3750 sw is not sending SSH login failure SNMP trap

Difan Zhao

Hi experts,

I want to make my switch send a trap when a failed SSH login is detected. I found the "Login Enhancement" feature and enabled the trap and logging for the failed attempt.

3750# sh run | in login
aaa authentication login default local
login delay 1
login on-failure

3750# sh login
     A login delay of 1 seconds is applied.
     No Quiet-Mode access list has been configured.
     All failed login is logged and generate SNMP traps.
     Router NOT enabled to watch for login Attacks

Then I enabled all the traps except the one for syslog (because I don't want all the log messages to be sent as SNMP traps...)

(config)# snmp-server enable traps
(config)# no snmp-server enable traps syslog
(config)# snmp-server host 10.1.1.1 mysnmpkey

Now when I try to log in with an incorrect password I do see the log but I don't receive the trap...

Nov 23 12:39:27: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.1] [localport: 22] [Reason: Login Authentication Failed] at 12:39:27 EST Wed Nov 23 2011

Of course when I enable the "syslog" trap I see something, but that's for more than just this log message.

Any idea why??

My 3750-24TS-E is running

Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)

Thanks!

Difan

7 Replies

Hi,

Can you please configure following and check:

R1(config)#snmp-server enable traps aaa_server

HTH,

Smitesh

Hey Smitesh thanks for the reply. However my switch doesn't support the aaa_server trap...

#snmp-server enable traps ?
  auth-framework    Enable SNMP CISCO-AUTH-FRAMEWORK-MIB traps
  bgp               Enable BGP traps
  ...

Mine is a 3750 switch. Is this command for routers?

Thanks,

Difan

Hi,

It is 3725 with IOS 12.4 (15) T5

Regards,

Smitesh

Hi Smitesh, does that mean that this feature is supported on my switches? So there is no way to send trap upon failed login?

Thanks

Hi,

Not sure, but there is one 3750 coming to my NOC this afternoon. I will check on that and will get back to you.

Regards,
Smitesh

Hi,

I'm sorry, I couldn't find that option on the 3750. I need to do a little more digging.

If I find anything, I will get back to you.

Regards,

Smitesh

Hey thanks. I appreciate it. Please keep me posted.
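
The original post shows that the failed login does reach syslog even though no trap arrives. As an added example (not from any poster in this thread and not Cisco code), this is one way to alert on that message at a syslog collector instead; the threshold, the window and the sample lines are assumptions, with the lines constructed in the format of the %SEC_LOGIN-4-LOGIN_FAILED message quoted in the post.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field layout copied from the log line in the post. The user field is chosen by
# the client, so it is matched greedily: the device-written Source field is the LAST one.
LOGIN_FAILED = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>.*)\] "
    r"\[Source: (?P<source>[^\]\s]+)\] \[localport: (?P<port>\d+)\] \[Reason: [^\]]+\] "
    r"at (?P<time>\d\d:\d\d:\d\d) \S+ (?P<date>\w{3} \w{3} \d{1,2} \d{4})$")

def parse_failure(line):
    """Return (device-local timestamp, source, user, port), or None for any other line."""
    m = LOGIN_FAILED.search(line.strip())
    if not m:
        return None
    try:
        source = str(ipaddress.ip_address(m["source"]))
    except ValueError:
        return None
    ts = datetime.strptime(f"{m['time']} {m['date']}", "%H:%M:%S %a %b %d %Y")
    return ts, source, m["user"], int(m["port"])

def find_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {source: time at which `threshold` failures first fell inside `window`}."""
    recent, alerts = defaultdict(deque), {}
    for line in lines:  # lines are assumed to arrive in time order
        event = parse_failure(line)
        if event is None:
            continue
        ts, source, _user, _port = event
        q = recent[source]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and source not in alerts:
            alerts[source] = ts
    return alerts

# Constructed sample lines; the third carries a user name that imitates a Source field.
_T = ("Nov 23 {0}: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: {1}] [Source: {2}] "
      "[localport: 22] [Reason: Login Authentication Failed] at {0} EST Wed Nov 23 2011")
SAMPLE = [_T.format(*row) for row in [
    ("12:39:27", "admin", "10.1.1.1"),
    ("12:40:01", "root", "192.0.2.50"),
    ("12:40:09", "admin] [Source: 10.1.1.1", "192.0.2.50"),
    ("12:40:20", "test", "192.0.2.50"),
]]
```

The time zone token in the message is skipped, so timestamps are compared as device-local time.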