My CiscoWorks server is making multiple UDP 161 and ICMP (ping) requests to an external IP 188.8.131.52, and they are being denied by the firewall.
Any idea what is causing it?
Thanks in advance.
Assuming you don't have a device with 184.108.40.206 as its address:
See if it happens when the discovery takes place.
CiscoWorks tries to contact the neighbours via SNMP and ping; perhaps a neighbour uses this 220.127.116.11 address.
Also check the discovery report. Maybe you can see which devices see this 18.104.22.168 device as a neighbour.
What is the server OS?
If it isn't Discovery, it could be any process that can cause an issue. You can check which process is using the ping/ICMP.
The following are the features/jobs which can use it:
When you see these messages, you can check whether stopping the corresponding processes fixes this or not:
stop ICServer process (NMSROOT/bin/pdterm ICServer) (to start: NMSROOT/bin/pdexec ICServer)
stop ConfigMgmtServer and ConfigUtilityService
Fault Manager :
Check if multiple sm_server processes are running; try to kill them using OS capabilities, from Task Manager or the kill -9 signal on Solaris/Unix.
There is a system-generated subnet object 22.214.171.124 found in subnet groups; maybe this is the reason it's sending the requests to 126.96.36.199. What is this system-generated 188.8.131.52, and is it really required? How can I delete it?
If you have such a group, one of your devices has an address in this range.
It is possible this address is used by CDP and therefore will be in the discovery report.
The subnet will go away if you no longer have an interface in this subnet.
Apart from what Michel said, you can check the User Tracking subnet acquisition.
The subnet acquisition is used by the User Tracking mechanism, which finds the details about the end hosts connected on the network.
You can trigger acquisition on a single subnet or a select set of subnets. Subnet based acquisition collects details about the end hosts that are connected to a particular subnet or a select set of subnets. This Acquisition completes faster, since it is not run on all devices managed by LMS.
You can check the settings here:
Admin > Collection Settings > User Tracking > Subnet Acquisition Configuration
Try to exclude the subnet you want and see if this goes away.
For more details check here:
Along with this, please check Ping sweep in UT settings.
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine the range of IP addresses that map to live end hosts (computers). You can use a single ping to find out whether a specific end host exists on the network.
A Ping Sweep consists of ICMP (Internet Control Message Protocol) ECHO requests sent to multiple hosts.
Try to disable Ping Sweep from:
Admin > Collection Settings > User Tracking > Ping Sweep
Choose any of the following:
•Disable Ping Sweep
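The timing check suggested in the thread (does the denied traffic line up with Discovery or a User Tracking acquisition run?) can be done from the firewall side. The following is an added example, not part of the original posts and not CiscoWorks code: it groups denied SNMP (UDP/161) and ICMP probes into bursts and reports the spacing between them. The log format, the addresses and the function names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample firewall deny log (format and addresses are assumptions).
SAMPLE_LOG = """\
2024-01-10T02:00:01 DENY proto=udp src=10.0.0.5 dst=198.51.100.7 dport=161
2024-01-10T02:00:02 DENY proto=icmp src=10.0.0.5 dst=198.51.100.7
2024-01-10T02:00:04 DENY proto=udp src=10.0.0.5 dst=198.51.100.7 dport=161
2024-01-10T06:00:01 DENY proto=udp src=10.0.0.5 dst=198.51.100.7 dport=161
2024-01-10T06:00:03 DENY proto=icmp src=10.0.0.5 dst=198.51.100.7
2024-01-10T10:00:01 DENY proto=icmp src=10.0.0.5 dst=198.51.100.7
2024-01-10T10:00:02 DENY proto=tcp src=10.0.0.9 dst=198.51.100.7 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: dport=(?P<dport>\d+))?$"
)

def probe_bursts(log_text, server, target, gap=timedelta(minutes=5)):
    """Group denied SNMP/ICMP probes from server to target into bursts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["src"] != server or m["dst"] != target:
            continue
        is_snmp = m["proto"] == "udp" and m["dport"] == "161"
        if is_snmp or m["proto"] == "icmp":
            events.append((datetime.fromisoformat(m["ts"]), "snmp" if is_snmp else "icmp"))
    events.sort()
    bursts = []
    for ts, kind in events:
        # Start a new burst when the quiet period since the last probe exceeds gap.
        if not bursts or ts - bursts[-1]["end"] > gap:
            bursts.append({"start": ts, "end": ts, "snmp": 0, "icmp": 0})
        bursts[-1]["end"] = ts
        bursts[-1][kind] += 1
    return bursts

def burst_intervals(bursts):
    """Time between burst starts; a constant value suggests a scheduled job."""
    return [b["start"] - a["start"] for a, b in zip(bursts, bursts[1:])]

if __name__ == "__main__":
    bursts = probe_bursts(SAMPLE_LOG, "10.0.0.5", "198.51.100.7")
    for b in bursts:
        print(b["start"], "snmp:", b["snmp"], "icmp:", b["icmp"])
    print("intervals:", burst_intervals(bursts))
```

A constant interval between bursts can then be compared with the Discovery and User Tracking acquisition schedules configured on the server.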