SNMP Authentication Failure

normanzhang
Level 1

I'm getting lots of SNMP Authentication Failure traps from my N7K (10.1.1.100). Unfortunately the trap doesn't contain information about the origin (who was trying to communicate with the N7K).

Time of Trap: 07:54 AM
IP Address: 10.1.1.100
Trap Details: snmpTrapEnterprise = SNMPv2-MIB:authenticationFailure
snmpTrapOID = SNMPv2-MIB:authenticationFailure
sysUpTime = 35 days 21 hours 31 minutes 35.21 seconds

# ethanalyzer local interface inband capture-filter "udp port 162"

Capturing on inband
2011-05-13 09:50:12.849677 10.1.1.100 -> 10.200.30.164 SNMP sNMPv2-Trap 1.3.6.1.2.1.1.3.0 1.3.6.1.6.3.1.1.4.1.0 1.3.6.1.6
.3.1.1.4.3.0
2011-05-13 09:50:12.949624 10.1.1.100 -> 10.200.30.164 SNMP sNMPv2-Trap 1.3.6.1.2.1.1.3.0 1.3.6.1.6.3.1.1.4.1.0 1.3.6.1.6
.3.1.1.4.3.0
2011-05-13 09:50:13.049587 10.1.1.100 -> 10.200.30.164 SNMP sNMPv2-Trap 1.3.6.1.2.1.1.3.0 1.3.6.1.6.3.1.1.4.1.0 1.3.6.1.6
.3.1.1.4.3.0
2011-05-13 09:50:13.249582 10.1.1.100 -> 10.200.30.164 SNMP sNMPv2-Trap 1.3.6.1.2.1.1.3.0 1.3.6.1.6.3.1.1.4.1.0 1.3.6.1.6

# ethanalyzer local interface inband capture-filter "udp port 161 and host 10.1.1.100"

Capturing on inband

2011-05-13 09:44:35.670895 10.50.1.194 -> 10.1.1.100 SNMP get-request 1.3.6.1.2.1.2.2.1.10.151060596

2011-05-13 09:44:35.671482 10.50.1.194 -> 10.1.1.100 SNMP get-request 1.3.6.1.2.1.2.2.1.10.369098878

2011-05-13 09:44:35.671855 10.50.1.194 -> 10.1.1.100 SNMP get-request 1.3.6.1.2.1.2.2.1.10.369098879

2011-05-13 09:44:35.672835 10.1.1.100 -> 10.50.1.194 SNMP get-response 1.3.6.1.2.1.2.2.1.10.151060596

2011-05-13 09:44:35.674354 10.1.1.100 -> 10.50.1.194 SNMP get-response 1.3.6.1.2.1.2.2.1.10.369098878

2011-05-13 09:44:35.675554 10.1.1.100 -> 10.50.1.194 SNMP get-response 1.3.6.1.2.1.2.2.1.10.369098879

2011-05-13 09:44:35.689346 10.50.1.194 -> 10.1.1.100 SNMP get-request 1.3.6.1.2.1.2.2.1.11.151060596

2011-05-13 09:44:35.689596 10.50.1.194 -> 10.1.1.100 SNMP get-request 1.3.6.1.2.1.2.2.1.11.369098878

2011-05-13 09:44:35.689844 10.50.1.194 -> 10.1.1.100 SNMP get-request 1.3.6.1.2.1.2.2.1.11.369098879

2011-05-13 09:44:35.690860 10.1.1.100 -> 10.50.1.194 SNMP get-response 1.3.6.1.2.1.2.2.1.11.151060596

10 packets captured

Program exited with status 0

Ethanalyzer exits too quickly and doesn't tell me if the authentication is failing... Is there a better way to troubleshoot this?

Accepted Solutions

phiharri
Level 1

Greetings,

To capture more than the default 10 frames with Ethanalyzer, you can add the 'limit-capture ' argument.

For SNMP authentication failures, you can most likely get a log event from the switch by increasing the default snmpd message level with 'logging level snmpd 6'. Then you should see a message in the log such as:

%SNMPD-3-ERROR: SNMP log error : snmp Auth fail:bad community name from host: 10.55.230.123

Cheers,

/Phil
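
Once snmpd logging is raised as described in the answer above, the failure messages can be tallied per source host to find who is sending the bad community string. This is an added example, not part of the original post or Cisco code; it assumes the log has been exported as text, that other failure reasons follow the same "Auth fail:<reason> from host:" shape, and the `approved_pollers` list is hypothetical.

```python
import re
from collections import Counter

# Shape of the message quoted in the answer; the syslog prefix before the
# %SNMPD tag (timestamp, hostname) varies by setup and is ignored.
AUTH_FAIL = re.compile(
    r"%SNMPD-\d-ERROR: SNMP log error : snmp Auth fail:\s*(?P<reason>.+?)"
    r"\s+from host:\s*(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: only the message text follows the post; timestamps,
# the "n7k" hostname, the 192.0.2.10 poller and the last line are made up.
SAMPLE_LOG = """\
2011 May 13 09:50:12 n7k %SNMPD-3-ERROR: SNMP log error : snmp Auth fail:bad community name from host: 10.55.230.123
2011 May 13 09:50:12 n7k %SNMPD-3-ERROR: SNMP log error : snmp Auth fail:bad community name from host: 10.55.230.123
2011 May 13 09:50:13 n7k %SNMPD-3-ERROR: SNMP log error : snmp Auth fail:bad community name from host: 10.55.230.123
2011 May 13 09:51:40 n7k %SNMPD-3-ERROR: SNMP log error : snmp Auth fail:bad community name from host: 192.0.2.10
2011 May 13 09:52:01 n7k unrelated message that must be ignored
"""


def auth_failures(lines):
    """Count SNMP auth failures keyed by (source host, failure reason)."""
    hits = Counter()
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            hits[(m.group("host"), m.group("reason"))] += 1
    return hits


def unexpected_sources(hits, approved_pollers):
    """Failing hosts outside the approved poller set, busiest first."""
    totals = Counter()
    for (host, _reason), count in hits.items():
        if host not in approved_pollers:
            totals[host] += count
    return totals.most_common()


if __name__ == "__main__":
    hits = auth_failures(SAMPLE_LOG.splitlines())
    # 192.0.2.10 stands in for a known NMS with a stale community string.
    for host, count in unexpected_sources(hits, {"192.0.2.10"}):
        print(f"{host}: {count} failed SNMP requests")
```

A failing host that is on the approved list usually points to a stale community string on that poller, while one that is not on the list is worth tracing and restricting with an SNMP ACL.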
