How to receive snmp v3 traps without specific enginedID?

Question

I'm using snmptrapd on linux from net-snmp package. I'm trying to make some perl script to handle snmp traps. I'm already have such script and it works with snmp v1, v2c traps and with snmpv3 traps but only when I specify engineID explicitly both in config and in command sending trap. But when I configure cisco router to send me linkDown trap it uses MAC address with some extra bytes as engineID. And I can see trap arrives on interface in wireshark, but snmptrapd does nothing. Is it possible to configure snmptrapd to accept all traps by authenticated users without specifying engineID?

Here is my snmptrapd.conf

# Example configuration file for snmptrapd
#
# No traps are handled by default, you must edit this file!
#
createUser -e 0x0102030405 myuser MD5 mypassword DES myotherpassword
createUser -e 0x0102030405 myuser2 MD5 mypassword DES myotherpassword
createUser -e 0x0102030406 myuser2 MD5 mypassword DES myotherpassword
createUser cisco SHA cisco123 DES cisco123
authUser log,execute myuser
authUser log,execute myuser2
authUser log,execute cisco
authCommunity   log,execute public
perl do "/usr/local/share/snmp/snmptrapdhandler.pl";

I'm using Fedora 21 linux,

$ uname -a
Linux 4.1.13-100.fc21.x86_64 #1 SMP Tue Nov 10 13:13:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

and net-snmp version is net-snmp-5.7.2-23.fc21.x86_64

score 1 · Answer 1 · edited Apr 05 '19 at 18:22

It took a long time to figure this out to be able to use snmptrapd without needing the engineID. This works with a brand new Cisco Nexus switch (nx-os) and hoping this will help someone else:

format2 %V\n% Agent Address: %A \n Agent Hostname: %B \n Date: %H - %J - %K - %L - %M - %Y \n Enterprise OID: %N \n Trap Type: %W \n Trap Sub-Type: %q \n Community/Infosec Context: %P \n Uptime: %T \n Description: %W \n PDU Attribute/Value Pair Array:\n%v \n -------------- \n

/etc/snmp/snmptrapd.conf:

traphandle default /etc/snmp/send_to_email_script # make sure it is executable
traphandle default /etc/snmp/snmp-traphandle_script # can be any program
doNotLogTraps no
authUser log,execute,net ${snmp_user} # username variable
createUser ${snmp_user} MD5 ${snmp_auth} AES-128 ${snmp_auth}

Example user could be:

# createUser networkmonitor MD5 cisco1234! AES-128 cisco1234!

On cisco switch make sure this user exists with same username/password and priv/auth. Also add snmp host (which is the how you send the trap to snmptrapd):

# snmp-server host ip_address traps version 3 priv networkmonitor

Make sure ip_address is not switch ip, but the snmptrapd receiver's ip

score 0 · Answer 2 · answered Oct 10 '16 at 13:15

We receive traps without specifying engine-id from cisco devices with snmpv3. But we are using MD5/DES on cisco device.

Linux 02asdf 4.4.0-38-generic #57-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

ii  snmp                                  5.7.3+dfsg-1ubuntu4     amd64                   SNMP (Simple Network Management Protocol) applications
ii  snmp-mibs-downloader                  1.1                     all                     Install and manage Management Information Base (MIB) files
ii  snmpd                                 5.7.3+dfsg-1ubuntu4     amd64                   SNMP (Simple Network Management Protocol) agents
ii  snmpsim                               0.2.4-1                 all                     SNMP agent simulator
ii  snmptrapd                             5.7.3+dfsg-1ubuntu4     amd64                   Net-SNMP notification receiver
ii  snmptt                                1.4-1                   all                     SNMP trap handler for use with snmptrapd

Can you show your snmptrapd.conf? – user339597 Oct 10 '16 at 13:38 — user339597, Oct 10 '16 at 13:38

How to receive snmp v3 traps without specific enginedID?

2 Answers2