Last Modified: Apr 28, 2023
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2
Opened: Oct 11, 2019 Severity: 3-Major
SNMPv3 fails to read authenticated or encrypted messages to all but one of the members of a Config Sync group.
Impact: SNMPv3 works for only one member of a config sync group. Configuring the SNMPv3 passphrases on one device makes that device work, but the other members of the config sync group then fail.
Conditions: Using SNMPv3 to read from, or receive traps from, high availability (HA) pairs.
Workaround:
Make sure the following SNMPv3 settings are excluded from config sync. Most releases shipped since 2019 already exclude the engineID, but verify it on your version: the engineID must be unique per device, and the localized SNMPv3 keys are derived from it, so they must never be copied from one device to another.

In /defaults/config_base.conf, locate each of these display-names and make sure its configsyncd setting is "no":

  display-name "Authoritative (security) engineID for SNMPv3"
  display-name "Authentication pass phrase for SNMPv3 messages"
  display-name "Privacy pass phrase used for encrypted SNMPV3 messages"
  display-name "User's passphrase"
  display-name "Privacy passphrase"

/usr is mounted read-only, so remount it read-write for the edit (see K11302), then restore it:

  # mount /usr read-write (see K11302)
  mount -o remount,rw /usr
  pico /defaults/config_base.conf
  # Ctrl-W searches for each display-name above;
  # change "configsyncd yes" to "configsyncd no" where necessary;
  # Ctrl-X, then y, saves and exits
  # restore /usr read-only
  mount -o remount,ro /usr
  tmsh load sys config

Repeat this on every member of the config sync group, and re-check it after installing a new software version, because each boot location has its own /usr.

Once these settings no longer sync, create the SNMPv3 user on each device separately, using the same passphrases that your SNMPv3 manager uses. The user name and passphrases below are placeholders:

  tmsh modify sys snmp users add { v3snmp { auth-protocol sha privacy-protocol aes username mikev3 auth-password password3 privacy-password password3 } }
  tmsh modify sys snmp users modify { v3snmp { security-level auth-privacy access rw } }
  tmsh save sys config

Use "access ro" unless the manager actually needs to write via SNMP, and use different authentication and privacy passphrases in production.

Each device should then answer a query that uses those passphrases. Run it on the device first, then from the manager against each device's management address:

  snmpwalk -v 3 -u mikev3 -l authPriv -a SHA -A password3 -x AES -X password3 localhost

For more information about SNMP, see the following articles:
  K15681: Customizing the SNMP v3 engineID
  K6821: SNMP v3 fails if the SNMP engine ID is not unique
  K3727: Configuring custom SNMP traps
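The reason the synced keys fail is RFC 3414 key localization: the passphrase is stretched and hashed into Ku, then bound to one snmpEngineID as Kul = H(Ku || engineID || Ku), and only Kul is stored on the device. A Kul computed on device A is therefore useless on device B, whose engineID differs, while the manager (after engineID discovery) localizes the same passphrase under B's engineID. The following Python is an added illustration, not code from the F5 article or from BIG-IP; the two engine IDs, the passphrase and the request bytes are constructed, and the RFC 3414 A.3.2 "maplesyrup" test vector is used to check the derivation.

```python
"""RFC 3414 key localization: why a config-synced SNMPv3 key fails on the peer.

Added example, not from the F5 article. Engine IDs, passphrase and request
below are constructed for illustration.
"""
import hashlib
import hmac

ONE_MIB = 1024 * 1024


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2: repeat the passphrase to exactly 1 MiB and hash it (Ku).

    hash_name "sha1" matches tmsh auth-protocol sha; "md5" matches md5.
    """
    if not password:
        raise ValueError("empty passphrase")
    stretched = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). Valid for one engine only."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def privacy_key_aes128(priv_passphrase: bytes, engine_id: bytes) -> bytes:
    """RFC 3826: AES-128 uses the first 16 octets of the localized priv key."""
    return localize_key(password_to_key(priv_passphrase), engine_id)[:16]


def auth_tag(kul: bytes, message: bytes) -> bytes:
    """HMAC-SHA-96 (RFC 3414 6.3): first 12 octets of HMAC-SHA-1 over the message."""
    return hmac.new(kul, message, hashlib.sha1).digest()[:12]


def verify(kul: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check of an incoming authentication tag."""
    return hmac.compare_digest(auth_tag(kul, message), tag)


def simulate_config_sync(passphrase: bytes, engine_a: bytes, engine_b: bytes,
                         request: bytes) -> dict:
    """Model the bug and the workaround.

    Device A localizes the key under its own engineID. Config sync copies that
    localized key to device B. The manager discovers B's engineID and localizes
    the same passphrase under it, so its request validates only against a key
    that was localized for B (what the per-device tmsh commands produce).
    """
    ku = password_to_key(passphrase)
    key_on_a = localize_key(ku, engine_a)            # correct for A
    key_synced_to_b = key_on_a                       # what B holds after sync
    key_created_on_b = localize_key(ku, engine_b)    # what the workaround yields
    manager_key_for_b = localize_key(ku, engine_b)   # manager after discovery
    tag = auth_tag(manager_key_for_b, request)
    return {
        "keys_differ": key_on_a != key_created_on_b,
        "synced_key_accepts": verify(key_synced_to_b, request, tag),   # False
        "local_key_accepts": verify(key_created_on_b, request, tag),   # True
    }


if __name__ == "__main__":
    # Constructed engine IDs in RFC 3411 format (0x80 | enterprise, format, data).
    engine_a = bytes.fromhex("80001f8880a1a2a3a4")
    engine_b = bytes.fromhex("80001f8880b1b2b3b4")
    result = simulate_config_sync(b"password3", engine_a, engine_b, b"get sysName.0")
    for name, value in result.items():
        print(f"{name}: {value}")
```

The `keys_differ` result is the whole story: the same passphrase gives a different localized key per engineID, so the only portable secret is the passphrase itself, which is why the workaround enters it on each device instead of letting config sync carry the derived key.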
Fix Information: None