AI Docs

Discovering SNMPv3 network devices - known issues | v8.8+

5 min read

Certero network discovery may fail to populate the network devices data grid with SNMP device information for some devices when SNMPv3 AuthPriv (Authentication and Privacy) is being utilized. This issue can occur even when SNMP credentials have been correctly defined for each network within Administration > Networks and a network discovery has been executed.

Background:

Certero's network discovery process relies on configured SNMP credentials to communicate with network devices and retrieve their information. For devices utilizing SNMPv3 with AuthPriv, which provides both authentication and encryption, matching credentials must be present in Certero for successful network discovery. Once these credentials are in place and a network scan is completed, device information should become visible in the Network Devices data grids.

However, several exceptions can prevent Certero from successfully discovering and populating data for devices using SNMPv3 AuthPriv.

Troubleshooting and Resolution:

If you are experiencing issues with Certero not discovering network devices using SNMPv3 AuthPriv, please consider the following potential causes and solutions, The troubleshooting steps detailed in this article are designed to be followed sequentially. Please address each potential issue in the order it appears:

  1. Network Connectivity & SNMP Testing

  2. Device is Built on Linux

  3. Device Does Not Report a MAC Address via SNMP

  4. Complex Passwords Causing Authentication Issues

  5. General Recommendations

    1. Missing or Incorrect Context Name

1. Network Connectivity & SNMP Testing:

  • Verify network connectivity between the Certero endpoint server (or discovery probe server) and the target network devices on the configured SNMP port (typically UDP port 161).

  • Check for firewalls or network segmentation (ACLs) that could be blocking SNMP traffic.

  • Consider using tools like snmpwalk (from the Certero Endpoint Server) to test SNMP reachability and credential validity independently of Certero.

2. Device is Built on Linux:

  • Cause: Certero's network discovery mechanism is designed to detect devices with a Linux operating system stack. When such a device is identified, Certero may intentionally ignore it for SNMP polling purposes.

  • Verification: This behavior can typically be observed in the network discovery logs. Look for entries indicating that a Linux device has been detected and subsequently skipped for SNMP discovery.

3. Device Does Not Report a MAC Address via SNMP:

  • Cause: Certero requires a MAC address to be reported by the device during SNMP discovery to uniquely identify and populate the device information in the data grid. If a device, once successfully queried via SNMP, does not return a MAC address, Certero cannot process it correctly.

  • Verification: The network discovery logs should contain entries indicating whether a MAC address was successfully retrieved from the device. If a device was queried via SNMP but no MAC address is logged, this is a likely cause.

  • Resolution:

    • Verify that the SNMP user configured on the device has sufficient privileges to access the MIBs (Management Information Bases) containing MAC address information.

    • Consult the device vendor's documentation for information on exposing MAC addresses via SNMP.

    • Ensure the device's firmware is up-to-date, as this can sometimes resolve issues with MIB data exposure.

4. Complex Passwords Causing Authentication Issues:

  • Cause: Some network devices may experience authentication failures when complex passwords, particularly those containing special characters (e.g., !, @, #, $, %, ^, &, *), are used for SNMPv3 AuthPriv. This issue often lies with the device's SNMP agent's ability to correctly parse or handle these characters.

  • Verification: Authentication failures may be logged either on the Certero server (in the network discovery logs) or on the target network device itself (in its system or SNMP logs).

  • Workaround: As a troubleshooting step, try configuring the SNMPv3 credentials on both the network device and in Certero using a simpler password that avoids special characters. If discovery is successful with a simpler password, this confirms the issue.

  • Resolution:

    • If a simpler password works, you may choose to use it as a permanent solution if your security policies allow.

    • Alternatively, consult the network device vendor's documentation for any known issues or specific guidelines regarding the use of special characters in SNMPv3 passwords. There might be specific characters that are problematic or a particular way to escape them.

    • Ensure the device's firmware is up to date, as this may resolve issues with SNMPv3 password handling.

5. General Recommendations:

  • Exact Credential Match: Always ensure that the SNMPv3 credentials (username, authentication protocol [MD5/SHA], authentication password, privacy protocol [DES/AES], and privacy password) configured in Certero under Administration > Networks exactly match those configured on the target network devices. Case sensitivity is critical.

  • Review the network discovery logs in Certero thoroughly. These logs often provide specific error messages or indications as to why a device might not be discovered or populated correctly.

6. Missing or Incorrect Context Name

  • Cause : Some SNMPv3 devices have a Context name as well as a Username. When a device has a SNMPv3 Context name configured, then the SNMPv3 credentials defined in Certero must match. Otherwise SNMPv3 device will not be recognized.
    Examples scenarios:
    An SNMPv3 device has a defined context name but the SNMPv3 credentials defined in Certero do not have the Context name defined.
    An SNMPv3 device does not support a context name but the SNMPv3 credentials defined in Certero have a context name specified.

  • Verification : The Network Discovery logs on the appropriate Endpoint server will show: “WARNING: Failed SNMPv3 negotiation with <IP Address> due to incorrect context name or credentials”. N.B. The warning does not pinpoint which specific SNMPv3 credential setting is as fault.

  • Resolution : Validate the SNMPv3 configuration on the device checking for a context name. In the Certero platform, check the SNMP credentials defined for the appropriate network. Add additional credentials as required to add the Context Name.

If issues persist after checking these points, please gather all relevant information, including excerpts from the network discovery logs and details of the affected devices, and contact Certero support for further assistance.