snmp / syslog mystery

Unanswered Question

Perplexed by something . I'm trying to clean up some 2950 L2 switch configs. On all switches, a predecessor configured snmp and syslog logging, but the configs reference a non-existent server IP address. That's fine - I can just change the address to the correct one. But what is baffling me is that syslog and snmp are already both receiving information from the switches (confirmed with Wireshark). In other words, before changing anything in the configs, I wanted to confirm the problem and looked at data on the installed Cisco Network Assistant on the correct server. And I see that syslog and snmp are both receiving info from the switches. And the logged entries are current. My question is 'How can this be?'. How can an snmp or Syslog server get information from an agent device that is incorrectly configured? Could it be that an SNMP community is all that is needed on an agent (and not snmp-server host)? (Doesn't explain the syslog).

Thank you for any help you can provide.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Loading.
David Stanford Wed, 12/03/2008 - 19:51

With the snmp-server community configured an NMS can poll a router for info and the device will respond.

What ports are you seeing the snmp traffic on? Polling data will be on a different port then traps (generated from the device and uses the host command)

Is there any logging command at all on the device related to syslog?

Very sorry for the long delay. I will not be able to revisit the issue until Monday, but you may be onto something re: the snmp. I know I saw a lot of GETs and GET responses, but can't say for sure if there were any traps. Will let you know.

The syslog, however, is truly baffling. Yes, there is a logging command on the (selected) remote device, but it points to a non-existent server. Other than that command, all logging is disabled except buffer:

no logging exception

no logging console

no logging monitor

no logging trap

logging 10.128.0.253 (non-existent IP)

And yet the NMS (Cisco Network Assistant at different address) is consistently recording Notifications Errors, and Warnings. I've looked at the logging buffer to confirm that the data is accurate. This is puzzling to me.

I will send you details on the snmp traffic.

Thank you for what looks to be a promising and informed response.

Even with a misconfigured smmp on the remote switch, snmp GET requests are unicast from the NMS to the remote switch with a dest port of udp 161; GET responses are unicast from the remote switch back to the NMS with a source port of udp 161.

Can we conclude from this that unicasts are sent from the NMS to each member of the community ('public' in this case), regardless of an incorrect 'snmp-server host' command? If so, are the addresses of all community members stored in an a database accessible to the NMS? (MIB?)

Thank you.

Actions

This Discussion