nv-l
[Top] [All Lists]

Re: [nv-l] authenticationFailure trap received from enterprise cisco

Subject: Re: [nv-l] authenticationFailure trap received from enterprise cisco
From: "Jeffrey G. Fitzwater" <jfitz@Princeton.EDU>
Date: Wed, 18 Sep 2002 16:52:52 -0400
Cc: nv-l@lists.tivoli.com
James Shanks wrote:

> Authentication Failures are ALWAYS about using the wrong community name.
> That is precisely what "authentication failure" means -- someone or
> something attempted to get information from an SNMP agent using an
> incorrect community name.  So if the source of this trap is a Cisco
> device, I recommend you go login to that device and look at its logs.  I
> am not certain but it ay be that someone changed the read community name
> on this box and that change has not been made yet in NetView using the
> xnmsnmpconf dialog.
>
> James Shanks
> Level 3 Support  for Tivoli NetView for UNIX and NT
> Tivoli Software / IBM Software Group
>
> john.j.mackney@accenture.com
> 09/18/2002 04:37 AM
>
>
>         To:     nv-l@lists.tivoli.com
>         cc:
>         Subject:        [nv-l] authenticationFailure trap received from 
> enterprise cisco
>
>
>
> I have NetView 7.1.2 on Solaris 8 (+All recommended SUN patches)
> Since I turned NetView on this week I keep getting loads of traps like the
> following:
>
> A authenticationFailure trap received from enterprise cisco with 1
> argument: authAddr= "my_netview_server"
> SPECIFIC    :     0 (hex: 0)
> GENERIC     :     4
> CATEGORY    :     Status Events
> ENTERPRISE  :     cisco 1.3.6.1.4.1.9.1.48
> SOURCE      :     Agent  (A)
> HOSTNAME    :     "cisco 7505's IP address"
> SEVERITY    :     Indeterminate
> LOGGEDTIME  :     09/18/02 06:25:01 AM
>
> If I click Browse MIB and follow down the tree I can get to
> .1.3.6.1.4.1.9.1...
> or
> .iso.org.dod.internet.private.enterprise.enterprises.cisco.ciscoProducts...
>
> But I cannot find the final .48 in the tree.
>
> I do not think the error is related to community names as when I click
> "Start Query" anywhere in the MIB tree, I get in the messages window if
> the
> MIB browser:
> Note using community "our_read_Community_Name" for node "cisco 7505's IP
> address"
> and it returns a value
>
> Anyone know what's happening. I get similar traps from other cisco devices
> (but obviously with either OID values - which also do not resolve the last
> value).
>
> Is this because the OS of the cisco devices do not match the MIBs I have
> installed.
> Please - any info anyone - out network managers are complaining about the
> volume of traps.
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise private information.  If you have
> received it in error, please notify the sender immediately and delete the
> original.  Any other use of the email by you is prohibited.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
> For additional commands, e-mail: nv-l-help@lists.tivoli.com
>
> *NOTE*
> This is not an Offical Tivoli Support forum. If you need immediate
> assistance from Tivoli please call the IBM Tivoli Software Group
> help line at 1-800-TIVOLI8(848-6548)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
> For additional commands, e-mail: nv-l-help@lists.tivoli.com
>
> *NOTE*
> This is not an Offical Tivoli Support forum. If you need immediate
> assistance from Tivoli please call the IBM Tivoli Software Group
> help line at 1-800-TIVOLI8(848-6548)

    I believe what you are seeing are auth traps from cisco devics that were 
generated by a
host. (our case misconfigured print tool on win for HP printers)  This tools 
will look for
any printer using SNMP with DST of broadcast.  Therefor any device on that 
subnet will see
the SNMP query with wrong (usually public) community.   The CISCO is responding 
correctly
and you should see the source of the bad device in the log.   If you have the 
routers set
up to send traps, you should see them in netview event window (if set up to 
STATUS) .  NOTE
CISCO is one of the few devices that show the source of the AUTH FAILURE so if 
you see
other devices on same subnet reporting AUTH FAILURES and the router is on the 
same sub, the
cause is usulally a single host broadcasting snmp queries.


Hope this helps.



Jeff Fitzwater
OIT Systems & Networking
Princeton University


<Prev in Thread] Current Thread [Next in Thread>

Archive operated by Skills 1st Ltd

See also: The NetView Web