[AGENT++] Duplicate Engine IDs?

Frank Fock fock at agentpp.com
Tue Nov 20 01:02:27 CET 2012


Hi Adam,

Yes, duplicate engine IDs in a network violate the SNMPv3 standard.
The standard defines a procedure to derive an engine ID from the device's
IP address to make the engine ID unique. This is a bug in the Cisco devices.

The only chance to communicate with the failover devices is to use a
second USM instance (with its own cache) or to reset the cache every time
(which undermines the security).

Best regards,
Frank


On 05.10.2012 16:21, Kerrison, Adam wrote:
> We are using SNMP++ to do some SNMPv3 scanning and have encountered some devices with duplicate SNMPv3 engine IDs. These are a pair of firewall devices running in a failover mode, so one is an exact duplicate of the other (apart from a management IP address, obviously!). Duplicate Engine IDs seem like a very bad thing to me but this seems to be how Cisco set them up ...
>
> When we try to talk to these devices we can successfully query one of them but the queries to the other always fail with a timeout.
>
> The process doing this is long running so I am thinking that maybe something is caching the engine ID? A test using standalone tools like NET-SNMP snmpwalk always works with both devices.
>
> Anyone have any clues!?
>
> Thanks
>
> Adam
> --
> Adam Kerrison
>
> _______________________________________________
> AGENTPP mailing list
> AGENTPP at agentpp.org
> http://lists.agentpp.org/mailman/listinfo/agentpp

-- 
---
AGENT++
Maximilian-Kolbe-Str. 10
73257 Koengen, Germany
https://agentpp.com
Phone: +49 7024 8688230
Fax:   +49 7024 8688231
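Added example for this thread (my own model, not SNMP++ or Cisco code): a non-authoritative manager's USM time cache as RFC 3414 section 3.2 step 7b describes it, plus the RFC 3411 IPv4-based engine ID format Frank refers to. It shows why two failover units that present one engine ID cannot both be polled through a single USM cache (the unit with the lower snmpEngineBoots is silently dropped, which the caller sees as a timeout) and why a second USM instance with its own cache makes both reachable. The addresses, the enterprise number 9, and the boots/time values are constructed for the example; the table layout is a simplification of what a real USM keeps.

```python
"""Model of a non-authoritative SNMPv3 USM time cache (RFC 3414, 3.2 step 7b)
and of the RFC 3411 IPv4 engine ID format. Added example for the mailing-list
thread; not SNMP++ code. Addresses and clock values below are constructed."""

import ipaddress
import struct

TIME_WINDOW = 150         # seconds, RFC 3414 section 2.2.3
MAX_BOOTS = 2147483647    # 2^31 - 1: an engine at this value must be reconfigured


def ipv4_engine_id(enterprise: int, ip: str) -> bytes:
    """Build an RFC 3411 SnmpEngineID, format 1 (IPv4 address).

    Bytes 0-3: enterprise number with the high bit set (RFC 3411-style ID),
    byte 4: format indicator 1, bytes 5-8: the IPv4 address."""
    return (struct.pack(">I", enterprise | 0x80000000)
            + b"\x01"
            + ipaddress.IPv4Address(ip).packed)


class Usm:
    """One USM instance (simplified model).

    engine_table: transport address -> engine ID learned by discovery.
    time_table:   engine ID -> (snmpEngineBoots, latestReceivedEngineTime).
    The time table is keyed by engine ID only, which is what breaks when two
    devices share one ID."""

    def __init__(self):
        self.engine_table = {}
        self.time_table = {}

    def discover(self, address, engine_id, boots, eng_time):
        """Discovery: learn the engine ID for an address, then process the
        authenticated Report that follows like any other incoming message."""
        self.engine_table[address] = engine_id
        self.time_table.setdefault(engine_id, (boots, eng_time))
        return self.accept(address, engine_id, boots, eng_time)

    def accept(self, address, msg_engine_id, msg_boots, msg_time):
        """Timeliness check of a non-authoritative receiver (RFC 3414 3.2 7b).
        True if the message is accepted; False if it is dropped as
        usmStatsNotInTimeWindows, which the poller experiences as a timeout."""
        if self.engine_table.get(address) != msg_engine_id:
            return False                       # unknown engine: discovery needed
        boots, latest = self.time_table[msg_engine_id]
        # A newer clock from this engine ID advances the cache before the check.
        if msg_boots > boots or (msg_boots == boots and msg_time > latest):
            boots, latest = msg_boots, msg_time
            self.time_table[msg_engine_id] = (boots, latest)
        if boots == MAX_BOOTS or msg_boots < boots:
            return False
        if msg_boots == boots and msg_time < latest - TIME_WINDOW:
            return False
        return True


def simulate(shared_usm: bool):
    """Poll two failover firewalls that present the same engine ID.

    Constructed values: both units send the ID derived from 192.0.2.1, but each
    member of the pair boots and keeps time on its own, so their
    snmpEngineBoots/snmpEngineTime differ. Returns {address: [ok, ok]} for
    two polls of each device."""
    dup_id = ipv4_engine_id(9, "192.0.2.1")   # constructed: enterprise 9, active unit's IP
    devices = [
        # (address, engine ID, snmpEngineBoots, snmpEngineTime)
        ("192.0.2.1", dup_id, 7, 500000),    # active unit
        ("192.0.2.2", dup_id, 3, 120000),    # standby unit, rebooted less often
    ]
    usm_a = Usm()
    usm_b = usm_a if shared_usm else Usm()   # Frank's fix: a second USM with its own cache
    usm_for = {"192.0.2.1": usm_a, "192.0.2.2": usm_b}

    results = {}
    for address, engine_id, boots, eng_time in devices:
        usm_for[address].discover(address, engine_id, boots, eng_time)
    for poll in range(2):
        for address, engine_id, boots, eng_time in devices:
            # each poll arrives 10 s later on the device's own clock
            ok = usm_for[address].accept(address, engine_id, boots,
                                         eng_time + 10 * (poll + 1))
            results.setdefault(address, []).append(ok)
    return results


if __name__ == "__main__":
    print("one shared USM cache:      ", simulate(True))
    print("one USM instance per device:", simulate(False))
```

With one shared cache the unit whose snmpEngineBoots is higher wins: its clock advances the cache and every response from the other unit fails the `msg_boots < boots` test and is dropped without any Report, which is exactly a long-running poller seeing timeouts while a fresh snmpwalk (new cache, fresh discovery) works. A separate `Usm` per address keeps the two clocks apart. Resetting the cache before each request would also make both units answer, but it re-learns boots/time from whatever arrives first and so gives up the replay protection the 150-second window exists for.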