cburgamy
Contributor

Debug Authentication failure

I have a couple 1544s that are creating these events in the history. How do I determine what source IP is creating these events?

Accepted Solutions
Anonymous
Not applicable

Re: Debug Authentication failure

and - Yes this would be another alternative. You can use the "debug ip packet <ACL NAME>" command to see which SNMP packets are hitting the router that are NOT from the IPs you are expecting. I do want to make a modification to the ACL. It should look something like this:

ip access-list extended debug

  deny udp host (known working access IP)  any eq snmp

  permit udp any  any eq snmp

debug ip packet debug

You can use the command 'u a' to stop the debug. The deny statement in the ACL will have the debug ignore SNMP packets that are coming from known hosts and match all other SNMP traffic.

Let us know if you have any questions.

Thanks,

Noor

19 Replies
Anonymous
Not applicable

Re: Debug Authentication failure

- Would you be able to post the exact message you are seeing? Also, it may be helpful to see the configuration as well. Please remember to remove any sensitive information.

Thanks,

Noor

cburgamy
Contributor

Re: Debug Authentication failure

I do not believe posting a config would help in this matter. I just need to find out what IP is trying to access my community strings and creating the errors.

2013.11.30 13:46:18 SNMP_SOURCE Authentication Failure

2013.11.30 13:46:23 SNMP_SOURCE Authentication Failure

2013.11.30 13:46:33 SNMP_SOURCE Authentication Failure

2013.11.30 13:46:53 SNMP_SOURCE Authentication Failure

2013.12.01 01:46:13 SNMP_SOURCE Authentication Failure

2013.12.01 01:46:19 SNMP_SOURCE Authentication Failure

2013.12.01 01:46:29 SNMP_SOURCE Authentication Failure

2013.12.01 01:46:49 SNMP_SOURCE Authentication Failure

Chris

Anonymous
Not applicable

Re: Debug Authentication failure

Chris,

Enabling "debug snmp packet" should show you what SNMP packets are being received and transmitted to the AOS device. Give that a shot. Let us know if you have any questions or issues.

Thanks,

Noor

cburgamy
Contributor

Re: Debug Authentication failure

OK, that sounds about right. Is there a way to prevent a lot of chatter from applications that are set up correctly to access the community string?

chris

cburgamy
Contributor

Re: Debug Authentication failure

Noor,

I have used something like this in the past, but not sure how to implement again.

ip access-list extended debug

permit udp host (known working access IP) any eq snmp

permit udp any any eq snmp

This somehow allowed the debug to ignore the snmp requests from our ncommand server and only display the snmp requests that were failing.

Chris

ejgarc
New Contributor

Re: Debug Authentication failure

Hi, I am having the exact same issue, and debug snmp packet has shown no error packets. Please see the debug display below.

SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)

  request id=58073, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.8.2

    value=1

SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)

  request id=58080, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.9.2

    value=empty

SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)

  request id=58080, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.9.2

    value=667

SNMP V2 RX: GET Request PDU from 146.170.X.X:55334 (community=340AXXX)

  request id=96408, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.1.3.0

    value=empty

    OID=1.3.6.1.2.1.2.2.1.7.12

    value=empty

    OID=1.3.6.1.2.1.2.2.1.8.12

    value=empty

SNMP V2 TX: GET Response PDU to 152.172.X.X:161 (community=340AXXX)

  request id=96408, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.1.3.0

    value=1284162866

    OID=1.3.6.1.2.1.2.2.1.7.12

    value=1

    OID=1.3.6.1.2.1.2.2.1.8.12

    value=1

SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)

  request id=58245, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.13.5

    value=empty

SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)

  request id=58245, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.13.5

    value=0

SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)

  request id=58246, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.14.5

    value=empty

SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)

  request id=58246, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.14.5

    value=0

SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)

  request id=58247, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.19.5

    value=empty

SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)

  request id=58247, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.19.5

    value=0

SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)

  request id=58248, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.20.5

    value=empty

SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)

  request id=58248, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.20.5

    value=0

SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)

  request id=58300, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.2.12

    value=empty

SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)

  request id=58300, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.2.12

    value=ppp 1

SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)

  request id=58330, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.31.1.1.1.1.12

    value=empty

SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)

  request id=58330, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.31.1.1.1.1.12

    value=ppp 1

SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)

  request id=58336, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.8.12

    value=empty

SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)

  request id=58336, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.8.12

    value=1

SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)

  request id=58342, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.9.12

    value=empty

SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)

  request id=58342, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.9.12

    value=3467

SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)

  request id=58444, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.13.7

    value=empty

SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)

  request id=58444, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.13.7

    value=0

SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)

  request id=58445, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.13.8

    value=empty

SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)

  request id=58445, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.13.8

    value=0

SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)

  request id=58465, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.14.7

    value=empty

SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)

  request id=58465, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.14.7

    value=2

SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)

  request id=58467, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.14.8

    value=empty

SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)

  request id=58467, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.14.8

    value=15

SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)

  request id=58468, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.19.7

    value=empty

SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)

  request id=58468, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.19.7

    value=0

SNMP V2 RX: GET Request PDU from 10.2.X.X:1116 (community=strXXX)

  request id=58470, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.19.8

    value=empty

SNMP V2 TX: GET Response PDU to 10.X.X.X:161 (community=strXXX)

  request id=58470, error status=0, error index=0

  max repetitions=0, non repetitions=0

  VarBinds:

    OID=1.3.6.1.2.1.2.2.1.19.8

    value=0

cburgamy
Contributor

Re: Debug Authentication failure

That looks about right; need to be able to weed out what is actually supposed to access the community strings as opposed to what is not supposed to.

Chris
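One way to do the weeding-out discussed above offline, as an added example that is not part of any post in this thread: the script reads captured "debug snmp packet" output in the format shown earlier and counts received requests that come from outside an allowlist or carry an unexpected community. The allowlist, the community names and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Matches the RX header lines printed by "debug snmp packet", as shown in this thread.
RX_LINE = re.compile(
    r"SNMP V\d+ RX: (?P<pdu>.+?) PDU from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"\(community=(?P<community>[^)]*)\)"
)


def unexpected_requests(debug_text, allowed_networks, expected_communities):
    """Count received requests whose source or community is not expected.

    Returns a Counter keyed by (source_ip, community, reason).
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = Counter()
    for line in debug_text.splitlines():
        m = RX_LINE.search(line)
        if not m:
            continue  # TX responses, VarBinds and masked addresses are skipped
        src = ipaddress.ip_address(m["ip"])
        community = m["community"]
        if not any(src in net for net in nets):
            hits[(str(src), community, "unknown source")] += 1
        elif community not in expected_communities:
            hits[(str(src), community, "unexpected community")] += 1
    return hits


# Constructed sample in the thread's output format (documentation addresses).
SAMPLE = """\
SNMP V2 RX: GET Request PDU from 192.0.2.10:1116 (community=monitor-ro)
  request id=58080, error status=0, error index=0
SNMP V2 TX: GET Response PDU to 192.0.2.10:161 (community=monitor-ro)
  request id=58080, error status=0, error index=0
SNMP V2 RX: GET Request PDU from 198.51.100.7:55334 (community=public)
  request id=96408, error status=0, error index=0
SNMP V2 RX: GET Request PDU from 198.51.100.7:55335 (community=public)
SNMP V2 RX: GET Request PDU from 192.0.2.11:1200 (community=private)
"""

if __name__ == "__main__":
    found = unexpected_requests(SAMPLE, ["192.0.2.0/24"], {"monitor-ro"})
    for (ip, comm, why), n in found.most_common():
        print(f"{ip:<15} community={comm:<12} {why:<22} x{n}")
```

The script only sees what the debug prints, so it needs a capture with real addresses rather than the masked ones posted in this thread.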

ejgarc
New Contributor

Re: Debug Authentication failure

Noor,

I have debug snmp packet and all packets are as per configuration. How would I be able to find out which one is causing the failure?

ejgarc
New Contributor

Re: Debug Authentication failure

Chris,

If all snmp packets being received are correct as per the configuration, how can I find out which one is actually causing the authentication error?

jayh
Honored Contributor

Re: Debug Authentication failure

It might be better to keep the bad guys from knocking on the door in the first place.

Create an access-list for only the hosts that are supposed to have SNMP access (your network monitoring system, MRTG grapher, etc.) 

ip access-list standard snmp-list

  permit host 172.16.3.3

  permit 10.1.1.0 0.0.0.255

  ...etc

Then include that list in your SNMP configuration.

snmp-server community itsasecret ip access-class snmp-list




cburgamy
Contributor

Re: Debug Authentication failure

I completely agree! We have this setup on a few devices already!

cburgamy
Contributor

Re: Debug Authentication failure

Can this event be forwarded to a syslog server?

Anonymous
Not applicable

Re: Debug Authentication failure

- Unfortunately, at the time of this post, debug messages cannot be outputted to a syslog server.

Thanks,

Noor

cburgamy
Contributor

Re: Debug Authentication failure

How do I extend the time of my ssh connection?

jayh
Honored Contributor

Re: Debug Authentication failure

conf t

  line ssh 0 4

  line-timeout [enter a number in minutes]

ctrl-Z

wr mem

cburgamy
Contributor

Re: Debug Authentication failure

Thank you for that simple explanation.

Chris

ejgarc
New Contributor

Re: Debug Authentication failure

Noor,

Thank you very much for your help. I was able to trace the faulting failure and resolve this authentication failure. Thanks!

Anonymous
Not applicable

Re: Debug Authentication failure

-

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor