Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SetCMD error: timing parameters not in windows of trust #107

Open
fmachadodev-zz opened this issue Nov 14, 2017 · 5 comments
Open

SetCMD error: timing parameters not in windows of trust #107

fmachadodev-zz opened this issue Nov 14, 2017 · 5 comments

Comments

@fmachadodev-zz
Copy link

I'm trying to set a var into an agent and i`m getting this error message "SNMP message timing parameters not in windows of trust" . But, when i'try using netsnmp it works

my python3 code is:

setCmd(
            self.create_snmp_engine(),
            ntforg.UsmUserData(userName='usr-md5-des', authKey='authkey1', privKey='privkey1'),
            UdpTransportTarget(('192.168.15.133',161)),
            ContextData(),#None,#ContextData(contextName=''),
            ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysName', 0), 'new system name python')

and the code above returns:
SNMP message timing parameters not in windows of trust
my netsnmp is below:

snmpset -v3 -u usr-md5-des -l authPriv -A authkey1 -x DES -X privkey1 192.168.15.133 SNMPv2-MIB::sysName.0 s 'new system name python'

returns
SNMPv2-MIB::sysName.0 = STRING: new system name python

What i`m doing wrong? anyone can help me?

@etingof
Copy link
Owner

etingof commented Nov 14, 2017

Interesting. Theoretically, this means that peer SNMP engine autodiscovery and time synchronisation procedure fails because either of SNMP parties does not keep up with the time.

Could you please enable security-module debugging and attach its output to this issue?

from pysnmp import debug

debug.setLogger(debug.Debug('secmod', 'msgproc'))

Which pysnmp version are you using? May be try the latest released one?

@fmachadodev-zz
Copy link
Author

@etingof, tomorrow is a holiday in Brazil, so, after that I post the result here ok?

thanks for replying so fast

@etingof
Copy link
Owner

etingof commented Nov 15, 2017

Hey, sure! Enjoy the holiday! ;-)

@fmachadodev-zz
Copy link
Author

fmachadodev-zz commented Nov 21, 2017

Look, this Logger generates a lot of logs hahaha

2017-11-21 17:07:43,125 pysnmp: running pysnmp version 4.3.9
2017-11-21 17:07:43,125 pysnmp: debug category 'secmod' enabled
2017-11-21 17:07:43,125 pysnmp: debug category 'msgproc' enabled
SnmpEngine(snmpEngineID=SnmpEngineID())
2017-11-21 17:07:43,460 pysnmp: prepareOutgoingMessage: new msgID 8895526
2017-11-21 17:07:43,460 pysnmp: prepareOutgoingMessage: peer SNMP engine data None for transport 1.3.6.1.6.1.1, address ('192.168.15.133', 161)
2017-11-21 17:07:43,460 pysnmp: prepareOutgoingMessage: using contextEngineId SnmpEngineID(), contextName OctetString(b'')
2017-11-21 17:07:43,461 pysnmp: prepareOutgoingMessage: SNMPv3Message:
msgVersion=3
msgGlobalData=HeaderData:
msgID=8895526
msgMaxSize=65507
msgFlags=0x07
msgSecurityModel=3

2017-11-21 17:07:43,461 pysnmp: prepareOutgoingMessage: force engineID discovery
2017-11-21 17:07:43,461 pysnmp: prepareOutgoingMessage: securityModel SnmpSecurityModel(3, subtypeSpec=ConstraintsIntersection(ConstraintsIntersection(ConstraintsIntersection(ConstraintsIntersection(), ValueRangeConstraint(-2147483648, 2147483647)), ValueRangeConstraint(0, 2147483647)), ValueRangeConstraint(1, 2147483647))), securityEngineId OctetString(b''), securityName OctetString(b''), securityLevel 1
2017-11-21 17:07:43,461 pysnmp: __generateRequestOrResponseMsg: use empty USM data
2017-11-21 17:07:43,462 pysnmp: __generateRequestOrResponseMsg: local usmUserName b'' usmUserSecurityName b'' usmUserAuthProtocol (1, 3, 6, 1, 6, 3, 10, 1, 1, 1) usmUserPrivProtocol (1, 3, 6, 1, 6, 3, 10, 1, 2, 1) securityEngineID OctetString(b'') securityName OctetString(b'')
2017-11-21 17:07:43,462 pysnmp: __generateRequestOrResponseMsg: assuming zero snmpEngineBoots, snmpEngineTime
2017-11-21 17:07:43,462 pysnmp: __generateRequestOrResponseMsg: use snmpEngineBoots 0 snmpEngineTime 0 for securityEngineID OctetString(b'')
2017-11-21 17:07:43,462 pysnmp: __generateRequestOrResponseMsg: ScopedPduData:
plaintext=ScopedPDU:
contextEngineId=
contextName=
data=PDUs:
set-request=SetRequestPDU:
request-id=11327263
error-status='noError'
error-index=0
variable-bindings=VarBindList:

2017-11-21 17:07:43,463 pysnmp: __generateRequestOrResponseMsg: UsmSecurityParameters:
msgAuthoritativeEngineId=
msgAuthoritativeEngineBoots=0
msgAuthoritativeEngineTime=0
msgUserName=
msgAuthenticationParameters=
msgPrivacyParameters=

2017-11-21 17:07:43,463 pysnmp: __generateRequestOrResponseMsg: plain outgoing msg: SNMPv3Message:
msgVersion=3
msgGlobalData=HeaderData:
msgID=8895526
msgMaxSize=65507
msgFlags=0x04
msgSecurityModel=3

msgSecurityParameters=0x300e0400020100020100040004000400
msgData=ScopedPduData:
plaintext=ScopedPDU:
contextEngineId=
contextName=
data=PDUs:
set-request=SetRequestPDU:
request-id=11327263
error-status='noError'
error-index=0
variable-bindings=VarBindList:

2017-11-21 17:07:43,464 pysnmp: __generateRequestOrResponseMsg: plain outgoing msg:
00000: 30 3E 02 01 03 30 11 02 04 00 87 BC 26 02 03 00
00016: FF E3 04 01 04 02 01 03 04 10 30 0E 04 00 02 01
00032: 00 02 01 00 04 00 04 00 04 00 30 14 04 00 04 00
00048: A3 0E 02 04 00 AC D7 1F 02 01 00 02 01 00 30 00
2017-11-21 17:07:43,474 pysnmp: prepareDataElements: SNMPv3Message:
msgVersion=3
msgGlobalData=HeaderData:
msgID=8895526
msgMaxSize=484
msgFlags=0x00
msgSecurityModel=3

msgSecurityParameters=0x301704088000000001020304020101020204e5040004000400
msgData=ScopedPduData:
plaintext=ScopedPDU:
contextEngineId=0x8000000001020304
contextName=
data=PDUs:
report=ReportPDU:
request-id=0
error-status='noError'
error-index=0
variable-bindings=VarBindList:
VarBind:
name=1.3.6.1.6.3.15.1.1.4.0
=_BindValue:
value=ObjectSyntax:
application-wide=ApplicationSyntax:
counter-value=1

2017-11-21 17:07:43,474 pysnmp: prepareDataElements: msg data msgVersion 3 msgID 8895526 securityModel 3
2017-11-21 17:07:43,474 pysnmp: processIncomingMsg: securityParameters
00000: 30 17 04 08 80 00 00 00 01 02 03 04 02 01 01 02
00016: 02 04 E5 04 00 04 00 04 00
2017-11-21 17:07:43,475 pysnmp: processIncomingMsg: UsmSecurityParameters:
msgAuthoritativeEngineId=0x8000000001020304
msgAuthoritativeEngineBoots=1
msgAuthoritativeEngineTime=1253
msgUserName=
msgAuthenticationParameters=
msgPrivacyParameters=

