discovery_agent failing to find devices with IP range or mask in discovery scope

Document ID : KB000112252
Last Modified Date : 29/08/2018
Show Technical Document Details
Issue:
Seeing some weird behavior with the discovery process when attempting to apply snmpcollector probe.

The provisioning group is seeing that only using a scope with a single IP address added allows discovery to complete successfully.
When leveraging a scope with an IP range or mask fails to capture the device data but once the individual IPs are broken out into an individual scope with a single IP the device can be discovered properly.

When using an IP masked range, the devices discovered changes with each discovery run,
Environment:
UIM/UMP:   8.51
discovery_server:  8.52
discovery_agent:  8.52
Cause:
When the discovery_agent performs multiple SNMPv3 discoveries in parallel you get inconsistent results if two or more of these devices have the same engineID when the probe performs the SNMP discovery.  The probe is designed with the following in mind:

According to RFC3411 (https://tools.ietf.org/html/rfc3411 ), the snmpEngineID is supposed to be unique in a network domain:

"Within an administrative domain, an snmpEngineID is the unique and unambiguous identifier of an SNMP engine. Since there is a one-to-one association between SNMP engines and SNMP entities, it also uniquely and unambiguously identifies the SNMP entity within that administrative domain. Note that it is possible for SNMP entities in different administrative domains to have the same value for snmpEngineID."

EngineID needs to be unique because SNMPv3 uses it to perform time synchronization (https://tools.ietf.org/html/rfc3414#section-2.3 ) between the local engine and remote engine to help authentication and detect spoofing. With messages coming from multiple remote engines with the same engineID, it confuses the local engine and results in messages being considered to be outside of the expected time window.

If multiple devices in the IP masked IP address range share the same engineID, warnings similar to the following will appear in the discovery_agent.log file:

28 Aug 2018 05:58:16,714 [DefaultUDPTransportMapping_0.0.0.0/0] WARN org.snmp4j.MessageDispatcherImpl - statusInfo=1.3.6.1.6.3.15.1.1.2.0 = 0, status=1411

The 1.3.6.1.6.3.15.1.1.2.0 OID corresponds to the usmStatsNotInTimeWindows error.

At loglevel 5, you will be able to see all discovered SNMP devices that share the same engineIDs in the log file.  For example, if discovering devices using an SNMPv3 profile with the following IP range scope defined:

12.34.56.1/24

messages similar to the following can be found in the discovery_agent.log file:

Aug 28 05:58:16:644 [PerIpDiscovery-8, discovery_agent] Discovered remote engine ID for 12.34.56.3/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0
Aug 28 05:58:16:650 [PerIpDiscovery-3, discovery_agent] Discovered remote engine ID for 12.34.56.82/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0
Aug 28 05:58:16:650 [PerIpDiscovery-2, discovery_agent] Discovered remote engine ID for 12.34.56.74/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0
Aug 28 05:58:16:652 [PerIpDiscovery-7, discovery_agent] Discovered remote engine ID for 12.34.56.2/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0
Aug 28 05:58:16:653 [PerIpDiscovery-11, discovery_agent] Discovered remote engine ID for 12.34.56.28/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0
Aug 28 05:58:16:655 [PerIpDiscovery-19, discovery_agent] Discovered remote engine ID for 12.34.56.101/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0
Aug 28 05:58:16:657 [PerIpDiscovery-10, discovery_agent] Discovered remote engine ID for 12.34.56.20/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0
Aug 28 05:58:16:660 [PerIpDiscovery-9, discovery_agent] Discovered remote engine ID for 12.34.56.15/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0
Aug 28 05:58:16:661 [PerIpDiscovery-13, discovery_agent] Discovered remote engine ID for 12.34.56.38/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0
Aug 28 05:58:16:663 [PerIpDiscovery-18, discovery_agent] Discovered remote engine ID for 12.34.56.92/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0
Aug 28 05:58:16:666 [PerIpDiscovery-17, discovery_agent] Discovered remote engine ID for 12.34.56.75/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0
Aug 28 05:58:16:669 [PerIpDiscovery-16, discovery_agent] Discovered remote engine ID for 12.34.56.67/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0
Aug 28 05:58:16:672 [PerIpDiscovery-15, discovery_agent] Discovered remote engine ID for 12.34.56.44/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0
Aug 28 05:58:16:672 [PerIpDiscovery-20, discovery_agent] Discovered remote engine ID for 12.34.56.114/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0
Aug 28 05:58:16:675 [PerIpDiscovery-1, discovery_agent] Discovered remote engine ID for 12.34.56.1/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0
Aug 28 05:58:16:675 [PerIpDiscovery-12, discovery_agent] Discovered remote engine ID for 12.34.56.31/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0
Aug 28 05:58:16:678 [PerIpDiscovery-14, discovery_agent] Discovered remote engine ID for 12.34.56.43/161 : engineID=80:00:07:7c:03:01:05:96:6d:48:c0

The discovery_agent expects the engineID to be unique on each device in the IP masked range.
Resolution:
The discovery_agent probe is working as designed.

If you wish to discover SNMP devices using and SNMPV3 profile for a set of devices on the same network that all have the same engineID, you have 2 options:

1.  Work with the SNMP device administrators to make sure each device in the same network has a unique engineID
2.  Do not use a masked IP range in the discovery scope specified for the device.  Use single IP address scopes instead.