SNMPv3 parsing failed in NNMi

Hi, experts!

customer is sending SNMP v3 traps (Auth+Encr mode)  from docker containers using NET-SNMP command. Sure, nodes are non-SNMP, so IPs of trp senderss and SNMPv3 Engine IDs are loaded into NNMi jboss. These Engine IDs are used in NET_SNMP commands.

Strange thing is that from some nodes traps are received, parsed and decoded properly, but some nodes traps parsing fails:

2024-02-16 13:12:16.721 WARNING [com.hp.ov.nms.trapd.NMTrapData] (Thread-92 (group:HornetQ-client-global-threads-267017497)) Failed to parse trap from /10.47.38.80: Expecting a SEQUENCE for  ScopedPDU
2024-02-16 13:12:16.722 WARNING [com.hp.ov.nms.trapd.MessageProcessor] (Thread-92 (group:HornetQ-client-global-threads-267017497)) com.hp.ov.snmp.exceptions.DecryptedPduBerParseException: Trap parsing failed. Expecting a SEQUENCE for ScopedPDU. Dropping trap from /10.47.38.80.
2024-02-16 13:12:17.754 WARNING [com.hp.ov.nms.trapd.NMTrapData] (Thread-79 (group:HornetQ-client-global-threads-267017497)) Failed to parse trap from /10.47.38.80: Length too long or indet erminate 82
2024-02-16 13:12:17.754 WARNING [com.hp.ov.nms.trapd.MessageProcessor] (Thread-79 (group:HornetQ-client-global-threads-267017497)) com.hp.ov.snmp.exceptions.DecryptedPduBerParseException: Trap parsing failed. Length too long or indeterminate 82. Droping trap from /10.47.38.80.

Any idea what can be wrong? How we could troubleshhot anissue further? 
We analyzed captured traps traffic with Wireshark. No problems there. Traps were decoded and presented correctly. As a result, customer insists that something is wrong in NNMi.

thank you in advance,
Gedas

  • 0  

    Hello Gedas,

    What is NNMi version? The WARNINGs above were reported in older NNMi version 10.20. It was resolved in the patch NNMi 10.20 Patch 11 and later NNMi releases.

    We have also seen the same WARNINGs in cases when a device was discovered as SNMP one by NNMi but there was stale entry for Engine ID configured in the file to be loaded in ovjboss. For SNMP nodes we should not configure Engine ID which may be frequently changed on a device. Similar Warnings were seen when SNMPv3 configuration created on a device did not match what was configured in NNMi for the same device. There were a few issues reported with the same WARNINGs when multiple devices of the same model having/sharing the same engine ID (seems to be a new trend for some vendors) or multiple engine id's used for a given single host.

    The last two scenarios are not supported by NNMi and there is an idea submitted SNMPV3 : Options to update mutliple engine id & duplicate engine id's for the same host - NOM Idea Exchange - Network Operations Management-Customers Only (microfocus.com)

    If you think nothing above relevant please submit a support case and provide decoded Wireshark/tcpdump capture.

    Best regards,
    Sergey

  • Suggested Answer

    0   in reply to   

    Thank you, Sergey

    it's NNMi 2020.08. Traps are send by command line from Docker Containers (engine ID is provided in snmptrap command, the same IP+engineID is added to  file and loaded to jboss.
    We tried to make EngineIDs unique, but it did not resolved and issue.
    Parsing failure occurs only with SNMPv3 traps using  AuthPriv mode. We changed mode to AuthNoPriv and errors gone.

    Interesting that tcpdumps of failed traps is decoded properly in the Wireshark. What could be normal, because Wireshark is debugging/troubleshooting tool and should be more tolerant to errors packets, mismatches etc.

    best regards,
    Gedas