2017-11-21 17:07:43,475 pysnmp: processIncomingMsg: cache write securityStateReference 15650087 by msgUserName
2017-11-21 17:07:43,475 pysnmp: processIncomingMsg: non-synchronized securityEngineID OctetString(hexValue='8000000001020304')
2017-11-21 17:07:43,476 pysnmp: processIncomingMsg: read from securityParams msgAuthoritativeEngineId OctetString(hexValue='8000000001020304') msgUserName OctetString(b'', subtypeSpec=ConstraintsIntersection(ConstraintsIntersection(), ValueSizeConstraint(0, 32)))
2017-11-21 17:07:43,476 pysnmp: processIncomingMsg: now have usmUserName b'' usmUserSecurityName b'' usmUserAuthProtocol (1, 3, 6, 1, 6, 3, 10, 1, 1, 1) usmUserPrivProtocol (1, 3, 6, 1, 6, 3, 10, 1, 2, 1) for msgUserName OctetString(b'', subtypeSpec=ConstraintsIntersection(ConstraintsIntersection(), ValueSizeConstraint(0, 32)))
2017-11-21 17:07:43,476 pysnmp: processIncomingMsg: scopedPDU decoded ScopedPDU:
contextEngineId=0x8000000001020304
contextName=
data=PDUs:
report=ReportPDU:
request-id=0
error-status='noError'
error-index=0
variable-bindings=VarBindList:
VarBind:
name=1.3.6.1.6.3.15.1.1.4.0
=_BindValue:
value=ObjectSyntax:
application-wide=ApplicationSyntax:
counter-value=1

2017-11-21 17:07:43,476 pysnmp: processIncomingMsg: cached msgUserName info by securityStateReference 15650088
2017-11-21 17:07:43,476 pysnmp: prepareDataElements: SM succeeded
2017-11-21 17:07:43,477 pysnmp: prepareDataElements: cache securityEngineId OctetString(hexValue='8000000001020304') for (1, 3, 6, 1, 6, 1, 1) ('192.168.15.133', 161)
2017-11-21 17:07:43,477 pysnmp: prepareDataElements: using sendPduHandle 7251134 for msgID 8895526
2017-11-21 17:07:43,477 pysnmp: StatusInformation: {'errorIndication': UnknownEngineID('Unknown SNMP engine ID encountered',), 'sendPduHandle': 7251134, 'val': Counter32(1), 'oid': ObjectName('1.3.6.1.6.3.15.1.1.4.0')}
2017-11-21 17:07:43,478 pysnmp: prepareOutgoingMessage: new msgID 8895527
2017-11-21 17:07:43,478 pysnmp: prepareOutgoingMessage: peer SNMP engine data {'securityEngineId': OctetString(hexValue='8000000001020304'), 'contextName': OctetString(b''), 'contextEngineId': OctetString(hexValue='8000000001020304')} for transport 1.3.6.1.6.1.1, address ('192.168.15.133', 161)
2017-11-21 17:07:43,478 pysnmp: prepareOutgoingMessage: using contextEngineId OctetString(hexValue='8000000001020304'), contextName OctetString(b'')
2017-11-21 17:07:43,478 pysnmp: prepareOutgoingMessage: SNMPv3Message:
msgVersion=3
msgGlobalData=HeaderData:
msgID=8895527
msgMaxSize=65507
msgFlags=0x07
msgSecurityModel=3

msgSecurityParameters=0x300e0400020100020100040004000400
msgData=ScopedPduData:
plaintext=ScopedPDU:
contextEngineId=0x8000000001020304
contextName=
data=PDUs:
set-request=SetRequestPDU:
request-id=11327262
error-status='noError'
error-index=0
variable-bindings=VarBindList:
VarBind:
name=1.3.6.1.4.1.50317.6.8.1
=_BindValue:
value=ObjectSyntax:
simple=SimpleSyntax:
integer-value=1

