05-13-2011 07:10 AM - edited 03-06-2019 05:02 PM
I'm getting lots of SNMP Authentication Failure traps from my N7K (10.1.1.100). Unfortunately the trap doesn't contain information about the origin (who was trying to communicate with the N7K).
Time of Trap: 07:54 AM
IP Address: 10.1.1.100
Trap Details: snmpTrapEnterprise = SNMPv2-MIB:authenticationFailure
snmpTrapOID = SNMPv2-MIB:authenticationFailure
sysUpTime = 35 days 21 hours 31 minutes 35.21 seconds
# ethanalyzer local interface inband capture-filter "udp port 162"
Capturing on inband
2011-05-13 09:50:12.849677 10.1.1.100 -> 10.200.30.164 SNMP sNMPv2-Trap 1.3.6.1.2.1.1.3.0 1.3.6.1.6.3.1.1.4.1.0 1.3.6.1.6.3.1.1.4.3.0
2011-05-13 09:50:12.949624 10.1.1.100 -> 10.200.30.164 SNMP sNMPv2-Trap 1.3.6.1.2.1.1.3.0 1.3.6.1.6.3.1.1.4.1.0 1.3.6.1.6.3.1.1.4.3.0
2011-05-13 09:50:13.049587 10.1.1.100 -> 10.200.30.164 SNMP sNMPv2-Trap 1.3.6.1.2.1.1.3.0 1.3.6.1.6.3.1.1.4.1.0 1.3.6.1.6.3.1.1.4.3.0
2011-05-13 09:50:13.249582 10.1.1.100 -> 10.200.30.164 SNMP sNMPv2-Trap 1.3.6.1.2.1.1.3.0 1.3.6.1.6.3.1.1.4.1.0 1.3.6.1.6
# ethanalyzer local interface inband capture-filter "udp port 161 and host 10.1.1.100"
Capturing on inband
2011-05-13 09:44:35.670895 10.50.1.194 -> 10.1.1.100 SNMP get-request 1.3.6.1.2.1.2.2.1.10.151060596
2011-05-13 09:44:35.671482 10.50.1.194 -> 10.1.1.100 SNMP get-request 1.3.6.1.2.1.2.2.1.10.369098878
2011-05-13 09:44:35.671855 10.50.1.194 -> 10.1.1.100 SNMP get-request 1.3.6.1.2.1.2.2.1.10.369098879
2011-05-13 09:44:35.672835 10.1.1.100 -> 10.50.1.194 SNMP get-response 1.3.6.1.2.1.2.2.1.10.151060596
2011-05-13 09:44:35.674354 10.1.1.100 -> 10.50.1.194 SNMP get-response 1.3.6.1.2.1.2.2.1.10.369098878
2011-05-13 09:44:35.675554 10.1.1.100 -> 10.50.1.194 SNMP get-response 1.3.6.1.2.1.2.2.1.10.369098879
2011-05-13 09:44:35.689346 10.50.1.194 -> 10.1.1.100 SNMP get-request 1.3.6.1.2.1.2.2.1.11.151060596
2011-05-13 09:44:35.689596 10.50.1.194 -> 10.1.1.100 SNMP get-request 1.3.6.1.2.1.2.2.1.11.369098878
2011-05-13 09:44:35.689844 10.50.1.194 -> 10.1.1.100 SNMP get-request 1.3.6.1.2.1.2.2.1.11.369098879
2011-05-13 09:44:35.690860 10.1.1.100 -> 10.50.1.194 SNMP get-response 1.3.6.1.2.1.2.2.1.11.151060596
10 packets captured
Program exited with status 0
Ethanalyzer exits too quickly and doesn't tell me if the authentication is failing... Is there a better way to troubleshoot this?
05-14-2011 02:05 AM
Greetings,
To capture more than the default 10 frames with Ethanalyzer you can add the 'limit-capture
For SNMP authentication failures, you can most likely get a log event from the switch by increasing the default snmpd message level with 'logging level snmpd 6'. Then you should see a message in the log such as:
%SNMPD-3-ERROR: SNMP log error : snmp Auth fail:bad community name from host: 10.55.230.123
Cheers,
/Phil
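Once the switch is logging the message quoted in the reply above, the failures can be summarized per source address. The following is an added example, not part of the original thread and not Cisco code: the sample log lines are constructed, their timestamp/hostname prefix is an assumption, and treating 10.50.1.194 (the poller seen in the capture) as a known manager is also an assumption.

```python
import ipaddress
import re
from collections import Counter

# Message text as quoted in the reply; anything before it (timestamp,
# hostname) is ignored, so the syslog prefix format does not matter.
AUTH_FAIL = re.compile(
    r"%SNMPD-3-ERROR: SNMP log error : snmp Auth fail:"
    r"bad community name from host:\s*(\S+)"
)

def auth_fail_sources(lines):
    """Count 'bad community name' events per source address."""
    counts = Counter()
    for line in lines:
        m = AUTH_FAIL.search(line)
        if not m:
            continue  # unrelated log line
        try:
            counts[str(ipaddress.ip_address(m.group(1)))] += 1
        except ValueError:
            continue  # truncated or garbled address, skip it
    return counts

def triage(counts, known_managers):
    """Label each source: a known manager points to a stale community string
    on that poller; an unknown source is unexpected SNMP traffic to trace."""
    known = {str(ipaddress.ip_address(a)) for a in known_managers}
    return [(addr, n, "known-manager" if addr in known else "unknown-source")
            for addr, n in counts.most_common()]

# Constructed sample log lines (prefix format is an assumption).
MSG = "%SNMPD-3-ERROR: SNMP log error : snmp Auth fail:bad community name from host: "
SAMPLE_LOG = [
    "2011 May 14 02:10:01 N7K " + MSG + "10.55.230.123",
    "2011 May 14 02:10:02 N7K " + MSG + "10.55.230.123",
    "2011 May 14 02:10:05 N7K " + MSG + "10.50.1.194",
    "2011 May 14 02:10:06 N7K %ETHPORT-5-IF_UP: Interface Ethernet1/1 is up",
    "2011 May 14 02:10:07 N7K " + MSG + "10.55.230",  # cut-off address
    "2011 May 14 02:10:09 N7K " + MSG + "10.55.230.123",
]

if __name__ == "__main__":
    for addr, n, kind in triage(auth_fail_sources(SAMPLE_LOG), ["10.50.1.194"]):
        print(f"{addr:15} {n:4} {kind}")
```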