified in cErrDisableIfStatusCause.
cErrDisableInterfaceEvent is deprecated and replaced by 
cErrDisableInterfaceEventRev1.
Variables:
  1: cErrDisableIfStatusCause
     Syntax="INTEGER"
       1: udld
       ...
       9: portSecurityViolation
     Descr="This object specifies the feature/event that caused the
        {interface, vlan} (or the entire interface) to be
        error-disabled."
EDESC
#
#
#
EVENT cErrDisableInterfaceEventRev1 .1.3.6.1.4.1.9.9.548.0.2 "Status Events" Normal
FORMAT cErrDisableInterfaceEventRev1 - cErrDisableIfStatusCause:$1 
EXEC /bin/bash /usr/local/bin/trap/submit_check_result $r errdisable 2 "$N - $+1 "
SDESC
The cErrDisableInterfaceEventRev1 is generated when an
interface or {interface, vlan} is error-disabled by the 
feature specified in cErrDisableIfStatusCause.
cErrDisableInterfaceEventRev1 deprecates 
cErrDisableInterfaceEvent to make it RFC 2578 compliant. 
According to section 8.5 of RFC 2578, the next
to last sub-identifier in the name of any newly-defined
notification must have the value zero.
Variables:
  1: cErrDisableIfStatusCause
     Syntax="INTEGER"
       1: udld
       ...
       9: portSecurityViolation
     Descr="This object specifies the feature/event that caused the
        {interface, vlan} (or the entire interface) to be
        error-disabled."
EDESC

There are two traps; I am interested only in cErrDisableInterfaceEventRev1, not in the deprecated cErrDisableInterfaceEvent.

This is my send-errdisable.sh which I use to generate a test errdisable event:

TO_HOST=icinga.example.com
community=abcabc

snmptrap -m ALL -v 2c -c $community $TO_HOST '' CISCO-ERR-DISABLE-MIB::cErrDisableInterfaceEventRev1 \
CISCO-ERR-DISABLE-MIB::cErrDisableIfStatusCause.2.0 i 1 \
2>/dev/null

Now when I generate an errdisable event, in the Icinga plugin output for the errdisable service I get the following text:
cErrDisableInterfaceEventRev1 - cErrDisableIfStatusCause:udld
but I expect the interface and vlan to be there, like this:
cErrDisableInterfaceEventRev1 - cErrDisableIfStatusCause.2.0:udld

Why is it not shown? And how do I fix that?

Ashark

1 Answer

I do not know exactly why it is not shown. I suspect it is something done wrong by the net_snmp_perl converter.

The OID event 1.3.6.1.4.1.9.9.548.1.3.1.1.2.2.0 of this case consists of two things: 1.3.6.1.4.1.9.9.548.1.3.1.1.2 and .2.0.

It seems net_snmp_perl omits the trailing part of the event OID (".2.0") after it resolved the first part of OID event (in this case it is resolved to cErrDisableIfStatusCause).

But I have found a solution for fixing it.

Following this article, I have found out what I could write in the EXEC line to replicate the original values.

Open the generated snmptt.conf and replace

EVENT cErrDisableInterfaceEventRev1 .1.3.6.1.4.1.9.9.548.0.2 "Status Events" Normal
FORMAT cErrDisableInterfaceEventRev1 - cErrDisableIfStatusCause:$1 
EXEC /bin/bash /usr/local/bin/trap/submit_check_result $r errdisable 2 "cErrDisableInterfaceEventRev1 - cErrDisableIfStatusCause:$1 "

with

EVENT cErrDisableInterfaceEventRev1 .1.3.6.1.4.1.9.9.548.0.2 "Status Events" Normal
FORMAT Looks unimportant what you write here
EXEC /bin/bash /usr/local/bin/trap/submit_check_result $r errdisable 2 "$N - $+1 "

"$N" is the event name from the config file, in this case "cErrDisableInterfaceEventRev1".
"$+1" is the first variable name and its value, in this case "cErrDisableIfStatusCause.2.0:udld".

So now a test trap is shown in Icinga like this:
cErrDisableInterfaceEventRev1 - cErrDisableIfStatusCause.2.0:udld

And that is what we wanted. Changing the .2.0 to, for example, .3.1 in send-errdisable.sh is now also shown correspondingly in Icinga.

Ashark
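
The "$N - $+1" text from the answer above can be split back into interface index, VLAN and cause before it is handed to Icinga; the following is an added example, not part of the original post or of snmptt. It validates strictly because the string is built from trap contents received over the network and passed to a command by the EXEC line. Assumptions: the function names are hypothetical, and the two trailing sub-identifiers are taken to be interface index then VLAN.

```shell
#!/bin/sh
# Added example, not from the post: parse the "$N - $+1" text produced by the
# fixed EXEC line. Function names are hypothetical.

# Succeeds only if $1 is a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
}

# Succeeds only if $1 is a non-empty string of letters and digits.
is_name() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
}

# parse_errdisable "EVENT - OBJECT.IFINDEX.VLAN:CAUSE"
# Prints "event=... ifindex=... vlan=... cause=..."; returns 1 on anything else.
# Assumption: the two trailing sub-identifiers are <ifIndex>.<vlan>, in that order.
parse_errdisable() {
    msg=$1
    case "$msg" in
        *" - "*.*.*:*) ;;
        *) return 1 ;;
    esac
    event=${msg%% - *}
    rest=${msg#* - }
    rest=${rest%"${rest##*[! ]}"}   # drop the trailing space the EXEC line leaves
    cause=${rest##*:}
    oid=${rest%:*}
    vlan=${oid##*.}
    oid=${oid%.*}
    ifindex=${oid##*.}
    object=${oid%.*}
    # Reject anything that is not the expected object with two numeric indexes.
    [ "$object" = "cErrDisableIfStatusCause" ] || return 1
    is_name "$event" && is_name "$cause" || return 1
    is_uint "$ifindex" && is_uint "$vlan" || return 1
    printf 'event=%s ifindex=%s vlan=%s cause=%s\n' "$event" "$ifindex" "$vlan" "$cause"
}

# Constructed sample: the text shown in Icinga for the test trap in the answer.
parse_errdisable "cErrDisableInterfaceEventRev1 - cErrDisableIfStatusCause.2.0:udld "
```

The unfixed output from the question (cErrDisableIfStatusCause:udld, with no index) is rejected with status 1, which makes a missing interface and VLAN visible instead of silently accepted.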