Introduction

Simple Network Management Protocol (SNMP) is an application-layer protocol defined by the Internet Architecture Board (IAB) for exchanging management information between network devices. It is a part of the Transmission Control Protocol/Internet Protocol (TCP⁄IP) suite.

SNMP is one of the widely accepted protocols to manage and monitor network elements. Most of the professional-grade network elements come with bundled SNMP agent. These agents have to be enabled and configured to communicate with the network management system (NMS). The SNMP agent is a program that resides on your managed device, packaged within the network element. You have to enable it on your device. It collects the management information from the device locally and provides it to the SNMP manager. These agents could be standard, for example, Net-SNMP or specific to a vendor, such as HP Insight Agent.

SNMP Credentials

SNMP uses a password-like authorization known as a community string. When you provide an SNMP credential to a device, it checks to see if the community string matches the community string configured on the device. If the string matches, the device responds to the SNMP query.

SNMP Discovery Prerequisites

Classic Gateway

  • Allow ICMP between end-device and OpsRamp Gateway.
  • Allow UDP port 161/162 bi-directional between end-device and OpsRamp Gateway.
  • Allow SNMP on the end-device.
  • Create SNMP credentials and assign them to end-device for discovery.

NextGen Gateway

  • Allow ICMP between end device and (nodes, load balancers).
  • Allow UDP port 161/162 bi-directional between end-device and (nodes, load balancers).
  • Allow SNMP between end device and (nodes, load balancers).
  • Create SNMP credentials and assign them to end-device for discovery.

SNMP discovery attributes against device

As a part of SNMP discovery we are showing below attribute details on the end device:

FieldDescription
Basic Information
  • Device Type
  • Resource Type
  • OS
  • Host Name
  • DNS Name
  • IP Address
  • Mac Address
  • Make
  • Model
  • Description
  • Serial Number
  • Description
  • Software Revision
  • Hardware Revision
  • Firmware Revision
  • Management Protocols
More Information
  • Object Id
  • Location
Hardware Information
  • Device Info
    • Device Type
    • Make
    • Model
Inventory Tab
  • Physical Components
    • Name
    • Description
    • Model
    • Alias
    • Serial Number
    • Hardware Revision
Software Modules
  • Name
  • Description
  • Model
  • Alias
  • Serial Number
  • Firmware Revision
  • Software Revision
Interface Tab
  • Operational Status
  • Name
  • Alias Name
  • Type
  • Transmission Mode
  • Mac Address / Ip Address

Discover the gateway using SNMP

To find the read-only gateway community string, one option is to:

  1. Log into the gateway WebUI.
  2. Click SNMP.

Or, you can get the read-only community string by logging into the gateway and reading the string in the /etc/snmp/snmpd.conf file.

You can change the community string to a name of your choice.

Multi-credential functionality

SNMP multi-credential functionality allows you to discover network resources using multiple credentials using a single discovery profile. You can create or use multiple credential sets if you are using a gateway to discover your resources.

For example, a printer uses SNMPv2c credential type and a Cisco router uses SNMPv3 credential type. In such a case, you need to create two discovery profiles. With SNMP multi-credential functionality, you can create one discovery profile and use both the credential sets.

The gateway discovers devices with the credentials, sequentially, as the credentials were entered when a Discovery Profile was created at the time of the first scan. After successful discovery, the gateway remembers resources and their credentials for subsequent discovery.

Multi-credentialed, SNMP-enabled devices have the following advantages:

  • Reduces the effort of creating multiple discovery profiles.
  • Reduces time for manually traversing through multiple discovery profiles to discover a network resource.
  • Scans and discovers a subnet with multiple SNMP community strings.
  • Discovers network resources working on different SNMP versions.

SNMP field values

The following provides information on configuring the SNMP fields for creating an SNMP credential set.

SNMPv1 and SNMPv2

FieldValueDescription
Port161Agent receives requests on UDP port 161.
CommunityN/ARead-only community string.

SNMPv3

SNMPv3 is a user-based security model. It provides secure access to the devices by combining authenticating and encrypting packets over the network. The security features provided in SNMPv3 are message integrity, authentication, and encryption.

FieldValueDescription
Port161SNMP Agent port. The default port is 161.
ContextN/ASpecify context name (an octet string) that identifies the collection of management information accessible by an SNMP entity.
Security NameN/AEnter the name of the user (principal) on whose behalf the message is being exchanged.
Security Level
  • NOAUTHNOPRIV
  • AUTHPRIV
  • AUTHNOPRIV
  • Communication without Authentication and Privacy
  • Communication with Authentication and Privacy
  • Communication with Authentication and without Privacy.
Authentication Protocol
  • MD5
  • SHA
Authentication in an SNMPv3 uses an encryption algorithm to determine if the data is from a valid source. The encryption algorithms for authentication:
  • Message Digest Algorithm: generates a 128-bit (16 bytes) message digest.
  • Secure Hash Algorithm: generates a 160-bit (20 bytes) message digest.
Authentication PasswordN/AEnter the Authentication password.
Confirm PasswordN/ARe-enter authentication password for validation.
Privacy Protocol
  • AES-128
  • AES-192
  • AES-256
  • DES
  • AES-192-C
  • AES-256-C
  • 3DES
Privacy in SNMPv3 uses an encryption algorithm to encode the contents of an SNMPv3 packet. This encoding is used to verify that the content cannot be viewed by unauthorized entities when routed over the network.
  • Advanced Encryption Standard (AES 128) is a 128-bit standard, cryptographic algorithm that encrypts and decrypts data.
  • Advanced Encryption Standard (AES 192) is a 192-bit standard, cryptographic algorithm that encrypts and decrypts data.
  • Advanced Encryption Standard (AES 256) is a 256-bit standard, cryptographic algorithm that encrypts and decrypts data.
  • Data Encryption Standard (DES) is a 64-bit standard that encrypts and decrypts data.
Privacy PasswordN/AEnter the privacy password.
Confirm PasswordN/ARe-enter authentication password for validation.
Connection time-outN/A - Default value: 10,000 millisecondsProvide a maximum time period for discovery. If the gateway does not get a response from the device after 10,000 milliseconds, it terminates the discovery.

Configure and Install the Integration

  1. From All Clients, select a client.

  2. Go to Setup > Account.

  3. Select the Integrations and Apps tab.

  4. The Installed Integrations page, where all the installed applications are displayed.
    Note: If there are no installed applications, it will navigate to the Available Integrations and Apps page.

  5. Click + ADD on the Installed Integrations page. The Available Integrations and Apps page displays all the available applications along with the newly created application with the version.
    Note: You can even search for the application using the search option available. Also you can use the All Categories option to search.

    SNMP Discovery
  6. Click ADD on the SNMP tile.

  7. From the Configurations page, click + ADD.

  8. Enter the below mentioned BASIC INFORMATION:

    SNMP Discovery

      SNMP Network Device

      If you select SNMP Network Device as profile type, provide inputs for the following fields:

      • Credentials: Select a credential from the drop-down list. This credential refers to the access, authorization, or authentication credentials assigned to your devices managed by the network administrators.

        • (Optional) Click + Add to create a credential. The ADD CREDENTIAL window is displayed. Enter the following information.

          • Name: Credential name.
          • Description: Brief description of the credential.
          • SNMP Version: Select a version. Default is V1. Click here for more information.
          • Port: Enter the port. Default is 161. Click here for more information.
          • Community: Enter the community string. Default is public. Click here for more information.
          • Connection Timeout(ms): Specify the connection timeout in milliseconds. Click here for more information.
        • Discovery Type: Select the discovery type from the list:

