rain
Staff
October 28, 2025

Troubleshooting Tip: How to troubleshoot SNMPv3 fail authentication on FortiGate and general errors

Description: This article describes how to troubleshoot failed user and password authentication at the SNMPv3 level.
Scope: FortiGate, SNMPv3.
Solution

To debug the SNMP process internally on the FortiGate, run the following commands:

 

diagnose debug application snmpd -1

diagnose debug console timestamp enable

diagnose debug enable

 

After that, send a test connection from the SNMP manager. The debug output will then appear, and depending on the issue, one of the following will be shown:

 

  • If the user is correct, but the password is wrong:

 

SNMPv3 does not use a community; that is for SNMPv1 and v2c. Instead, SNMPv3 authenticates with a user and a password. If the cipher protocols (used for authentication and encryption) are wrong or the password is wrong, the following will be shown:

 

SNMP1.png

 

If the debug output shows the username correctly but the message 'Message authentication or checking failed' persists with the reason 'USM unsupported security level', see Troubleshooting Tip: SNMPv3 walk failure due to 'Message authentication or checking failed (USM authentication failure)' error.

 

  • If the user is incorrect, but the password and cipher protocols are correct:

 

If the user is wrong, the same message as before will be shown, but the reason will be 'unknown username'. Check the user name that the FortiGate is receiving and compare it with the configured one to confirm whether it is correct.

 

SNMP2.png

 

SNMP3.png

 

  • After sending the test, no lines are shown in the CLI console:

 

This could mean that trusted hosts are enabled for the administrator users, or that the SNMP service is not enabled on the interface that should be listening for the UDP request. Check that configuration and change it if needed.

 

SNMP5.png 

  • If another SNMP version (v1 or v2c) is being used instead of SNMPv3:

 

If v3 is not being used, switch to SNMPv3. As mentioned previously, the log with the authentication attempt will be shown. Remember that a community is only used for SNMPv1 and v2c.

 

SNMP6.png

 

  • If the security level is not specified in the snmpwalk command, the following error is shown:

2026-02-06 11:58:37 snmpd: usm secparams parse: msgUserName: mysnmptest (4 left)
2026-02-06 11:58:37 snmpd: usm seclevel check: unsupported secLevel flags=0x00 user=mysnmptest seclevel=2
2026-02-06 11:58:37 snmpd: usm recv parse: Message authentication or checking failed! user=mysnmptest errno=-42
2026-02-06 11:58:37 snmpd: v3 recv: parse failed. errno=-42 (USM unsupported security level)
2026-02-06 11:58:37 snmpd: </msg> 0

 

The snmpwalk command for Linux and its parameters are listed below. Not specifying the security level (-l authPriv) results in the error above.

snmpwalk -v3 -l authPriv -u <username> -a <auth_proto> -A "<auth_password>" -x <priv_proto> -X "<priv_password>" <fortigate_ip> .1.3.6.1.4.1.12356.101.4.1.3.0

 

Parameters:

-v3: Specifies SNMP version 3.
-l authPriv: Security level. Options include noAuthNoPriv, authNoPriv, or authPriv.
-u <username>: The SNMPv3 user configured on the FortiGate SNMP User page.
-a <auth_proto>: Authentication protocol (typically MD5 or SHA).
-A "<auth_password>": The authentication passphrase.
-x <priv_proto>: Encryption/Privacy protocol (typically DES, AES, or AES256).
-X "<priv_password>": The encryption/privacy passphrase.
.1.3: The starting OID.
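The failure reasons described above can be triaged automatically from captured debug output. The following is an added example, not Fortinet's own code: it assumes that the `flags=` field is the request's SNMPv3 msgFlags (RFC 3412 auth/priv bits) and that every failure reason is logged in the same `parse failed. errno=N (reason)` form as the line quoted in this article. The names `triage`, `ADVICE` and `LEVELS` are hypothetical.

```python
import re

# Sample input: the debug lines quoted in the article above.
SAMPLE = """\
2026-02-06 11:58:37 snmpd: usm secparams parse: msgUserName: mysnmptest (4 left)
2026-02-06 11:58:37 snmpd: usm seclevel check: unsupported secLevel flags=0x00 user=mysnmptest seclevel=2
2026-02-06 11:58:37 snmpd: usm recv parse: Message authentication or checking failed! user=mysnmptest errno=-42
2026-02-06 11:58:37 snmpd: v3 recv: parse failed. errno=-42 (USM unsupported security level)
"""

# msgFlags bits from RFC 3412: 0x01 = auth, 0x02 = priv (assumed meaning of flags=).
LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}

# Reason substrings named in the article, mapped to the check it recommends.
ADVICE = [
    ("unsupported security level", "pass -l (e.g. -l authPriv) to match the user's security level"),
    ("unknown username", "compare the received user name with the SNMP user on the FortiGate"),
    ("authentication failure", "verify the password and the auth/priv protocols"),
]

USER_RE = re.compile(r"msgUserName: (\S+)")
FLAGS_RE = re.compile(r"secLevel flags=(0x[0-9a-fA-F]+)")
FAIL_RE = re.compile(r"parse failed\. errno=(-?\d+) \((.+)\)")

def triage(log_text):
    """Return one finding per failed SNMPv3 request in the debug output."""
    findings, user, level = [], None, None
    for line in log_text.splitlines():
        if m := USER_RE.search(line):
            user, level = m.group(1), None  # a new request starts here
        elif m := FLAGS_RE.search(line):
            bits = int(m.group(1), 16) & 0x03  # keep only the auth/priv bits
            level = LEVELS.get(bits, "invalid (priv without auth)")
        elif m := FAIL_RE.search(line):
            reason = m.group(2)
            advice = next((a for key, a in ADVICE if key in reason.lower()),
                          "see raw debug output")
            findings.append({"user": user, "requested_level": level,
                             "errno": int(m.group(1)), "reason": reason,
                             "advice": advice})
            user, level = None, None
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the sample, the decoded request level is noAuthNoPriv, which is what snmpwalk sends when -l is omitted.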