SNMP stats not available from read user

Hi all,

I’ve done a lot of googling for this problem, but have not been able to find anything helpful.

We use The Dude 3.6 to monitor, amongst other things, Cisco ADSL2+ routers. We have the tooltip for links set to show the ADSL2+ sync speed, but it only shows that info for admin, not for read users. The link tooltip uses a function called adsl_sync_rate which was originally (i.e. by someone else before I was here) defined as this:

if(oid_column("iso.org.dod.internet.mgmt.mib-2.transmission.94.1.1.4.1.2") > "0",  concatenate("ADSL Down Sync: ", bitrate(oid_column("iso.org.dod.internet.mgmt.mib-2.transmission.94.1.1.4.1.2")), "  ADSL Up Sync: ", bitrate(oid_column("iso.org.dod.internet.mgmt.mib-2.transmission.94.1.1.5.1.2"))), "")

The default label is set to this (note square brackets replaced with curly brackets so that the forum will post it…):

Interface {Interface.Name}
Type: {Interface.Type}
Mtu: {Interface.Mtu}
Speed: {Interface.Speed}
MAC: {Interface.PhysAddress}
Status: {Interface.AdminStatus} (operational: {Interface.OperStatus})
{adsl_sync_rate()}

If I put a message in the 3rd parameter for the if statement in the function, that text appears for read users.

I have tried changing the OID to be the numerical version - 1.3.6.1.2.1.10.94.1.1.5.1.2
I have also tried installing a compatible MIB and using the named version - iso.org.dod.internet.mgmt.mib-2.transmission.adslMIB.adslLineMib.adslMibObjects.adslAtucChanTable.adslAtucChanEntry.adslAtucChanCurrTxRate

They all work in labels for all users, including an exact copy of the default link tooltip. It’s only when putting the function in the default link label or tooltip that it fails. Unfortunately I can’t see a way to have a custom tooltip for an individual link to test that.

Does anyone have any suggestions of what I can do to resolve this?

(3rd)

The if statement for the dude is if true return “nothing” else return “error”. (correction; The if statement when used in the error line of a probe!)
The if statement for some data is if true return “something” else return “error”. (correction; Your if statement when used in the label of a link)

Your if statement is returning “” for error. So even when it doesn’t work you don’t get a message. You should put error in the last “” of your code just so you know when the function didn’t read the OID(s).

if(oid_column("iso.org.dod.internet.mgmt.mib-2.transmission.94.1.1.4.1.2") > "0",  concatenate("ADSL Down Sync: ", bitrate(oid_column("iso.org.dod.internet.mgmt.mib-2.transmission.94.1.1.4.1.2")), "  ADSL Up Sync: ", bitrate(oid_column("iso.org.dod.internet.mgmt.mib-2.transmission.94.1.1.5.1.2"))), "Couldn't read any values")

There is a tool called SNMPWALK. Right click on your device, select tools, snmpwalk. Select the read only user profile, then set the subtree radio button and put 1.3.6.1.2.1.10.94.1.1 in the OID box. Click start and you should see all the values under that OID, including the 4.1.2 and the 5.1.2. If there is an snmp timeout, try the read/write profile, and if that works then fix your profile for your read only user; somehow it is corrupt…

HTH,
Lebowski

Hi Lebowski, thanks so much for your response.

Sorry, I was aware of the 3rd parameter being the return for a false condition on the if function; I explained the result without saying why I did it :) I did something like the function you suggested and got the equivalent of your “Couldn’t read any values” for the read user, and the actual data I wanted using the full user.

I attempted an snmpwalk from the “read” user, and it only shows a status at the bottom of the window with “no response”. Performing the same thing on the “full” user shows the SNMP data as expected. I created a new read account and it still only shows no response. I changed the read account to be write and it still says no response. I changed the account to be full, and it works as expected, showing all SNMP data.

The SNMP profile information shows all the same information including community string for all accounts. I tried the same tests on a device that uses a different SNMP profile and it showed the same symptoms - no response when read or write, correct data when changing the account to full.

What is really confusing me is that, regardless of whether snmpwalk works or not, if I put the function in the label text for an individual link, it shows the correct data, however if I put it in as the default label or tooltip, it fails. Is it possible that when I assign the function to a specific label, the server itself is doing the polling of that info, so it has access, but when it’s a tooltip, it polls it only as needed and runs as the user viewing the information?

It is possible that our database for TheDude has issues, as it was around before I supported it and has been migrated between servers at least once. I really don’t fancy re-creating it all from scratch if I can help it, but if time permits I will look at adding a subset of the devices to a local instance on my machine to see if the same symptoms appear.

I have just tested a new, clean, local instance of The Dude, adding just 2 devices with a link between them, and adding an OID to the link tooltip. It shows up for full user, but not for read user. I might try installing a beta of The Dude 4 later on and see if it shows the same behaviour.

Is there any chance anyone out there could test to see if the same issue appears outside of my environment? Or if anyone has any suggestions of other tests I can do, I would greatly appreciate it.

Let's be clear here, are you talking about read only snmp string or read only login on the dude?
It sounds like you are saying a user who logs into the dude with read only access is not able to view anything other than built in snmp data.

OTOH If you have two snmp profiles, one read only and one read/write then it sounds like your snmp string for the read only user is incorrect.

I put [oid("1.3.6.1.2.1.1.5.0")] on a link label and logged into the dude with a read only dude user and I was able to see the upgraded label.

Obligatory SNMP info…
SNMP has both read only and read/write but the Dude only reads snmp values. I only use a “read” snmp profile. Somewhat like the standard “Public” snmp string but of course for security I changed it. Note: all the results are sent in clear text so someday plan on switching to SNMP v3. We use an access list to only allow certain servers to read or write snmp data. With Cisco you can modify a router's configuration with an SNMP write. I have used SNMP write to give myself access to a device I accidentally screwed up remote access on.

So the function works for admins but not for read only users? Still sounds crazy!
When did the problem start, or has it been that way since the beginning?

Lebowski

Sorry, this is all with read-only SNMP access, and the access level change I was describing is the user level in The Dude under the Admin section. I don’t have SNMP write access on these devices at all, only read and only from specific IP addresses.

As far as I know, this issue has existed from the start, but I wasn’t around back then. It’s been an annoyance for as long as I can remember, but I’ve only recently had a chance to investigate further.

In further testing, although it takes a while to propagate, having the SNMP query as part of the default label does appear to work. But having it in the tooltip (makes the map much less cluttered) it fails. Can you try adding the OID to the tooltip for the link? Also, the SNMP Walk only works for The Dude users with Full level access. Is there anyone who can answer whether this is by design or not? It might be from a security point of view… however, read users have access to the list of SNMP profiles, including reading the community strings from them, which I would have thought would be at least changed to asterisks. With those strings (depending on ACLs on the device, of course), people could use other tools to do SNMP walks anyway. People should be sensible and not use the same string as passwords elsewhere at least, especially as it’s a clear-text authentication system :)
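The clear-text point raised in the two posts above, as an added example that is not part of the original thread: this Python sketch BER-encodes an SNMPv2c GetRequest for the ADSL OID used in this thread and then reads the community string straight back out of the raw bytes. The community value `EXAMPLE-RO-STRING` and all function names are constructed for illustration.

```python
# Added example: BER-encode an SNMPv2c GetRequest and read the community back
# out of the raw bytes. The community value is a constructed placeholder.

def ber_len(n):
    if n < 0x80:                       # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n):                        # non-negative INTEGER
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:               # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def get_request(community, oid, request_id=1):
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))          # OID + NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)  # version 1 = v2c

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def community_on_wire(packet):
    """Return (version, community); community is None for non-community versions."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(msg, 0)
    version = int.from_bytes(version, "big")
    if version not in (0, 1):          # 0 = v1, 1 = v2c; v3 has no community field
        return version, None
    _, community, _ = read_tlv(msg, pos)
    return version, community.decode("ascii", "replace")

PACKET = get_request("EXAMPLE-RO-STRING", "1.3.6.1.2.1.10.94.1.1.4.1.2")
```

The community sits unencrypted near the start of every v1/v2c request, which is why the device-side access list and the planned move to SNMP v3 mentioned in the thread are the controls that matter once a string has been seen.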

So you are correct a user logged in as read only can’t use SNMPwalk. So there must be a subset of allowed SNMP things that read only users can do.

Although we have not solved your issue… you might like to add this to your link tooltip.
Description: {oid("1.3.6.1.2.1.31.1.1.1.18.[Interface.Index]")} - this will not show up for read only users as well.

This did not work as well as you already knew…
Description: {oid("iso.org.dod.internet.mgmt.mib-2.ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifAlias.{Interface.Index}")}

So why do read only users get to read the built in SNMP stuff but any custom SNMP stuff is not allowed including SNMPwalk?

I’ll let you know as soon as I find anything…
Lebowski

I have verified that the server doesn’t send packets at all for users logged in as read only and using SNMPwalk.

Thanks for taking the time to help and test, Lebowski. We get such great value out of The Dude, even though the powers that be would only be happy if we paid less for it… i.e. if we were paid to use it!! :)

So in summary, you have confirmed that the behaviour I see is happening for you too, which means it’s not related to my particular installation. That means there is no benefit in me rebuilding it. If/when time permits, I will see if the issues still happen in The Dude 4.0 beta 3. This isn’t a major issue that would prevent us from using The Dude in the future, we can live with it, it would just be nice to give the additional information to our techs.

Thanks again, I’ll update when I’ve tested version 4.

Oh I am running The Dude 4.0 beta 3… So another day another bug! Thankfully there isn’t a single bug I have encountered that has been a show stopper!

As far as The Dude goes, it is exactly what I would have built, so I just wish they would allow us to pay for it so things could get fixed faster, or open up the source so we could fix it. Maybe they can hire someone to work for free!!! Get them under a contract to not disclose the source and then they could have someone who is only working on The Dude.

Waiting for next release…
Lebowski

Thanks Lebowski, I won’t waste time testing until there is a new version then.

And I reckon The Dude would grow massively if it was released as open source… it’s already so incredible, and does things that many expensive products don’t. I can be patient for a release too though, because those expensive products often aren’t very quick at updating either :)

Thanks again for the help, it’s great to see knowledgeable people supporting such a wonderful product.