SNMP source 0.0.0.0

michael-faust
Level 1

Anyone ever hear of this? I am getting thousands of ‘authentication failure’ traps at my NMS. The trap shows the source address of ‘0.0.0.0’ for the originator of the request (not the switch). I have tried to catch the offending device by using an access list (10 permit udp host 0.0.0.0 eq snmp any log-input; 20 permit ip any any). I have placed this access list inbound on every SVI on one of my switches and had no hits. I have 21 Cat 6509s, all of which are sending the trap to my NMS. I have opened a ticket with TAC. They say that this is a known issue with Novell servers, but they can’t give me any more specific information – they can’t remember the details. I would think that if the requests are actually coming to the switch I would have seen them using the access list. It seems to me to be more likely that the switch is reporting bogus information. What do you people think?


steve.busby
Level 5

Can you provide a little more detail on your setup? For instance, what CatOS/CatIOS version is running on your 6509s? What NMS are you running that's receiving these traps? Could you try putting a sniffer on your NMS connection and post a sample of those packets?

Thanks,

Steve

Some of my switches are running s72033-pk9sv-mz.122-18.SXD2.bin and the rest are running s72033-pk9sv-mz.122-17d.SXB6.bin, all in native mode. My NMS is Entuity "Eye of the Storm" (EOTS). Below is a captured packet that was sent to EOTS. Note the last line.

Frame 22921 (109 bytes on wire, 109 bytes captured)
    Arrival Time: Dec 23, 2004 13:48:51.252822000
    Time delta from previous packet: 15.263457000 seconds
    Time since reference or first frame: 16479.514502000 seconds
    Frame Number: 22921
    Packet Length: 109 bytes
    Capture Length: 109 bytes
Ethernet II, Src: 00:11:20:bc:04:47, Dst: 00:03:ba:84:97:81
    Destination: 00:03:ba:84:97:81 (SunMicro_84:97:81)
    Source: 00:11:20:bc:04:47 (00:11:20:bc:04:47)
    Type: IP (0x0800)
Internet Protocol, Src Addr: XXXXXXXXXXXXXXX.umn.edu , Dst Addr: XXXXXXXXXXXXX.umn.edu
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 95
    Identification: 0x2de4 (11748)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 253
    Protocol: UDP (0x11)
    Header checksum: 0x34c4 (correct)
    Source: XXXXXXXXXX.umn.edu
    Destination: XXXXXXXXXXXXXX.umn.edu
User Datagram Protocol, Src Port: 51407 (51407), Dst Port: snmptrap (162)
    Source port: 51407 (51407)
    Destination port: snmptrap (162)
    Length: 75
    Checksum: 0x37a9 (correct)
Simple Network Management Protocol
    Version: 1 (0)
    Community: XXXXXXXXXXX
    PDU type: TRAP-V1 (4)
    Enterprise: 1.3.6.1.4.1.9.1.534 (iso.3.6.1.4.1.9.1.534)
    Agent address: XXXXXXXXXXXXXX.umn.edu
    Trap type: AUTHENTICATION FAILED (4)
    Specific trap type: 0
    Timestamp: 149835878
    Object identifier 1: 1.3.6.1.4.1.9.2.1.5.0 (iso.3.6.1.4.1.9.2.1.5.0)
    Value: IpAddress: 0.0.0.0

Michael,

The problem is OID 1.3.6.1.4.1.9.2.1.5 (the second line from the bottom) is from the OLD-CISCO-SYS-MIB, but your IOS doesn't support that MIB Set (in fact I couldn't find any Cisco IOS that does support this OID).

Here's the OID Information link:

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.2.1.5&translate=Translate&submitValue=SUBMIT

and your IOS Image supported MIBs

http://tools.cisco.com/Support/SNMP/do/MIBSupport.do?imageName=s72033-pk9sv-mz.122-18.SXD2&submit=Search&submitValue=SUBMIT

So the question then is, who or what is querying this OID, forcing the 6509s to respond with invalid data? My first guess would be your NMS. Have you updated your snmp & trap definitions to support the 6509NEB?

If these switches are not on the supported device list for your NMS, you should be able to do an SNMPWalk and provide the results to Entuity.

HTH

Steve
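
Added example, not part of the thread or any poster's code: a minimal Python decoder for the SNMPv1 trap layout shown in the capture above. It returns the agent address and the address carried in the 1.3.6.1.4.1.9.2.1.5.0 varbind, and marks 0.0.0.0 as not traceable. The sample datagram, its community string "public" and the 192.0.2.10 agent address are constructed; the function names are hypothetical.

```python
import ipaddress

SRC_OID = "1.3.6.1.4.1.9.2.1.5.0"   # varbind carried in the capture above

# Constructed sample shaped like that capture: community "public", agent 192.0.2.10.
SAMPLE = bytes.fromhex(
    "303d 020100 0406 7075626c6963 a430 0609 2b0601040109018416 4004 c000020a"
    " 020104 020100 43012a 3014 3012 060a 2b060104010902010500 4004 00000000")

def tlvs(buf):
    """Yield (tag, value) for each BER element in buf."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated BER header")
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                       # long form: next n octets hold the length
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError("truncated BER element")
        yield tag, buf[i:i + length]
        i += length

def oid(v):
    """Decode a BER OBJECT IDENTIFIER value to dotted form."""
    arcs, n = [v[0] // 40, v[0] % 40], 0
    for b in v[1:]:
        n = (n << 7) | (b & 0x7F)               # base-128, high bit = more octets follow
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def auth_failure_source(datagram):
    """Return (agent, reported_source, traceable) for an authenticationFailure trap, else None."""
    (_, msg), = tlvs(datagram)
    (_, _ver), (_, _community), (pdu_tag, pdu) = tlvs(msg)
    if pdu_tag != 0xA4:                         # 0xA4 = SNMPv1 Trap-PDU
        return None
    (_, _ent), (_, agent), (_, generic), _spec, _ts, (_, binds) = tlvs(pdu)
    if int.from_bytes(generic, "big") != 4:     # generic-trap 4 = authenticationFailure
        return None
    src = None
    for _, vb in tlvs(binds):
        (_, name), (vtag, value) = tlvs(vb)
        if oid(name) == SRC_OID and vtag == 0x40:   # 0x40 = IpAddress
            src = ipaddress.IPv4Address(value)
    traceable = src is not None and not src.is_unspecified
    return str(ipaddress.IPv4Address(agent)), str(src) if src is not None else None, traceable
```

Run over traps collected at the NMS, this separates agents that report a usable requester address from those reporting 0.0.0.0, where the varbind gives nothing to trace.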

Thank you for the great answer. I will pursue this with Entuity. They have been great to work with - they should have a fix for me in a few days or so. This reminds me of what I often say, "any question is easy when you know the answer". Thanks again.
