Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Varbind authAddr

Ciscoworks LMS is receiving numerous SNMP authentication failure traps from scanning

activity performed by our network security group. Although LMS reports the trap in DFM's

history, it does not provide the varbind authAddr for us to know what the source IP

address of the authentication attempt.

Old versions of Ciscworks 2000 which we still have running do show the source IP address

in DFM's alert history.

How do we get the new LMS platforms to provide authAddr in the DFM alert so that we can

determine whether it's our own security staff or an intruder generating the failed SNMP

authentications ?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Varbind authAddr

I am uncertain why the varbinds were taken out. You could talk to your account team, and tell them to create a Product Enhancement Request on your behalf requesting this feature be added back.

5 REPLIES
Cisco Employee

Re: Varbind authAddr

This is not possible. Admittedly, DFM is not a general purpose trap receiver. You can choose to forward the traps DFM receives to another trap receiver (e.g. HPOV NNM, net-snmp's snmptrapd, etc.) by configuring trap forwarding under DFM > Configuration > Other Configurations > SNMP Trap Forwarding.

For a quick solution, you could start a sniffer trace on the LMS server, and look at the raw traps to get the varbinds. You may also be seeing syslog messages in RME's Syslog Stanard Report which will include the host doing the polling.

Community Member

Re: Varbind authAddr

Thanks for the reply.

In Ciscoworks 2000 it always told us the source that caused the trap ( I

can send you screenshots showing this).

Are you saying that this

functionality has been completely removed from the new LMS product ?

Cisco Employee

Re: Varbind authAddr

Yes.

Community Member

Re: Varbind authAddr

Thanks jclarke,

Generating a minor alarm on that trap as DFM currently does is completely useless without having the authaddr varbind included in the alert. That varbind is absolutely critical to have.

Is there a way for us to request that it be put back into the product ? Why would they even take it out to begin with ?

Cisco Employee

Re: Varbind authAddr

I am uncertain why the varbinds were taken out. You could talk to your account team, and tell them to create a Product Enhancement Request on your behalf requesting this feature be added back.

217
Views
4
Helpful
5
Replies
CreatePlease to create content