Cisco MDS Downgrade attempt from NX-OS 8.5.1 fails with error: Service: snmpd, Capability : CAP_FEATURE_SNMP_USER_PRIV_TYPE

Summary: Downgrade from 8.5.1 to earlier 8.x versions fails to execute due to compatibility error in snmp config.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

1. ISSD form nx-os 8.5.1 fails with error:  Service: snmpd, Capability : CAP_FEATURE_SNMP_USER_PRIV_TYPE

2. ISSU to NX-OS 8.5(1) with snmp-server user configured gets des parameter included in configuration which prevents ISSD:
  
At 8.4(1a) username test841a is created:

MDS9710(config)# username test841a password 
This is what it looks like in the 8.4(1a) running-config:

username test841a password 5 $5$BHHjWJKi$NLeBFmSWaiG9bdtlchxDdC0MqMOIB5GetNr/g4idtv6  role network-operator
username test841a passphrase  lifetime 99999 warntime 14 gracetime 3
snmp-server user test841a network-operator auth md5 0x83c6f217cef0f643fee4a3130f488a14 priv 0x83c6f217cef0f643fee4a3130f488a14 localizedkey

ISSU to 8.5(1).

This is what it looks like in the 8.5(1) running-config. Note that the des keyword is now inserted:
  
username test841a password 5 $5$BHHjWJKi$NLeBFmSWaiG9bdtlchxDdC0MqMOIB5GetNr/g4idtv6  role network-operator
username test841a passphrase  lifetime 99999 warntime 14 gracetime 3
snmp-server user test841a network-operator auth md5 0x83c6f217cef0f643fee4a3130f488a14 priv des 0x83c6f217cef0f643fee4a3130f488a14 localizedkey

3. Unable to ISSD back to 8.4(1a): compatibility check logs error and indicates how to remove the user with DES privacy type
  
F241-15-09-9710-1# show incompatibility-all system bootflash:m9700-sf4ek9-mz.8.4.1a.bin
Checking incompatible configuration(s):
The following configurations on active are incompatible with  the system image
1) Service : snmpd , Capability : CAP_FEATURE_SNMP_USER_PRIV_TYPE

Description : SNMP user (show running snmp) with DES privacy config present which is not compatible with older image. Please re-configure to remove the DES priv type.
Capability requirement : STRICT
Enable/Disable command :  no snmp-server user 


Cause

Cisco bug id CSCvy23094  Unable to ISSD from NX-OS 8.5(1) with 'snmp-server user' with 'des' parameter in running-config


Conditions:
Applies to all MDS switches running NX-OS 8.5(1) with snmp-server user users configured at prior releases.





Resolution

Workaround:
Update or delete the snmp-server user to proceed with downgrade from NX-OS 8.5.1. If the snmp-server user is updated on NX-OS 8.5(1) then the des encryption parameter will be changed to aes-128 and ISSD will be allowed.


example commands to delete:
config
no snmp-server user test841a network-operator auth md5 0x83c6f217cef0f643fee4a3130f488a14 priv des 0x83c6f217cef0f643fee4a3130f488a14 localizedkey

example commands to recreate/reconfigure:
config
snmp-server user test841a network-operator auth md5 password  priv password




Fix:  upgrade to NX-OS 9.2.1 or higher.  downgrade/ISSD form this versions will not encounter the bug.

Additional Information

Refer to this video:

Affected Products

Connectrix MDS-Series
Article Properties
Article Number: 000206287
Article Type: Solution
Last Modified: 08 Jun 2023
Version:  4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.