
Login on-failure not generating traps

kDonovan9_2
Level 1

I currently have a 4507 switch running 122-25.EWA4. I have enabled the login on-failure command for syslog and traps. When a failed login occurs I see it in the syslog just fine, but I never see a trap generated. I know traps are working for other commands on the switch (i.e. running config viewed).

login on-failure

login on-success log

switch#show login 

     A default login delay of 1 seconds is applied.

     Quiet-Mode access list 25 is applied.

     All successful login is logged.

     All failed login is logged and generate SNMP traps.

     Router enabled to watch for login Attacks.

     If more than 5 login failures occur in 30 seconds or less,

     logins will be disabled for 120 seconds.

     Router presently in Normal-Mode.

     Current Watch Window remaining time 21 seconds.

     Present login failure count 0.

278250: May 14 16:33:15.602: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: JoeUser] [Source: 192.168.1.1] [localport: 22] [Reason: Login Authentication Failed] at 16:33:15 East_US Mon May

snmp-server community <snip> RW 10

snmp-server community <snip> RO 11

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps tty

snmp-server enable traps vtp

snmp-server enable traps vlancreate

snmp-server enable traps vlandelete

snmp-server enable traps port-security

snmp-server enable traps config

snmp-server enable traps syslog

snmp-server enable traps envmon fan shutdown supply temperature status

snmp-server enable traps vlan-membership

snmp-server host <snip>

6 Replies

Vinod Arya
Cisco Employee

Seems the traps are never generated on login on-success and login on-failure. I have seen this issue many times, and the only workaround that seems to be available is to use syslog and then use the syslog trap to forward it as an SNMP trap.

You may want to see the old thread by Joeseph:

https://supportforums.cisco.com/message/678852#678852

-Thanks

-Thanks Vinod **Rating Encourages contributors, and its really free. **

Vinod Arya
Cisco Employee

I checked some more details on this; it seems this issue was raised with some bugs being filed:

CSCsa67252    No trap generated when ssh/telnet login fails

CSCtg26052    secure login "login on-failure trap" fails to generate SNMP traps

It seems that, currently, SNMP traps for this are not supported by IOS, which is why the above enhancement defects had been raised.

The login on-failure command you are trying to use is for logging to syslog and is not supported for SNMP traps. As a possible workaround, you can use that and then enable syslog traps to be notified of when login failure occurs.

Also, the correct syntax is "login on-failure log" and must be preceded by a login block-for command to enable login functionality. Please see the following document for more details and for instructions on syslog logging on failed logins:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt_login.htm#wp1048295

As a final confirmation from the enhancement team: this feature, SNMP traps for login failures, is not available in IOS, and the command that indicates the functionality will be removed in all future releases. The documentation will also be corrected appropriately.

-thanks

Vinod

-Thanks Vinod **Rating Encourages contributors, and its really free. **

For clarity, I thought the OP was saying the syslog-to-snmptrap part (i.e. the "snmp-server enable traps syslog" line) does not appear to generate traps concerning SEC_LOGIN-4-LOGIN_FAILED. That syslog-to-snmptrap part should work in IOS though, since another user had gotten it working before (https://supportforums.cisco.com/thread/2062890).

yjdabear
VIP Alumni

Do you have "logging history #" configured? Given https://supportforums.cisco.com/thread/2062890, I figure you would not get snmp traps about SEC_LOGIN-4-LOGIN_FAILED if you have "logging history [1/2/3]" configured. However, the default "logging history 4" should be fine.

Hi yjdabear, thank you for your replies. I do have logging history set to level 4. I am still not seeing traps generated, even using the 'syslog method' for the login failures. Here is a snippet of my logging:

Syslog logging: enabled (0 messages dropped, 1102 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

Console logging: level debugging, 277317 messages logged, xml disabled,

filtering disabled

Monitor logging: level debugging, 139 messages logged, xml disabled,

filtering disabled

Buffer logging: level debugging, 278418 messages logged, xml disabled,

filtering disabled

Exception Logging: size (8192 bytes)

Count and timestamp logging messages: disabled

Trap logging: level debugging, 278388 message lines logged

Logging to , 278388 message lines logged, xml disabled,

filtering disabled

switch#show logging history

Syslog History Table:1 maximum table entries,

saving level warnings or higher

4417 messages ignored, 0 dropped, 0 recursion drops

273892 table entries flushed

SNMP notifications enabled, 52 notifications sent

entry number 273893 : LINK-3-UPDOWN

Interface GigabitEthernet7/19, changed state to up

timestamp: 883868674
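The thread makes two points that are easy to get wrong when chasing missing login-failure traps: the syslog-to-trap path only carries messages that clear the "logging history" severity filter (yjdabear's reply), and the login commands only work in the form Vinod describes (login block-for plus login on-failure log). As an added example, not code from the thread or from Cisco, the following Python puts both into a checkable form: it lints a constructed IOS config fragment for those pitfalls and for a missing "snmp-server enable traps syslog", decides whether a %SEC_LOGIN-4-LOGIN_FAILED message would reach the trap path under a given config, and parses constructed log lines in the thread's format to reproduce the "more than 5 failures in 30 seconds" rule shown by show login. The config fragments and log lines are constructed (<snip> stands for redacted values), and the default history level of warnings (4) is an assumption consistent with the "saving level warnings or higher" line in the show logging history output above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Severity keywords accepted by "logging history <level>" on IOS (0 = most severe).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Constructed config fragments (not the thread's device; <snip> marks redacted values).
# SAMPLE_CONFIG carries the pitfalls discussed in the thread: no "login block-for",
# the trap form of "login on-failure", and a history level below severity 4.
SAMPLE_CONFIG = """\
login on-failure trap
login on-success log
logging history errors
snmp-server enable traps syslog
snmp-server host <snip>
"""
FIXED_CONFIG = """\
login block-for 120 attempts 5 within 30
login on-failure log
login on-success log
logging history warnings
snmp-server enable traps syslog
snmp-server host <snip>
"""


def _failed(seq, ts, user, src):
    """Build a constructed %SEC_LOGIN-4-LOGIN_FAILED line in the thread's format."""
    return (f"{seq}: May 14 {ts}: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: {user}] "
            f"[Source: {src}] [localport: 22] [Reason: Login Authentication Failed] "
            f"at {ts[:8]} East_US Mon May 14")


# Constructed sample: two failures from one host, six within 15 seconds from another,
# and one success line that the failure counter must ignore.
SAMPLE_LOGS = [
    _failed(278250, "16:33:15.602", "JoeUser", "192.168.1.1"),
    _failed(278251, "16:33:40.100", "JoeUser", "192.168.1.1"),
    "278252: May 14 16:34:00.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: JoeUser] [Source: 192.168.1.1] [localport: 22] at 16:34:00 East_US Mon May 14",
] + [_failed(278260 + i, f"16:35:{10 + 3 * i:02d}.000", "admin", "10.0.0.5") for i in range(6)]

LOG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
FIELD_RE = re.compile(r"\[(?P<key>[A-Za-z]+): (?P<val>[^\]]*)\]")
TIME_RE = re.compile(r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?)")


def parse_syslog(line):
    """Split an IOS syslog line into facility/severity/mnemonic, bracketed fields and timestamp."""
    m = LOG_RE.search(line)
    if not m:
        return None
    msg = {"facility": m["facility"], "severity": int(m["severity"]), "mnemonic": m["mnemonic"]}
    msg.update({f["key"].lower(): f["val"] for f in FIELD_RE.finditer(m["text"])})
    t = TIME_RE.search(line)
    fmt = "%b %d %H:%M:%S.%f" if t and "." in t["ts"] else "%b %d %H:%M:%S"
    msg["time"] = datetime.strptime(t["ts"], fmt) if t else None  # year unknown; only deltas are used
    return msg


def history_level(config, default=SEVERITY["warnings"]):
    """Severity threshold of the syslog history table (default of warnings/4 is an assumption)."""
    for line in config.splitlines():
        m = re.match(r"logging history (\S+)$", line.strip())
        if m and m.group(1) != "size":
            tok = m.group(1)
            return int(tok) if tok.isdigit() else SEVERITY[tok]
    return default


def would_trap(msg, config):
    """True if the message clears the history-table filter and syslog traps are enabled."""
    lines = [l.strip() for l in config.splitlines()]
    return "snmp-server enable traps syslog" in lines and msg["severity"] <= history_level(config)


def lint_login_config(config):
    """Findings for the login/trap pitfalls the thread identifies; an empty list means none found."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if not any(l.startswith("login block-for ") for l in lines):
        findings.append("missing 'login block-for': needed before login on-failure/on-success take effect")
    for l in lines:
        if l.startswith("login on-failure") and l != "login on-failure log":
            findings.append(f"'{l}': use 'login on-failure log'; the trap form does not fire (CSCtg26052)")
    if "snmp-server enable traps syslog" not in lines:
        findings.append("missing 'snmp-server enable traps syslog': syslog-to-trap forwarding is off")
    if history_level(config) < SEVERITY["warnings"]:
        findings.append("logging history level below warnings (4): %SEC_LOGIN-4-* never enters the history table")
    return findings


def sources_over_threshold(msgs, threshold=5, window_s=30):
    """Sources with more than `threshold` LOGIN_FAILED events inside any `window_s` span,
    i.e. the 'more than 5 login failures in 30 seconds' rule from show login."""
    recent, flagged = defaultdict(deque), set()
    failed = [m for m in msgs if m and m["mnemonic"] == "LOGIN_FAILED" and m["time"]]
    for m in sorted(failed, key=lambda m: m["time"]):
        q = recent[m["source"]]
        q.append(m["time"])
        while (m["time"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold:
            flagged.add(m["source"])
    return flagged


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_login_config(cfg) or "no findings")
    msgs = [parse_syslog(l) for l in SAMPLE_LOGS]
    print("trap under fixed config:", would_trap(msgs[0], FIXED_CONFIG))
    print("sources over threshold:", sources_over_threshold(msgs))
```

Run against the sample config it reports three findings and shows that the severity-4 login failure would be filtered out of the history table; against the fixed config it reports none and the same message clears the trap path. The counter flags only the 10.0.0.5 source, because six failures land inside one 30-second window while the other host has two.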

login on-success log

login on-failure log

Enable logging and use the logging buffered command.

Regards.

>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<