[SRX] Authentication fails on one of the nodes in the SRX cluster when trying to poll it with SNMPv3

Article ID: KB27191 KB Last Updated: 24 Mar 2020Version: 4.0
Summary:
This article describes an SNMPv3 authentication failure that occurs when one of the two nodes in an SRX cluster is polled.
Symptoms:
Polling one of the SRX cluster nodes fails with an authentication error. The snmpwalk tool produces the following output:
# snmpwalk -v3 -u user -a SHA -A password -l authNoPriv srx-node1
snmpwalk: Authentication failure (incorrect password, community or key)
Polling the other node with the same credentials succeeds. The failure occurs only when SNMPv3 is used with authentication enabled (authNoPriv or authPriv security level). With SNMPv1/v2c, and with SNMPv3 at the noAuthNoPriv level, both nodes can be polled successfully, because no authentication key is involved.
Cause:
The SNMPv3 authentication key is not the password itself: it is derived from the user's password together with the SNMP engine ID of the device (the key localization defined in RFC 3414). When SNMPv3 users are configured on the cluster, the Routing Engine that is primary at that moment derives the key from the configured password and its own engine ID.

Later, when a node is polled, the key is checked against the engine ID that node reports. If the polled node was secondary when the user was configured, and its engine ID differs from the primary's, the engine ID used to derive the stored key is not the one used at authentication time, and the derived keys do not match. Whenever the engine ID differs between the two nodes, authentication therefore fails on one of them.


Solution:
You must ensure that the engine ID is identical on both nodes of the SRX cluster. A common mistake is to let the engine ID be generated automatically from the MAC address:
{primary:node0}[edit]
root@node0# set snmp engine-id use-mac-address
In an SRX cluster each node has its own MAC address, so this results in two different engine ID values.

The correct way is to configure an explicit engine ID value. You can use the MAC address of one of the nodes to ensure that this value is unique across the network:
{primary:node0}[edit]
root@node0# set snmp engine-id local 0021599d3c3a
After the engine ID is changed, you have to re-configure all the SNMPv3 users to re-calculate authentication keys, based on the new engine ID. To do so, perform the following procedure:

  1. Configure an explicit engine-id value under the [edit snmp] hierarchy.

  2. Commit.

  3. Delete all SNMPv3 users and configure them again.

  4. Commit.

The above procedure will ensure that the engine-id is the same on both the nodes and it is the same as the one that was used during the initial calculation of the authentication keys. Now the SNMPv3 authentication should succeed for both of the nodes.
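To show why a per-node engine ID breaks authentication and why re-creating the users after setting an explicit engine ID fixes it, the following Python script is added here as an illustration; it is not part of the original article and not Juniper code. It implements the RFC 3414 password-to-key derivation (Ku, then the localized key Kul = H(Ku || engineID || Ku)) with SHA-1, and models the cluster as described in the Cause section: the key is localized once with the primary's engine ID at commit time, and each poll is checked against the polled node's own engine ID. The MAC addresses, the RFC 3411 MAC-based engine ID layout used to stand in for `use-mac-address`, the Juniper enterprise number, and the raw-bytes treatment of the explicit `engine-id local` value are assumptions for the example; the page does not show how Junos encodes either engine ID.

```python
import hashlib
import hmac

# RFC 3414 A.2: the password is expanded to 1 MiB before the first hash.
RFC3414_EXPANSION = 1048576


def password_to_ku(password: bytes, hash_name: str = "sha1") -> bytes:
    """Step 1 of RFC 3414 A.2.2: hash the password repeated to exactly 1 MiB.
    Ku depends on the password only, not on any engine ID."""
    reps = RFC3414_EXPANSION // len(password) + 1
    expanded = (password * reps)[:RFC3414_EXPANSION]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(password: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku).
    This is the step that ties the usable key to one engine ID."""
    ku = password_to_ku(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


JUNIPER_ENTERPRISE = 2636  # assumption: Juniper's IANA enterprise number


def mac_engine_id(mac_hex: str, enterprise: int = JUNIPER_ENTERPRISE) -> bytes:
    """RFC 3411 SnmpEngineID, format 3 (MAC address): enterprise number with the
    high bit set, format byte 0x03, then the six MAC bytes. Used here to model
    'set snmp engine-id use-mac-address'; the exact Junos encoding is assumed."""
    return (0x80000000 | enterprise).to_bytes(4, "big") + b"\x03" + bytes.fromhex(mac_hex)


def provision_cluster(primary_engine_id, node_engine_ids, username, password):
    """Commit-time behaviour from the Cause section: the primary RE localizes the
    key with its own engine ID and the same user entry lands on both nodes."""
    stored_key = localize_key(password, primary_engine_id)
    return {
        node: {"engine_id": eid, "users": {username: stored_key}}
        for node, eid in node_engine_ids.items()
    }


def poll(cluster, node, username, password):
    """Poll-time check: the manager (snmpwalk) learns the polled node's engine ID,
    localizes the password with it, and the node accepts the request only when
    that key equals the one stored at commit time."""
    entry = cluster[node]
    manager_key = localize_key(password, entry["engine_id"])
    return hmac.compare_digest(manager_key, entry["users"][username])


def demo(username="user", password=b"password"):
    """Reproduce the symptom with MAC-derived engine IDs, then the fix."""
    # Constructed MACs: node0's is the value from the article, node1's is assumed.
    mac_node0, mac_node1 = "0021599d3c3a", "0021599d3c3b"

    # 'set snmp engine-id use-mac-address': each node derives a different ID.
    per_node = {"node0": mac_engine_id(mac_node0), "node1": mac_engine_id(mac_node1)}
    broken = provision_cluster(per_node["node0"], per_node, username, password)

    # 'set snmp engine-id local 0021599d3c3a' on both nodes, users re-created.
    # Raw bytes stand in for whatever encoding Junos applies to the local value.
    explicit = bytes.fromhex(mac_node0)
    shared = {"node0": explicit, "node1": explicit}
    fixed = provision_cluster(shared["node0"], shared, username, password)

    return {
        "use-mac-address": {n: poll(broken, n, username, password) for n in broken},
        "explicit": {n: poll(fixed, n, username, password) for n in fixed},
    }


if __name__ == "__main__":
    for mode, results in demo().items():
        for node, ok in results.items():
            state = "authenticated" if ok else "authentication failure"
            print(f"{mode:16s} {node}: {state}")
```

With `use-mac-address` the script reports node0 authenticated and node1 failing, matching the symptom; with the shared explicit engine ID both nodes authenticate. The derivation functions can be checked against the SHA-1 test vector in RFC 3414 A.3.2 (password "maplesyrup", engine ID 0x000000000000000000000002).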

Note: After the same engine ID is configured on both nodes, some monitoring solutions may display the SRX cluster as a single device, because they use the engine ID to tell devices apart.
