CA Spectrum 10.2.1 and above supports modeling SNMPv3 devices with duplicate EngineID

Document ID : KB000007566
Last Modified Date : 14/02/2018
Issue:

When modeling devices that share the same SNMP engine ID in CA Spectrum, either the model cannot be created or Spectrum does not manage the models correctly, and you receive false Management Agent Lost alarms.

Cause:

This is caused by devices sharing the same engine ID.  Per RFC 3414, the SNMP engine ID must be unique:

https://tools.ietf.org/html/rfc3414

Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the SNMP engine.

 

Spectrum was adhering to the RFC.

However, it is now common for vendors to use the same engine ID across high-availability failover pairs, such as the Cisco ASA.  Firewall contexts also share the engine ID of the chassis and are distinguished only by a unique context name.  When you try to model a primary and secondary pair of firewalls, or a firewall with several contexts that report the same engine ID, the first model may be created but the second is not, because both devices present the same engine ID.  If you create the models manually, you may see "Management Agent Lost" alarms on them.  This happens because Spectrum stores SNMPv3 information keyed by engine ID alone.  When two entries in Spectrum's cache collide on the engine ID, the SNMPv3 data (such as the user credentials) sent to one device may actually belong to the other device, so that device rejects the requests and its model appears to have lost contact.

Resolution:

This is enhanced in CA Spectrum release 10.2.2 and higher as noted in the Issues Resolved list:

Symptom: SpectroSERVER unable to manage SNMPv3 devices with duplicate engineIDs. 
Resolution: SpectroSERVER now able to manage SNMPv3 devices with duplicate engineIDs.
(10.2.2, DE285769, 00704767)

 

The change does the following:

1.  Maintains all SNMPv3 security.  No SNMPv3 functionality or security is removed.

2.  Spectrum stores the engine ID together with the IP address.  (Previously Spectrum stored the SNMPv3 model information by engine ID only, so duplicate engine IDs conflicted in the cache.)  Internal security verification is now performed using both the IP address and the engine ID.

3.  Removes the "Duplicate EngineID" alarming functionality.  Because that alarm is gone, an unintended duplicate (two unrelated devices accidentally configured with the same engine ID) is no longer flagged by Spectrum and has to be caught by other means, for example by comparing the snmpEngineID each device reports.
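The cache collision described in the Cause section and the IP-plus-engine-ID fix in item 2 above, as an added Python model.  This is not Spectrum's code (Spectrum's internal cache structure is not public); it implements the RFC 3414 password-to-key and key-localization steps so the cached material is realistic, then keys a credential cache first by engine ID alone and then by (IP address, engine ID).  The device addresses, engine IDs, user name and passwords are constructed for the example.

```python
import hashlib
from dataclasses import dataclass


def password_to_key(password: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 Appendix A.2: stretch the password to 1 MB, hash it to get the
    user key Ku, then localize Ku to one engine ID to get Kul."""
    if not password:
        raise ValueError("empty password")
    stretched = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.new(hash_name, stretched).digest()              # Ku
    return hashlib.new(hash_name, ku + engine_id + ku).digest()  # Kul


@dataclass(frozen=True)
class Device:
    ip: str
    engine_id: bytes
    user: str
    password: str


def cache_key(device: Device, keyed_by_ip: bool):
    """Old behaviour: engine ID alone.  Fixed behaviour: (IP address, engine ID)."""
    return (device.ip, device.engine_id) if keyed_by_ip else device.engine_id


def build_cache(devices, keyed_by_ip: bool) -> dict:
    """Insert each device's SNMPv3 material; a later entry overwrites a colliding key."""
    cache = {}
    for d in devices:
        cache[cache_key(d, keyed_by_ip)] = {
            "ip": d.ip,
            "user": d.user,
            "kul": password_to_key(d.password.encode(), d.engine_id),
        }
    return cache


def misdirected(devices, keyed_by_ip: bool) -> list:
    """IP addresses that would be polled with another device's credentials."""
    cache = build_cache(devices, keyed_by_ip)
    return [d.ip for d in devices if cache[cache_key(d, keyed_by_ip)]["ip"] != d.ip]


# Constructed inventory (addresses, engine IDs and passwords are made up):
# a failover pair that shares one engine ID, plus an unrelated device.
ASA_SHARED_ENGINE_ID = bytes.fromhex("800000090300aabbccddeeff")
DEVICES = [
    Device("192.0.2.10", ASA_SHARED_ENGINE_ID, "spectrum", "primary-pass-1"),
    Device("192.0.2.11", ASA_SHARED_ENGINE_ID, "spectrum", "secondary-pass-2"),
    Device("192.0.2.20", bytes.fromhex("800000090300001122334455"), "spectrum", "router-pass-3"),
]

if __name__ == "__main__":
    print("keyed by engine ID only :", misdirected(DEVICES, keyed_by_ip=False))  # ['192.0.2.10']
    print("keyed by (IP, engine ID):", misdirected(DEVICES, keyed_by_ip=True))   # []
```

With the cache keyed by engine ID alone, the secondary's entry overwrites the primary's, so 192.0.2.10 is polled with its peer's localized key and fails authentication, which is what surfaces as a Management Agent Lost alarm.  Keying by (IP address, engine ID) keeps both entries.  Note that the localization step binds the key to the engine ID, not the IP address: if both peers used the same password, as a synchronised failover pair typically does, the two localized keys would be identical and the collision would not show up as an authentication failure, although the second model would still not be created.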

 

A Linux and Solaris patch for 10.2.0 (there is no Windows patch) and a Linux, Windows, and Solaris patch for 10.2.1 have been created that allow Spectrum to model and monitor devices that share the same engine id.  The patch 

The patches for 10.2.0 and 10.2.1 are:

10.2.0 - Spectrum_10.02.00.PTF_10.2.050 - Linux and Solaris only

10.2.1 - Spectrum_10.02.01.BMP_10.2.101 - Linux, Windows, and Solaris

The fix is included in 10.2.2 and above.


 

Additional Information:

To obtain the 10.2.0 patch (Spectrum_10.02.00.PTF_10.2.050 - Linux and Solaris only) please open a case with CA Support and request this PTF patch. 

If you need Windows functionality, you must upgrade to 10.2.1 and use Spectrum_10.02.01.BMP_10.2.101 or upgrade to 10.2.2 or 10.3 once they are released.

To obtain the 10.2.1 patch (10.2.1 - Spectrum_10.02.01.BMP_10.2.101) please access the Spectrum Solutions and Patches page:

https://support.ca.com/us/product-content/recommended-reading/technical-document-index/ca-spectrum-r10-2-solutions-patches.html