NMS Cannot Manage an S Series Switch
- Overview
- Prerequisites
- Checking the SNMP Versions Used by the NMS and Switch
- Checking the Community Names Used by the NMS and Switch
- Checking Whether the Involved Data Types Are Supported by the SNMP Version
- Checking the Security Level of an SNMPv3 User
- Checking the MIB Views Configured for an SNMPv3 User
- More Information About Huawei SNMP
Overview
This document describes how to troubleshoot a network management system (NMS) that fails to manage switches using the Simple Network Management Protocol (SNMP). The fault symptoms include:
- The NMS cannot communicate with a switch.
- The NMS cannot obtain switch information.
- The switch cannot be configured.
Prerequisites
This document applies to all versions of all S series switches. In the following troubleshooting procedures, eSight is used as the NMS and switches run V200R019C10.
Checking the SNMP Versions Used by the NMS and Switch
By default, only SNMPv3 is enabled on a switch. If the NMS uses SNMPv1 or SNMPv2c, it cannot communicate with the switch, and the following log is generated on the switch:
Failed to login through SNMP. (Ip=192.168.1.2, Times=3, Reason=the version was incorrect, VPN= )
snmp-agent sys-info version all
Checking the Community Names Used by the NMS and Switch
Both read-only and read-write community names need to be checked. If the community names are inconsistent, the following log information is generated on the switch:
Failed to login through SNMP. (Ip=192.168.1.2, Times=2, Reason=the community was incorrect, VPN= )
To rectify the fault, change the community names used by the NMS or modify the community name configuration on the switch. For example, set both the read-only and read-write community names to Test@2000 on the switch.
snmp-agent community read cipher Test@2000
snmp-agent community write cipher Test@2000
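The two login-failure logs quoted above can be triaged in bulk. The following is an added example, not part of the original document or of any Huawei tool: it parses the log body shown on this page, totals the failures per source address and reason, and names the check this document prescribes for each reason. The function name, the summing of the Times field as an attempt count, and the sample lines marked as constructed are assumptions.

```python
import re
from collections import Counter

# Log body exactly as quoted on this page; any prefix before it is ignored.
LOG_RE = re.compile(
    r"Failed to login through SNMP\. \(Ip=(?P<ip>[^,]+), Times=(?P<times>\d+), "
    r"Reason=(?P<reason>[^,]+), VPN=(?P<vpn>[^)]*)\)")

# Reason strings that appear on this page, mapped to the section that handles them.
CHECKS = {
    "the version was incorrect": "check the SNMP versions used by the NMS and switch",
    "the community was incorrect": "check the read-only and read-write community names",
}

def triage(lines):
    """Sum Times per (source IP, reason) and attach the matching check."""
    attempts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:  # lines that are not SNMP login failures are skipped
            attempts[(m["ip"].strip(), m["reason"].strip())] += int(m["times"])
    return [(ip, reason, total, CHECKS.get(reason, "reason not covered in this document"))
            for (ip, reason), total in sorted(attempts.items())]

# First two lines are the logs quoted on this page; the rest are constructed.
SAMPLE_LOGS = [
    "Failed to login through SNMP. (Ip=192.168.1.2, Times=3, Reason=the version was incorrect, VPN= )",
    "Failed to login through SNMP. (Ip=192.168.1.2, Times=2, Reason=the community was incorrect, VPN= )",
    "Failed to login through SNMP. (Ip=192.168.1.2, Times=4, Reason=the community was incorrect, VPN= )",
    "Failed to login through SNMP. (Ip=192.0.2.7, Times=1, Reason=some other reason, VPN= )",
    "Interface state changed (constructed unrelated line)",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOGS):
        print(row)
```

A source address in this output that is not the NMS is worth investigating separately from the configuration mismatch.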
Checking Whether the Involved Data Types Are Supported by the SNMP Version
SNMPv2c supports more data types than SNMPv1. For details, see the SNMPv2c protocol defined by RFC standards.
For example, Unsigned32 and Counter64 data types are supported by SNMPv2c, but not SNMPv1. If the NMS uses SNMPv1 to communicate with the switch, the NMS cannot access the objects of the Unsigned32 and Counter64 data types.
To rectify the fault, set the SNMP version used by the NMS and switch to SNMPv2c or SNMPv3.
Checking the Security Level of an SNMPv3 User
There are three security levels for SNMP users: no authentication and no encryption, authentication and no encryption, as well as authentication and encryption. According to the requirements of the SNMPv3 protocol, the security level of an SNMP user must be equal to or higher than that of the user group to which the user belongs. Otherwise, the NMS cannot communicate with the switch.
In the following example, the security level of the user group vtlgroup is authentication and encryption, and that of the vtluser user in this group is authentication and no encryption. The security level of the user is lower than that of the user group.
...
snmp-agent group v3 vtlgroup privacy write-view testview notify-view testview  //An SNMPv3 user group named vtlgroup is created, and its security level is set to authentication and encryption.
snmp-agent usm-user v3 vtluser
snmp-agent usm-user v3 vtluser group vtlgroup  //An SNMPv3 user named vtluser is created and added to the user group vtlgroup.
snmp-agent usm-user v3 vtluser authentication-mode md5 cipher %@%@yC."'f{TAEc{!`;HB'LR6KMk%@%@  //The security level of the vtluser user is set to authentication and no encryption.
snmp-agent trap enable
...
To rectify the fault in this scenario, change the security level of the SNMPv3 user to authentication and encryption.
snmp-agent usm-user v3 vtluser privacy-mode aes128 cipher %^%#*B_pBF#db*@[a@QduTr09%uLS.fb%$WPP$'j.%[!%^%#
Checking the MIB Views Configured for an SNMPv3 User
When an SNMPv3 user group is configured on a switch, users in the user group only have the read permission if the write-view and notify-view parameters are not specified. In the following configuration, the write-view and notify-view parameters are not configured for the user group testgroup. Therefore, users in this group have only the read permission. That is, the NMS can perform only the get operation, but not the set operation.
...
snmp-agent group v3 testgroup privacy  //The read, write, and notify views are not configured. Therefore, the user group testgroup only has the permission in the read-only MIB view. In this case, the NMS can obtain device information but cannot change it.
snmp-agent target-host trap address udp-domain 79.101.119.242 source LoopBack0 params securityname cipher %@%@L[O"fDmmT$V]IOIM89W$%@%@
...
To rectify the fault, configure the write and notify MIB views.
snmp-agent group v3 testgroup privacy write-view public-view notify-view public-view
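Both SNMPv3 checks, the user security level and the group MIB views, can be run against a saved configuration. The following is an added example, not part of the original document or of any Huawei tool: it reads the snmp-agent lines shown on this page and reports users whose security level is lower than that of their group, and groups with no write-view or notify-view. The function names, the finding labels, the <cipher> placeholder, and the handling of an authentication keyword on a group line are assumptions.

```python
LEVELS = {"authentication": 1, "privacy": 2}  # any other keyword counts as level 0 (assumption)

def parse(config):
    """Collect SNMPv3 groups and users from snmp-agent configuration lines."""
    groups, users = {}, {}
    for raw in config.splitlines():
        tok = raw.split("//")[0].split()  # drop the trailing // annotation
        if tok[:3] == ["snmp-agent", "group", "v3"] and len(tok) >= 5:
            views = {k: tok[i + 1] for i, k in enumerate(tok[:-1])
                     if k in ("read-view", "write-view", "notify-view")}
            groups[tok[3]] = {"level": LEVELS.get(tok[4], 0), "views": views}
        elif tok[:3] == ["snmp-agent", "usm-user", "v3"] and len(tok) >= 4:
            user = users.setdefault(tok[3], {"group": None, "auth": False, "priv": False})
            if tok[4:5] == ["group"] and len(tok) >= 6:
                user["group"] = tok[5]
            elif tok[4:5] == ["authentication-mode"]:
                user["auth"] = True
            elif tok[4:5] == ["privacy-mode"]:
                user["priv"] = True
    return groups, users

def audit(config):
    """Return (kind, name, detail) findings for the two SNMPv3 faults on this page."""
    groups, users = parse(config)
    findings = []
    for name, user in sorted(users.items()):
        group = groups.get(user["group"])
        level = 2 if user["auth"] and user["priv"] else 1 if user["auth"] else 0
        if group and level < group["level"]:  # user must be >= group level
            findings.append(("user-below-group", name, (level, group["level"])))
    for name, group in sorted(groups.items()):
        missing = tuple(v for v in ("write-view", "notify-view") if v not in group["views"])
        if missing:  # NMS can get but not set
            findings.append(("view-not-configured", name, missing))
    return findings

# Constructed sample built from the two faulty configurations on this page;
# cipher strings are replaced by the placeholder <cipher>.
SAMPLE = """\
snmp-agent group v3 vtlgroup privacy write-view testview notify-view testview
snmp-agent usm-user v3 vtluser
snmp-agent usm-user v3 vtluser group vtlgroup
snmp-agent usm-user v3 vtluser authentication-mode md5 cipher <cipher>
snmp-agent group v3 testgroup privacy  //no views configured
snmp-agent trap enable
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

In the detail tuple of a user-below-group finding, 0, 1 and 2 stand for the three security levels in the order this document lists them.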