[SRX] Example - Configuring SNMPv3 traps using CLI

  [KB34577]


Summary:

This article uses an example to describe how to configure SNMPv3 traps on SRX devices by using the Command Line Interface (CLI).

 

Solution:

To configure SNMPv3 traps on SRX devices and verify the configuration by using the Command Line Interface (CLI), perform the following:

CLI Configuration

set snmp v3 usm local-engine user jtac authentication-sha authentication-key Juniper
set snmp v3 usm local-engine user jtac privacy-aes128 privacy-key Juniper

set snmp v3 vacm security-to-group security-model usm security-name JUNOS group JTAC_GROUP
set snmp v3 vacm access group JTAC_GROUP default-context-prefix security-model any security-level privacy read-view ALL
set snmp v3 vacm access group JTAC_GROUP default-context-prefix security-model any security-level privacy write-view ALL
set snmp v3 vacm access group JTAC_GROUP default-context-prefix security-model any security-level privacy notify-view ALL

# 192.168.100.10 is the IP address of the NMS where you would like to receive the traps
set snmp v3 target-address NMS address 192.168.100.10
set snmp v3 target-address NMS tag-list MY_TAG
set snmp v3 target-address NMS target-parameters MY_TARGET

set snmp v3 target-parameters MY_TARGET parameters message-processing-model v3
set snmp v3 target-parameters MY_TARGET parameters security-model usm
set snmp v3 target-parameters MY_TARGET parameters security-level privacy
set snmp v3 target-parameters MY_TARGET parameters security-name jtac
# The notify-filter statement is responsible for sending traps out
set snmp v3 target-parameters MY_TARGET notify-filter ALL

set snmp v3 notify NOTIFY_ALL type trap
set snmp v3 notify NOTIFY_ALL tag MY_TAG

# Specific OIDs can be included or excluded here
set snmp v3 notify-filter ALL oid .1 include

# 192.168.100.1 is the IP address that is used to source the traps
set snmp trap-options source-address 192.168.100.1
 

Verification

  1. Check the sessions on the SRX device. Keep in mind that there will not be any return traffic for the SNMP traps.

root@SRX> show security flow session source-prefix 192.168.100.1 destination-prefix 192.168.100.10 destination-port 162

Session ID: 70000022, Policy name: self-traffic-policy/1, Timeout: 58, Valid
  In: 192.168.100.1/51740 --> 192.168.100.10/162;udp, Conn Tag: 0x0, If: .local..0, Pkts: 2, Bytes: 662, CP Session ID: 70000022
  Out: 192.168.100.10/162 --> 192.168.100.1/51740;udp, Conn Tag: 0x0, If: xe-2/0/0.0, Pkts: 0, Bytes: 0, CP Session ID: 70000022
Total sessions: 1

  2. Check whether the SNMPv3 traps are being sent out of the SRX device by using the monitor traffic interface command.

root@SRX> monitor traffic interface xe-2/0/0.0 no-resolve size 1500 matching "port 162"
Jun 10 19:44:20
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on xe-2/0/0.0, capture size 1500 bytes


19:45:07.113055 Out IP 192.168.100.1.51740 > 192.168.100.10.162:  F=ap U=jtac [!scoped PDU]ec_91_b8_60_d5_72_a5_53_ca_85_d8_0f_4f_b9_f7_54_f3_bb_b7_ac_db_2a_af_25_65_e8_bb_4d_8f_72_64_8f_fb_a3_f7_79_36_c0_de_f6_90_92_8e_54_dc_e7_8d_c9_3b_bc_f2_c4_06_c4_2b_c1_1e_fc_c3_cb_24_9a_70_8e_08_d3_07_08_48_0b_1b_ab_52_ba_3f_f8_0a_3e_4b_14_4b_26_8f_0d_57_70_a2_22_d5_46_62_df_18_9a_52_66_57_fd_37_21_d9_47_8b_bd_b1_c6_6e_0e_f7_1e_99_a9_75_20_db_c8_82_8d_57_f5_ed_72_41_cb_dc_88_25_10_03_15_26_c7_45_5e_6c_27_b2_a7_14_b9_43_26_e2_70_09_2b_5a_d1_65_a2_3e_94_86_55_21_3b_45_91_62_3d_c0_21_af_c9_8d_cf_73_ac_24_af_dc_b9_3d_df_ad_06_c1_9a_b1_67_a8_23_55_db_cc_00_b4_b8_95_36_a0_f2_7f_91_b3_f4_a6_49_24_0d_5c_9e_9a_7b_b6_9f_b5_15_ef_7e_ed_32_e9_6b_62_de_2e_be_bd_b2_3e_23_7f


19:45:14.809418 Out IP 192.168.100.1.51740 > 192.168.100.10.162:  F=ap U=jtac [!scoped PDU]1f_51_3c_5a_2f_1b_dd_ae_8c_87_04_dd_a1_61_28_88_f1_06_a3_27_8c_7a_94_10_31_d9_1d_c6_b8_c4_5a_1a_62_dc_a8_cf_ed_b8_96_86_46_a5_be_35_6f_43_b9_db_ec_94_a7_32_25_7c_36_db_59_a3_58_2d_cd_67_ed_09_3b_4c_61_07_f8_1c_48_92_28_b0_9b_7e_1f_b3_89_93_10_92_f0_d5_dc_51_cb_cb_ae_3f_bc_a4_c0_3e_02_54_85_88_99_06_f5_74_be_ad_b8_c9_90_54_dc_08_b3_93_bd_ec_54_94_53_59_2a_ad_cf_a6_df_55_e6_98_7d_c3_4d_53_cd_ef_b9_56_04_22_82_f5_83_8b_7a_18_e0_28_77_55_32_bf_9e_4e_26_11_1f_8f_03_c2_e2_5e_64_68_69_58_82_80_fe_76_ad_e5_bc_40_9e_af_42_e5_ec_90_93_d8_01_93_71_60_1c_d1_91_75_4c_39_f8_8b_8f_e1_1a_e1_88_b2_58_bd_15_3f_ea_7b_2f_9e_36_48_07_f9_8f_66_4e_b6_89_1d_dc_af_84_30_c6_e5_af_5e_1f
^C
4 packets received by filter
0 packets dropped by kernel

  3. Check for User, Group name, Access control, SNMP target, Parameters, Notify, and Filter information by using the following command:

root@SRX> show snmp v3

Jun 11 03:59:55

Local engine ID: 80 00 0a 4c 01 c0 a8 64 01
Engine boots:          10
Engine time:         1624 seconds
Max msg size:       65507 bytes


Engine ID: local
    User                            Auth/Priv   Storage      Status
    jtac                             sha/aes128 nonvolatile  active


Group name           Security  Security              Storage      Status
                     model     name                  type
JTAC_GROUP           usm       JUNOS                 nonvolatile  active


Access control:
Group                Context Security      Read       Write     Notify
                     prefix  model/level   view       view      view
JTAC_GROUP                    any/privacy  ALL        ALL       ALL


SNMP Target:
Address     Address                     Port  Parameters  Storage     Status
name                                          name        type
NMS         192.168.100.10              162   MY_TARGET   nonvolatile active


Parameters     Security        Security     Notify  Storage      Status
name           name            model/level  filter  type
MY_TARGET      jtac             usm/privacy ALL     nonvolatile  active


SNMP Notify:
Notify               Tag                Type         Storage      Status
name                                                 type
NOTIFY_ALL           MY_TAG             trap         nonvolatile  active


Filter               Subtree            Filter       Storage      Status
name                                    type         type
ALL                  1                  include      nonvolatile  active

  4. SNMPv3 traps are logged in SNMP traceoptions with the flag "ALL".

Jun 10 19:45:14.810116 jnxcm_send_trap: sent jnxCmCfgChange trap, event index:52
Jun 10 19:45:14.810126 jnxcm_read_commit_log: index: 52, time: 1560195914, user: root, source: cli
Jun 10 19:45:14.810149 jnxcm_read_rescue_log: Warning cannot open rescue log file
Jun 10 19:45:18.123795 sr_ifdm_handler: interface: xe-2/0/0, op: 2
Jun 10 19:45:18.167235 mdb_ifd_rts_handler: xe-2/0/0 (ifdindex: 138, snmpid: 512), rtsm_op: 2, generation number: 2199023255693
Jun 10 19:45:18.167264 mdb_ifd_update: Received ifdm (0x27fbf910) for interface xe-2/0/0
Jun 10 19:45:18.167279 if_track_update_ifd: kernel ifd CHANGE(2) from kernel snmpid(512) ifname(xe-2/0/0) snmp_index_consolidated(1)
Jun 10 19:45:18.167290 if_track_update_ifd: snmpid(512) old ifname(xe-2/0/0) new ifname(xe-2/0/0)
Jun 10 19:45:18.167300 media_specific_add_ifd: if name: xe-2/0/0, if index: 512, linktype = 1,porttype = 138, ifm_type = 3, desc = 6


Jun 10 19:45:18.167317 if_ether_add: setting lacp port data, snmp index: 512, lacp_data: 0x27fb8a24, mode: 1
Jun 10 19:45:18.167330 if_ether_add: setting lacp port data, snmp index: 512, lacp_data: 0x27fb8a24, mode: 1
Jun 10 19:45:18.173339 get_auto_neg_speed: get auto-neg speed = 0


Jun 10 19:45:18.173363 if_stack_update_ifd: snmpindex: 512
Jun 10 19:45:57.269978 ns_trap_internal
Jun 10 19:45:57.270048 ns_trap_internal
Jun 10 19:45:57.270168 snmpd[0]  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Jun 10 19:45:57.270184 snmpd[0]  <<< V2 Trap
Jun 10 19:45:57.270196 snmpd[0]  <<<  Source:      192.168.100.1
Jun 10 19:45:57.270205 snmpd[0]  <<<  Destination: 192.168.100.10
Jun 10 19:45:57.270214 snmpd[0]  <<<  Version:     SNMPv3
Jun 10 19:45:57.270223 snmpd[0]  <<<  Security Parameters:
Jun 10 19:45:57.270231 snmpd[0]  <<<   SecModel: USM
Jun 10 19:45:57.270245 snmpd[0]  <<<   EngId: 80 00 0a 4c 01 c0 a8 64 01
Jun 10 19:45:57.270253 snmpd[0]  <<<   User: jtac
Jun 10 19:45:57.270266 snmpd[0]  <<<   EngBoots: 2  EngTime: 116
Jun 10 19:45:57.270303 snmpd[0]  <<<   
Jun 10 19:45:57.270322 snmpd[0]  <<<   OID  : sysUpTime.0
Jun 10 19:45:57.270332 snmpd[0]  <<<   type : TimeTicks
Jun 10 19:45:57.270343 snmpd[0]  <<<   value: (11603)  0:01:56.03
Jun 10 19:45:57.270353 snmpd[0]  <<<   
Jun 10 19:45:57.270369 snmpd[0]  <<<   OID  : snmpTrapOID.0
Jun 10 19:45:57.270379 snmpd[0]  <<<   type : Object
Jun 10 19:45:57.270392 snmpd[0]  <<<   value: jnxCmCfgChange
Jun 10 19:45:57.270401 snmpd[0]  <<<   
Jun 10 19:45:57.270416 snmpd[0]  <<<   OID  : jnxCmCfgChgEventTime.53
Jun 10 19:45:57.270426 snmpd[0]  <<<   type : TimeTicks
Jun 10 19:45:57.270436 snmpd[0]  <<<   value: (11603)  0:01:56.03
Jun 10 19:45:57.270445 snmpd[0]  <<<   
Jun 10 19:45:57.270457 snmpd[0]  <<<   OID  : jnxCmCfgChgEventDate.53
Jun 10 19:45:57.270466 snmpd[0]  <<<   type : OctetString
Jun 10 19:45:57.270479 snmpd[0]  <<<   HEX  : 07 e3 06 0a  13 2d 39 00  
Jun 10 19:45:57.270490 snmpd[0]  <<<          2b 00 00
Jun 10 19:45:57.270499 snmpd[0]  <<<   
Jun 10 19:45:57.270511 snmpd[0]  <<<   OID  : jnxCmCfgChgEventSource.53
Jun 10 19:45:57.270520 snmpd[0]  <<<   type : Number
Jun 10 19:45:57.270530 snmpd[0]  <<<   value: 2
Jun 10 19:45:57.270539 snmpd[0]  <<<   
Jun 10 19:45:57.270551 snmpd[0]  <<<   OID  : jnxCmCfgChgEventUser.53
Jun 10 19:45:57.270560 snmpd[0]  <<<   type : OctetString
Jun 10 19:45:57.270570 snmpd[0]  <<<   value: "root"
Jun 10 19:45:57.270607 snmpd[0]  <<<   HEX  : 72 6f 6f 74  
Jun 10 19:45:57.270618 snmpd[0]  <<<   
Jun 10 19:45:57.270631 snmpd[0]  <<<   OID  : jnxCmCfgChgEventLog.53
Jun 10 19:45:57.270640 snmpd[0]  <<<   type : OctetString
Jun 10 19:45:57.270650 snmpd[0]  <<<   HEX  :
Jun 10 19:45:57.270659 snmpd[0]  <<<   
Jun 10 19:45:57.270672 snmpd[0]  <<<   OID  : snmpTrapEnterprise.0
Jun 10 19:45:57.270681 snmpd[0]  <<<   type : Object
Jun 10 19:45:57.270811 snmpd[0]  <<<   value: jnxProductNameSRX5400
Jun 10 19:45:57.270820 snmpd[0]  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Jun 10 19:45:57.270838 jnxcm_send_trap: sent jnxCmCfgChange trap, event index:53
Jun 10 19:45:57.270847 jnxcm_read_commit_log: index: 53, time: 1560195957, user: root, source: cli
Jun 10 19:45:57.270870 jnxcm_read_rescue_log: Warning cannot open rescue log file
Jun 10 19:45:57.309117 re-reading configuration, pid 3707
Jun 10 19:45:57.312139 re-reading configuration, PID 1711

  5. A packet capture on SNMPv3 trap with Authentication-SHA and Privacy-AES128 is as follows:

 

Common configuration mistakes

  • The name defined for tag-list under "snmp v3 target-address" must be the same as that defined for tag under "snmp v3 notify". For example, in the above configuration, the name defined is MY_TAG.

  • The line "set snmp v3 target-parameters MY_TARGET notify-filter ALL" is responsible for sending the traps out, so it must be configured properly.

  • You can include or exclude an appropriate OID in the notify-filter options in order to send/filter particular OIDs to the NMS. Pay attention to these OIDs because a misconfiguration might result in traps not being sent out. For more information about OIDs, refer to SNMP MIB Explorer.
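
The cross-references described in the list above can be checked mechanically before a commit. The following Python example is added here and is not Juniper's code or part of the original article; the function name lint_snmpv3_traps, the finding strings and the trimmed sample configuration are assumptions made for illustration, and the security-name and security-level checks go beyond the mistakes the article lists.

```python
import shlex

# Constructed sample: the trap-related statements from the article's example.
SAMPLE = """\
set snmp v3 usm local-engine user jtac authentication-sha authentication-key Juniper
set snmp v3 target-address NMS address 192.168.100.10
set snmp v3 target-address NMS tag-list MY_TAG
set snmp v3 target-address NMS target-parameters MY_TARGET
set snmp v3 target-parameters MY_TARGET parameters security-level privacy
set snmp v3 target-parameters MY_TARGET parameters security-name jtac
set snmp v3 target-parameters MY_TARGET notify-filter ALL
set snmp v3 notify NOTIFY_ALL tag MY_TAG
set snmp v3 notify-filter ALL oid .1 include
"""

def lint_snmpv3_traps(config):
    """Check the cross-references that decide whether (and how) traps are sent."""
    users, filters, notify_tags, targets, params = set(), set(), set(), {}, {}
    for line in config.splitlines():
        t = shlex.split(line.split("<<<<<")[0])  # drop any trailing '<<<<<' annotation
        if t[:3] != ["set", "snmp", "v3"] or len(t) < 7:
            continue
        section, name, rest = t[3], t[4], t[5:]
        if t[3:6] == ["usm", "local-engine", "user"]:
            users.add(t[6])
        elif section == "notify-filter":
            filters.add(name)
        elif section == "notify" and rest[0] == "tag":
            notify_tags.add(rest[1])
        elif section == "target-address":
            targets.setdefault(name, {})[rest[0]] = rest[1]
        elif section == "target-parameters":
            params.setdefault(name, {})[rest[-2]] = rest[-1]
    findings = []
    for name, ta in targets.items():
        if not set(ta.get("tag-list", "").split()) & notify_tags:
            findings.append(f"{name}: tag-list matches no 'notify <name> tag'")
        tp = params.get(ta.get("target-parameters"))
        if tp is None:
            findings.append(f"{name}: target-parameters is not defined")
            continue
        if tp.get("notify-filter") not in filters:
            findings.append(f"{name}: notify-filter missing or undefined")
        if tp.get("security-name") not in users:
            findings.append(f"{name}: security-name is not a local USM user")
        if tp.get("security-level") != "privacy":
            findings.append(f"{name}: security-level is not privacy (traps unencrypted)")
    return findings
```

Calling lint_snmpv3_traps on the output of "show configuration snmp | display set" returns an empty list when every reference resolves and the target uses the privacy security level.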

 
