nv-l

RE: [nv-l] Authentication Failure Traps Root Cause Question

2003-12-08 12:36:09
Subject: RE: [nv-l] Authentication Failure Traps Root Cause Question
From: "Bursik, Scott {PBSG}" <Scott.Bursik AT pbsg DOT com>
To: "'nv-l AT lists.us.ibm DOT com'" <nv-l AT lists.us.ibm DOT com>
Date: Mon, 8 Dec 2003 11:26:27 -0600
Thanks for the input. I understand what I am looking at now. I will sniff
one of the nodes and see "who" is trying to access the SNMP agent.

Thanks,

Scott Bursik
PepsiCo Business Solutions Group
Enterprise Systems Management
scott.bursik AT pbsg DOT com
(972) 963-1400
 

-----Original Message-----
From: Jeff Fitzwater [mailto:jfitz AT princeton DOT edu] 
Sent: Monday, December 08, 2003 11:15 AM
To: nv-l AT lists.us.ibm DOT com
Subject: Re: [nv-l] Authentication Failure Traps Root Cause Question

"Bursik, Scott {PBSG}" wrote:

> NetView 7.1.3 AIX 4.3.3
>
> I am getting a lot of these events in my trapd.log for different nodes and I
> am a bit confused. I know this is probably a basic question but what is the
> root cause for these events? It appears that I have the community names
> configured correctly in xnmsnmpconf so I am at a loss here. It is probably a
> concept that I am missing.
>
> nodea.pepsi.com  A Incorrect Community Name (authenticationFailure Trap)
> enterprise:ENTERPRISES (1.3.6.1.4.1.311.1.1.3.1.2) args(0):
>
> Thanks,
>
> Scott Bursik
> PepsiCo Business Solution Group

Scott, there are two basic reasons you are seeing the
AUTHENTICATION FAILURE traps. Number one is obvious but take a close look at
#2.2. This is what we see a lot.

1.    The node receiving them is in your database.

2.1   Some host is sending an SNMP packet with that device's IP and wrong SNMP
community name.

2.2   It can also be a host using HP printer software trying to find printers
on that subnet if they did not specifically choose one. The packets they send
out have a DST of BROADCAST and an incorrect SNMP community name. So the
packet touches every host on that subnet and if any of those hosts support
SNMP traps and are in your database, you get the trap. The clear indicator is
when other devices on the same subnet, including the CISCO router interface for
that subnet, report the same trap. With the router trap you also get the
offending host IP.




Jeff Fitzwater
OIT Systems & Networking
Princeton University
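
The indicator described for case 2.2 (several agents on one subnet, including the router interface, reporting the trap together) can be checked mechanically before sniffing. The sketch below is an added example, not part of the original thread: the event tuples are constructed rather than parsed from a real trapd.log, and the /24 prefix, 5-second window and three-reporter threshold are assumptions to tune per site.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events: (epoch seconds, IP of the agent that sent the
# authenticationFailure trap). Not taken from a real trapd.log.
SAMPLE_EVENTS = [
    (1000, "10.1.20.11"),
    (1001, "10.1.20.1"),    # e.g. the router interface on that subnet
    (1001, "10.1.20.57"),
    (1002, "10.1.20.93"),
    (1400, "10.1.20.11"),   # isolated repeat, well outside the first burst
    (5000, "10.9.4.8"),     # lone reporter on another subnet
    (5300, "10.9.4.8"),
]


def classify_auth_failures(events, prefix_len=24, window=5, min_reporters=3):
    """Group traps by subnet and split each group into bursts of <= window
    seconds. A burst with >= min_reporters distinct agents matches the
    broadcast pattern (case 2.2); anything else looks directed (case 2.1).
    prefix_len, window and min_reporters are assumed tuning values."""
    by_subnet = defaultdict(list)
    for ts, ip in events:
        net = ip_network(f"{ip}/{prefix_len}", strict=False)
        by_subnet[net].append((ts, ip_address(ip)))

    findings = []
    for net, items in sorted(by_subnet.items()):
        items.sort()
        burst = [items[0]]
        for item in items[1:] + [None]:   # None flushes the final burst
            if item is not None and item[0] - burst[0][0] <= window:
                burst.append(item)
                continue
            reporters = sorted({ip for _, ip in burst})
            kind = "broadcast" if len(reporters) >= min_reporters else "directed"
            findings.append({"subnet": str(net), "start": burst[0][0],
                             "kind": kind,
                             "reporters": [str(r) for r in reporters]})
            if item is not None:
                burst = [item]
    return findings


if __name__ == "__main__":
    for finding in classify_auth_failures(SAMPLE_EVENTS):
        print(finding)
```

A "broadcast" finding narrows the follow-up to the router's trap for that subnet, which carries the offending host IP; a "directed" finding points to capturing traffic at the reporting node.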