2017-11-21 17:07:43,479 pysnmp: prepareOutgoingMessage: securityModel SnmpSecurityModel(3, subtypeSpec=ConstraintsIntersection(ConstraintsIntersection(ConstraintsIntersection(ConstraintsIntersection(), ValueRangeConstraint(-2147483648, 2147483647)), ValueRangeConstraint(0, 2147483647)), ValueRangeConstraint(1, 2147483647))), securityEngineId OctetString(hexValue='8000000001020304'), securityName SnmpAdminString(b'usr-md5-des'), securityLevel SnmpSecurityLevel('authPriv')
2017-11-21 17:07:43,479 pysnmp: _sec2usr: built snmpEngineId + securityName to userName map, version 2: {(SnmpEngineID(hexValue='80004fb8054d6163426f6f6b2d4169722d64652d460ed29948'), SnmpAdminString(b'usr-md5-des')): SnmpAdminString(b'usr-md5-des', subtypeSpec=ConstraintsIntersection(ConstraintsIntersection(ConstraintsIntersection(ConstraintsIntersection(), ValueSizeConstraint(0, 65535)), ValueSizeConstraint(0, 255)), ValueSizeConstraint(1, 32)))}
2017-11-21 17:07:43,479 pysnmp: _sec2usr: no entry exists for snmpEngineId OctetString(hexValue='8000000001020304'), securityName SnmpAdminString(b'usr-md5-des')
2017-11-21 17:07:43,480 pysnmp: _sec2usr: using userName SnmpAdminString(b'usr-md5-des', subtypeSpec=ConstraintsIntersection(ConstraintsIntersection(ConstraintsIntersection(ConstraintsIntersection(), ValueSizeConstraint(0, 65535)), ValueSizeConstraint(0, 255)), ValueSizeConstraint(1, 32))) for snmpEngineId SnmpEngineID(), securityName SnmpAdminString(b'usr-md5-des')
2017-11-21 17:07:43,507 pysnmp: __generateRequestOrResponseMsg: clone user info
2017-11-21 17:07:43,507 pysnmp: __generateRequestOrResponseMsg: local usmUserName SnmpAdminString(b'usr-md5-des', subtypeSpec=ConstraintsIntersection(ConstraintsIntersection(ConstraintsIntersection(ConstraintsIntersection(), ValueSizeConstraint(0, 65535)), ValueSizeConstraint(0, 255)), ValueSizeConstraint(1, 32))) usmUserSecurityName SnmpAdminString(b'usr-md5-des') usmUserAuthProtocol 1.3.6.1.6.3.10.1.1.2 usmUserPrivProtocol 1.3.6.1.6.3.10.1.2.3 securityEngineID OctetString(hexValue='8000000001020304') securityName SnmpAdminString(b'usr-md5-des')
2017-11-21 17:07:43,507 pysnmp: __generateRequestOrResponseMsg: no timeline for securityEngineID OctetString(hexValue='8000000001020304')
2017-11-21 17:07:43,507 pysnmp: __generateRequestOrResponseMsg: use snmpEngineBoots 0 snmpEngineTime 0 for securityEngineID OctetString(hexValue='8000000001020304')
2017-11-21 17:07:43,508 pysnmp: __generateRequestOrResponseMsg: scopedPDU ScopedPDU:
contextEngineId=0x8000000001020304
contextName=
data=PDUs:
set-request=SetRequestPDU:
request-id=11327262
error-status='noError'
error-index=0
variable-bindings=VarBindList:
VarBind:
name=1.3.6.1.4.1.50317.6.8.1
=_BindValue:
value=ObjectSyntax:
simple=SimpleSyntax:
integer-value=1

