Beginner

Authentication Failure for snmp even though community ACL denies NMS

Getting snmp authentication failures even though I have an applied community ACL that is configured to deny the NMS ip address in the implicit deny all at the end of the ACL.

Sep 26 09:49:11: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 130.123.97.55

Sep 26 09:49:15: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 130.123.97.55

Sep 26 09:49:19: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 130.123.97.55

Sep 26 09:49:23: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 130.123.97.55

Sep 26 09:49:23: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 130.123.97.55

Sep 26 09:49:27: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 130.123.97.55

Router#show access-list 50

Standard IP access list 50

    permit 130.123.128.1

    permit 130.123.128.2

    permit 130.123.128.164

Router#

snmp-server community Public RO 50

snmp-server community Private RW 50

1 ACCEPTED SOLUTION

Enthusiast

This is normal behavior for an ACL applied to a Community String.

If you want it blocked before it reaches the snmp engine, you will need to apply the ACL at the Interface level.


Regards,

-Joe


5 REPLIES
Cisco Employee

This error is seen on the device when the device is polled and an incorrect snmp community is used by someone and the device is configured for snmp-server enable traps snmp authentication.

Check who is polling the device with incorrect community string.

-Thanks

-Thanks Vinod **Rating encourages contributors, and it's really free.**
Cisco Employee

Check who is host # 130.123.97.55.

-Thanks Vinod **Rating encourages contributors, and it's really free.**
Beginner

Hi Vinod,

Thanks, I suppose I didn't pose my question properly.  Why, when I have a security ACL applied to the snmp community, is the snmp daemon even checking an incoming snmp packet against the snmp community string when said packet is supposedly denied by the configured Security ACL?  It should not be reaching the snmp daemon, or should it?  How does it work: snmp community check first, then the Security ACL, or Security ACL first, then snmp community?

Contributor

IMO this is rather silly

IMO this is rather silly behavior on Cisco's part.  If there's an ACL locking down SNMP polling access to certain IPs, I really don't care if nonpermitted IPs are hitting with wrong community.  

My solution is just to disable SNMP authentication logging.

(config)#no logging snmp-authfail
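
Added example, not part of the thread: a Python triage of the %SNMP-3-AUTHFAIL messages against the `show access-list` output, separating sources outside ACL 50 (the case the accepted answer describes) from permitted hosts that sent a wrong community string (the case in the first reply). It assumes the ACL holds only permit entries, as in the thread; the function names and the last sample log line are constructed.

```python
import ipaddress
import re
from collections import Counter

AUTHFAIL_RE = re.compile(
    r"%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host (\S+)")
# Standard-ACL permit entry as printed by "show access-list": optional sequence
# number, then a host, "any", or "network, wildcard bits mask".
PERMIT_RE = re.compile(
    r"^\s*(?:\d+\s+)?permit\s+(\S+?)(?:,\s+wildcard bits\s+(\S+))?(?:\s+\(.*\))?\s*$")

# The ACL and the first two log lines are from the thread; the last is constructed.
SAMPLE_LOG = """\
Sep 26 09:49:11: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 130.123.97.55
Sep 26 09:49:15: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 130.123.97.55
Sep 26 09:50:02: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 130.123.128.2
"""
SAMPLE_ACL = """\
Standard IP access list 50
    permit 130.123.128.1
    permit 130.123.128.2
    permit 130.123.128.164
"""

def parse_permits(show_acl_output):
    """Return (address, wildcard) integer pairs, one per permit entry."""
    permits = []
    for line in show_acl_output.splitlines():
        m = PERMIT_RE.match(line)
        if m:
            addr, wild = ("0.0.0.0", "255.255.255.255") if m.group(1) == "any" \
                else (m.group(1), m.group(2) or "0.0.0.0")
            permits.append((int(ipaddress.IPv4Address(addr)),
                            int(ipaddress.IPv4Address(wild))))
    return permits

def is_permitted(host, permits):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    ip = int(ipaddress.IPv4Address(host))
    return any((ip & ~wild) == (addr & ~wild) for addr, wild in permits)

def triage(log_text, show_acl_output):
    """Map each failing source to (count, likely cause)."""
    permits = parse_permits(show_acl_output)
    report = {}
    for host, n in Counter(AUTHFAIL_RE.findall(log_text)).items():
        cause = ("wrong community from permitted host" if is_permitted(host, permits)
                 else "source not permitted by community ACL")
        report[host] = (n, cause)
    return report
```

Calling `triage(SAMPLE_LOG, SAMPLE_ACL)` returns one entry per source address; a source reported as not permitted is a candidate for an interface-level ACL, while a permitted source points to a misconfigured poller.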
