Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
743
Views
4
Helpful
5
Replies

Varbind authAddr

Go to solution
aryanadonis
Level 1
Level 1

‎02-17-2009 10:03 AM

Ciscoworks LMS is receiving numerous SNMP authentication failure traps from scanning

activity performed by our network security group. Although LMS reports the trap in DFM's

history, it does not provide the varbind authAddr for us to know what the source IP

address of the authentication attempt.

Old versions of Ciscworks 2000 which we still have running do show the source IP address

in DFM's alert history.

How do we get the new LMS platforms to provide authAddr in the DFM alert so that we can

determine whether it's our own security staff or an intruder generating the failed SNMP

authentications ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee
In response to aryanadonis

‎02-17-2009 09:39 PM

I am uncertain why the varbinds were taken out. You could talk to your account team, and tell them to create a Product Enhancement Request on your behalf requesting this feature be added back.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee

‎02-17-2009 10:43 AM

This is not possible. Admittedly, DFM is not a general purpose trap receiver. You can choose to forward the traps DFM receives to another trap receiver (e.g. HPOV NNM, net-snmp's snmptrapd, etc.) by configuring trap forwarding under DFM > Configuration > Other Configurations > SNMP Trap Forwarding.

For a quick solution, you could start a sniffer trace on the LMS server, and look at the raw traps to get the varbinds. You may also be seeing syslog messages in RME's Syslog Stanard Report which will include the host doing the polling.

0 Helpful

Go to solution
aryanadonis
Level 1
Level 1
In response to Joe Clarke

‎02-17-2009 11:59 AM

Thanks for the reply.

In Ciscoworks 2000 it always told us the source that caused the trap ( I

can send you screenshots showing this).

Are you saying that this

functionality has been completely removed from the new LMS product ?

0 Helpful

Go to solution
aryanadonis
Level 1
Level 1
In response to Joe Clarke

‎02-17-2009 05:32 PM

Thanks jclarke,

Generating a minor alarm on that trap as DFM currently does is completely useless without having the authaddr varbind included in the alert. That varbind is absolutely critical to have.

Is there a way for us to request that it be put back into the product ? Why would they even take it out to begin with ?

0 Helpful

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee
In response to aryanadonis

‎02-17-2009 09:39 PM

I am uncertain why the varbinds were taken out. You could talk to your account team, and tell them to create a Product Enhancement Request on your behalf requesting this feature be added back.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents