SNMP AuthErrors Source


Stefan_K_
Valued Contributor

Hello,

One of our switches showed high CPU utilization, and after a short look it seemed that someone was sending SNMP requests without or with wrong authentication:

SNMP stats:
InPkts 10230358 OutPkts 10230357 Errors 10188902 AuthErrors 10188902
Gets 10197808 GetNexts 32068 Sets 0 Drops 0

(Errors and AuthErrors kept increasing fast)

So I just checked the logs and thought I would find the source for these requests. Well, the only logs I found were in nvram and months old:

07/08/2020 07:08:19.96 <Warn:SNMP.Master.AuthFail> Login failed through SNMPv1/v2c - bad community name (192.168.x.x)

The log configuration is default:

show configuration ems detail 
#
# Module ems configuration.
#
disable log debug-mode
configure log messages privilege admin
configure log filter DefaultFilter add events All
enable log target memory-buffer
configure log target memory-buffer filter DefaultFilter severity Debug-Data
configure log target memory-buffer match Any
enable log target nvram
configure log target nvram filter DefaultFilter severity Warning
configure log target nvram match Any
configure log target nvram format timestamp hundredths date mm/dd/yyyy event-name condition severity

Any idea why these AuthFails were logged in the past, but now this isn't the case anymore? Maybe this changed with a newer firmware? (Switch currently runs 30.7.1.1-patch1-86)

These logs have "Warning" as their severity, which should be included in both the memory-buffer (Debug-Data) and nvram logs (Warning), or am I missing something?

Best regards
Stefan

 

1 ACCEPTED SOLUTION

OscarK
Extreme Employee

Hi Stefan,

 

I just tested with a switch using 30.7.1.1-patch1-86; an snmpv2 request with a wrong community would be reported in the logs like that.

An snmpv3 request with wrong credentials however would not be logged by default and I cannot see a log event that you could enable.

However, I would recommend applying an access-profile to protect snmp and allow only SNMP from trusted IP addresses.

 

 

 


2 REPLIES 2

Stefan_K_
Valued Contributor

Hello Oscar,

thanks for your answer!

Yes, I could simply block those SNMP requests, but this would only cure the symptoms, not the cause. In this case we were able to find the device that sent the SNMP packets, because my customer remembered that they had an old monitoring system. In other cases it would be nice to find the source of the SNMP packets (I mean, it was possible for snmpv2, why not for snmpv3?) without using port mirrors and checking tcp-dumps or something like that.
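
Added example (not part of the thread and not Extreme's own tooling): where the `SNMP.Master.AuthFail` event is logged, a saved copy of the switch log can be tallied per source address to find the offending poller. The sample lines are constructed in the format of the log line quoted above; per the accepted answer, SNMPv3 failures produce no such line, so this only covers SNMPv1/v2c.

```python
import re
from datetime import datetime

# Layout of the AuthFail line quoted in the thread:
# mm/dd/yyyy hh:mm:ss.hh <Severity:SNMP.Master.AuthFail> message (source)
AUTHFAIL_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) "
    r"<\w+:SNMP\.Master\.AuthFail> "
    r".*\((?P<src>[^()\s]+)\)\s*$"
)

# Constructed sample log (documentation addresses, not taken from the thread).
SAMPLE_LOG = """\
07/08/2020 07:08:19.96 <Warn:SNMP.Master.AuthFail> Login failed through SNMPv1/v2c - bad community name (192.0.2.10)
07/08/2020 07:08:20.41 <Warn:SNMP.Master.AuthFail> Login failed through SNMPv1/v2c - bad community name (192.0.2.10)
07/08/2020 07:08:21.02 <Info:Example.Other> unrelated constructed event (192.0.2.50)
07/08/2020 07:09:03.10 <Warn:SNMP.Master.AuthFail> Login failed through SNMPv1/v2c - bad community name (198.51.100.7)
07/08/2020 07:10:44.77 <Warn:SNMP.Master.AuthFail> Login failed through SNMPv1/v2c - bad community name (192.0.2.10)
"""


def auth_fail_sources(log_text):
    """Map each source to (count, first_seen, last_seen) of AuthFail events."""
    stats = {}
    for line in log_text.splitlines():
        m = AUTHFAIL_RE.match(line.strip())
        if not m:
            continue  # other events, blank lines, CLI banners
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f")
        count, first, last = stats.get(m["src"], (0, ts, ts))
        stats[m["src"]] = (count + 1, min(first, ts), max(last, ts))
    return stats


def top_sources(log_text, n=5):
    """Sources ordered by number of failed requests, busiest first."""
    stats = auth_fail_sources(log_text)
    return sorted(stats.items(), key=lambda kv: kv[1][0], reverse=True)[:n]


if __name__ == "__main__":
    for src, (count, first, last) in top_sources(SAMPLE_LOG):
        print(f"{src:<15} {count:>5}  {first}  ->  {last}")
```
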
