James,
It turns out that the Cisco 2950 Catalyst switch IOS has a bug that causes
the unknown trap. Here is the text of the Release Notes for IOS 12.1_(9)EA1.
When enabling traps on a catalyst 2950, messages are received at the NMS
with erroneous object identifiers (.1.3.6.1.2.1.0.2 and .1.3.6.1.2.1.0.1).
The switch should just send three traps, linkdown, linkup and a syslog trap.
It actually sends 4 traps. The first one is bogus. To me it looks like the
Enterprise is missing. Here is the edited tcpdump.
09:57:19.143082625 hostname.57572 > netview.snmp-trap: C=XXXX Trap(74)
[10.26.250.135] enterpriseSpecific[specific-trap(2)!=0] 206297425
E:cisco.9.46.1.3.1.1.1.1.516=516 31.1.1.1.1.47="Fa0/47"
09:57:21.123965340 hostname.57572 > netview.snmp-trap: C=XXXX Trap(119)
E:cisco.1.429 [10.26.250.135] linkDown 206297622
interfaces.ifTable.ifEntry.ifIndex.47=47
interfaces.ifTable.ifEntry.ifDescr.47="FastEthernet0/47"
interfaces.ifTable.ifEntry.ifType.47=6 E:cisco.2.2.1.1.20.47="down"
09:57:27.794249434 hostname.57572 > netview.snmp-trap: C=XXXX Trap(117)
E:cisco.1.429 [10.26.250.135] linkUp 206298290
interfaces.ifTable.ifEntry.ifIndex.47=47
interfaces.ifTable.ifEntry.ifDescr.47="FastEthernet0/47"
interfaces.ifTable.ifEntry.ifType.47=6 E:cisco.2.2.1.1.20.47="up"
09:57:28.046060639 hostname.57572 > netview.snmp-trap: C=XXXX Trap(199)
E:cisco.9.41.2 [10.26.250.135] enterpriseSpecific[specific-trap(1)!=0]
206298290 E:cisco.9.41.1.2.3.1.2.338="LINK" E:cisco.9.41.1.2.3.1.3.338=4
E:cisco.9.41.1.2.3.1.4.338="UPDOWN" E:cisco.9.41.1.2.3.1.5.338="Interface
FastEthernet0/47, changed state to up" E:cisco.9.41.1.2.3.1.6.338=206298290
Thanks for all your help.
Ray Westphal
Enterprise Rent-A-Car
-----Original Message-----
From: James Shanks [mailto:jshanks@us.ibm.com]
Sent: Thursday, August 29, 2002 7:47 AM
To: Westphal, Raymond
Cc: nv-l@lists.tivoli.com
Subject: Re: [nv-l] Help with an unknown trap - PLEASE!
Ray -
The trace you have provided if for a different trap with the same
enterprise ID, which is 1.3.6.1.2.1. This is the OID of a standard SNMP
MIB-II element, which you can see if you use the MIB browser, xnmbrowser,
and go down the tree. Try it. Follow down to
".iso.org.dod.internet.mgmt" and with mib-2 in the window, click
"Describe". It shows that this has the OID .1.3.6.1.2.1. That's what
you have to define as an enterprise in trapd.conf, just as the "NO FMT"
message in the trapd.log said. Call it whatever you like. How about
"SNMPV1-MIB2"?
The rest of message says that this trapd is generic type 6 and specific
type 2, and that it has two variables with it. The first is variable is
vtpVlanTable.vtpVlanEntry.vtpVlanIndex.1.892 and has an integer value of "
892 ". I don't know what that means to your switch -- you'll have to
consult Cisco for that - but it looks like a port to
me. The second variable is ifMIB.ifMIBObjects.ifXTable.ifXE
ntry.ifName.48 and has a text (OctetString) value of " Fa0/48 ". That looks
like an interface name to me, but again, you'll have to
consult Cisco doc to determine what it means. In any case, the "No FMT"
message tells you everything you need to know about how to define this
trap to trapd.conf.
You don't need the trace.
The trace message you provided is for the same enterprise id, 1.3.6.1.2.1,
but for specific trap number 1, not 2. There is probably another "No FMT"
message in your trapd.log which spells this one out too. I have provided
the translation below. Since they are so similar I am not surprised your
were confused. In any case, just define the enterprise and specific traps
1 and 2 and the "No FMT" will go away. But you'll have to consult Cisco
to determine what the traps mean.
Hope this helps
30 44 02 01 00 04 0a XX XX XX XX XX XX XX XX XX 0D.....XXXXXXXXX
XX a4 33 06 05 2b 06 01 02 01 40 04 aa bb cc dd e.3..+....@.....
02 01 06 02 01 01 43 04 06 1d af 77 30 18 30 16 ......C....w0.0.
06 10 2b 06 01 04 01 09 09 2e 01 03 01 01 01 01 ..+.............
86 7c 02 02 03 7c -- -- -- -- -- -- -- -- -- -- .|...|..........
30 44 x'30' start of trap, length x'44' or 68 bytes
02 01 00 x'02' means 'integer', length = 1, x'00' = SNMP V1
format
04 0a XX XX XX XX XX XX XX XX XX XX octet string, 10 bytes, community
name
a4 x'a4' means "SNMP PDU type, a trap"
33 remaining length x'33' or 51 bytes
06 05 2b 06 01 02 01 x'06' = Enterprise ID, length =5, value =
1.3.6.1.2.1
40 04 aa bb cc dd x'40' means IP Address
02 01 06 x'02' integer, length of 1, value = 6 generic trap
type (vendor)
02 01 01 x'01' integer, length of 1, value = 1 specific
trap number
43 04 06 1d af 77 x'43' time ticks length of 4, value x'61daf77' or
102608759
30 18 x'30' start of variable section x'18' or 24 bytes
remaining
30 16 x'30' first variable x'16' or 22 bytes long
06 10 x'06' OID of variable, x'10' or 16 bytes long:
2b 06 01 04 01 09 09 2e 01 03 01 01 01 01 86 7c
1.3.6 .1 .4 .1 .9 .9.46 .1 .3 .1 .1 .1 .1.134.124
02 02 03 7c x'02' integer, length=2, value x'037c' or 892
James Shanks
Level 3 Support for Tivoli NetView for UNIX and NT
Tivoli Software / IBM Software Group
"Westphal, Raymond" <RWestphal@erac.com>
08/28/2002 04:49 PM
To: "NV List (E-mail)" <nv-l@lists.tivoli.com>
cc:
Subject: [nv-l] Help with an unknown trap - PLEASE!
Hello Everyone.
I've been receiving the following trap from several Cisco 2950 Catalyst
switches. The trap arguments provide the VLAN number and associated
physical
interface number. I cannot determine which trap definition(s) NV is
missing.
The hex trace of the trap (from trapd.trace) is listed below. The
Enterprise
OID provided is only 1.3.6.1.2.1. I crossed out the comm. name and the IP
address in the packet for security. I did confirm that aa.bb.cc.dd is the
IP
listed at the bottom of the trace.
Has anyone else encountered this trap or does anyone have a suggestion?
TRAP
****************************************************************************
********************************
1030558010 2 Wed Aug 28 13:06:50 2002 hostname ? NO FMT IN TRAPD.CONF:
mib-2 (1.3.6.1.2
.1) generic:6 specific:2 args(2): [1]
vtpVlanTable.vtpVlanEntry.vtpVlanIndex.1.892 (Integer): 892
1030558010 2 Wed Aug 28 13:06:50 2002 hostname ? [2]
ifMIB.ifMIBObjects.ifXTable.ifXE
ntry.ifName.48 (OctetString): Fa0/48
****************************************************************************
********************************
TRACE
Wed Aug 28 09:55:42 2002 send_to_appl: [12] [72000] sent packet 94 bytes
Wed Aug 28 09:55:42 2002 del_first_event: [12] [72000] all events sent
Wed Aug 28 09:55:42 2002 trapd: [15] [112752] ready for writing
Wed Aug 28 09:55:42 2002 send_to_appl: [15] [112752] sending event len 94
Wed Aug 28 09:55:42 2002 send_to_all_appls: [112752] appl queue size 1 of
maximum 30000 events
Wed Aug 28 09:55:42 2002 send_to_appl: [15] [112752] sent packet 94 bytes
Wed Aug 28 09:55:42 2002 del_first_event: [15] [112752] all events sent
30 44 02 01 00 04 0a XX XX XX XX XX XX XX XX XX 0D.....XXXXXXXXX
XX a4 33 06 05 2b 06 01 02 01 40 04 aa bb cc dd e.3..+....@.....
02 01 06 02 01 01 43 04 06 1d af 77 30 18 30 16 ......C....w0.0.
06 10 2b 06 01 04 01 09 09 2e 01 03 01 01 01 01 ..+.............
86 7c 02 02 03 7c -- -- -- -- -- -- -- -- -- -- .|...|..........
Wed Aug 28 09:55:42 2002 queue_event: queued 70 bytes.
Wed Aug 28 09:55:42 2002 process_event: de-queued 70 bytes.
Wed Aug 28 09:55:42 2002 process_event: received UDP trap from aa.bb.cc.dd
****************************************************************************
********************************
Thanks in advance.
Ray Westphal
Enterprise Rent-A-Car
---------------------------------------------------------------------
To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
For additional commands, e-mail: nv-l-help@lists.tivoli.com
*NOTE*
This is not an Offical Tivoli Support forum. If you need immediate
assistance from Tivoli please call the IBM Tivoli Software Group
help line at 1-800-TIVOLI8(848-6548)
|