Leslie Clark wrote:
> George, what platform are the two hosts which are generating the traps?
> Those are the boxes where you have to do the tracing. They are the ones
> being polled by something. There is nothing for Netview to reveal,
> regardless of which platform it is running on.
>
> Since it is often difficult to get the complainer to tell you who it is
> complaining about, Les' suggestion is what most of us do: take a guess as
> to what other snmp-pollers might be in the network, and check them directly
> to see if they are the ones bothering your two hosts. Look for other
> Netviews, Openviews, home-grown programs, and, a common culprit, a JetDirect.
>
> Now, if the two hosts you mention are Solaris, then your request for
> information on how to turn on snmp tracing on Solaris makes sense. And I
> don't know the answer. But someone else probably does.
>
> Cordially,
>
> Leslie A. Clark
> IBM Global Services - Systems Mgmt & Networking
> Detroit
>
> "Beeler, George" <GBeeler@us.britannica.com>@tkg.com on 02/27/2001 12:26:42 PM
>
> Please respond to IBM NetView Discussion <nv-l@tkg.com>
>
> Sent by: owner-nv-l@tkg.com
>
> To: "'IBM NetView Discussion'" <nv-l@tkg.com>
> cc:
> Subject: [NV-L] RE: IBM Authentication Failure traps in Netview on a
> Solaris platform
>
> Les,
>
> Thank-you for the post, but we have already identified the (2) host
> machines that are generating the Authentication Failure Traps. We have
> also double-checked that the community strings are configured correctly to
> report back to Netview, but would like to turn on a 'trace' to be able to
> view the snmp log for details like the hostname or IP address of the node
> making the request, the community name used, and the actual request itself.
> I found a similar posting on Tivoli's Knowledge base that had this exact
> same problem, but they only mentioned an AIX platform and not Solaris. I
> can't find the referenced files that they talk about in that solution with
> regards to Solaris. Has anyone else run into this same problem on a
> Solaris platform?
>
> Regards,
>
> George
>
> -----Original Message-----
> From: Les Dickert [mailto:lesdickert@hotmail.com]
> Sent: Tuesday, February 27, 2001 9:54 AM
> To: nv-l@tkg.com
> Subject: RE: [NV-L] HP Print Servers
>
> Per my previous posting about the HP
> Print Servers and SNMP access, see
>
> http://www.pandi.hp.com/pandi/pdf/port_tech.pdf
>
> Les
>
> >From: "Les Dickert" <lesdickert@HOTMAIL.COM>
> >Reply-To: IBM NetView Discussion <nv-l@tkg.com>
> >To: nv-l@tkg.com
> >Subject: RE: [NV-L] How to determine source of IBM Authentication Failure
> >Traps in Netview for Solaris Platform ?
> >Date: Tue, 27 Feb 2001 15:16:33
> >
> >One thing you may want to look for is
> >an HP Jet Direct print spooler, probably
> >running on an NT server. This spooler
> >likes to issue SNMP queries to everything
> >on its IP subnet to find HP printers, and
> >will bang away at routers, switches, other
> >workstations, everything. I think there is
> >a configuration setting to tell it to quit
> >doing that, but out of the box it does it.
> >
> >We have to go chasing after these things all
> >the time.
> >
> >Les
> >
> >
> >
> >
> >>From: "Beeler, George" <GBeeler@us.britannica.com>
> >>Reply-To: IBM NetView Discussion <nv-l@tkg.com>
> >>To: "'IBM NetView Discussion'" <nv-l@tkg.com>
> >>Subject: RE: [NV-L] How to determine source of IBM Authentication Failure
> >>Traps in Netview for Solaris Platform ?
> >>Date: Tue, 27 Feb 2001 08:54:21 -0600
> >>
> >>Jim,
> >>
> >>Thanks for your reply. We'll give it a try.
> >>
> >>Regards,
> >>
> >>George
> >>
> >>-----Original Message-----
> >>From: Jim Kellock [mailto:jkellock@nc.rr.com]
> >>Sent: Tuesday, February 27, 2001 5:58 AM
> >>To: IBM NetView Discussion
> >>Subject: Re: [NV-L] How to determine source of IBM Authentication
> >>Failure Traps in Netview for Solaris Platform ?
> >>
> >>
> >>NetView only knows what the agent on the machine getting the SNMP poll
> >>will tell him. You have to deal with the source device for the trap
> >>you're getting.
> >>
> >>Two ways you can do this:
> >>1. You can set the logging level up for SNMPD on the machine that's
> >>getting polled with an incorrect community name (if it's a workstation).
> >>Then, as long as that agent is able to determine and capture the info,
> >>he'll log the poller info for you, and may or may not include this info
> >>in his trap to NetView- depends on the agent.
> >>
> >>2. Put a sniffer on it.
> >>
> >>Agents on some routers, switches, etc., don't have the ability to
> >>capture the source address of the poll, even though they recognize the
> >>intrusion and will send the authentication trap.
> >>
> >> > "Beeler, George" wrote:
> >> >
> >> > All,
> >> >
> >> > I have searched through the archives on trying to determine the source
> >> > of IBM Authentication Failure traps in Netview, but we are running it
> >> > on a Solaris platform. Does anyone have any steps that we could try
> >> > and troubleshoot this problem? Mainly, we would like to turn on
> >> > 'tracing' and view the results to be able to track down which end host
> >> > is the culprit.
> >> >
> >> > Thank-you in advance,
> >> >
> >> > George
> >>_________________________________________________________________________
> >>NV-L List information and Archives: http://www.tkg.com/nv-l
Hope this helps.
What may be the source of the auth failures is an HP printer app on a Windows
box sending SNMP "broadcast" queries to find printers on that net. So now
any device on that net sees the SNMP query with the wrong community and sends
a trap back to Netview. If you have Cisco routers, they too will see the
query, and if you have "auth failure" enabled on the router it will tell you the
source of the SNMP request. You normally see many devices on the same net
sending auth failures if the source is using a dest of broadcast.
Jeff Fitzwater
CIT Systems & Networking
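
The sniffer route mentioned in the thread gives the details George asks for: who sent the request, which community it carried, and what the request was. The sketch below is an added example, not code from anyone in this thread; it decodes the SNMPv1/v2c header of captured UDP port 161 payloads and groups the requests an agent would reject by source. The addresses, community strings and packets are constructed samples, and getting `(src, dst, payload)` tuples out of your capture tool is assumed.

```python
from collections import Counter

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

def _tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(payload):
    """Return (version, community, pdu_name) for an SNMPv1/v2c UDP payload."""
    tag, body, _ = _tlv(payload, 0)         # outer SEQUENCE
    vtag, version, pos = _tlv(body, 0)      # INTEGER version (0 = v1, 1 = v2c)
    ctag, community, pos = _tlv(body, pos)  # OCTET STRING community
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04):
        raise ValueError("not an SNMPv1/v2c message")
    pdu = PDU_NAMES.get(body[pos], hex(body[pos]))
    return int.from_bytes(version, "big"), community.decode("latin-1"), pdu

def suspect_pollers(packets, expected):
    """Group requests whose community differs from `expected` by source address."""
    suspects = {}
    for src, dst, payload in packets:
        try:
            _, community, pdu = parse_snmp(payload)
        except (ValueError, IndexError):
            continue                        # not SNMP or malformed: skip it
        if community != expected:
            s = suspects.setdefault(src, {"communities": set(), "targets": set(), "pdus": Counter()})
            s["communities"].add(community)
            s["targets"].add(dst)           # a broadcast target explains traps from many hosts
            s["pdus"][pdu] += 1
    return suspects

def _sample(community):
    # Constructed SNMPv1 GetRequest for sysDescr.0 (sample data, not a real capture)
    body = (b"\x02\x01\x00" + bytes([0x04, len(community)]) + community.encode()
            + bytes.fromhex("a019020101020100020100300e300c06082b060102010101000500"))
    return bytes([0x30, len(body)]) + body

SAMPLE = [("192.0.2.10", "192.0.2.20", _sample("nv-ro-example")),   # the legitimate poller
          ("192.0.2.77", "192.0.2.255", _sample("public")),
          ("192.0.2.77", "192.0.2.255", _sample("internal")),
          ("192.0.2.50", "192.0.2.20", b"\x00\x01")]                # not SNMP, ignored
```

A source whose only target is the subnet broadcast address, as in the constructed sample, matches the pattern Jeff describes: one poller, traps from every agent on that net.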