2017-11-21 17:07:43,508 pysnmp: __generateRequestOrResponseMsg: scopedPDU encoded into
00000: 30 2E 04 08 80 00 00 00 01 02 03 04 04 00 A3 20
00016: 02 04 00 AC D7 1E 02 01 00 02 01 00 30 12 30 10
00032: 06 0B 2B 06 01 04 01 83 89 0D 06 08 01 02 01 01
2017-11-21 17:07:43,513 pysnmp: __generateRequestOrResponseMsg: scopedPDU ciphered into
00000: 01 AC 90 53 EB 9D 45 A7 D9 58 D5 10 1C 0C 2B 73
00016: E1 02 CA 1E 3A 5D C2 FA FB 38 87 35 88 3D 12 CA
00032: 73 7C 96 18 25 B8 88 E2 D5 B8 09 BE 68 31 8C 9F
00048: B6 16 92 C7 DE 02 A3 5E
2017-11-21 17:07:43,513 pysnmp: __generateRequestOrResponseMsg: ScopedPduData:
encryptedPDU=0x01ac9053eb9d45a7d958d5101c0c2b73e102ca1e3a5dc2fafb388735883d12ca737c961825b888e2d5b809be68318c9fb61692c7de02a35e

2017-11-21 17:07:43,513 pysnmp: __generateRequestOrResponseMsg: UsmSecurityParameters:
msgAuthoritativeEngineId=0x8000000001020304
msgAuthoritativeEngineBoots=0
msgAuthoritativeEngineTime=0
msgUserName=usr-md5-des
msgAuthenticationParameters=0x000000000000000000000000
msgPrivacyParameters=0x000000009c74c880

2017-11-21 17:07:43,514 pysnmp: __generateRequestOrResponseMsg: auth outgoing msg: SNMPv3Message:
msgVersion=3
msgGlobalData=HeaderData:
msgID=8895527
msgMaxSize=65507
msgFlags=0x07
msgSecurityModel=3

msgSecurityParameters=0x303504088000000001020304020100020100040b7573722d6d64352d646573040c0000000000000000000000000408000000009c74c880
msgData=ScopedPduData:
encryptedPDU=0x01ac9053eb9d45a7d958d5101c0c2b73e102ca1e3a5dc2fafb388735883d12ca737c961825b888e2d5b809be68318c9fb61692c7de02a35e

2017-11-21 17:07:43,515 pysnmp: __generateRequestOrResponseMsg: authenticated outgoing msg:
00000: 30 81 89 02 01 03 30 11 02 04 00 87 BC 27 02 03
00016: 00 FF E3 04 01 07 02 01 03 04 37 30 35 04 08 80
00032: 00 00 00 01 02 03 04 02 01 00 02 01 00 04 0B 75
00048: 73 72 2D 6D 64 35 2D 64 65 73 04 0C B5 C8 70 82
00064: 91 65 53 77 B4 79 80 D8 04 08 00 00 00 00 9C 74
00080: C8 80 04 38 01 AC 90 53 EB 9D 45 A7 D9 58 D5 10
00096: 1C 0C 2B 73 E1 02 CA 1E 3A 5D C2 FA FB 38 87 35
00112: 88 3D 12 CA 73 7C 96 18 25 B8 88 E2 D5 B8 09 BE
00128: 68 31 8C 9F B6 16 92 C7 DE 02 A3 5E
2017-11-21 17:07:43,519 pysnmp: prepareDataElements: SNMPv3Message:
msgVersion=3
msgGlobalData=HeaderData:
msgID=8895527
msgMaxSize=484
msgFlags=0x00
msgSecurityModel=3

msgSecurityParameters=0x301704088000000001020304020101020204e5040004000400
msgData=ScopedPduData:
plaintext=ScopedPDU:
contextEngineId=0x8000000001020304
contextName=
data=PDUs:
report=ReportPDU:
request-id=0
error-status='noError'
error-index=0
variable-bindings=VarBindList:
VarBind:
name=1.3.6.1.6.3.15.1.1.2.0
=_BindValue:
value=ObjectSyntax:
application-wide=ApplicationSyntax:
counter-value=1

