SNMP Trap Processing

Network systems are prone to errors. Anomalies can occur at any time due to hardware or network issues. Whenever an issue occurs, it's important to quickly troubleshoot and resolve it, which requires instant notifications upon detection of hardware and network issues. Site24x7 aids admins with timely resolutions by instantly processing SNMP traps upon detection of an issue and sending out a notification. 

Here is the video to demonstrate Site24x7's SNMP Trap Processing:

Table of contents

• What are SNMP traps?
• Configuring SNMP traps
• The Trap Processors view
• Adding trap processors
• The SNMP traps view
• Unsolicited traps
• Editing and deleting trap processors
• Device-wise traps
• Alert mechanisms

What are SNMP traps?

An SNMP trap is any event, generated and sent by a device and received by a trap receiver whenever a change of state or anomaly is detected. These event messages generated by devices are received by a network management system like Site24x7. Site24x7 not only processes these traps and displays them, but also instantly notifies you based on the thresholds you configure for different traps.

SNMP v1 traps

Basic SNMP v1 traps generally fall into one of two broad categories: generic traps and enterprise traps.

Generic traps are further classified into six types:

Coldstart: This implies that the sending entity has reinitialized and that the configuration is altered. In simple terms, the SNMP device has powered on.
Warmstart: This is similar to Coldstart; the only difference is that the configuration remains unaltered. In simple terms, the SNMP device has reloaded the software.
Linkup: This indicates that one of the connected interfaces has changed states from down to up.
Linkdown: This indicates that one of the connected interfaces has changed states from up to down.
Authentication fails: This happens when an SNMP agent gets a request from an unrecognized community name.
egpNeighborloss: This happens when the agent cannot communicate with its Exterior Gateway Protocol (EGP) peer.

Enterprise specific: Vendor-specific error conditions and error codes.

SNMP v2c/v3 traps

SNMP v2c/v3 traps are classified based on the trap OID, as defined in the vendor's MIB. 

Configuring SNMP traps

You have to configure your device to send SNMP traps to Site24x7 by specifying the IP and the port. The traps should be received via port UDP 162. Ensure that this port is free.

The Trap Processors view

Log in to Site24x7, click Network on the left panel, and select Trap Processors. 
Here, you can view the list of natively supported traps as well as add new, edit, and delete traps.

Trap Processors process the raw SNMP traps sent by network devices and display them as simple understandable messages.

Click on a trap processor to view its details like name, SNMP version, description, trap OID, severity, threshold criteria, rearm criteria, and associated devices.

Figure 1. The Trap Processors view 

Adding trap processors

You can create and configure trap processors from the Trap Processors view.

1. Log in to Site24x7.
2. Navigate to Network > Trap Processors.
3. Click Add Trap Processor(outlined in red in Figure 1 above) and enter the following:
   • Name: Enter a name to identify your trap.
   • Description: Enter a description to define your trap.
   • SNMP version: Select your device's SNMP version (v1 or v2c/v3).
   • Generic type/trap OID: For SNMP v1, enter the generic type. These are generic trap types generated by SNMP v1 agents and defined by SNMP. If your SNMP version is v2c/v3, then enter your trap OID. Trap OIDs are object identifiers that identify which type of trap is being received. 
   • Specific type: When you choose enterpriseSpecific(6) as the generic type, you can enter the specific type.
4. You can also directly import the above from a MIB browser.
   • Generic MIBs: These are available by default in Site24x7. Choose the Vendor and the MIB from the drop-down list.
   • Custom MIBs: You can upload MIBs from your system and use them to add custom performance counters.
     • On-Premise Poller: Choosing an On-Premise Poller will list all the MIBs inside the folder Poller-home/NetworkPlus/mibs. Choose the On-Premise Poller which stores the MIB files you uploaded. If you choose ‘Recently Viewed’, all the MIBs that were uploaded or recently used will be shown. 
     • MIB: Choose an already uploaded MIB from the drop-down menu or click + to add new ones. 
       
       In the Upload MIB screen, select files and upload them from your computer. Also, choose the On-Premise Poller which has to store the MIB files. 
       