          • IP Range: Select this option if you have an IP range and enter all the IP addresses in the box separated by a comma, or enter a range of IP addresses to be discovered.
            • Discover only SNMP enabled devices: If we enabled this flag then OpsRamp application will discover only SNMP responding devices.
            • Use CDP, LLDP: If enabled, the application will collect neighbourhood information from Layer two protocols (CDP and LLDP).
            • Use OSPF, BGP, BRIDGE: If enabled the application will collect neighbourhood information from three Layer protocols (OSPF, BGP and BRIDGE).
            • Use LOAD BALANCER: If enabled, the discovered device type is load balancer and the application will collect additional info.
            • Use reverse DNS lookup: If enabled, the application will get the dns name of the device.
            • Discover VoIP phones: If enabled, and if the discovered devices are voip devices then the application will collect additional info.
            • Advanced Options: Two options are displayed when you select advanced options.
              • TCP Ports for Host Discovery: OpsRamp tool do the port scan for the mentioned tcp port, if we don't mention any port do the port against 443 and 80.
              • Perform snmp scan against discovered host: By default, this check is enabled, and the OpsRamp tool performs Nmap discovery first. Subsequently, do the SNMP discovery for devices for which Nmap is successful.When we uncheck this option, skip the nmap discovery and directly do the snmp discovery.
          SNMP Discovery
          • Seed: Enter the IP address of the root or the seed device. Seed IP defines the range of IP addresses where network discovery starts a scan. When a seed IP is defined, the root device and the adjacent neighbors of the root device are scanned.
            • Depth: Select the depth from the drop-down list. The devices are scanned at a depth starting from the IP of the root device. Depth defines the level of the network you want to scan. Example: Depth 1 indicates the seed or the root device and its immediate neighbors. Depth 2 indicates seed or the root device including its immediate neighbors and their immediate neighbors.
            • Seed IPs: Enter the IP address of the root or the seed device. Seed IP defines the range of IP addresses where network discovery starts a scan. When a seed IP is defined, the root device and the adjacent neighbors of the root device are scanned.
            • Include Subnet: Select this option if you want to discover devices of a specific subnet. To discover a specific subnet in the Seed IP, enter the subnet IP in CIDR format. Example: You want to discover devices from IPs 172.24.22.0 to 172.24.22.255 in a subnet, provide IP in CIDR format as 172.24.22.0/24.
            • Exclude Subnet: Select this option if you want to discover devices excluding those of a specific subnet. To exclude discovery of a specific subnet in the Seed IP, enter the subnet IP in CIDR format. Example, you want to exclude IPs 172.24.22.0 to 172.24.22.255 in a subnet, provide IP in CIDR format as 172.24.22.0/24.
        SNMP Discovery

          WLAN AP

          If you selected WLAN AP as profile type, provide inputs for the following fields:

          • Credentials: Select a credential from the drop-down list. This credential refers to the access, authorization, or authentication credentials assigned to your devices managed by the network administrators.
            • (Optional) Click + Add to create a credential. The ADD CREDENTIAL window is displayed. Enter the following information.
              • Name: Credential name.
              • Description: Brief description of the credential.
              • SNMP Version: Select a version. Default is V1. Click here for more information.
              • Port: Enter the port. Default is 161. Click here for more information.
              • Community: Enter the community string. Default is public. Click here for more information.
              • Connection Timeout(ms): Specify the connection timeout in milliseconds. Click here for more information.
            • IP Address: Enter the IP address.
            • Monitor Access Points: Select this checkbox, if you want to monitor the access points. Select the frequency (in minutes). The access points monitoring data for the selected frequency will be displayed on the device details page.
      SNMP Discovery

          WLAN Controller

          If you selected WLAN Controller as profile type, provide inputs for the following fields:

          • Credentials: Select a credential from the drop-down list. This credential refers to the access, authorization, or authentication credentials assigned to your devices managed by the network administrators.
            • (Optional) Click + Add to create a credential. The ADD CREDENTIAL window is displayed. Enter the following information.
              • Name: Credential name.
              • Description: Brief description of the credential.
              • SNMP Version: Select a version. Default is V1. Click here for more information.
              • Port: Enter the port. Default is 161. Click here for more information.
              • Community: Enter the community string. Default is public. Click here for more information.
              • Connection Timeout(ms): Specify the connection timeout in milliseconds. Click here for more information.
            • IP Address: Enter the IP address.
      SNMP Discovery

          Network Cloud Controller

          If you selected Network Cloud Controller as profile type, provide inputs for the following fields:

          • Credentials: Select a credential from the drop-down list. This credential refers to the access, authorization, or authentication credentials assigned to your devices managed by the network administrators.
            • (Optional) Click + Add to create a credential. The ADD CREDENTIAL window is displayed. Enter the following information.
              • Name: Credential name.
              • Description: Brief description of the credential.
              • SNMP Version: Select a version. Default is V1. Click here for more information.
              • Port: Enter the port. Default is 161. Click here for more information.
              • Community: Enter the community string. Default is public. Click here for more information.
              • Connection Timeout(ms): Specify the connection timeout in milliseconds. Click here for more information.
            • IP Address: Enter the IP address.
      SNMP Discovery
      1. From the PERFORM ACTIONS section, choose Manage Device to set the resources as managed.
      2. From the FILTER BY QUERY, click + QUERY and select the Attributes, Operator, or use </> to enter the Input query.
      3. In the DISCOVERY SCHEDULE section, select recurrence pattern to add one of the following patterns:
        • Minutes
        • Hourly
        • Daily
        • Weekly
        • Monthly
      4. Click ADD.
      SNMP Discovery

      Now the configuration is saved and displayed on the configurations page after you save it. Note: From the same page, you may Edit and Remove the created configuration.

