Router – Troubleshoot SNMP – NPEG2 – Purpose of snmp mib community-map engineid command

cisco-7200cisco-iosroutersnmp

we have several cisco 7225 vxr deployed on our network and we have an issue on SNMP access.

On last new deployment, we can't reach the last router implemented through SNMP. Comparing two router with similar config (change only IP address) rest it's the same, we can't reach on SNMP the last deployed Router.

From our monitoring server, we can ping both machine 10.30.0.12 and 10.30.0.40.
And we reach over SNMP 10.30.0.12

Output server :

MON # ping 10.30.0.12
PING 10.30.0.12 (10.30.0.12): 56 data bytes
64 bytes from 10.30.0.12: icmp_seq=0 ttl=254 time=1.288 ms
64 bytes from 10.30.0.12: icmp_seq=1 ttl=254 time=1.270 ms
^C
--- 10.30.0.12 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.270/1.279/1.288/0.009 ms
MON # snmpwalk -v 2c -c comm3 10.30.0.12
^C
MON # snmpwalk -v 2c -c comm3 10.30.0.12
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, 7200 Software (UBR7200P-JK9SU2-M), Version 12.2(33)SCG6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 31-Oct-13 13:45 by prod_rel_team
SNMPv2-MIB::sysObjectID.0 = OID: CISCO-DOCS-EXT-MIB::cisco.1.827

MON # ping 10.30.0.40
PING 10.30.0.40 (10.30.0.40): 56 data bytes
64 bytes from 10.30.0.40: icmp_seq=0 ttl=254 time=1.034 ms
64 bytes from 10.30.0.40: icmp_seq=1 ttl=254 time=0.945 ms
^C
--- 10.30.0.40 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.945/0.990/1.034/0.044 ms
MON # snmpwalk -v 2c -c comm3 10.30.0.40
Timeout: No Response from 10.30.0.40

SNMP configuration (output from show run all) same on both router :

snmp-server group ADM v3 auth match exact read v1default write CFGCOPY access 8
snmp-server view *ilmi system included
snmp-server view *ilmi atmForumUni included
snmp-server view CFGCOPY ccCopyTable.* included
snmp-server view v1default iso included
snmp-server view v1default internet included
snmp-server view v1default snmpMPDMIB excluded
snmp-server view v1default snmpTargetMIB excluded
snmp-server view v1default snmpNotificationMIB excluded
snmp-server view v1default snmpUsmMIB excluded
snmp-server view v1default snmpVacmMIB excluded
snmp-server view v1default snmpCommunityMIB excluded
snmp-server view v1default ciscoIpTapMIB excluded
snmp-server view v1default cisco802TapMIB excluded
snmp-server view v1default ciscoTap2MIB excluded
snmp-server view v1default ciscoUserConnectionTapMIB excluded
snmp-server view *tv.00000000.00000010.00000080.000000007F iso.2.840.10036 included
snmp-server view *tv.00000000.00000010.00000080.000000007F internet included
snmp-server view *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F iso.2.840.10036 included
snmp-server view *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F internet included
snmp-server community comm1default RO 1
snmp-server community comm2default RO 2
snmp-server community comm3default RW 3
snmp-server community comm4default RO 51
snmp-server priority normal
no snmp-server trap link ietf
no snmp-server trap link switchover
snmp-server trap authentication vrf
snmp-server trap authentication acl-failure
snmp-server trap retry 3
snmp-server trap-source Loopback1
snmp-server packetsize 1500
snmp-server trap timeout 30
snmp-server queue-length 10
snmp-server location Hub
snmp-server contact 0461523
snmp-server chassis-id SN
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon fan shutdown supply temperature
snmp-server enable traps cable
snmp-server enable traps rtr
snmp-server host 10.10.254.10 traps version 1 comm1 udp-port 162 
snmp-server host 10.10.10.253 traps version 1 comm1 udp-port 162 
snmp-server host 10.11.161.11 traps version 1 comm1 udp-port 162 
snmp-server host 10.11.168.240 traps version 1 comm1 udp-port 162 
snmp-server host 10.11.126.96 traps version 2c comm1 udp-port 162 
snmp-server host 10.11.167.5 traps version 1 public udp-port 162  comm1 docsis-cmts
snmp-server manager session-timeout 600
snmp-server manager
snmp-server inform retries 3 timeout 15 pending 25
snmp ifmib ifindex persist
snmp mib notification-log globalsize 500
snmp mib notification-log globalageout 15
snmp mib community-map  comm1 engineid 800000090300A44C11809A1B
snmp mib community-map  comm2 engineid 800000090300A44C11809A1B
snmp mib community-map  comm3 engineid 800000090300A44C11809A1B
snmp mib community-map  comm4 engineid 800000090300A44C11809A1B
snmp mib community-map  comm5 engineid 80000009030024E9B301AC1B
snmp mib community-map  comm6 engineid 800000090300A44C11809A1B

Edit1:
Solution :
– Removing the snmp mib community-map command solve the issue and I get access to router through SNMP.

What is the purpose of such command ? Why on this router isn't working and on the others it is.

Best Answer

snmp mib community-map

To associate a Simple Network Management Protocol (SNMP) community with an SNMP context, engine ID, or security name, use the snmp mib community-map command in global configuration mode. To change an SNMP community mapping to its default mapping, use the no form of this command.

Cisco IOS Network Management Command Reference

This fails when copying configs between routers because each will have a unique engineid. On the clone router, you've associated all your communities with a non-existent engineid. I'm not sure there's a way to force IOS to use the same (user supplied) engineid.

[UPDATE] So you can... snmp-server engineID local 800000090300A44C11809A1B (I don't recommend doing that, 'tho)

Related Solutions

Routing – n SNMP MIB for Cisco Track Objects

I don't believe there is a way to directly poll the results of the OR via SNMP, but you can certainly poll for the IP SLA results and calculate it yourself.

Using the CISCO-RTTMON-MIB (1.3.6.1.4.1.9.9.42), you can check the timeout value of your reachability checks, take the true/false value it returns and do the OR in whatever scripting language you're using to poll via SNMP.

For example, I setup a similar test to yours above:

track 10 ip sla 1 reachability
!
track 20 ip sla 2 reachability
!
track 30 list boolean or
 object 10
 object 20
!
ip sla 1
 icmp-echo 8.8.8.8 source-ip 10.129.10.62
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 4.2.2.2 source-ip 10.129.10.62
ip sla schedule 2 life forever start-time now
!
ip route 10.171.20.0 255.255.255.252 10.129.10.61 track 30

Then, I verified the output in IOS:

R-VOIPLAB#show track 30
Track 30
  List boolean or
  Boolean OR is Up
    2 changes, last change 00:01:21
    object 10 Up
    object 20 Up

Next, with the IP SLA tracking in place, I installed the CISCO-RTTMON-MIB on my monitoring server, and walked the value of rttMonCtrlOperTimeoutOccurred (1.3.6.1.4.1.9.9.42.1.2.9.1.6) for it's True/False output.

The key item to note is that since we are polling whether a timeout occurred or not, that False means that the destination is reachable, and True means that it is not reachable and a timeout has occurred.

snmpwalk -v3 -a SHA -A SNMP-AUTH-PASS -l authNoPriv -u SNMPUSER r-voiplab rttMonCtrlOperTimeoutOccurred
CISCO-RTTMON-MIB::rttMonCtrlOperTimeoutOccurred.1 = INTEGER: false(2)
CISCO-RTTMON-MIB::rttMonCtrlOperTimeoutOccurred.2 = INTEGER: false(2)

Finally, I blackholed traffic to 8.8.8.8 from that box, and checked the Track results in IOS again:

R-VOIPLAB(config)#ip route 8.8.8.8 255.255.255.255 null 0
R-VOIPLAB(config)#end
R-VOIPLAB#show track 30
Track 30
  List boolean or
  Boolean OR is Up
    2 changes, last change 00:21:18
    object 10 Down
    object 20 Up
  Tracked by:
    STATIC-IP-ROUTING 0

Now that we have one of the test objects in a Down state, let us see the results of polling rttMonCtrlOperTimeoutOccurred again:

snmpwalk -v3 -a SHA -A SNMP-AUTH-PASS -l authNoPriv -u SNMPUSER r-voiplab rttMonCtrlOperTimeoutOccurred
CISCO-RTTMON-MIB::rttMonCtrlOperTimeoutOccurred.1 = INTEGER: true(1)
CISCO-RTTMON-MIB::rttMonCtrlOperTimeoutOccurred.2 = INTEGER: false(2)

Now, as I stated above, you would just have to poll those values and use them however you need to in your script.

Cisco SNMP – Exporting IF-MIB Stats Interval in Cisco IOS

Is this native to the 1900 series to only update the SNMP agent (forgive me if this is the wrong terminology) like it is doing at the moment.

What you're seeing is expected behavior. IOS has cached IF-MIB statistics for on 10-second intervals (by default) for a while, for instance see this entry in the SNMP FAQ.

That said, I have a few switches which seem to defy this "typical" 10-second SNMP stats export interval.

Is there a setting or configuration that I can set?

Use service counters max age [age-in-seconds]; this command will show up in the running configuration; however, it's not available in older versions of IOS.

You can also change the IF-MIB 64-bit counters to update interval with this hidden command: snmp-server hc poll [interval], where the interval is measured in hundredths of seconds; however, this command will not show up in the running configuration.

Will it be better to use traps instead of query?

It won't matter whether you push or pull, unless your platform exports the stats quickly enough.

Best Answer

Related Solutions

Routing – n SNMP MIB for Cisco Track Objects

Cisco SNMP – Exporting IF-MIB Stats Interval in Cisco IOS

Related Topic