https://community.extremenetworks.com/t5/extremeswitching-exos-switch/snmp-autherrors-source/m-p/68385#M18548 <P>Hello,</P><P>one of our switches showed a high cpu utilization and after a short look it seemed that someone sends SNMP requests without or with wrong authentication:</P><PRE><CODE>SNMP stats:<BR />InPkts 10230358 OutPkts 10230357 Errors 10188902 AuthErrors 10188902<BR />Gets 10197808 GetNexts 32068 Sets 0 Drops 0</CODE></PRE><P>(Errors and AuthErrors kept increasing fast)</P><P>So I just checked the logs and thought I would find the source for these requests. Well, the only logs I found were in nvram and months old:</P><PRE><CODE>07/08/2020 07:08:19.96 &lt;Warn:SNMP.Master.AuthFail&gt; Login failed through SNMPv1/v2c - bad community name (192.168.x.x)</CODE></PRE><P>The log configuration is default:</P><PRE><CODE>show configuration ems detail <BR />#<BR /># Module ems configuration.<BR />#<BR />disable log debug-mode<BR />configure log messages privilege admin<BR />configure log filter DefaultFilter add events All <BR />enable log target memory-buffer <BR />configure log target memory-buffer filter DefaultFilter severity Debug-Data<BR />configure log target memory-buffer match Any<BR />enable log target nvram <BR />configure log target nvram filter DefaultFilter severity Warning<BR />configure log target nvram match Any<BR />configure log target nvram format timestamp hundredths date mm/dd/yyyy event-name condition severity </CODE></PRE><P>Any idea why these&nbsp; AuthFails have been logged in the past, but now this isn’t the case anymore? Maybe changed with a newer firmware? (Switch currently runs 30.7.1.1-patch1-86)&nbsp;</P><P>These logs have “Warning” as their severity, which should be included in both the memory-buffer (Debug-Data) and nvram logs (warning)&nbsp; or do I miss something?&nbsp;</P><P>Best regards<BR />Stefan</P><P>&nbsp;</P> Fri, 12 Mar 2021 02:22:43 GMT Stefan_K_ 2021-03-12T02:22:43Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/snmp-autherrors-source/m-p/68385#M18548 <P>Hello,</P><P>one of our switches showed a high cpu utilization and after a short look it seemed that someone sends SNMP requests without or with wrong authentication:</P><PRE><CODE>SNMP stats:<BR />InPkts 10230358 OutPkts 10230357 Errors 10188902 AuthErrors 10188902<BR />Gets 10197808 GetNexts 32068 Sets 0 Drops 0</CODE></PRE><P>(Errors and AuthErrors kept increasing fast)</P><P>So I just checked the logs and thought I would find the source for these requests. Well, the only logs I found were in nvram and months old:</P><PRE><CODE>07/08/2020 07:08:19.96 &lt;Warn:SNMP.Master.AuthFail&gt; Login failed through SNMPv1/v2c - bad community name (192.168.x.x)</CODE></PRE><P>The log configuration is default:</P><PRE><CODE>show configuration ems detail <BR />#<BR /># Module ems configuration.<BR />#<BR />disable log debug-mode<BR />configure log messages privilege admin<BR />configure log filter DefaultFilter add events All <BR />enable log target memory-buffer <BR />configure log target memory-buffer filter DefaultFilter severity Debug-Data<BR />configure log target memory-buffer match Any<BR />enable log target nvram <BR />configure log target nvram filter DefaultFilter severity Warning<BR />configure log target nvram match Any<BR />configure log target nvram format timestamp hundredths date mm/dd/yyyy event-name condition severity </CODE></PRE><P>Any idea why these&nbsp; AuthFails have been logged in the past, but now this isn’t the case anymore? Maybe changed with a newer firmware? (Switch currently runs 30.7.1.1-patch1-86)&nbsp;</P><P>These logs have “Warning” as their severity, which should be included in both the memory-buffer (Debug-Data) and nvram logs (warning)&nbsp; or do I miss something?&nbsp;</P><P>Best regards<BR />Stefan</P><P>&nbsp;</P> Fri, 12 Mar 2021 02:22:43 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/snmp-autherrors-source/m-p/68385#M18548 Stefan_K_ 2021-03-12T02:22:43Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/snmp-autherrors-source/m-p/68386#M18549 <P>Hi Stefan,</P><P>&nbsp;</P><P>just tested with a switch using 30.7.1.1-pacth1-86, an snmpv2 request with wrong community would be reported in the logs like that.</P><P>An snmpv3 request with wrong credentials however would not be logged by default and I cannot see a log event that you could enable.</P><P>However, I would recommend applying an access-profile to protect snmp and allow only SNMP from trusted IP addresses.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 12 Mar 2021 16:16:21 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/snmp-autherrors-source/m-p/68386#M18549 OscarK 2021-03-12T16:16:21Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/snmp-autherrors-source/m-p/68387#M18550 <P>Hello Oscar,</P><P>thanks for your answer!</P><P>Yes, I could simply block those SNMP requests, but this would only cure the symptoms, not the cause. In this case we were able to find the device that sent the SNMP packets, because my customer remembered that they had an old monitoring-system. In other cases it would be nice to find the source of the SNMP packets (I mean, it&nbsp; was possible for snmpv2, why not for snmpv3?) without using port-mirrors and checking tcp-dumps or something like that.</P> Fri, 12 Mar 2021 18:15:49 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/snmp-autherrors-source/m-p/68387#M18550 Stefan_K_ 2021-03-12T18:15:49Z