snmpv3... yes, again

RouterOS General
1

Hello. I have RB1100AHx2 and today i’ve found problems with MRTG and SNMPv3 connection. And i’d like to make some kind of bugreport.

I’ve found similar problems here:
http://forum.mikrotik.com/t/ros-and-mrtg-and-snmpv3-anybody-know-the-magic-formula/38398/1 (ROS and MRTG and SNMPv3 - anybody know the magic formula?)
http://forum.mikrotik.com/t/snmp-v3/56787/1 (snmp v3)

Here is bug-report and little overview what’s wrong:
https://rt.cpan.org/Public/Bug/Display.html?id=75191

Shortly according to RFC 3414 Section 4 there is no usmStatsNotInTimeWindows inside varBindList of the Report PDU from Mikrotik

2

If someone would do MRTG on Centos, here is short how-to

  1. don’t forget to install rpmforge assets (to install additional snmpv3 perl libs)

  2. configure mikrotik

/snmp community add addresses=0.0.0.0/0 authentication-password=12345678 authentication-protocol=MD5 encryption-password=87654321 encryption-protocol=DES name=cactiuser read-access=yes security=private write-access=no
/snmp set contact=contact enabled=yes engine-id="" location=location trap-community=cactiuser trap-generators="" trap-target="" trap-version=3
  1. install apps
yum install net-snmp net-snmp-utils mrtg httpd
  1. fix ‘usmStatsNotInTimeWindows’ in /usr/share/perl5/vendor_perl/Net/SNMP.pm
--- Net/SNMP.pm.orig	2014-12-04 12:46:17.736487353 +0300
+++ Net/SNMP.pm	2014-12-04 12:28:05.582495561 +0300
@@ -2541,8 +2541,9 @@ sub _discovery_synchronization_cb
    # counter in the varBindList..."  If another error is returned, we 
    # assume that the synchronization has failed.
 
-   if (($this->{_security}->discovered) &&
-      ($this->{_error} =~ /usmStatsNotInTimeWindows/))
+   # if (($this->{_security}->discovered) &&
+   #    ($this->{_error} =~ /usmStatsNotInTimeWindows/))
+   if ($this->{_security}->discovered)
    {
       $this->_error_clear;
     
@@ -2559,7 +2560,8 @@ sub _discovery_synchronization_cb
    # If we received the usmStatsNotInTimeWindows report or no error, but 
    # we are still not synchronized, provide a generic error message.
 
-   if ((!$this->{_error}) || ($this->{_error} =~ /usmStatsNotInTimeWindows/)) {
+   # if ((!$this->{_error}) || ($this->{_error} =~ /usmStatsNotInTimeWindows/)) {
+   if (!$this->{_error}) {
       $this->_error_clear;
       $this->_error('Time synchronization failed during discovery');
    }
  1. fix access in /etc/httpd/conf.d/mrtg.conf
<Location /mrtg>
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/24
    Allow from 127.0.0.1
    Allow from ::1
    # Allow from .example.com
</Location>
  1. add cron task (every 5 min)
*/1 * * * * env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
  1. generate index (once!)
/usr/bin/indexmaker --output /var/www/mrtg/index.html /etc/mrtg/mrtg.cfg
  1. generate proper mrtg.cfg
cfgmaker --global 'Workdir: /var/www/mrtg' --global 'Options[_]: bits, growright' --output /etc/mrtg/mrtg.cfg --enablesnmpv3 --username=cactiuser --authprotocol=md5 --privprotocol=des --authpassword=12345678 --privpassword=87654321 --ifref=descr --contextengineid=80003a8c04 --snmp-options=:::::3 192.168.0.1

if you add interfaces repeat steps 7 and 8 after:

rm -rf /var/www/mrtg/*

ps. change passwords on your own, contextengineid selected according to wiki