Running NPM 9.5.0. I just added a couple of APC 6kVA UPSs and started monitoring them with NPM via their web management cards. About every 4 hours I get a series of errors emailed to me from both UPSs:
-------------------------------------------------------------------------------------------
Subj: System: Detected an unauthorized user attempting to access the SNMP interfac...
Name : APC-R6-6K-B
Location : Rack6 Bottom
Contact : Net Admins
http://APC-R6-6K-B.vvh.org
http://172.17.100.231
Serial # : BA0937003624
Device Ser #: NS0939003045
Date: 02/09/2010
Time: 08:46:49
Code: 0x0004
Informational - System: Detected an unauthorized user attempting to access the SNMP interface from 172.17.12.221.
-------------------------------------------------------------------------------------------
x.x.x.221 is my Orion NPM. The UPSs are configured in Orion with the correct read and write communities, and I am successfully collecting stats from both UPSs. I WireSharked the comms between NPM and one of the UPSs and I see NPM sending both the community "public" and a blank community. Wireshark packet export below:
Frame 13511 (83 bytes on wire, 83 bytes captured)
Ethernet II, Src: vvh-orion.vvhosp.vvh.org (00:0c:29:d5:fc:92), Dst: APC-R6-6K-B.vvhosp.vvh.org (00:c0:b7:4e:2a:c5)
Internet Protocol, Src: 172.17.12.221 (172.17.12.221), Dst: 172.17.100.231 (172.17.100.231)
[snip]
Source: 172.17.12.221 (172.17.12.221)
Destination: 172.17.100.231 (172.17.100.231)
User Datagram Protocol, Src Port: lam (2040), Dst Port: snmp (161)
Simple Network Management Protocol
version: version-1 (0)
community: public
data: get-request (0)
get-request
request-id: 18123
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
SNMPv2-MIB::sysObjectID.0 (1.3.6.1.2.1.1.2.0): unSpecified
Object Name: 1.3.6.1.2.1.1.2.0 (SNMPv2-MIB::sysObjectID.0)
Scalar Instance Index: 0
unSpecified
And then the APC responds with a failed authentication and e-mails me about the failure:
Frame 13512 (136 bytes on wire, 136 bytes captured)
Ethernet II, Src: APC-R6-6K-B.vvhosp.vvh.org (00:c0:b7:4e:2a:c5), Dst: vvh-orion.vvhosp.vvh.org (00:0c:29:d5:fc:92)
Internet Protocol, Src: 172.17.100.231 (172.17.100.231), Dst: 172.17.12.221 (172.17.12.221)
[snip]
Source: 172.17.100.231 (172.17.100.231)
Destination: 172.17.12.221 (172.17.12.221)
User Datagram Protocol, Src Port: 50937 (50937), Dst Port: snmptrap (162)
Simple Network Management Protocol
version: version-1 (0)
community: <True community reported here. Removed for this post>
data: trap (4)
trap
enterprise: 1.3.6.1.4.1.318 (SNMPv2-SMI::enterprises.318)
agent-addr: 172.17.100.231 (172.17.100.231)
generic-trap: authenticationFailure (4)
specific-trap: 0
time-stamp: 51205315
variable-bindings: 2 items
SNMPv2-MIB::sysUpTime.0 (1.3.6.1.2.1.1.3.0): 51205310
Object Name: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
Scalar Instance Index: 0
SNMPv2-MIB::sysUpTime: 51205310
SNMPv2-MIB::snmpTrapOID.0 (1.3.6.1.6.3.1.1.4.1.0): 1.3.6.1.6.3.1.1.5.5.0 (SNMPv2-MIB::authenticationFailure.0)
Object Name: 1.3.6.1.6.3.1.1.4.1.0 (SNMPv2-MIB::snmpTrapOID.0)
Scalar Instance Index: 0
SNMPv2-MIB::snmpTrapOID: 1.3.6.1.6.3.1.1.5.5.0 (SNMPv2-MIB::authenticationFailure.0)
I also see the communication exchange where NPM sends the correct community string.
This happens about 20 times per UPS per cycle (once per OID?), so I'm getting a few hundred e-mails every day. Why is NPM ever sending the bogus community strings of "public" and <null>?
Tim
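An added example, not part of the original post: a small Python decoder that reads the version, community and PDU type out of a community-based SNMP UDP payload and counts, per source, the requests whose community the agent does not accept, which are the requests that produce the authenticationFailure trap shown above. The function names, the placeholder community `example-ro` and the sample packets (rebuilt from the get-request fields in the capture) are assumptions made for this example.

```python
from collections import Counter

PDU_NAMES = {0xA0: "get-request", 0xA1: "get-next-request",
             0xA2: "get-response", 0xA3: "set-request", 0xA4: "trap"}
REQUESTS = {"get-request", "get-next-request", "set-request"}

def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def parse_header(payload):
    """Return (version, community, pdu_name) from a community-based SNMP payload."""
    tag, msg, _ = read_tlv(payload, 0)
    ver_tag, ver, pos = read_tlv(msg, 0)
    com_tag, community, pos = read_tlv(msg, pos)
    if (tag, ver_tag, com_tag) != (0x30, 0x02, 0x04):
        raise ValueError("not a community-based SNMP message")
    pdu_tag, _, _ = read_tlv(msg, pos)
    return int.from_bytes(ver, "big"), community, PDU_NAMES.get(pdu_tag, hex(pdu_tag))

def rejected_requests(packets, accepted):
    """Count requests per (source, community) whose community is not accepted."""
    hits = Counter()
    for src, payload in packets:
        _, community, pdu = parse_header(payload)
        if pdu in REQUESTS and community not in accepted:
            hits[(src, community.decode("latin-1"))] += 1
    return hits

# Constructed sample: get-request for sysObjectID.0, request-id 18123, as in the capture.
PDU = bytes.fromhex("a01a020246cb0201000201003010300e06082b060102010102000500")

def sample_get(community):
    body = b"\x02\x01\x00\x04" + bytes([len(community)]) + community + PDU
    return b"\x30" + bytes([len(body)]) + body

# "example-ro" is a placeholder for the community actually configured on the UPS.
CAPTURE = [("172.17.12.221", sample_get(c)) for c in (b"public", b"", b"example-ro")]

if __name__ == "__main__":
    for (src, community), n in rejected_requests(CAPTURE, {b"example-ro"}).items():
        print(f"{src} sent {n} request(s) with community {community!r}")
```

Fed the UDP payloads from a real capture, the same counter shows which communities a poller tries and how often, so the alert volume can be tied to specific probe requests.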