SNMP monitoring of BGP and OSPF neighbors and states

  • Updated 2 months ago
How is the snmpd.conf file properly edited to allow for the monitoring of BGP and OSPF OIDs?
Looking in /usr/share/snmp/mibs directory, I don't see mibs for bgp4 or ospf.  If I download those mib files to that directory, what is the process required to monitor those states and neighbors externally via an SNMP monitoring tool?  Is this the agentx/frr set up, or do the mibs need to be in that directory first?

Troy MacDonald


Posted 3 months ago


Pete B, Official Rep

Hi Troy, it should work with the AgentX setup. Plus you need to uncomment the relevant lines in snmpd.conf for BGP/OSPFv2/v3. Here are the steps if you haven't already found them:

https://docs.cumulusnetworks.com/display/DOCS/SNMP+Monitoring#SNMPMonitoring-frrEnablingSNMPSupportf...

Troy MacDonald

I have followed the steps at https://docs.cumulusnetworks.com/display/CL34/SNMP+Monitoring to the "T" and cannot perform a MIB walk against .1.3.6.1.2.1.15. Keep getting OID not found error.  snmpd@mgmt.service is running, and the configuration looks like this: 

snmp-server
  listening-address all
  readonly-community [REDACTED] access any
  system-location [REDACTED]
  system-name [REDACTED]
  trap-cpu-load-average one-minute 90 five-minute 80 fifteen-minute 70
  trap-destination 10.100.21.101 community-password [REDACTED] version 2c
  trap-destination 10.20.20.25 community-password [REDACTED] version 2c
  trap-link-down check-frequency 60
  trap-link-up check-frequency 60
  trap-snmp-auth-failures
  viewname systemonly included .1.3.6.1.2.1.15
  viewname systemonly included .1.3.6.1.2.1.14

AgentX info from the snmpd.conf file:

agentAddress udp:161agentxperms 777 777 snmp snmp
agentxsocket /var/agentx/master
authtrapenable 1
createUser _snmptrapusernameX
iquerySecName _snmptrapusernameX
load 90 80 70
master agentx

There is a directory called agentx in /var, not /run.
frr.conf: agentXSocket /var/agentx/master

The switch is indeed running frr not quagga and is on version 3.4.1  

Restarted frr and snmpd@mgmt, still cannot poll that OID, or snmpwalk against it:
sudo snmpwalk -v2c -c[REDACTED] localhost .1.3.6.1.2.1.15

SNMPv2-SMI::mib-2.15 = No Such Object available on this agent at this OID

Pete B, Official Rep

Hi Troy, I'm following up with one of our engineers who works on SNMP. I'll get back to you shortly.

Pete B, Official Rep

Hmm, our single sign on is having issues, so I'm pasting Sam's reply to you, Troy:

Your config looks mostly correct.  Just make sure your /etc/snmp/snmpd.conf file contains separate lines like so:

agentAddress udp:161
agentxperms 777 777 snmp snmp
agentxsocket /var/agentx/master

You should remove the file called /etc/snmp/frr.conf as this is
not really needed if you specify an agentxsocket in snmpd.conf.

Make sure you stop all snmpd instances:

systemctl stop snmpd
systemctl stop snmpd@mgmt

Now check to make sure they’re all gone with
“ps aux | grep snmpd”.  If needed, kill -9 these remaining processes.
All of these daemons have to be stopped at this point.

##########
Now, since you appear to be using a management VRF, snmpd
needs to be configured to run only in that management VRF and
only listen on IP addresses *in that management VRF*.  This complicates
your config slightly.   To start with, you should listen only on your
management VRF IP addresses (presumably eth0).   Listening on all
interfaces does not work when using VRFs.   Let’s say this
eth0 is indeed in your management VRF (it will be if you didn’t change
the VRF config and simply enabled the management VRF) and it has
an IP address of 10.10.10.10.   You would need to change your agentAddress
line in /etc/snmp/snmpd.conf to be (change this IP address to your actual eth0 IP address):

agentAddress  10.10.10.10

Next, make sure /etc/frr/frr.conf has a line that says “agentx” (this should
be right after the hostname).  Next, start snmpd in the correct VRF and restart
FRR:

systemctl start snmpd@mgmt.service
systemctl restart frr

Check it:
systemctl status snmpd@mgmt.service
systemctl status frr

You can check snmp functionality but with management VRF it is
slightly more complicated:  On the cumulus switch itself, you can try
a simple walk:

 vrf task exec mgmt   snmpwalk -v 2c -c public 10.10.10.10  .1

(This simply runs the snmpwalk from *within* that management
vrf called mgmt).

Now, for the real test, on a machine in the same VRF, and so that the requests
will come in eth0 on the Cumulus Linux switch, make sure you can
ping the eth0 IP address.  If you can ping it, try a simple snmpwalk
from this other machine (change the IP address and community string
accordingly):

snmpwalk -v2c -cpublic 10.10.10.10 .1

If that works, try the BGP MIB:

snmpwalk -v2c -cpublic 10.10.10.10  .1.3.6.1.2.1.15

Hope this helps,
Sam Tannous

Troy MacDonald

Followed all that, still cannot snmpwalk against the OIDs and now frr is returning this:

bgpd[11439]: snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
zebra[11432]: snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):

agentx is in frr.conf, and perms are 777 777

Troy MacDonald

Okay, so I was able to get agentx to connect to frr by chmod 755 /var/agentx/

Sam Tannous, Employee

Glad you got it working.   

Short version:  The "agentxperms 777 777 snmp snmp" is required for the FRR subagent to be able to talk to the snmp master agent.  The agentxsocket default for snmpd and FRR is /var/agentx/master and is fine if left out of snmpd.

Long version:
When snmpd first starts up, it should have created /var/agentx/master with the correct permissions for snmpd (if agentxperms is set in snmpd.conf) and FRR.
And you are correct to set /var/agentx to 755.  Recent versions of Quagga/FRR expect the default to be this path, and snmpd does default the agentxsocket to /var/agentx/master (so the agentxsocket setting in snmpd.conf is not really needed), but with the default permissions for snmpd, /var/agentx/master has 755 instead of 777, so the agentxperms in snmpd.conf must be set for FRR to be able to use this socket.

The NCLU command "net add routing agentx" simply adds "agentx" in /etc/frr/frr.conf.
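
The checks this thread converged on (directives on separate lines, "master agentx" in snmpd.conf, "agentx" in frr.conf, a socket directory other users can traverse), as an added shell example that is not part of any post above. File paths are passed as arguments, the function names are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: static checks for the AgentX settings discussed in this thread.
# Function names are hypothetical; paths are arguments so copies can be checked.

# Print one finding per line for an snmpd.conf; print nothing if it passes.
check_snmpd_conf() {
    conf=$1
    # Two directives fused on one line ("agentAddress udp:161agentxperms ...")
    # leave agentxperms unparsed as a directive of its own.
    if grep -Eq '^[[:space:]]*agentAddress[^#]*agentxperms' "$conf"; then
        echo "FUSED: agentAddress and agentxperms share a line"
    fi
    grep -Eq '^[[:space:]]*master[[:space:]]+agentx([[:space:]]|$)' "$conf" ||
        echo "MISSING: master agentx"
    grep -Eq '^[[:space:]]*agentxperms[[:space:]]' "$conf" ||
        echo "MISSING: agentxperms"
}

# Succeeds if frr.conf carries the bare "agentx" line.
frr_has_agentx() {
    grep -Eq '^[[:space:]]*agentx[[:space:]]*$' "$1"
}

# Succeeds if "other" users can traverse the directory holding the socket
# (the chmod 755 /var/agentx fix). Reads the tenth character of the mode string.
dir_traversable_by_other() {
    mode=$(ls -ld "$1" | cut -c10)
    [ "$mode" = "x" ] || [ "$mode" = "t" ]
}

# Constructed sample reproducing the fused line quoted in the thread.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'agentAddress udp:161agentxperms 777 777 snmp snmp' \
        'agentxsocket /var/agentx/master' 'master agentx' > "$d/snmpd.conf"
    printf '%s\n' 'hostname sw1' 'agentx' > "$d/frr.conf"
    mkdir -m 700 "$d/agentx"
    check_snmpd_conf "$d/snmpd.conf"
    frr_has_agentx "$d/frr.conf" || echo "MISSING: agentx in frr.conf"
    dir_traversable_by_other "$d/agentx" ||
        echo "PERMS: socket directory blocks other users"
    rm -rf "$d"
}
demo
```

On a switch, the same functions can be pointed at /etc/snmp/snmpd.conf, /etc/frr/frr.conf and /var/agentx before restarting snmpd@mgmt and frr.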