       
5. Source: This option is useful if the trap is forwarded from another source. It is the IP from which Site24x7 receives traps and can either be the source IP of the device, or the agent that generates traps. Choose $Source when the trap is directly sent to the On-Premise Poller machine, and choose $Agent when it is forwarded.
6. Severity: Select one of the following options from the drop-down list—Clear, Down, or Trouble. You need to specify the threshold and rearm criteria when you select Down or Trouble. 
7. Daily limit: Choose from the drop-down menu the total number of traps that Site24x7 should process per day.
8. Click Save.

Figure 2. Adding trap processors.

Threshold and rearm criteria

You can set multiple conditions for threshold and rearm criteria when you select Down or Trouble for the severity. 

Threshold criteria:

Set the threshold criteria and receive a notification when that threshold is breached.

Rearm criteria: 

Rearm criteria is the value that determines whether the monitor has been restored to normal condition. Rearm criteria corresponds to the value beyond which you can revert the Trouble/Down statuses to Clear. 

Example: Let's say the trouble threshold condition for a monitor is set at > 65, but during a poll it reaches 70, so you'll receive an alert and the monitor is labeled as being in severe condition. During the next poll, if the monitored value falls back down to a normal level—62 for example—you'll receive an alert about its return to normal condition. Should the value go back up to 71 for the next poll, you'll once again receive a breach alert. In order to avoid all these alerts, you can enter a rearm value. By entering a rearm value (in this case, it can be 50), the monitor will only be considered in normal condition once it drops down to this value. 

You can set multiple threshold conditions and choose whether they're triggered by:

• All the conditions
• Any of the conditions
• Individual conditions

Each threshold condition is usually defined as Varbind Condition Value AND/OR, with the following attributes:

Varbind: Choose a necessary Varbind. Varbinds are variable bindings. Varbinds denote the variable number of packets included in an SNMP packet of a received trap message. Each Varbind is identified by its OID, type, and value. 

Condition: Choose any of the following conditions from the drop-down list: Equals, Not equals, Starts with, Contains, Doesn't contain, =, =!, >, >=, <=, or <. Make sure you choose the appropriate numeric or string conditions based on the Varbind.

Value: Enter the appropriate numeric or string value. 

The SNMP Traps view

The configured and added trap processors are listed in the SNMP Traps view based on their current statuses: Down, Up, or Trouble. In this view, you can quickly see the count of total and active trap processors, as well as the number of trap processors remaining as per your license. Click on a trap to view details like time of receipt and message.

Figure 3. The SNMP Traps view.

Unsolicited Traps

Any SNMP Trap that hasn't been configured for monitoring is collected and displayed as a list of unsolicited traps. These can be viewed and added from the SNMP Traps tab as shown in the image below.

You can add the SNMP Trap by clicking on the "+" icon and then follow the instructions described above. While creating the Trap Processor, you can select the devices in which that trap has to be monitored. After this, you can view the data under the tab SNMP Traps.

Editing and deleting trap processors

All the added trap processors are listed in the Trap Processors view. You can edit and delete them by clicking on the pencil 
() or trash bin () icons respectively.

Device-wise traps

View device-specific traps by clicking on a device name. You can access this from Network > Network Devices.

Here, you can view the trap name, trap message, time of receipt, and status. You can also add trap processors and bulk suspend them.

Click the hamburger icon () to edit threshold conditions or activate a suspended trap processor.

Figure 4. Device-specific traps.

Alert mechanisms

You can configure trap alerts to notify you through email, SMS, phone call, or push notifications. You can also receive these notifications through integrated applications, including ManageEngine's Alarms One and ServiceDesk Plus, as well as third-party applications like Zapier, Slack, PagerDuty, and Microsoft Teams.

Follow the steps below to configufre alerts:

1. Go to the Network tab and click on the desired device name. 
2. Go to Traps tab. All your device-wise traps will be listed here. 
3. Click on the hamburger icon under Actions and click Edit Threshold Profile. 
4. Toggle Yes against Mark the device as Trouble when the trap's status is Trouble/Down.
5. Click Save.

Related articles

• Configuring a network device to send SNMP traps
• How to use MIB browser
• Testing if the traps are received by Site24x7 On-Premise Poller 
• Custom SNMP monitoring