Wrong SNMP answer if community changed

Document ID : KB000009167
Last Modified Date : 14/02/2018
Issue:

In versions of PAM prior to 3.X it was possible to use public as the name of the community used for SNMP polling in the Configuration section of PAM, when using SNMP version 2c or previous.

 

However, in version 3.X, if this is done, errors occur when trying to retrieve information from the PAM server via SNMP with snmpget or snmpwalk. For instance:

snmpwalk -v 2c -c public 192.168.80.241 1.3.6.1.4.1.2021.11 

UCD-SNMP-MIB::systemStats = No more variables left in this MIB View (It is past the end of the MIB tree) 

For a higher OID, the query finishes with HOST-RESOURCES-MIB::hrSystemMaxProcesses.0 = No more variables left in this MIB View (It is past the end of the MIB tree)

For instance:

snmpwalk -v 2c -c public 192.168.80.241 1.3.6.1 

If any other community name is used (e.g. xcdgkpub), then this works normally. This does not happen in older versions of the product. Why is this so?

Environment:
CA PAM 3.X
Cause:

This is working as designed. It is not a limitation of PAM but of the underlying OS. Prior to version 3.X, PAM was built on Debian 5, for which the behaviour is the expected one (all MIB variables are retrieved just fine), but PAM 3.X is based upon Debian 8.

For Debian 8, the default for snmp is that the public community will only allow system information to be retrieved. In particular, the snmp.conf file inside the appliance will contain the following line:

rocommunity public default -V systemonly

which allows this community to access only system variables.
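
The following is an added example, not part of the original article or of the product: a small Python check that reads snmpd-style directives and reports whether a given community can read a given OID, which reproduces the two results shown above. Only the rocommunity line for public comes from this article; the two view lines (modelled on the Debian default) and the entry for xcdgkpub are assumptions, and view masks are not handled.

```python
# Constructed sample: the "rocommunity public" line is the one quoted in the
# article; the two "view" lines and the xcdgkpub entry are assumptions.
SAMPLE_CONF = """\
view   systemonly  included   .1.3.6.1.2.1.1
view   systemonly  included   .1.3.6.1.2.1.25.1
rocommunity public default -V systemonly
rocommunity xcdgkpub default
"""

def oid(text):
    """Turn '.1.3.6.1' or '1.3.6.1' into a tuple of ints."""
    return tuple(int(p) for p in text.strip(".").split("."))

def parse(conf):
    """Return (views, communities) from snmpd-style directives."""
    views, communities = {}, {}
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "view" and len(tok) >= 4:
            views.setdefault(tok[1], []).append((oid(tok[3]), tok[2] == "included"))
        elif tok[0] in ("rocommunity", "rwcommunity") and len(tok) >= 2:
            # Syntax: rocommunity NAME [SOURCE [OID | -V VIEW]]
            rest = tok[3:]
            if rest[:1] == ["-V"] and len(rest) >= 2:
                communities[tok[1]] = ("view", rest[1])
            elif rest:
                communities[tok[1]] = ("subtree", oid(rest[0]))
            else:
                communities[tok[1]] = ("all", None)
    return views, communities

def visible(conf, community, target):
    """True if `community` may read `target` under `conf` (view masks ignored)."""
    views, communities = parse(conf)
    if community not in communities:
        return False
    kind, arg = communities[community]
    t = oid(target)
    if kind == "all":
        return True
    if kind == "subtree":
        return t[:len(arg)] == arg
    # The most specific (longest) matching view subtree decides.
    hits = [(len(sub), inc) for sub, inc in views.get(arg, []) if t[:len(sub)] == sub]
    return max(hits)[1] if hits else False
```

With this sample, 1.3.6.1.4.1.2021.11 is outside the systemonly view for public, while hrSystemMaxProcesses.0 (1.3.6.1.2.1.25.1.7.0) is the last object inside it, matching where the walk of 1.3.6.1 stops.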

Resolution:

Specify a community name other than public. Possible changes to any file inside the appliance would require support intervention.