02-17-2009 10:03 AM
Ciscoworks LMS is receiving numerous SNMP authentication failure traps from scanning
activity performed by our network security group. Although LMS reports the trap in DFM's
history, it does not provide the varbind authAddr for us to know what the source IP
address of the authentication attempt.
Old versions of Ciscworks 2000 which we still have running do show the source IP address
in DFM's alert history.
How do we get the new LMS platforms to provide authAddr in the DFM alert so that we can
determine whether it's our own security staff or an intruder generating the failed SNMP
authentications ?
Solved! Go to Solution.
02-17-2009 09:39 PM
I am uncertain why the varbinds were taken out. You could talk to your account team, and tell them to create a Product Enhancement Request on your behalf requesting this feature be added back.
02-17-2009 10:43 AM
This is not possible. Admittedly, DFM is not a general purpose trap receiver. You can choose to forward the traps DFM receives to another trap receiver (e.g. HPOV NNM, net-snmp's snmptrapd, etc.) by configuring trap forwarding under DFM > Configuration > Other Configurations > SNMP Trap Forwarding.
For a quick solution, you could start a sniffer trace on the LMS server, and look at the raw traps to get the varbinds. You may also be seeing syslog messages in RME's Syslog Stanard Report which will include the host doing the polling.
02-17-2009 11:59 AM
Thanks for the reply.
In Ciscoworks 2000 it always told us the source that caused the trap ( I
can send you screenshots showing this).
Are you saying that this
functionality has been completely removed from the new LMS product ?
02-17-2009 12:03 PM
Yes.
02-17-2009 05:32 PM
Thanks jclarke,
Generating a minor alarm on that trap as DFM currently does is completely useless without having the authaddr varbind included in the alert. That varbind is absolutely critical to have.
Is there a way for us to request that it be put back into the product ? Why would they even take it out to begin with ?
02-17-2009 09:39 PM
I am uncertain why the varbinds were taken out. You could talk to your account team, and tell them to create a Product Enhancement Request on your behalf requesting this feature be added back.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: