02-14-2005 09:20 AM
Anyone ever here of this? I am getting thousands of authentication failure traps at my NMS. The trap shows the source address of 0.0.0.0 for the originator of the request (not the switch). I have tried to catch the offending device by using an access list (10 permit udp host 0.0.0.0 eq snmp any log-input; 20 permit ip any any). I have placed this access list inbound on every SVI on one of my switches and had no hits. I have 21 Cat 6509s, all of which are sending the trap to my NMS. I have opened a ticket with TAC. They say that this is a known issue with Novell servers, but they cant give me any more specific information they cant remember the details. I would think that if the requests are actually coming to the switch I would have seen them using the access list. It seems to me to be more likely that the switch is reporting bogus information. What do you people think?
02-14-2005 10:04 AM
Can you provide a little more detail on your setup. For instance what CatOS/CatIOS version is running on your 6509s? What NMS are you running that's receiving these traps? Could you try putting a sniffer your NMS connection and post a sample of those packets?
Thanks,
Steve
02-14-2005 10:48 AM
Some of my switches are running s72033-pk9sv-mz.122-18.SXD2.bin and the rest are running s72033-pk9sv-mz.122-17d.SXB6.bin all in native mode. My NMS is Entuity "Eye of the Storm" (EOTS). Below is a captured packet that was set to EOTS. Note the last line.
Frame 22921 (109 bytes on wire, 109 bytes captured)
Arrival Time: Dec 23, 2004 13:48:51.252822000
Time delta from previous packet: 15.263457000 seconds
Time since reference or first frame: 16479.514502000 seconds
Frame Number: 22921
Packet Length: 109 bytes
Capture Length: 109 bytes
Ethernet II, Src: 00:11:20:bc:04:47, Dst: 00:03:ba:84:97:81
Destination: 00:03:ba:84:97:81 (SunMicro_84:97:81)
Source: 00:11:20:bc:04:47 (00:11:20:bc:04:47)
Type: IP (0x0800)
Internet Protocol, Src Addr: XXXXXXXXXXXXXXX.umn.edu , Dst Addr: XXXXXXXXXXXXX.umn.edu
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 95
Identification: 0x2de4 (11748)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 253
Protocol: UDP (0x11)
Header checksum: 0x34c4 (correct)
Source: XXXXXXXXXX.umn.edu
Destination: XXXXXXXXXXXXXX.umn.edu
User Datagram Protocol, Src Port: 51407 (51407), Dst Port: snmptrap (162)
Source port: 51407 (51407)
Destination port: snmptrap (162)
Length: 75
Checksum: 0x37a9 (correct)
Simple Network Management Protocol
Version: 1 (0)
Community: XXXXXXXXXXX
PDU type: TRAP-V1 (4)
Enterprise: 1.3.6.1.4.1.9.1.534 (iso.3.6.1.4.1.9.1.534)
Agent address: XXXXXXXXXXXXXX.umn.edu
Trap type: AUTHENTICATION FAILED (4)
Specific trap type: 0
Timestamp: 149835878
Object identifier 1: 1.3.6.1.4.1.9.2.1.5.0 (iso.3.6.1.4.1.9.2.1.5.0)
Value: IpAddress: 0.0.0.0
02-14-2005 01:35 PM
Michael,
The problem is OID 1.3.6.1.4.1.9.2.1.5 (the second line from the bottom) is from the OLD-CISCO-SYS-MIB, but your IOS doesn't support that MIB Set (in fact I couldn't find any Cisco IOS that does support this OID).
Here's the OID Information link:
and your IOS Image supported MIBs
So the question then is, who or what is querying this OID, forcing the 6509s to respond with invalid data? My first guess would by your NMS. Have you updated your snmp & trap definitions to support the 6509NEB?
If these switches are not on the supported device list for your NMS, you should be able to do an SNMPWalk and provide the results to Entuity.
HTH
Steve
02-15-2005 06:16 AM
Thank you for the great answer. I will pursue this with Entuity. They have been great to work with - they should have a fix for me in a few days or so. This reminds me of what I often say, "any question is easy when you know the answer". Thanks again.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide