FC5022 SAN Switch issue - Unsupported security level

mkp
mkp
edited June 2018 in SAN
Hello,

For a month I've been testing out your system with a few V3700 storages, and just now started to import our SAN Switch.

So far everything has run very very smooth, untill I try to add additional switches from more-up-to-date SAN Switch firmware versions. The ones failing are running 8.0.1.

All the switches are configured exactly the same, but it seems the two last ones are experiencing issues because of newer firmware versions.
I can't seem to figure out what unsupported security levels it's referring to, perhaps you can assist me.
Let me know if you need any logs.
Below contains first the one failing, and another snippet of one working, on earlier firmware.

***************************************************************************************************
test snmpwalk:
snmpwalk -v 3 -u snmpadmin3 10.149.x.x 1.3.6.1.2.1.1.5
snmpwalk: Unsupported security level

snmpwalk cmd : failed!

san_verify.pl:
Fri Jun  8 10:51:30 2018: Got Unsupported security level querying 10.149.x.x for sysDescr. No such file or directory/home/stor2rrd/stor2rrd/bin/san_verify.pl:160 : No such file or directory
Type         : BRCD
DestHost     : 10.149.x.x
Version SNMP : 3
SecName      : snmpadmin3
SNMP port    : not defined! Used SNMP default port "161"!
  connection failed!!
  Check network connectivity and user access
***************************************************************************************************

***************************************************************************************************
=========================
SWITCH: 10.149.x.x
=========================
test snmpwalk:
snmpwalk -v 3 -u snmpadmin3 10.149.x.x 1.3.6.1.2.1.1.5
iso.3.6.1.2.1.1.5.0 = STRING: "Flexxx_Switchxx"
snmpwalk cmd : ok

san_verify.pl:
Type         : BRCD
DestHost     : 10.149.x.x
Version SNMP : 3
SecName      : snmpadmin3
SNMP port    : not defined! Used SNMP default port "161"!
Switch name  : Flexxx_Switchxx
STATE        : CONNECTED!
  connection ok
***************************************************************************************************

Comments

  • Karel
    Karel
    Hello,

    open an SSH session for the FC5022 switch.
    Run the following command:

    snmpconfig --show snmpv3

    If you do not want to share the content here, you can send it by email.

    support@stor2rrd.com

  • mkp
    mkp
    edited June 2018
    Hello, 
    I'll just post it here, may be educational for others as well.

    The setup in san-list is the same for the other working switches, output at the bottom.

    Output from the switch (Trap Entry 3 IP is that of the STOR2RRD Server)

    SNMP Informs = 0 (OFF)

    SNMPv3 USM configuration:
    User 1 (rw): mmv3_mgr
            Auth Protocol: SHA
            Priv Protocol: AES128
    User 2 (rw): snmpadmin2
            Auth Protocol: SHA
            Priv Protocol: DES
    User 3 (rw): snmpadmin3
            Auth Protocol: SHA
            Priv Protocol: DES
    User 4 (ro): DirectorServerSNMPv3User
            Auth Protocol: SHA
            Priv Protocol: DES
    User 5 (ro): snmpuser2
            Auth Protocol: SHA
            Priv Protocol: DES
    User 6 (ro): snmpuser3
            Auth Protocol: SHA
            Priv Protocol: DES
    User 7 (ro):
            Auth Protocol: SHA
            Priv Protocol: DES

    SNMPv3 Trap/Informs configuration:
    Trap Entry 1:     FE80::0211:25FF:FEC3:xxxx
        Trap Port: 162
        Trap User: mmv3_mgr
        Trap recipient Severity level: 0
        Notify Type: TRAP(1)
    Trap Entry 2:     No trap recipient configured yet
        Notify Type: TRAP(1)
    Trap Entry 3:     10.149.x.x
        Trap Port: 162
        Trap User: snmpadmin3
        Trap recipient Severity level: 5
        Notify Type: TRAP(1)
    Trap Entry 4:     No trap recipient configured yet
        Notify Type: TRAP(1)
    Trap Entry 5:     No trap recipient configured yet
        Notify Type: TRAP(1)
    Trap Entry 6:     No trap recipient configured yet
        Notify Type: TRAP(1)
    Trap Entry 7:     No trap recipient configured yet
        Notify Type: TRAP(1)

    san-list.cfg is the following:

    10.149.x.x:snmpadmin3:BRCD:Flexxx_Switchxx
  • Karel
    Karel
    Hello,

    we do not use snmp Traps.
    You should use the user with read-only rights (ro) and without authorization, for example snmpuser2.

    switch:admin> snmpconfig --set snmpv3
    ...
     User (ro): [snmpuser2]
    Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3]
    Priv Protocol [DES(1)/noPriv(2)/AES128(3)/AES256(4)]): (2..2) [2]
    ...

    Here is an example from our lab:

    brocade01:admin> snmpconfig --show snmpv3
    ...
    User 5 (ro): snmpuser2
    Auth Protocol: noAuth
    Priv Protocol: noPriv
    ...
    snmpwalk -v 3 -u snmpuser2 192.168.X.X 1.3.6.1.2.1.1.5
    SNMPv2-MIB::sysName.0 = STRING: brocade01
  • mkp
    mkp
    Hello,

    I finally had some time to sit down and look into it.

    Because of different versions in the firmware, I opted to enable SNMPv1 in the SAN switches, using a mixed v3 og v1 on our different devices.

    So in a sense, my issue is solved. To properly correct it I may have to set up a proper set of users for the v3 to pull information from, as I have been unable to pull them from any pre-defined RO users, like snmpuser2

    I can't put in any information in the Access lists, as this blocks other connections. This makes our XClarity freak out and autocreate a case for a dead CMM.

    So for now it's solved by enabling snmpv1
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Categories

In this Discussion