CLI log:

date=2024-11-14 time=00:13:00 eventtime=1731523380957393442 tz="+0530" logid="0100029021" type="event" subtype="system" level="warning" vd="root" logdesc="SNMP query failed" user="snmp_user" dstip=10.210.1.3 dstport=161 srcip=10.210.2.56 srcport=3747 version="SNMP_v3" msg="Message authentication or checking failed (USM authentication failure)."

Debug output:

FW1 # diagnose debug console timestamp en

FW1 # diagnose debug app snmpd -1
Debug messages will be on for 30 minutes.

FW1 # diagnose debug enable
2024-11-14 00:03:18 snmpd: <msg> 157 bytes 10.210.2.56:63414 -> 10.210.1.3/10.210.1.3:161 (itf 3.3)
2024-11-14 00:03:18 snmpd: v3 recv parse: packet (157 left)
2024-11-14 00:03:18 snmpd: v3 recv parse: version: 3 (151 left)
2024-11-14 00:03:18 snmpd: v3 recv parse: msgGlobalData (132 left)
2024-11-14 00:03:18 snmpd: data [(17) (02 04 e0 12 85 jj 02 03 00 hf e3 04 01 05 02 01 03 )(.....y...........)]
2024-11-14 00:03:18 snmpd: v3 recv parse: msgFlags: 0x05
2024-11-14 00:03:18 snmpd: usm recv parse: packet (132 left)
2024-11-14 00:03:18 snmpd: usm recv parse: msgSecurityParameters: sz=76 left=54
2024-11-14 00:03:18 snmpd: usm secparams parse: msgSecurityParameters: sz=74 left=0
2024-11-14 00:03:18 snmpd: data [(74) (04 15 80 00 30 44 04 46 47 32 30 30 46 54 39 32 33 39 31 37 31 34 38 02 04 66 6d cb 33 02 04 00 c
7 25 ba 04 09 73 6e 6d 70 5f 75 73 65 72 04 18 97 45 90 b8 e9 fd 55 ae 7e c8 73 30 40 47 1b 1e cf 07 ce 55 ab c2 b0 5c 04 00 )(....0D.FG
2048..fm.3....%...snmp_user...E....U.~.s0@G.....U...\..)]
2024-11-14 00:03:18 snmpd: usm secparams parse: msgUserName: snmp_user (28 left)
2024-11-14 00:03:18 snmpd: usm recv parse: Message authentication or checking failed! user=snmp_user errno=-44
2024-11-14 00:03:18 snmpd: v3 recv: parse failed. errno=-44 (USM authentication failure)
2024-11-14 00:03:18 snmpd: </msg> 0

One of the reasons this error is encountered is when the '$' character is used in either password or username; This string is altered when received on the firewall, resulting in authentication failure.

Non-Working:

 
Working:

To avoid this issue, do not use the '$' character when using SNMPv3.

Another reason could be a mismatch between the authentication algorithm selected on the FortiGate and the monitoring server. Ensure that the authentication algorithm configured (e.g., MD5, SHA1, SHA224, SHA384, SHA256, SHA512) matches on both sides.

Take a packet capture and verify that the SNMP manager is sending authentication and encryption parameters.

Note: Third-party SNMP agents will request a complexity of the password at the Authentication/Encryption algorithm, because of this, the base length should be at least 8 characters. If the password is not that long, the error 'parse failed. errno=-44 (USM authentication failure)' will be shown.