SPECTRUM loses ability over time to communicate via SNMPV3 with some types of Cisco devices (Legacy KB ID CNC TS31167 )

Document ID : KB000051982
Last Modified Date : 14/02/2018

SPECTRUM 9.0 provides support for devices in which their snmpEngineTime drifts over time.


With the problematic Cisco devices, though, snmpEngineTime does not drift gradually; it changes all at once. Because of this, you will most likely continue to experience connectivity issues even with 9.0.


There are no options planned in 9.0 to disable snmpEngineTime/boots checks.


Since SPECTRUM is complying with the SNMPV3 standard's protection against message replay and insertion, and the underlying fault is in the device, which prevents proper secure management, CA recommends contacting Cisco to correct this problem. The known Cisco bug to reference is CSCSE-80032. Other devices from this vendor may have the same problem; contact Cisco for the most up-to-date list.



Related Issues/Questions:

SPECTRUM loses the ability to communicate via SNMPV3 with some types of Cisco devices; for example, this is known to be a problem with model type SwCat45xx.



Problem Environment:
SPECTRUM 9.0
SPECTRUM 8.1
Command line SNMPV3 works fine

CallT0000221424



Causes of this problem:

The command line utilities work because each invocation is a one-time interaction with the device. Command line tools do not cache the snmpEngineBoots and snmpEngineTime values of the devices they connect to; they rediscover them on every run. With no cached "previous" values to compare the "current" values against, these tools cannot detect that a reply is outside the SNMPV3 time window and will never raise a usmStatsNotInTimeWindows error. A long-running manager does keep that cache, and the standard only allows the cached values to move forward. Once the device's snmpEngineTime drops below the cached value by more than 150 seconds without snmpEngineBoots increasing, the manager must reject every subsequent reply as outside the time window and cannot resynchronize until the device's boot counter increments.


However, a properly constructed network monitoring system should have this additional security built in. SPECTRUM implements the standard SNMPV3 timeliness check, which prevents a third party from covertly inserting itself, or replaying earlier captured messages, while SPECTRUM is monitoring a previously modeled SNMPV3 device (a "replay intrusion").


RFC 2264 (since superseded by RFC 3414) includes a detailed description of the SNMPv3 User-based Security Model; a useful section is 2.3 (Time Synchronization). An NMS less sophisticated than SPECTRUM may well omit this check, but it then runs the risk of replay attacks. Single-instance interactions from the command line will not exercise this safety feature, for the reasons stated above.
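The following is an added example, not code from CA, SPECTRUM or Cisco, that models the manager-side (non-authoritative engine) timeliness check described in the "Causes" and "RFC" paragraphs above, following RFC 3414 section 3.2 step 7(b). It shows why a long-running manager that caches snmpEngineBoots/snmpEngineTime starts rejecting replies after the device's engine time jumps backwards, why a one-shot command line tool that rediscovers the engine on every run never notices, and how the same rule rejects a replayed message. The engine ID and the boots/time values are constructed for the example.

```python
# Added example (not CA or Cisco code): a model of the SNMPv3 USM timeliness
# check on the non-authoritative side, i.e. the manager, following RFC 3414
# section 3.2 step 7(b). Engine ID and boots/time values are constructed.
from dataclasses import dataclass
from typing import Dict, List

TIME_WINDOW = 150          # seconds; RFC 3414 section 2.2.3
MAX_BOOTS = 2147483647     # an engine at this value can no longer be trusted


@dataclass
class RemoteEngineState:
    """Local cache (LCD) of a remote authoritative engine's clock."""
    boots: int
    engine_time: int
    latest_received_engine_time: int


class NonAuthoritativeEngine:
    """The manager side. A long-running NMS keeps one of these for the life of
    the device model; a command line tool keeps one only for a single run."""

    def __init__(self) -> None:
        self._lcd: Dict[bytes, RemoteEngineState] = {}

    def discover(self, engine_id: bytes, boots: int, engine_time: int) -> None:
        """Discovery exchange: the device reports its current snmpEngineBoots
        and snmpEngineTime and the manager adopts them unconditionally."""
        self._lcd[engine_id] = RemoteEngineState(boots, engine_time, engine_time)

    def check(self, engine_id: bytes, msg_boots: int, msg_time: int) -> str:
        """Apply RFC 3414 3.2 step 7(b) to an authenticated incoming message.
        Returns "ok" or "notInTimeWindow" (which bumps usmStatsNotInTimeWindows)."""
        st = self._lcd.get(engine_id)
        if st is None:
            return "unknownEngineID"   # must run discovery first
        # 7(b)(1): the cache only ever moves forward.
        if msg_boots > st.boots or (
            msg_boots == st.boots and msg_time > st.latest_received_engine_time
        ):
            st.boots = msg_boots
            st.engine_time = msg_time
            st.latest_received_engine_time = msg_time
        # 7(b)(2): is the message outside the time window?
        if (
            st.boots == MAX_BOOTS
            or msg_boots < st.boots
            or (msg_boots == st.boots
                and msg_time < st.latest_received_engine_time - TIME_WINDOW)
        ):
            return "notInTimeWindow"
        return "ok"


# Constructed engine ID for the example device.
DEVICE = bytes.fromhex("800000090300112233445566")


def long_running_manager() -> List[str]:
    """SPECTRUM-style poller: one cache, kept across many polls."""
    nms = NonAuthoritativeEngine()
    nms.discover(DEVICE, boots=3, engine_time=1000)
    return [
        nms.check(DEVICE, 3, 1300),  # clock advanced normally
        nms.check(DEVICE, 3, 1250),  # delayed reply, still inside 150 s
        nms.check(DEVICE, 3, 400),   # device's snmpEngineTime jumped backwards
        nms.check(DEVICE, 3, 405),   # ...and every later reply is rejected too
        nms.check(DEVICE, 4, 20),    # genuine reboot: boots incremented, resync ok
    ]


def one_shot_cli() -> List[str]:
    """snmpwalk-style tool: fresh process and fresh discovery every invocation."""
    results = []
    for boots, engine_time in [(3, 1300), (3, 400), (3, 405)]:
        tool = NonAuthoritativeEngine()
        tool.discover(DEVICE, boots, engine_time)  # adopts whatever the device says now
        results.append(tool.check(DEVICE, boots, engine_time))
    return results


def replayed_message() -> str:
    """A message captured at (3, 1000) and replayed after the manager has
    accepted (3, 1300) falls outside the window: the "replay intrusion" case."""
    nms = NonAuthoritativeEngine()
    nms.discover(DEVICE, boots=3, engine_time=1000)
    nms.check(DEVICE, 3, 1300)
    return nms.check(DEVICE, 3, 1000)


if __name__ == "__main__":
    print("long-running manager:", long_running_manager())
    print("one-shot CLI:        ", one_shot_cli())
    print("replayed message:    ", replayed_message())
```

The backward jump and the replayed message are indistinguishable to the manager: both arrive with a boots value equal to the cached one and a time more than 150 seconds behind latestReceivedEngineTime, and the update rule in step 7(b)(1) never lets the cache move backwards. That is why the only clean recovery on the manager side is the device incrementing snmpEngineBoots (a real reboot), and why a fresh command line run, which adopts the device's current clock during discovery, always succeeds.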



