
Cisco Bug: CSCum28756 - ASA: Auth failures for SNMPv3 polling after unit rejoins cluster

Last Modified

Apr 17, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.1(3)

Description (partial)

Symptom:
When SNMPv3 is enabled on an ASA cluster, polling will fail if the master unit leaves and then rejoins the cluster. SNMP requests will be dropped with the following syslog:

%ASA-3-212006: Dropping SNMP request from 10.1.110.100/7330 to inside:10.1.103.32/snmp because: authentication algorithm failure for user: myuser

This occurs because the hash for the user's auth/priv string is not correctly re-hashed against the physical unit's engine ID after it rejoins the cluster. Since engine IDs are not synced between members of the cluster, the hash on each physical unit should be different:

ASA1:
Engine ID: 80000009fe5d4579a9207e3747684083e2f4c5d427fc8c165b
snmp-server user myuser mygroup v3 encrypted auth sha f7:a2:da:02:3e:89:9f:42:a6:b7:e8:f4:24:8f:23:b9:aa:d6:a0:60 priv aes 128 f7:a2:da:02:3e:89:9f:42:a6:b7:e8:f4:24:8f:23:b9

ASA2:
Engine ID: 80000009fee3fa40539e73ff2d3b3c29eeca4794c9ccb3ada7
snmp-server user myuser mygroup v3 encrypted auth sha ff:c3:34:8a:3c:1a:1e:62:7f:19:10:27:6e:29:a8:d5:85:2c:a7:2c priv aes 128 ff:c3:34:8a:3c:1a:1e:62:7f:19:10:27:6e:29:a8:d5

In the broken state, the hashes are in sync, i.e. identical on both units. Authentication attempts to that physical unit then fail, because the copied hash was localized against the other unit's engine ID and does not match a hash computed against this unit's engine ID:

ASA1:  <<<<< SNMPv3 authentication against this physical unit will fail since it is configured with a hash from ASA2
Engine ID: 80000009fe5d4579a9207e3747684083e2f4c5d427fc8c165b
snmp-server user myuser mygroup v3 encrypted auth sha ff:c3:34:8a:3c:1a:1e:62:7f:19:10:27:6e:29:a8:d5:85:2c:a7:2c priv aes 128 ff:c3:34:8a:3c:1a:1e:62:7f:19:10:27:6e:29:a8:d5

ASA2:
Engine ID: 80000009fee3fa40539e73ff2d3b3c29eeca4794c9ccb3ada7
snmp-server user myuser mygroup v3 encrypted auth sha ff:c3:34:8a:3c:1a:1e:62:7f:19:10:27:6e:29:a8:d5:85:2c:a7:2c priv aes 128 ff:c3:34:8a:3c:1a:1e:62:7f:19:10:27:6e:29:a8:d5

Conditions:
This issue only occurs if the unit leaves and rejoins the cluster. If the SNMPv3 user is configured while the units are still members of the cluster, the auth/priv strings will be hashed correctly.
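The mechanism described above is RFC 3414 key localization: the SNMPv3 password is hashed once, then tied to the receiving engine's ID. The following is an added example, not code from the bug report or from Cisco, that runs that derivation with the two engine IDs quoted above and shows why a key localized to ASA2 fails verification on ASA1; the password and message are constructed, so it does not reproduce the report's exact hash values.

```python
import hashlib
import hmac

# Engine IDs quoted in the bug report (one per physical cluster member).
ENGINE_ID_ASA1 = bytes.fromhex("80000009fe5d4579a9207e3747684083e2f4c5d427fc8c165b")
ENGINE_ID_ASA2 = bytes.fromhex("80000009fee3fa40539e73ff2d3b3c29eeca4794c9ccb3ada7")


def password_to_key(password: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 A.2.2: derive the SHA-1 localized key Kul for one engine.

    Step 1 hashes exactly 1 MiB of the password repeated cyclically (Ku);
    step 2 ties Ku to the engine: Kul = SHA1(Ku || engineID || Ku).
    The same password therefore yields a different 20-byte Kul on every
    engine, which is why the two units' 'encrypted auth sha' values differ.
    """
    reps = 1048576 // len(password) + 1
    ku = hashlib.sha1((password * reps)[:1048576]).digest()
    return hashlib.sha1(ku + engine_id + ku).digest()


def auth_tag(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA-96 (RFC 3414 section 6.3): first 12 bytes of HMAC-SHA-1."""
    return hmac.new(key, msg, hashlib.sha1).digest()[:12]


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver-side check; False is what the ASA reports as an authentication failure."""
    return hmac.compare_digest(auth_tag(key, msg), tag)


def simulate_rejoin(password: bytes, msg: bytes) -> dict:
    """Healthy: ASA1 holds the key localized to its own engine ID.
    Broken (after rejoin): ASA1 holds the key localized to ASA2's engine ID."""
    key_asa1 = password_to_key(password, ENGINE_ID_ASA1)
    key_asa2 = password_to_key(password, ENGINE_ID_ASA2)
    tag = auth_tag(key_asa1, msg)  # the poller localizes to ASA1's engine ID
    return {
        "keys_differ": key_asa1 != key_asa2,
        "healthy_ok": verify(key_asa1, msg, tag),
        "broken_ok": verify(key_asa2, msg, tag),
    }


def rfc3414_vector_ok() -> bool:
    """Sanity check against the SHA test vector published in RFC 3414 A.3.2."""
    kul = password_to_key(b"maplesyrup", bytes.fromhex("000000000000000000000002"))
    return kul.hex() == "6695febc9288e36282235fc7151f128497b38f3f"


if __name__ == "__main__":
    # Constructed sample password and message; the report's real password is not known.
    print(simulate_rejoin(b"example-password", b"get-request sysUpTime"))
```

The `broken_ok` result is the condition the syslog `%ASA-3-212006` reports: the request is valid for the engine the poller localized against, but the unit is holding a key for a different engine.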

Related Community Discussions

SNMP v3 on ASA Cluster? Only Master works.
We have a cluster of two ASA5585-SSP60. One Master and one Slave. From NNM the boxes are polled with v3 on their individual interface address in context admin. The Master is OK with SNMPv3 and returns replies, but the Slave says "Authentication Failure". If we move the Master, the new Master answers correctly, but the new Slave doesn't. According to documentation the snmp v3 credentials should be entered on the slave, in addition to on the Master, but it is not allowed to do any config on a Slave. ...
Latest activity: Feb 28, 2015