I do not believe posting a config would help in this matter. I just need to find out what IP is trying to access my community strings and creating the errors.
2013.11.30 13:46:18 SNMP_SOURCE Authentication Failure
2013.11.30 13:46:23 SNMP_SOURCE Authentication Failure
2013.11.30 13:46:33 SNMP_SOURCE Authentication Failure
2013.11.30 13:46:53 SNMP_SOURCE Authentication Failure
2013.12.01 01:46:13 SNMP_SOURCE Authentication Failure
2013.12.01 01:46:19 SNMP_SOURCE Authentication Failure
2013.12.01 01:46:29 SNMP_SOURCE Authentication Failure
2013.12.01 01:46:49 SNMP_SOURCE Authentication Failure
Chris
Chris,
Enabling "debug snmp packet" should show you what SNMP packets are being received and transmitted to the AOS device. Give that a shot. Let us know if you have any questions or issues.
Thanks,
Noor
OK, that sounds about right. Is there a way to prevent a lot of chatter from applications that are set up correctly to access the community string?
Chris
Noor,
I have used something like this in the past, but not sure how to implement again.
ip access-list extended debug
permit udp host (known working access IP) any eq snmp
permit udp any any eq snmp
This somehow allowed the debug to ignore the SNMP requests from our ncommand server and only display the SNMP requests that were failing.
Chris
Hi, I am having the same exact issue, and debug snmp packets have shown no error packets. Please see the debug display below.
SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)
request id=58073, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.8.2
value=1
SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)
request id=58080, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.9.2
value=empty
SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)
request id=58080, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.9.2
value=667
SNMP V2 RX: GET Request PDU from 146.170.X.X:55334 (community=340AXXX)
request id=96408, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.1.3.0
value=empty
OID=1.3.6.1.2.1.2.2.1.7.12
value=empty
OID=1.3.6.1.2.1.2.2.1.8.12
value=empty
SNMP V2 TX: GET Response PDU to 152.172.X.X:161 (community=340AXXX)
request id=96408, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.1.3.0
value=1284162866
OID=1.3.6.1.2.1.2.2.1.7.12
value=1
OID=1.3.6.1.2.1.2.2.1.8.12
value=1
SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)
request id=58245, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.13.5
value=empty
SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)
request id=58245, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.13.5
value=0
SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)
request id=58246, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.14.5
value=empty
SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)
request id=58246, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.14.5
value=0
SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)
request id=58247, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.19.5
value=empty
SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)
request id=58247, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.19.5
value=0
SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)
request id=58248, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.20.5
value=empty
SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)
request id=58248, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.20.5
value=0
SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)
request id=58300, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.2.12
value=empty
SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)
request id=58300, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.2.12
value=ppp 1
SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)
request id=58330, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.31.1.1.1.1.12
value=empty
SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)
request id=58330, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.31.1.1.1.1.12
value=ppp 1
SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)
request id=58336, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.8.12
value=empty
SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)
request id=58336, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.8.12
value=1
SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)
request id=58342, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.9.12
value=empty
SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)
request id=58342, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.9.12
value=3467
SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)
request id=58444, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.13.7
value=empty
SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)
request id=58444, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.13.7
value=0
SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)
request id=58445, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.13.8
value=empty
SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)
request id=58445, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.13.8
value=0
SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)
request id=58465, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.14.7
value=empty
SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)
request id=58465, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.14.7
value=2
SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)
request id=58467, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.14.8
value=empty
SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)
request id=58467, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.14.8
value=15
SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)
request id=58468, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.19.7
value=empty
SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)
request id=58468, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.19.7
value=0
SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)
request id=58470, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.19.8
value=empty
SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)
request id=58470, error status=0, error index=0
max repetitions=0, non repetitions=0
VarBinds:
OID=1.3.6.1.2.1.2.2.1.19.8
value=0
That looks about right. I need to be able to weed out what is actually supposed to access the community strings as opposed to what is not supposed to.
Chris
Noor,
I have debug snmp packet and all packets are as per configuration. How would I be able to find out which one is causing the failure?
Chris,
If all SNMP packets being received are correct as per the configuration, how can I find out which one is actually causing the authentication error?
Yes, this would be another alternative. You can use the "debug ip packet <ACL NAME>" command to see which SNMP packets are hitting the router that are NOT from the IPs you are expecting. I do want to make a modification to the ACL. It should look something like this:
ip access-list extended debug
deny udp host (known working access IP) any eq snmp
permit udp any any eq snmp
debug ip packet debug
You can use the command 'u a' to stop the debug. The deny statement in the ACL will have the debug ignore SNMP packets that are coming from known hosts and match all other SNMP traffic.
Let us know if you have any questions.
Thanks,
Noor
It might be better to keep the bad guys from knocking on the door in the first place.
Create an access-list for only the hosts that are supposed to have SNMP access (your network monitoring system, MRTG grapher, etc.)
ip access-list standard snmp-list
permit host 172.16.3.3
permit 10.1.1.0 0.0.0.255
...etc
Then include that list in your SNMP configuration.
snmp-server community itsasecret ip access-class snmp-list
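Added example (not part of the original thread, and not ADTRAN code): an offline version of the two filters discussed above, the deny/permit debug ACL and the snmp-list access class. It reads captured `debug snmp packet` text in the format posted earlier, applies wildcard-mask matching to the snmp-list entries, and counts requests from sources the list would not permit. The sample lines, the 198.51.100.7 and 10.1.2.9 addresses, and the community names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Entries of the thread's "snmp-list" as (base address, wildcard mask).
# "permit host X" is equivalent to X with wildcard 0.0.0.0.
SNMP_LIST = [("172.16.3.3", "0.0.0.0"), ("10.1.1.0", "0.0.0.255")]

# Header line of a received PDU, in the debug format posted in the thread.
RX_LINE = re.compile(
    r"SNMP V(?P<ver>\d\w*) RX: (?P<pdu>.+?) PDU from "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) \(community=(?P<comm>[^)]*)\)"
)

def acl_permits(ip, acl=SNMP_LIST):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    addr = int(ipaddress.IPv4Address(ip))
    for base, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.IPv4Address(base)) & care:
            return True
    return False  # implicit deny at the end of the list

def unexpected_sources(debug_text, acl=SNMP_LIST):
    """Count received requests per (source IP, community) the ACL would deny."""
    hits = Counter()
    for line in debug_text.splitlines():
        m = RX_LINE.search(line)  # TX lines never match, only RX is counted
        if m and not acl_permits(m["ip"], acl):
            hits[(m["ip"], m["comm"])] += 1
    return hits

# Constructed sample capture (not taken from the thread).
SAMPLE = """\
SNMP V2 RX: GET Request PDU from 10.1.1.25:1116 (community=example-ro)
SNMP V2 TX: GET Response PDU to 10.1.1.25:161 (community=example-ro)
SNMP V2 RX: GET Request PDU from 172.16.3.3:40112 (community=example-ro)
SNMP V2 RX: GET Request PDU from 198.51.100.7:55334 (community=wrong-a)
SNMP V2 RX: GET Request PDU from 198.51.100.7:55335 (community=wrong-a)
SNMP V2 RX: GET Request PDU from 198.51.100.7:55336 (community=wrong-b)
SNMP V2 RX: GET Request PDU from 10.1.2.9:1200 (community=example-ro)
"""

if __name__ == "__main__":
    for (ip, comm), n in unexpected_sources(SAMPLE).most_common():
        print(f"{ip}  community={comm}  requests={n}")
```

A source such as 10.1.2.9 that presents the right community from outside the permitted range is worth the same attention as one presenting wrong strings: it is either a poller missing from the list or a host that should not know the community.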
I completely agree! We have this setup on a few devices already!
Can this event be forwarded to a syslog server?
How do I extend the time of my ssh connection?
conf t
line ssh 0 4
line-timeout [enter a number in minutes]
ctrl-Z
wr mem
Thank you for that simple explanation.
Chris
Noor,
Thank you very much for your help. I was able to trace the faulting failure and resolve this authentication failure. Thanks!
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor