Bug ID 837481: SNMPv3 pass phrases should not be synced between high availability (HA) devices, as they are based on each device's unique engineID

Last Modified: Jan 06, 2023

Bug Tracker

Affected Product: BIG-IP TMOS (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1

Opened: Oct 11, 2019
Severity: 3-Major

Symptoms

SNMPv3 fails to read authenticated or encrypted messages on all but one of the members of a Config Sync group.

Impact

SNMPv3 can only work for one member of a config sync group. Configuring passwords on one device makes that device work, but the other members of the config sync group will then fail.

Conditions

Using SNMPv3 to read from, or receive traps from, high availability (HA) pairs.

Workaround

- Check that "Authoritative (security) engineID for SNMPv3" is not synced (most code released since 2019). The engineID needs to be unique per device.

- Modify /defaults/config_base.conf to set sync to "no" and check that the following do not sync. These parameters must NOT sync, as they need to match the individual device engineID:

    display-name "Authoritative (security) engineID for SNMPv3"
    display-name "Authentication pass phrase for SNMPv3 messages"
    display-name "Privacy pass phrase used for encrypted SNMPV3 messages"
    display-name "User's passphrase"
    display-name "Privacy passphrase"

  Mount /usr as read-write (see K11302), edit the file, then restore /usr to read-only and reload the configuration:

    mount -o remount,rw /usr
    pico /defaults/config_base.conf
    # use Control-w to search for the display names above
    # change "configsyncd yes" to "configsyncd no" if necessary in each location
    # use Control-x y to exit with saving
    mount -o remount,ro /usr
    tmsh load sys config

- Once these are no longer syncing over, create the v3 user on each device using the same pass phrase as your SNMPv3 manager is using:

    tmsh modify sys snmp users add { v3snmp { auth-protocol sha privacy-protocol aes username mikev3 auth-password password3 privacy-password password3 } }
    tmsh modify sys snmp users modify { v3snmp { security-level auth-privacy access rw } }

- Each device should then respond OK to a query using that same pass phrase:

    snmpwalk -v 3 localhost -a sha -x aes -A password3 -X password3 -u mikev3 -l authpriv

For more information about SNMP, see the following articles:

K15681: Customizing the SNMP v3 engineID
K6821: SNMP v3 fails if the SNMP engine ID is not unique
K3727: Configuring custom SNMP traps
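The workaround above depends on all five SNMPv3 settings ending up as "configsyncd no" on every device, and a single one left at "yes" is enough to push one device's engineID-bound secrets onto its peer. The following shell script is an added example, not F5 code from this bug record or from BIG-IP itself: it audits a config_base.conf-style file for exactly those five display names and returns the number that still sync, so an administrator can confirm the edit took effect before the next config sync. The stanza layout it parses (a display-name line followed by a configsyncd line inside the same block) and the embedded sample file are assumptions constructed for the example; the function name audit_snmpv3_sync is likewise hypothetical.

```shell
#!/bin/sh
# Added example (not F5's code): report which SNMPv3 engineID / pass-phrase
# settings in a config_base.conf-style file are still marked "configsyncd yes".
# ASSUMPTION: each setting is a block in which a 'display-name "..."' line is
# followed, within the same block, by a 'configsyncd yes|no' line.

# Constructed sample in the assumed layout (not a copy of the real file).
# Three of the five per-device settings are deliberately left at "yes".
SAMPLE_CONF=$(cat <<'EOF'
snmp.engineid {
    display-name "Authoritative (security) engineID for SNMPv3"
    configsyncd yes
}
snmp.authpass {
    display-name "Authentication pass phrase for SNMPv3 messages"
    configsyncd no
}
snmp.privpass {
    display-name "Privacy pass phrase used for encrypted SNMPV3 messages"
    configsyncd yes
}
snmp.user.authpass {
    display-name "User's passphrase"
    configsyncd yes
}
snmp.user.privpass {
    display-name "Privacy passphrase"
    configsyncd no
}
snmp.community {
    display-name "Community string"
    configsyncd yes
}
EOF
)

# audit_snmpv3_sync FILE
# Prints one "<display-name>: configsyncd <value>" line per matched setting and
# exits with the count of settings still set to "yes" (0 = workaround complete).
# Settings outside the five named in the workaround (e.g. community string) are
# ignored, since syncing them is expected.
audit_snmpv3_sync() {
    awk -v apos="'" '
        BEGIN {
            want["Authoritative (security) engineID for SNMPv3"] = 1
            want["Authentication pass phrase for SNMPv3 messages"] = 1
            want["Privacy pass phrase used for encrypted SNMPV3 messages"] = 1
            want["User" apos "s passphrase"] = 1
            want["Privacy passphrase"] = 1
            bad = 0; name = ""
        }
        # Remember the display name of the block we are in, if it is one we track.
        /display-name "/ {
            s = $0
            sub(/^[[:space:]]*display-name "/, "", s)
            sub(/"[[:space:]]*$/, "", s)
            name = (s in want) ? s : ""
            next
        }
        # First configsyncd line after a tracked display name decides the verdict.
        name != "" && /^[[:space:]]*configsyncd[[:space:]]/ {
            print name ": configsyncd " $2
            if ($2 == "yes") bad++
            name = ""
        }
        END { exit bad }
    ' "$1"
}

# Stand-alone run against the constructed sample.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$demo_file"
rc=0
audit_snmpv3_sync "$demo_file" || rc=$?
if [ "$rc" -eq 0 ]; then
    echo "OK: none of the SNMPv3 engineID/pass-phrase settings sync"
else
    echo "WARNING: $rc setting(s) still 'configsyncd yes'; edit /defaults/config_base.conf (see K11302) and run 'tmsh load sys config'"
fi
rm -f "$demo_file"
```

On a real device the function would be pointed at /defaults/config_base.conf on each member of the sync group; a non-zero exit on any member means that member can still overwrite its peers' engineID-bound pass phrases at the next sync.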

Fix Information

None

Behavior Change