2017-11-21 17:07:43,519 pysnmp: prepareDataElements: msg data msgVersion 3 msgID 8895527 securityModel 3
2017-11-21 17:07:43,519 pysnmp: processIncomingMsg: securityParameters
00000: 30 17 04 08 80 00 00 00 01 02 03 04 02 01 01 02
00016: 02 04 E5 04 00 04 00 04 00
2017-11-21 17:07:43,521 pysnmp: processIncomingMsg: UsmSecurityParameters:
msgAuthoritativeEngineId=0x8000000001020304
msgAuthoritativeEngineBoots=1
msgAuthoritativeEngineTime=1253
msgUserName=
msgAuthenticationParameters=
msgPrivacyParameters=

2017-11-21 17:07:43,521 pysnmp: processIncomingMsg: cache write securityStateReference 15650089 by msgUserName
2017-11-21 17:07:43,521 pysnmp: processIncomingMsg: non-synchronized securityEngineID OctetString(hexValue='8000000001020304')
2017-11-21 17:07:43,521 pysnmp: processIncomingMsg: read from securityParams msgAuthoritativeEngineId OctetString(hexValue='8000000001020304') msgUserName OctetString(b'', subtypeSpec=ConstraintsIntersection(ConstraintsIntersection(), ValueSizeConstraint(0, 32)))
2017-11-21 17:07:43,521 pysnmp: processIncomingMsg: now have usmUserName b'' usmUserSecurityName b'' usmUserAuthProtocol (1, 3, 6, 1, 6, 3, 10, 1, 1, 1) usmUserPrivProtocol (1, 3, 6, 1, 6, 3, 10, 1, 2, 1) for msgUserName OctetString(b'', subtypeSpec=ConstraintsIntersection(ConstraintsIntersection(), ValueSizeConstraint(0, 32)))
2017-11-21 17:07:43,522 pysnmp: processIncomingMsg: scopedPDU decoded ScopedPDU:
contextEngineId=0x8000000001020304
contextName=
data=PDUs:
report=ReportPDU:
request-id=0
error-status='noError'
error-index=0
variable-bindings=VarBindList:
VarBind:
name=1.3.6.1.6.3.15.1.1.2.0
=_BindValue:
value=ObjectSyntax:
application-wide=ApplicationSyntax:
counter-value=1

2017-11-21 17:07:43,522 pysnmp: processIncomingMsg: cached msgUserName info by securityStateReference 15650090
2017-11-21 17:07:43,522 pysnmp: prepareDataElements: SM succeeded
2017-11-21 17:07:43,522 pysnmp: prepareDataElements: using sendPduHandle 7251135 for msgID 8895527
2017-11-21 17:07:43,523 pysnmp: StatusInformation: {'errorIndication': NotInTimeWindow('SNMP message timing parameters not in windows of trust',), 'sendPduHandle': 7251135, 'val': Counter32(1), 'oid': ObjectName('1.3.6.1.6.3.15.1.1.2.0')}

@etingof
Copy link
Owner

etingof commented Nov 26, 2017

What worries me in the log is that your SNMP agent does not return msgUserName in its second REPORT message:

2017-11-21 17:07:43,521 pysnmp: processIncomingMsg: UsmSecurityParameters:
msgAuthoritativeEngineId=0x8000000001020304
msgAuthoritativeEngineBoots=1
msgAuthoritativeEngineTime=1253
msgUserName=
msgAuthenticationParameters=
msgPrivacyParameters=

This seems against RFC3414 section 3.2.2 which implies that msgUserName should be present. I wonder how Net-SNMP handles this though...

What would be of great help to understand this business and possibly come up with some sort of compatibility mode for pysnmp is a tcpdump snoop of similar NEt-SNMP query. Even better if you would do both Net-SNMP and pysnmp queries within a single tcpdump session so I could peek at it and figure out the difference. ;-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants