04-02-2014 01:02 AM
Hi
My CiscoWorks server is making multiple UDP 161 and ICMP (ping) requests to an external IP, 1.1.1.1, and they are being denied by the firewall.
Any idea what is causing it?
Thanks in advance
Shanil
04-02-2014 06:14 AM
Assuming you don't have a device with 1.1.1.1 as its address:
See if it happens when the discovery takes place.
CiscoWorks tries to contact the neighbours via SNMP and ping; perhaps a neighbour uses this 1.1.1.1 address.
Also check the discovery report. Maybe you can see which devices see this 1.1.1.1 device as a neighbour.
Cheers,
Michel
04-03-2014 01:30 AM
What is the server OS?
If it isn't Discovery, it could be any process where it can cause an issue. You can check which process is using the ping/ICMP.
The following are the features/jobs which can use it:
When you see these messages, you can check whether stopping the corresponding processes fixes this or not:
Inventory:
Stop the ICServer process (NMSROOT/bin/pdterm ICServer) (to start: NMSROOT/bin/pdexec ICServer)
Config Archive:
Stop ConfigMgmtServer and ConfigUtilityService
Fault Manager:
Check if multiple sm_server processes are running; try to kill them using OS capabilities, from Task Manager or kill -9 sig in sol/unix.
-Thanks
Vinod
04-03-2014 01:40 AM
There is a system-generated subnet object 1.1.1.1 found in subnet groups; maybe this is the reason it's sending the requests to 1.1.1.1. What is this system-generated 1.1.1.1, and is it really required? How can I delete it?
Shanil
04-03-2014 02:01 AM
If you have such a group, one of your devices has an address in this range.
It is possible this address is used by CDP and therefore will be in the discovery report.
The subnet will go away if you no longer have an interface in this subnet.
Cheers,
Michel
04-03-2014 05:08 AM
Apart from what Michel said, you can check the User Tracking subnet acquisition.
Subnet acquisition is used by the User Tracking mechanism, which finds the details about the end hosts connected on the network.
You can trigger acquisition on a single subnet or a select set of subnets. Subnet based acquisition collects details about the end hosts that are connected to a particular subnet or a select set of subnets. This Acquisition completes faster, since it is not run on all devices managed by LMS.
You can check the settings here:
Admin > Collection Settings > User Tracking > Subnet Acquisition Configuration
Try to exclude the subnet you want and see if this goes away.
For more details, check here:
Configuring Subnet UT Acquisition
Along with this, please check Ping Sweep in the UT settings.
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine the range of IP addresses that map to live end hosts (computers). You can use a single ping to find out whether a specific end host exists on the network.
A Ping Sweep consists of ICMP (Internet Control Message Protocol) ECHO requests sent to multiple hosts.
Try to disable Ping Sweep from:
Admin > Collection Settings > User Tracking > Ping Sweep
Choose any of the following:
• Disable Ping Sweep
-Thanks
Vinod