FortiGate
rishab444
Staff
Article Id 357582
Description

This article describes a solution for a scenario where 'Message authentication or checking failed (snmp general error)' is encountered while performing an SNMPv3 walk.

Scope

FortiGate.
Solution

CLI log:

date=2024-11-14 time=00:01:00 eventtime=1731522660931348589 tz="+0530" logid="0100029021" type="event" subtype="system" level="warning" vd="root" logdesc="SNMP query failed" dstip=10.210.1.3 dstport=161 srcip=10.210.2.56 srcport=27549 version="SNMP_v3" msg="Message authentication or checking failed (snmp general error)."

Debug output:

FW1 # diagnose debug console timestamp en

FW1 # diagnose debug app snmpd -1
Debug messages will be on for 30 minutes.

FW1 # diagnose debug enable
2024-11-13 23:48:34 snmpd: updating cache: idx_cache (:)
2024-11-13 23:48:45 snmpd: <msg> 64 bytes 10.210.2.56:57008 -> 10.210.1.3/10.210.1.3:161 (itf 3.3)
2024-11-13 23:48:45 snmpd: v3 recv parse: packet (64 left)
2024-11-13 23:48:45 snmpd: v3 recv parse: version: 3 (59 left)
2024-11-13 23:48:45 snmpd: v3 recv parse: msgGlobalData (40 left)
2024-11-13 23:48:45 snmpd: data [(17) (02 04 4b ed 7a a8 02 03 00 ff ff 04 01 04 02 01 03 )(..K.z............)]
2024-11-13 23:48:45 snmpd: v3 recv parse: msgFlags: 0x04
2024-11-13 23:48:45 snmpd: usm recv parse: packet (40 left)
2024-11-13 23:48:45 snmpd: usm recv parse: msgSecurityParameters: sz=16 left=22
2024-11-13 23:48:45 snmpd: usm secparams parse: msgSecurityParameters: sz=14 left=0
2024-11-13 23:48:45 snmpd: data [(14) (04 00 02 01 00 02 01 00 04 00 04 00 04 00 )(..............)]
2024-11-13 23:48:45 snmpd: usm secparams parse: msgUserName: (4 left)
2024-11-13 23:48:45 snmpd: usm scopedpdu parse: scoped PDU sz=22
2024-11-13 23:48:45 snmpd: data [(22) (30 14 04 00 04 00 a0 0e 02 04 4b ed 7a a8 02 01 00 02 01 00 30 00 )(0.........K.z.......0.)]
2024-11-13 23:48:45 snmpd: usm scopedpdu parse: msgData (0 left)
2024-11-13 23:48:45 snmpd: usm scopedpdu parse: msgType: 0xa0 (14 left)
2024-11-13 23:48:45 snmpd: usm scopedpdu parse: b_vars: <>(0) (0 left)
2024-11-13 23:48:45 snmpd: usm scopedpdu parse: no varbinds.
2024-11-13 23:48:45 snmpd: v3 recv: parse failed. errno=-1 (snmp general error)
2024-11-13 23:48:45 snmpd: </msg> 0
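To make the debug output above easier to read, here is an added example (not from the article or from Fortinet) that decodes the two BER byte runs printed on the 'data [...]' lines: the 17-byte msgGlobalData and the 14-byte msgSecurityParameters. It assumes the field layouts from RFC 3412 and RFC 3414 and shows that msgFlags 0x04 means reportable with no auth and no priv, and that engineID and userName are empty, i.e. the packet is the engineID discovery probe that every SNMPv3 walk sends first.

```python
# Minimal BER decoder for the SNMPv3 header fields seen in the snmpd debug output.
# Added example for illustration; not FortiGate's own code. Field order follows
# RFC 3412 (msgGlobalData) and RFC 3414 (UsmSecurityParameters).
from typing import List, Tuple

INTEGER, OCTET_STRING = 0x02, 0x04

def parse_tlvs(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a run of BER TLVs (short-form lengths only) into (tag, value) pairs."""
    out, i = [], 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        if length & 0x80:  # long-form lengths never occur in these small headers
            raise ValueError("long-form BER length not supported")
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        out.append((tag, value))
        i += 2 + length
    return out

def ber_int(value: bytes) -> int:
    return int.from_bytes(value, "big", signed=True)

def decode_global_data(content: bytes) -> dict:
    """msgGlobalData = { msgID, msgMaxSize, msgFlags, msgSecurityModel }."""
    (t1, msg_id), (t2, max_size), (t3, flags), (t4, model) = parse_tlvs(content)
    if (t1, t2, t3, t4) != (INTEGER, INTEGER, OCTET_STRING, INTEGER):
        raise ValueError("unexpected msgGlobalData layout")
    f = flags[0]  # bit 0 = authFlag, bit 1 = privFlag, bit 2 = reportableFlag
    return {"msgID": ber_int(msg_id), "msgMaxSize": ber_int(max_size),
            "auth": bool(f & 0x01), "priv": bool(f & 0x02), "reportable": bool(f & 0x04),
            "securityModel": ber_int(model)}  # 3 = USM

def decode_usm_params(content: bytes) -> dict:
    """UsmSecurityParameters = { engineID, engineBoots, engineTime, userName, authParams, privParams }."""
    engine_id, boots, time_, user, auth_p, priv_p = (v for _, v in parse_tlvs(content))
    return {"engineID": engine_id.hex(), "engineBoots": ber_int(boots), "engineTime": ber_int(time_),
            "userName": user.decode(), "authParams": auth_p.hex(), "privParams": priv_p.hex()}

def is_engine_discovery(gd: dict, usm: dict) -> bool:
    """Reportable, noAuthNoPriv, empty engineID and userName: the RFC 3414 discovery probe."""
    return gd["reportable"] and not gd["auth"] and usm["engineID"] == "" and usm["userName"] == ""

# Both byte runs are copied from the 'data [...]' lines of the debug output above.
GLOBAL_DATA = bytes.fromhex("02044bed7aa8020300ffff040104020103")
USM_PARAMS = bytes.fromhex("0400020100020100040004000400")

if __name__ == "__main__":
    gd, usm = decode_global_data(GLOBAL_DATA), decode_usm_params(USM_PARAMS)
    print(gd, usm, "discovery probe:", is_engine_discovery(gd, usm))
```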

This error is usually seen in an HA setup where the SNMP walk is performed against the HA management (reserved) interface:

HA configuration:

config system ha
    set group-name "HA"
    set mode a-p
    set password ENC
    set hbdev "ha" 0
    set session-pickup enable
    set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt"    <------------------------
                set gateway 10.210.1.1
            next
        end
    set override disable
    set priority 200
end

Management reserved interface:

config system interface
    edit "mgmt"
        set vdom "root"
        set ip 10.210.1.3 255.255.255.0
        set allowaccess ping https ssh snmp http
        set type physical
        set role lan
        set snmp-index 1
    next
end

By default, the HA management reserved interface is not used for routing management traffic such as SNMP from the FortiGate. To allow SNMP to use this interface, 'ha-direct' must be enabled on the SNMP user:

config system snmp user
    edit "snmp_user"
        set notify-hosts 10.210.2.56
        set ha-direct enable    <-------------
        set security-level auth-no-priv
        set auth-proto sha256
        set auth-pwd ENC XXXXXXXXXXYYYYYYYYYYYY
    next
end

Once 'ha-direct' is enabled, the FortiGate allows SNMP traps to be sent from the HA management reserved interface.

Before enabling 'ha-direct', refer to Technical Tip: Sending messages (logs, SNMP, RADIUS) directly from the HA management interface.