Icinga2 SNMPv3 + check_snmp_int.pl

Hello,

I am currently trying to use icinga2 to monitor the interface of a device.

The host is declared like this:

object Host “FortiGate-FWF” {
import “fortigate”

vars.snmp_v2 = false
vars.snmp_v3 = true
vars.snmp_login = “toto”
vars.snmp_password = “password”
vars.snmp_v3_use_privpass = true
vars.snmp_privpass = “password”
vars.snmp_v3_use_authprotocol = true
vars.snmp_authprotocol = “sha,aes”

address = “10.0.0.254”
vars.os = “Linux”

vars.interfaces = [“wan1”, “lan” ]
}

The service to monitor the interface is declared like this:

apply Service “FortiGate-Interface-” for (interface in host.vars.interfaces) {
import “generic-service”

vars.snmp_v2 = false
vars.snmp_v3 = true

// Define interface variables.
vars.snmp_interface_perf = “true”
vars.snmp_interface_bits_bytes = “true”
vars.snmp_interface_megabytes = “true”
vars.snmp_interface_noregexp = “true”
vars.snmp_warncrit_percent = “true”
// Set warning and crits to 100 to disable.
vars.snmp_warn = “100,100”
vars.snmp_crit = “100,100”
check_command = “snmp-interface”

vars.snmp_interface = interface
vars.snmp_interface_label = interface
vars.snmp_timeout = 60

assign where host.address && host.vars.interfaces
}

The service starts and when I go to the icinga2web, I have the following error message

Can’t mix snmp v1,​2c,​3 protocols!

So I have enabled the debug mode to check the command:

[2019-10-22 10:16:40 +0200] notice/Process: PID 18330 (’/usr/lib64/nagios/plugins/check_snmp_int.pl’ ‘-d’ ‘300’ ‘-x’ ‘password’ ‘-w’ ‘100,100’ ‘-t’ ‘60’ ‘-r’ ‘-n’ ‘wan1’ ‘-l’ ‘toto’ ‘-k’ ‘-f’ ‘-e’ ‘–label’ ‘wan1’ ‘-c’ ‘100,100’ ‘-Y’ ‘-X’ ‘password’ ‘-M’ ‘-L’ ‘sha,aes’ ‘-H’ ‘10.0.0.254’ ‘-C’ ‘public’ ‘-B’) terminated with exit code 3

I saw that icinga still trying to pass a community (’-C’ ‘public’) even that I am using snmpv3.

When I launch the command without quotes and ‘-C’ ‘public’, it is working.

./check_snmp_int.pl -d 300 -x password -w 100,100 -t 60 -r -n wan1 -l toto -k -f -e --label wan1 -c 100,100 -Y -X password -M -L sha,aes -H 10.0.0.254 -B

wan1:UP (in=0.0Mbps/out=0.1Mbps):1 UP: OK | ‘wan1_in_bps’=36759;100000000;100000000;0;1000000000 ‘wan1_out_bps’=70392;100000000;100000000;0;1000000000 ‘wan1_in_error’=0c ‘wan1_in_discard’=0c ‘wan1_out_error’=0c ‘wan1_out_discard’=0c

So my question is how can I remove the community?
I tried to set one blank, to disable snmpv2 but it is not working.

Thank you for your help!

Thomas :slight_smile:

Take a look into command definitions (ITL,…), maybe there are rules to use parameters if specific variables are set regardless of their content or prefilled with a default value.

I use Icinga2 Director for config management and always clone the commands to adjust parameters.
You can do the same with command definition files, just use a different command name.

Hi,

the community parameter gets appended because snmp_nocrypt is set to true (default value) (itl).

According to the docs set vars.snmp_nocrypt to false in your service definition.

Define SNMP encryption. If set to false , snmp_v3 needs to be enabled. Defaults to true (no encryption)

Greetz

2 Likes