Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
20693
Views
15
Helpful
5
Replies

Authentication Failure for snmp even though community ACL deny's NMS

Go to solution
ssiwatibau
Level 1
Level 1

‎09-25-2012 08:56 PM

Getting snmp authentication failures even though I have an applied community ACL that is configured to deny the NMS ip address in the implicit deny all at the end of the ACL.

Sep 26 09:49:11: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 130.123.97.55

Sep 26 09:49:15: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 130.123.97.55

Sep 26 09:49:19: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 130.123.97.55

Sep 26 09:49:23: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 130.123.97.55

Sep 26 09:49:23: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 130.123.97.55

Sep 26 09:49:27: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 130.123.97.55

Router#show access-list 50

Standard IP access list 50

    permit 130.123.128.1

    permit 130.123.128.2

    permit 130.123.128.164

Router#

snmp-server community Public RO 50

snmp-server community Private RW 50

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jreekers
Level 4
Level 4
In response to ssiwatibau

‎09-28-2012 08:20 AM

This is normal behavior for an ACL applied to a Community String.

If you want it blocked before it reaches the snmp engine, you will need to apply the ACL at the Interface level.


Regards,

-Joe

View solution in original post

5 Replies 5

Go to solution
Vinod Arya
Cisco Employee
Cisco Employee

‎09-26-2012 04:06 AM

This error is seen in device, when the device is polled and an incorrect snmp community is used by someone and the device is configured for snmp-server enable traps snmp authentication.

Check who is polling the device with incorrect community string.

-Thanks

-Thanks Vinod **Rating Encourages contributors, and its really free. **

Go to solution
Vinod Arya
Cisco Employee
Cisco Employee
In response to Vinod Arya

‎09-26-2012 04:07 AM

Check who is host # 130.123.97.55.

-Thanks Vinod **Rating Encourages contributors, and its really free. **
0 Helpful

Go to solution
ssiwatibau
Level 1
Level 1
In response to Vinod Arya

‎09-26-2012 02:05 PM

Hi Vinod,

Thanks, i suppose i did'nt pose my question properly.  Why when i have security ACL applied to the snmp community is the snmp daemon even checking an incoming snmp packet against the snmp community string when said packet is supposedly denied by the configured Security ACL.  It should not be reaching the snmp daemon or should it?  How does it work snmp community check first the Security ACL or Security ACL first then snmp community?

0 Helpful

Go to solution
jreekers
Level 4
Level 4
In response to ssiwatibau

‎09-28-2012 08:20 AM

This is normal behavior for an ACL applied to a Community String.

If you want it blocked before it reaches the snmp engine, you will need to apply the ACL at the Interface level.


Regards,

-Joe

Go to solution
johnnylingo
Level 5
Level 5

‎06-29-2016 10:19 AM

IMO this is rather silly behavior on Cisco's part.  If there's an ACL locking down SNMP polling access to certain IPs, I really don't care if nonpermitted IPs are hitting with wrong community.  

My solution is just disable SNMP authentication logging.  

(config)#no logging snmp-authfail

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents