Re: Authentication Problem

To: nv-l@lists.tivoli.com
Subject: Re: Authentication Problem
From: "David E. Dimond" <dimond@allina.com>
Date: Wed, 27 Sep 2000 13:44:50 -0500

Tom,

I spend a goodly portion of my day tracking these down.  What you
have here is someone hitting the device luminere.pts.umn.edu with
an incorrect community string every night at 12:30am.  I don't know
what sort of device this is, but it clearly has some type of SNMP
agent capable of spitting out this trap.  Unfortunately, the vendor
 - apparently IBM in this case - didn't bother encapsulating the
vital piece of information that should accompany this trap.  i.e.
the source address of the device issuing the SNMP request with
the wrong community string.

You have two options:  Convince the vendor that the bloody trap is
useless without the source address and get them to give you proper
code for their agent, or put a sniffer on the wire and capture the
offending packet(s) - you already know when to start the capture...

We've gone around and around with various vendors over this issue,
and so far Cisco is the only one of the big players that seems to
implement this.  Most IOS-based Cisco kit running 12.whatever will
give you the source address if the offender is spewing regular SNMP
gets or '0.0.0.0' if the offender was IPX_SNMP.  Note that this 
does not imply that Cisco is anywhere near having their act
together regarding trap encapsulation... ;-)

As to what could be causing this, it could be anything capable
of performing SNMP autodiscovery.  And there's LOTS of stuff out
there now.  Mostly I find it to be either a misconfigured management
application, HP Jet-admin, or an old Microsoft IPX client looking
for a default printer not on the local wire.

Hope that helps, give me a call if you need further assistance - 
I see you're local...

Oh, and the first field in the trapd.log, from the man page for
trapd, is:

"The time the event or trap was received in seconds since
 the epoch (00:00:00 GMT January 1, 1970)."

Regards,

Dave Dimond
Network Systems Management
Allina Health System
Minneapolis, MN
dimond@allina.com
612-775-1552

Thomas Kunz wrote:
> 
> Hello
> 
> We have NetView 5.1.2, AIX 4.3.1 and Framework 3.6.1.
> Every day at 12:30 A.M. we get the following error message in trapd.log. How 
> can I find out where it is coming from?
> Also what do the numbers at the front of the message mean?
> 
> 970032625  4  Wed Sep 27 00:30:25 2000 luminere.pts.umn.edu      A IBM 
> Incorrect Community Name (authenticationFailure Trap)
> 
> Thanks in advance.
> 
> Thanks and have a great day!  :-)
> Tom Kunz
> OIT/PTS Network & AIX Systems Support
> University of Minnesota
> 1300 S. 2nd St.
> Mpls., MN. 55454-1083
> Suite 660
> Phone: 612-624-8086
> Fax: 612-626-1332
> Email: t-kunz@cafe.tc.umn.edu
> 
> **************************************************************************
> This e-mail and its attachments have been scanned for viruses.
> NDIS/ADCS University of Minnesota
> **************************************************************************
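
Added example, not part of the original messages and not NetView code: a small Python parser that reads trapd.log lines, converts the leading epoch-seconds field described above, and reports which nodes raise authenticationFailure traps at the same time of day on several days, which gives the window for the packet capture suggested in the reply. The field layout is inferred from the single log line quoted in the thread; the second field and the single letter are carried through uninterpreted, and all log lines except the first are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Layout inferred from the one line quoted in the thread (an assumption):
# <epoch seconds> <number> <ctime-style timestamp> <node> <letter> <message>
LINE_RE = re.compile(
    r"^(?P<epoch>\d+)\s+(?P<num>\d+)\s+"
    r"(?P<stamp>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\s+"
    r"(?P<node>\S+)\s+(?P<flag>\S)\s+(?P<msg>.*)$"
)

# First line is the one from the thread (unwrapped); the others are constructed.
SAMPLE_LOG = """\
970032625  4  Wed Sep 27 00:30:25 2000 luminere.pts.umn.edu      A IBM Incorrect Community Name (authenticationFailure Trap)
970119027  4  Thu Sep 28 00:30:27 2000 luminere.pts.umn.edu      A IBM Incorrect Community Name (authenticationFailure Trap)
970150000  4  Thu Sep 28 09:06:40 2000 router1.example.net       A Constructed unrelated event
970205424  4  Fri Sep 29 00:30:24 2000 luminere.pts.umn.edu      A IBM Incorrect Community Name (authenticationFailure Trap)
"""

def auth_failures(log_text):
    """Yield (node, UTC datetime) for every authenticationFailure trap line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and "authenticationFailure" in m.group("msg"):
            yield m.group("node"), datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)

def recurring_windows(log_text, min_days=2, slot_minutes=5):
    """Return {(node, 'HH:MM' UTC slot): [dates]} for slots hit on >= min_days days."""
    seen = defaultdict(set)
    for node, ts in auth_failures(log_text):
        slot = (ts.hour * 60 + ts.minute) // slot_minutes * slot_minutes
        seen[(node, f"{slot // 60:02d}:{slot % 60:02d}")].add(ts.date().isoformat())
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_days}

if __name__ == "__main__":
    for (node, slot), days in recurring_windows(SAMPLE_LOG).items():
        print(f"{node}: authenticationFailure around {slot} UTC on {', '.join(days)}")
```

The slots are reported in UTC because the epoch field is defined relative to GMT; the human-readable timestamp in the same line is the NetView server's local time.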

