SNMP enrichment - authorizationError

Trying to get EF_PROCESSOR_ENRICH_NETIF_SNMP_* working, but hitting an error, while snmpget works fine.

snmpget command and response:

user@server:~$ snmpget -v3 -l authPriv -u ******** -a SHA-256 -A "********" -x AES -X "********" 10.2.0.2 .1.3.6.1.2.1.2.2.1.2.300003116 .1.3.6.1.2.1.2.2.1.3.300003116 .1.3.6.1.2.1.2.2.1.5.300003116 .1.3.6.1.2.1.31.1.1.1.1.300003116 .1.3.6.1.2.1.31.1.1.1.15.300003116 .1.3.6.1.2.1.31.1.1.1.18.300003116
iso.3.6.1.2.1.2.2.1.2.300003116 = STRING: "loopback.3116"
iso.3.6.1.2.1.2.2.1.3.300003116 = INTEGER: 24
iso.3.6.1.2.1.2.2.1.5.300003116 = Gauge32: 0
iso.3.6.1.2.1.31.1.1.1.1.300003116 = STRING: "loopback.3116"
iso.3.6.1.2.1.31.1.1.1.15.300003116 = Gauge32: 0
iso.3.6.1.2.1.31.1.1.1.18.300003116 = STRING: "Interface description"

The related tcpdump:

12:26:16.685950 IP (tos 0x0, ttl 64, id 2327, offset 0, flags [DF], proto UDP (17), length 92)
    10.2.1.5.40429 > 10.2.0.2.161: [bad udp cksum 0x22b9 -> 0x7b10!]  { SNMPv3 { F=r } { USM B=0 T=0 U="" } { ScopedPDU E= C="" { GetRequest(14) R=1870473911  } } }
12:26:16.687669 IP (tos 0x0, ttl 61, id 52202, offset 0, flags [DF], proto UDP (17), length 146)
    10.2.0.2.161 > 10.2.1.5.40429: [udp sum ok]  { SNMPv3 { F= } { USM B=53 T=63310 U="" } { ScopedPDU E=_80_00_..._31_38 C="" { Report(32) R=1870473911  .1.3.6.1.6.3.15.1.1.4.0=680 } } }
12:26:16.687812 IP (tos 0x0, ttl 64, id 2328, offset 0, flags [DF], proto UDP (17), length 300)
    10.2.1.5.40429 > 10.2.0.2.161: [bad udp cksum 0x2389 -> 0x022c!]  { SNMPv3 { F=apr } { USM B=53 T=63310 U="********" } { ScopedPDU [!scoped PDU]38_30_..._fa_a4} }
12:26:16.691450 IP (tos 0x0, ttl 61, id 52204, offset 0, flags [DF], proto UDP (17), length 349)
    10.2.0.2.161 > 10.2.1.5.40429: [udp sum ok]  { SNMPv3 { F=ap } { USM B=53 T=63310 U="********" } { ScopedPDU [!scoped PDU]3d_9f_..._7d_c7} }

And when flowcoll polls the same device using the same credentials:

12:30:11.349648 IP (tos 0x0, ttl 64, id 39932, offset 0, flags [DF], proto UDP (17), length 92)
    10.2.1.5.52326 > 10.2.0.2.161: [bad udp cksum 0x22b9 -> 0xefbc!]  { SNMPv3 { F=r } { USM B=0 T=0 U="" } { ScopedPDU E= C="" { GetRequest(14) R=944826627  } } }
12:30:11.353041 IP (tos 0x0, ttl 60, id 56754, offset 0, flags [DF], proto UDP (17), length 146)
    10.2.0.2.161 > 10.2.1.5.52326: [udp sum ok]  { SNMPv3 { F= } { USM B=53 T=63545 U="" } { ScopedPDU E=_80_00_..._31_38 C="" { Report(32) R=944826627  .1.3.6.1.6.3.15.1.1.4.0=681 } } }
12:30:11.353242 IP (tos 0x0, ttl 64, id 39933, offset 0, flags [DF], proto UDP (17), length 264)
    10.2.1.5.52326 > 10.2.0.4.161: [bad udp cksum 0x2365 -> 0xe5d3!]  { SNMPv3 { F=r } { USM B=53 T=63545 U="********" } { ScopedPDU E=_80_00_..._31_38 C="" { GetRequest(137) R=944826628  .1.3.6.1.2.1.2.2.1.2.300001036 .1.3.6.1.2.1.2.2.1.3.300001036 .1.3.6.1.2.1.2.2.1.5.300001036 .1.3.6.1.2.1.31.1.1.1.1.300001036 .1.3.6.1.2.1.31.1.1.1.15.300001036 .1.3.6.1.2.1.31.1.1.1.18.300001036 } } }
12:30:11.355440 IP (tos 0x0, ttl 60, id 56756, offset 0, flags [DF], proto UDP (17), length 264)
    10.2.0.2.161 > 10.2.1.5.52326: [udp sum ok]  { SNMPv3 { F= } { USM B=53 T=63545 U="********" } { ScopedPDU E=_80_00_..._31_38 C="" { GetResponse(137) R=944826628  authorizationError[errorIndex==0] .1.3.6.1.2.1.2.2.1.2.300001036= .1.3.6.1.2.1.2.2.1.3.300001036= .1.3.6.1.2.1.2.2.1.5.300001036= .1.3.6.1.2.1.31.1.1.1.1.300001036= .1.3.6.1.2.1.31.1.1.1.15.300001036= .1.3.6.1.2.1.31.1.1.1.18.300001036= } } }

The differences I can see:

F=apr vs F=r : FIN flags - should have no impact on the issue I’m trying to solve.

Flowcoll sends a very small ScopedPDU plus a GetRequest, where snmpget only sends a ScopedPDU.

I’m trying to grab interface names from Palo Alto firewalls. There’s little to no snmp debugging or logging on these appliances.

After checking the documentation again, I found that I was possibly using the wrong values for the auth’ and priv’ protocols. Here’s the relevant config section:

EF_PROCESSOR_ENRICH_NETIF_SNMP_ENABLE: "true"
EF_PROCESSOR_ENRICH_NETIF_SNMP_PORT: 161
EF_PROCESSOR_ENRICH_NETIF_SNMP_RETRIES: 2
EF_PROCESSOR_ENRICH_NETIF_SNMP_TIMEOUT: 1000
EF_PROCESSOR_ENRICH_NETIF_SNMP_V3_AUTHENTICATION_PASSPHRASE: '********'
EF_PROCESSOR_ENRICH_NETIF_SNMP_V3_AUTHENTICATION_PROTOCOL: sha256
EF_PROCESSOR_ENRICH_NETIF_SNMP_V3_PRIVACY_PASSPHRASE: '********'
EF_PROCESSOR_ENRICH_NETIF_SNMP_V3_PRIVACY_PROTOCOL: AES
EF_PROCESSOR_ENRICH_NETIF_SNMP_V3_USERNAME: '********'
EF_PROCESSOR_ENRICH_NETIF_SNMP_VERSION: 3

Flowcoll does throw this error if there’s a mismatch in the passphrases:

Oct 30 13:09:02 server.domain.com flowcoll[3072974]: {"level":"warn","ts":"2025-10-30T13:09:02.006+0100","caller":"snmp/snmp.go:205","msg":"SNMP Enricher: fetching attributes failed for 10.2.0.2 ifIndex 101232902 - wrong digest"}

Valid values for the EF_PROCESSOR_ENRICH_NETIF_SNMP_V3*PROTOCOL options are listed in the documentation, and I believe they are case sensitive … so ‘AES’ should be ‘aes’.

Try that and let us know if it helps.

Regards,

Dexter

GAH, I missed this one value…! This appears to have fixed this problem. Thank goodness this was just user error.
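
Added example, not part of the thread and not flowcoll's code: tcpdump prints the SNMPv3 msgFlags as F= (a = authenticated, p = encrypted, r = reportable), so this Python sketch scans capture lines like the ones above for requests that carry a user name but were sent below authPriv, and for authorizationError responses. The sample lines, the 192.0.2.x addresses and the user name `monitor` are constructed.

```python
import re

# tcpdump prints SNMPv3 msgFlags as F=<letters>: a=auth, p=priv, r=reportable.
PEERS = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+):")
FLAGS = re.compile(r"SNMPv3 \{ F=([apr]*) \}")
USER = re.compile(r'USM [^}]*U="([^"]*)"')

def security_level(flags):
    """Map msgFlags letters to the SNMPv3 security level (RFC 3412)."""
    if "p" in flags:
        return "authPriv" if "a" in flags else "invalid"  # priv requires auth
    return "authNoPriv" if "a" in flags else "noAuthNoPriv"

def audit(lines, required="authPriv", port="161"):
    """Return (kind, src, dst, level) for weak requests and authorization errors."""
    findings = []
    for line in lines:
        peers, flags, user = PEERS.search(line), FLAGS.search(line), USER.search(line)
        if not (peers and flags and user):
            continue  # timestamp/IP header lines and non-SNMPv3 packets
        src, sport, dst, dport = peers.groups()
        level = security_level(flags.group(1))
        # An empty user name is normal engine discovery, so it is not reported.
        if dport == port and user.group(1) and level != required:
            findings.append(("weak-request", src, dst, level))
        elif sport == port and "authorizationError" in line:
            findings.append(("authorizationError", src, dst, level))
    return findings

# Constructed sample lines, modelled on tcpdump -vv output (not a real capture).
HDR = '{ SNMPv3 { F=%s } { USM B=53 T=63545 U="%s" } { ScopedPDU '
SAMPLE = [
    "    192.0.2.5.40429 > 192.0.2.2.161: [udp sum ok]  " + HDR % ("r", "")
    + 'E= C="" { GetRequest(14) R=1  } } }',               # engine discovery
    "    192.0.2.5.40429 > 192.0.2.2.161: [udp sum ok]  " + HDR % ("apr", "monitor")
    + "[!scoped PDU]38_30_..._fa_a4} }",                   # encrypted request
    "    192.0.2.5.52326 > 192.0.2.2.161: [udp sum ok]  " + HDR % ("r", "monitor")
    + 'E=_80_00 C="" { GetRequest(137) R=2  .1.3.6.1.2.1.2.2.1.2.1 } } }',
    "    192.0.2.2.161 > 192.0.2.5.52326: [udp sum ok]  " + HDR % ("", "monitor")
    + 'E=_80_00 C="" { GetResponse(137) R=2  authorizationError[errorIndex==0] } } }',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

In the capture above, the flowcoll request shows F=r with the OIDs readable, while the snmpget request shows F=apr with an encrypted scoped PDU.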