[Top] [All Lists]

RE: [nv-l] Cursed Cisco Trap Formats

To: <nv-l@lists.tivoli.com>
Subject: RE: [nv-l] Cursed Cisco Trap Formats
From: "Barr, Scott" <Scott_Barr@csgsystems.com>
Date: Thu, 3 Oct 2002 12:15:41 -0500
All three varities come in with the same enterprise ID. Not sure how this would help.
-----Original Message-----
From: Stringfellow, William [mailto:William.Stringfellow@bankofamerica.com]
Sent: Thursday, October 03, 2002 12:01 PM
To: Barr, Scott; nv-l@lists.tivoli.com
Subject: RE: [nv-l] Cursed Cisco Trap Formats

    We have seen this many times because the particular Cisco device is sending it's own version of Link UP/Down traps (there are many devices that have unique ways of sending what should be a generic trap.)   We learned about this when we first put MLMs in place and started seeing the raw trap varbinds. 
    Anyway, to fix it, figure out what the oid is for the device that is giving you the wrong number of varbinds, create a new trapd.conf entry for it in the enterprise piece, then add LinkUp and LinkDown specific traps to your menu for that enterprise.
    Under the "Event Log Message" use the generic "enterprise: $E args($#):\n$*"
    The $* part will give you each of the varbinds in an individual line in your trapd.log.  Then you can see what information is being provided and change the Event Log Message format so that it makes sense to your operators.
     I go through the log once a day looking for "no known format" or "FMT ERROR" messages and massage the trapd.conf to accomodate them.  We have found many traps where the original log entry had nothing to do with the real trap, remember that the definition of the trap stops at the last piece of the oid that NetView can interpret.  So pay attention to the first part of the trap where it says "received from enterprist AAAA" that AAAA is the name you will see in the list of enterprises when you bring up the trap definition window.
        Good luck,
 -----Original Message-----
From: Barr, Scott [mailto:Scott_Barr@csgsystems.com]
Sent: Thursday, October 03, 2002 9:27 AM
To: nv-l@lists.tivoli.com
Subject: [nv-l] Cursed Cisco Trap Formats

NetView 7.1.1 on Solaris 2.8
Okay guys, I am looking for a way to skin a Cisco cat. The problem is due to the fact that we run a wide variety of protocols and routers, we often do not run the latest Cisco IOS versions. I recently had a situation where I observed this in trapd.log:
1033361376 3 Sun Sep 29 23:49:36 2002 <routernamehere> A Cisco_Link_Down trap received from enterprise cisco with 3 arguments: ifIndex=24; ifDescr=ATM1/0.8-aal5 layer; ifType=49; locIfReason=FMT ERROR: accessing element #4, only 3 available                                                               
Notice the format error. The reason this occurs is because under most circumstances the cisco IOS is delivering only 3 elements and the trap format in trapd.conf has 4 elements defined. So I opened TAC case on this with Cisco and they told me to use the following command on the routers:
snmp-server trap link ietf
Now, the trap comes in and looks like this:
1033478849 3 Tue Oct 01 08:27:29 2002 <routernamehere> A Cisco_Link_Down trap received from enterprise cisco with 5 arguments: ifIndex=26; ifDescr=2; ifType=2;  locIfReason=ATM1/0.9-aal5 layer                  
Now we get five arguments (still only 4 defined in trapd.conf) Okay, first problem is the format is still wrong since trapd.conf is not matching up with the IETF standard (which I have not been able to find yet). But thats no big deal, since I assumed I was writing some code to catch the variables and make intelligent decisions about what to do with it.
But wait! There is more! A lot of the routers send in link up/down traps in this format:
1033480388 3 Tue Oct 01 08:53:08 2002 <routernamehere>  A Cisco_Link_Down trap received from enterprise cisco with 4 arguments: ifIndex=1; ifDescr=Serial0/0;  ifType=22;  locIfReason=administratively down
So, to sum it up, I get link up/down traps with either 3, 4, or 5 arguments depending on what router is sending it in. They all have the same cisco enterprise ID so using trapd.conf to bypass the issue is not possible. I use rulesets (not command for automatic action in trapd.conf) to suppress interface outages of less than 5 minutes. I lose this functionality if I just pass the trap via command for automatic action. So what I need is a script that I can run using an action node, that can decipher whether there are 3,4, or 5 arguments and then parse them out. I am paging/emailing in my ruleset using action nodes, I would have to move them to the parsing script (no problem - we use nvpage and mailx)
Suggestions on scripts? How to code trapd.conf? Where is Cisco headquarters and what is composition of the materials used to build it? I *am* not a script coder person, so if you send me a perl script write it the way any idiot C programmer could read it and not one of your fancy-only-takes-1-line-of-completely-unreadable code.
- Signed: stuck between a rock and  a hard place with a boulder on my head.
Scott Barr
Network Systems Engineer
CSG Systems
Phone: 402-431-7939
Fax: 402-431-7413
<Prev in Thread] Current Thread [Next in Thread>

Archive operated by Skills 1st Ltd

See also: The NetView Web