13 Replies Latest reply on Jan 30, 2012 5:59 PM by lamw

    problem with snmp verification

    monderick Enthusiast

      I followed a guide to configure and enable snmp via VMware CLI for my licensed ESXi 4.1 hosts and they appear to be reporting properly.

       

      However, the latest version of the script fails the entry "HMT02 Ensure proper SNMP configuration" for every host.

      I'm running the command  as "vmwarevSphereSecurityHardeningReportCheck.pl --recommend_check_level enterprise --server %server%" from CLI version 4.1 on a Windows 7 x64 workstation.

       

      Is there a property in the vSphere client i can check for this entry to confirm it exists?

       

      thanks.

        • 1. Re: problem with snmp verification
          lamw Guru
          VMware EmployeesCommunity Warriors

          Can you run the following vCLI command esxcfg-snmp -s on your ESXi host and paste the results here

          • 2. Re: problem with snmp verification
            monderick Enthusiast

            sorry for the delay, i missed the email notification somehow that there was a response.

            below is the output from one of my hosts, please let me know if i need to clarify.

             

            thanks

             

             

             

            C:\Program Files (x86)\VMware\VMware vSphere CLI\bin> esxcfg-snmp.pl -s --server *server*
            Enter username: root
            Enter password:
            Current SNMP agent settings:
            Enabled  : 1
            UDP port : 161

             

            Communities :
            *communitystring*

             

            Notification targets :
            *server1*@161/*communitystring*
            *server2*@161/*communitystring*
            *server1*@162/*communitystring*
            *server2*@162/*communitystring*

            • 3. Re: problem with snmp verification
              lamw Guru
              VMware EmployeesCommunity Warriors

              Hm, that's odd, from your output SNMP is definitely enabled.

               

              On the report, there should be a resolution field and it should contain some text, do you mind providing me with that as it helps me identify exactly what part of the SNMP check is failing? Also can you confirm you're using the latest version of the script which should be 1.5? You can check the version by running the following:

               

              ./vmwarevSphereSecurityHardeningReportCheck.pl --version
              • 4. Re: problem with snmp verification
                monderick Enthusiast

                D:\new>vmwarevSphereSecurityHardeningReportCheck.pl --version
                vSphere SDK for Perl version: 4.1
                Script 'vmwarevSphereSecurityHardeningReportCheck.pl' version: 1.5

                 

                 

                *server*HMT02Ensure proper SNMP configurationFAILN/ASNMP is not configured on the host

                 

                below is the command i used to configure the hosts in case the syntax is wrong:

                vicfg-snmp.pl --server %host% -c *community string* -t *server1*@162/*community string*,*server2*@162/*community string*,*server1*@161/*community string*,*server2*@161/*community string*

                 

                I appreciate the help with this.

                Please let me know if you need more information.

                • 5. Re: problem with snmp verification
                  lamw Guru
                  Community WarriorsVMware Employees

                  That is super odd, reason being is the message you're getting is hitting the section of code in which it's unable to query the snmpSystem or something unexpected occured during the query.

                   

                  If you don't mind, could you update the script after line #1587 and paste the following:

                   

                  print "Error: " . $@ . "\n";

                   

                  It should look something like this afterwards:

                   

                  } else {
                       print "Error: " . $@ . "\n";
                       $success = 0;
                       $resolution = "SNMP is not configured on the host";
                  }

                   

                  Re run the script and see if you get any additional output which should include the "Error:" line since it is hitting that piece of code logic

                   

                  Thanks for your patience

                   

                  BTW - What specific build and version of ESXi are you using? Is this 4.1 or 4.1 Update 1?

                  • 6. Re: problem with snmp verification
                    monderick Enthusiast

                    the hosts are 4.1.0, built 320092

                     

                    D:\new>vmwarevSphereSecurityHardeningReportCheck.pl --recommend_check_level enterprise --server *server*
                    Enter username:
                    Enter password:

                     

                    Error occurred while processing: vSphereHardenReport.
                    Generating VMware vSphere Security Hardening Report 1.5 (ENTERPRISE) "vmwarevSphereSecurityHardeningReport.html" ...

                     

                    This can take a few minutes depending on environment size.
                    Get a cup of coffee/tea and check out http://www.virtuallyghetto.com

                     

                    The syntax of the command is incorrect.
                    Error: Can't call method "type" on an undefined value at C:/Program Files (x86)/VMware/VMware vSphere CLI/Perl/lib/VMware/VIC
                    ommon.pm line 1501.

                     

                    The syntax of the command is incorrect.
                    Error: Can't call method "type" on an undefined value at C:/Program Files (x86)/VMware/VMware vSphere CLI/Perl/lib/VMware/VIC
                    ommon.pm line 1501.

                     

                    The syntax of the command is incorrect.
                    Error: Can't call method "type" on an undefined value at C:/Program Files (x86)/VMware/VMware vSphere CLI/Perl/lib/VMware/VIC
                    ommon.pm line 1501.

                     


                    Start Time: 03-04-2011 11:08:17
                    End   Time: 03-04-2011 11:10:24
                    Duration  : 2.1 Minutes

                     

                     

                     

                    thanks.

                    • 7. Re: problem with snmp verification
                      lamw Guru
                      VMware EmployeesCommunity Warriors

                      hm, it looks like you're hitting another error in the very beginning and unfortunately the error output is a really generic error.

                       

                      Can you use the same credentials you're using and try connecting to the vSphere MOB to see if you can see information about SNMP configurations

                       

                      Paste the following URL substituting your ESXi hostname - https://[server]/mob/?moid=ha-snmp-agent

                       

                      Once authenticated, you should be able to click on the "configuration" link which will provide you with information regarding the SNMP port, community string and trap targets

                       

                      This is very odd issue you're hitting.

                      • 8. Re: problem with snmp verification
                        monderick Enthusiast

                        The credentials I'm using to run the vmwarevSphereSecurityHardeningReportCheck.pl script is an AD user account that has full privileges over the vCenter server, unless I'm misunderstanding your request.  The hosts are not configured for domain authentication.

                         

                        If using root credentials instead to access "https://*esxihost*/mob/?moid=ha-snmp-agent" directly, I can see the below information:

                         

                         

                         

                        Home

                        Data Object Type: HostSnmpDestination[]
                        Parent Managed Object ID: ha-snmp-agent
                        Property Path: configuration.trapTargets

                        Properties

                        Name Type Value
                        [0]HostSnmpDestination
                        Name Type Value
                        communitystring"community string"
                        dynamicPropertyDynamicProperty[]Unset
                        dynamicTypestringUnset
                        hostNamestring"server1"
                        portint161
                        [1]HostSnmpDestination
                        Name Type Value
                        communitystring"community string"
                        dynamicPropertyDynamicProperty[]Unset
                        dynamicTypestringUnset
                        hostNamestring"server2"
                        portint161
                        [2]HostSnmpDestination
                        Name Type Value
                        communitystring"community string"
                        dynamicPropertyDynamicProperty[]Unset
                        dynamicTypestringUnset
                        hostNamestring"server1"
                        portint162
                        [3]HostSnmpDestination
                        Name Type Value
                        communitystring"community string2"
                        dynamicPropertyDynamicProperty[]Unset
                        dynamicTypestringUnset
                        hostNamestring"server2"
                        portint162

                        Out of curiosity, i ran the script against just a single host with D:\new>vmwarevSphereSecurityHardeningReportCheck.pl --recommend_check_level enterprise --server *esxihost* and the SNMP check passed:

                         

                        *esxihost*HMT02Ensure proper SNMP configurationPASSN/AN/A

                         

                        I tried it another another of the hosts directly and same result.

                        • 9. Re: problem with snmp verification
                          lamw Guru
                          VMware EmployeesCommunity Warriors

                          This is really good information, it looks like for whatever reason, the snmpSystem is not accessible when going through vCenter. I've just confirmed that this is the case, which seems quite odd as you can access all the other sub-system. This is why the SNMP query is failing, it's unable to query the ESX(i) host when going through vCenter. This looks like they forgot to expose the property when going through vCenter, though for now you'll need to run the script directly against an ESX(i) host to get a full report

                          • 10. Re: problem with snmp verification
                            monderick Enthusiast

                            lamw wrote:

                             

                            This is really good information, it looks like for whatever reason, the snmpSystem is not accessible when going through vCenter. I've just confirmed that this is the case, which seems quite odd as you can access all the other sub-system. This is why the SNMP query is failing, it's unable to query the ESX(i) host when going through vCenter. This looks like they forgot to expose the property when going through vCenter, though for now you'll need to run the script directly against an ESX(i) host to get a full report

                             

                            Understood, thanks for clarifying my results and the assist.  I thought maybe it was doing something wrong on my end.

                            Perhaps they will fix the vCenter issue in a future release and I can get the results by running the script directly against the hosts.

                            • 11. Re: problem with snmp verification
                              lamw Guru
                              VMware EmployeesCommunity Warriors

                              I've filed a bug with VMware, let's hope this gets resolved in a future release/patch. For now as you mentioned, going directly to ESX(i) host is the only way to query for the SNMP information.

                              • 12. Re: problem with snmp verification
                                aliby19 Novice

                                William, did you ever get an answer back regarding the bug you filed with VMware? I am experiencing the same issues still with being unable to pull SNMP information out of vCenter...

                                 

                                Thanks!

                                • 13. Re: problem with snmp verification
                                  lamw Guru
                                  VMware EmployeesCommunity Warriors

                                  Currently to retrieve SNMP information, you will need to go directly to the host