      1. Click NEXT.

      2. (Optional) Click +ADD to create a new collector by providing a name or use the pre-populated name.

        SNMP Discovery
      3. Select an existing registered profile.

      SNMP Discovery
      1. Click FINISH.

      The application is now installed and displayed on the Installed Integration page. Use the search field to find the installed application.

      Modify the Installed Integration

      SNMP Definition Requests

      You can view and submit SNMP definitions for review.

      Only Service Provider (SP) and partner-level users can submit SNMP definition requests. All user levels, including SP, partner, and client, can view existing definitions.

      View SNMP definition requests

      1. Go to Setup > Resources.
      2. Click SNMP Device Type Definitions. This displays the list of available definitions, as shown in the example:
      SNMP Definition List

      Submit SNMP definition request

      1. Go to Setup > Resources.

      2. Click SNMP Device Type Definitions.

      3. Click the +Submit button.

      4. In the Add SNMP Device Type Definition page, enter the following information:

        Device Type Definition:

        FieldRequiredDescription
        Object OIDYesObject identifier.
        MakeYesChoose the make from the drop-down list.
        ModelNoIf you selected Model, choose the model from the drop-down list.
        Model OIDNoIf you selected Model OID, enter a model identifier.
        Device TypeYesChoose a device type from the drop-down list.
        Operating SystemYesChoose an operating system from the drop-down list.
        Serial Number OIDNoSerial number identifier.
        Firmware Revision OIDNoFirmware revision identifier.
        Hardware Revision OIDNoHardware revision identifier.
        Software Revision OIDNoSoftware revision identifier.

        SNMP OIDs for Network Interface Information:

        FieldRequired
        Number of InterfacesNo
        NameNo
        AliasNo
        IndexNo
        TypeNo
        SpeedNo
        Operational StatusNo
        Admin StatusNo
      5. Click Cancel to discard your definition or click Submit, which displays the following advisory message:

        This definition will reflect on devices only after it is reviewed by a vistara admin. You can check the status on the definition listing page.

      6. Click Yes to continue and submit your definition for review.

      SNMP Discovery Troubleshooting Steps

      1. Unable to see the discovered devices under discovery profiles?

        Device should be enabled with SNMP protocol or device should be reachable from the gateway

      2. How to check the device reachable?

      3. If the device is enabled with SNMP, then make sure whether the device responds to SNMP.

          SNMP version 1:
          Example: snmpwalk -v1 -c community 10.10.10.10 1.3.6.1.2.1.1

          SNMP version 2:
          Example: snmpwalk -v2c -c community 10.10.10.10 1.3.6.1.2.1.1

          SNMP version 3:
          Example: snmpwalk -v3 -l authPriv -u user4 -a MD5 -A 1234567890abcdef -x DES -X 1234567890abcdef 10.197.1.1 1.3.6.1.2.1.1

      4. Unable to see the discovered devices under discovery profiles even snmp is working?

        • If the SNMPwalk command is functioning correctly, it is essential to verify the SNMPget command as well. This is crucial as we rely on the SNMPget command to retrieve information from the Netscaler.
          Example: snmpget -v2c -c Ac-5nmp! 192.168.147.26 1.3.6.1.2.1.1.5.0

        • If SNMPwalk is operational but the SNMPget command is not functioning, resulting in request timeouts, credentials cannot be obtained. Without valid credentials, device discovery using SNMP becomes impossible. Therefore, it is imperative to ensure the functionality of both commands.

        • If the device responds to SNMP, it is crucial to confirm that the SNMP credentials utilized align with those assigned in the discovery profile. The SNMP credentials eliciting a response from the device should precisely match the credentials specified in the SNMP discovery profile.

        • Ensure that the correct gateway selected in the discovery profile is being utilized.

        • If SNMPv3 credentials are in use and a context name is specified in the credentials, it is important to note that when checking SNMPwalk or SNMPget commands from the gateway, the context name must be explicitly included in the command. In the event of a request timeout, it is advised to remove the context name from the credentials and initiate a re-discovery process.

          Note:In general context is used to differentiate multiple instances managed by the SNMP Agent.

      5. If device is reachable from the gateway as well as device is also responding with SNMP but still unable to see the discovered devices.

        • Need to check the vprobe logs in the gateway. The vprobe logs is saved in /var/log/app/vprobe.log.

        • Issue the following command to check the ongoing discovery logs.

                  tail -f /var/log/app/vprobe.log
                  
        • Perform SNMP discovery again and observe the logs.

          logs analyzation:

          • SNMP started: Snmp4JSessionImpl#63: Snmp session intialized
                AbstractNetworkDiscovery#62: ************ Discovery scan started for profile 3008 ************
          • Device not reachable from gateway: NetworkDiscoveryResponseListenerImpl#114: Resource failed to discover V4:172.26.1.16, sourceNMAP
          • Device SNMP credential timeout: SnmpResourceDiscoveryImpl#82: Snmp time out : V4:172.26.1.14
          • Device discovery failed with SNMP: NetworkDiscoveryResponseListenerImpl#114: Resource failed to discover V4:172.26.1.14, sourceSNMP
          • Discovery is completed: Snmp4JSessionImpl#83: Snmp session disconnected.
        • If no conclusive information is found, consider enabling additional debug logs for a more detailed analysis.

      6. How to enable more debug logs?

        • Connect to gcli

                  vgprompt#gcli + enter
                  
        • Enter following command

                  gcli@gateway>nd log on <30 no of mins>
                  

          Example: gcli@gateway>nd log on 30
          ntwrk.disc on A Timer with timeout 30min has created to revert the val to off
          snmp.disc on A Timer with timeout 30min has created to revert the val to off
          snmp.topology on A Timer with timeout 30min has created to revert the val to off
          disc.response on A Timer with timeout 30min has created to revert the val to off
          gcli@gateway>

        • Perform the discovery process again after executing the following command.

                  tail -f /var/log/app/vprobe.log
                  
      • After the completion of the discovery process, analyze the vProbe logs as indicated in the previous comments.

        logs analyzation:

        • Device snmp timeout: com.vistara.gateway.plugin.discovery.error.snmp.SnmpTimeOutException: Snmp is not working with any credential for device :V4:172.26.1.14
        • Successfully discovered devices json files: AbstractDiscoveryResponseSerializer#39: Response is saved to /var/log/app/tmp/network-discovery-chunk-1559559930044.json
          Notes:
          • Upon discovery, devices will transmit their information to the cloud, and this data is logged in files. Kindly review the log files located in the /var/log/app/tmp/ directory for further details.
          • File name start from network-discovery-chunk-.json
          • To view the timestamps of the most recent files, execute the following commands:
            1. cd /var/log/app/tmp/ folder

            2. ll network-discovery-chunk-*.json

      1. Discovered devices data is not matching with actual device data like device type,os,etc..

        • Improper/wrong device data can be possible in following case:

          • Check /var/log/app/tmp/network-discovery-chunk-<1559559930044>.json files whether device data is correct or not.
        • If the data is incompatible with the fields in SNMP device type definitions within the UI, the device data may become inconsistent. In such cases, navigate to the corresponding Management Profile, synchronize SNMP Device Type Definitions. This action will push the SNMP device type definitions back to the respective gateway. Subsequently, initiate a rescan of the SNMP Discovery Profile to ensure that the changes are reflected in the device.

      2. How to capture SNMP packets on specific device?

        • Execute the following command at gateway and perform the discovery

        • To stop the above command press ‘ctrl + enter’

        • Above command can be used to check the device behavior while discovery is going on. As well as we can analyze the collected data.

        • You may read the tcpdump generated file with help of wireshark tool.

      SNMP Troubleshooting steps in Nextgen Gateway

      1. How to enable flags in gcli and view vprobe logs in nextgen-gateway?

        1. Login to the gateway CLI
        2. Execute command kubectl exec -it nextgen-gw-0 -c vprobe -n <namespace> – bash
          Note: Here we need to replace the <namespace> if applicable, otherwise execute kubectl exec -it nextgen-gw-0 -c vprobe – bash
        3. To enable flags by using this command gcli nd log on 30
        4. To exit the gcli, enter the “exit” command.
        5. To view the logs, execute tail -100f /var/log/app/vprobe.log
        6. Within the directory /var/log/app, you will find the logs generated by vprobe. For discovery chunk files and topology JSON files, navigate to the /var/log/app/tmp folder. These files are in the format of “network-discovery-chunk-xyz.json” and “network-topology-xyz.json”.
        7. To copy files from the vprobe container to the gateway cli, execute the following command after exiting the container kubectl cp <namespace>/nextgen-gw-0:<source_path> <dest_path> -c vprobe
          Example: kubectl cp nextgen-gw-0:/var/log/app/vprobe.log /home/gateway-admin/vprobe.log -c vprobe
        8. Download files from the gateway cli.

      For discovery trouble shooting, perform SNMP Discovery troubleshooting steps using above mentioned nextgen-gateway steps.