Hi all,
We have 2 DMAs, one running 9.6 and one running 10.3. We configured same number of SNMPv3 traps to be received on either DMA and we noticed 10.3 is missing some traps while 9.6 is receiving them - verified via Wireshark.
Once the 10.3 DMA is restarted, traps are being processed for 30 minutes after which they fail.
- It is confirmed that Windows firewall has an inbound rule for local UDP port 162 for Domain, Private and Public
- CMTS devices use credentials from Credential Library that uses noAuthNoPriv.
After further checking, we noticed that the traps sent by the CMTS devices were missing the msgUserName (see screenshot below).
An update was made on the CMTS devices to populate the correct msgUserName. After this update was done, the traps were observed to be processed without a DMA restart.
Could you explain why this is the case ? Is there something we could check here ?
The User-based Security Model for SNMPv3 (RFC3414) requires the presence of a valid username in the msgUserName field for proper authentication and authorization. An empty or missing msgUserName will result in a security-related error, as the security model relies on the identification of the user who generated the SNMP message.
The library that DataMiner is using to capture these incoming traps (snmp++) is discarding them for above described reason. If you rectified it on the CMTS devices for the traps to include a valid username, it is expected that they should start coming through. That should be sufficient and a DataMiner restart is not required.
With DataMiner 10, the snmp++ library got a significant upgrade to version 3.3.11. I did not find any release note which can clearly confirm this, but that might be a reason why those traps were still coming through in DataMiner 9.6. With that security issue now being patched, the behavior in DataMiner 10 and newer is correct and what is expected.
Having this clearly logged in the SLSNMPManager logging should be a good improvement to quickly understand why some traps are not being processed. I will create an internal ticket to look into this.