14 Replies Latest reply on Jun 20, 2016 9:45 AM by userunnown

    Device Being Polled Via SNMP From Orion Server, But Device's IP Not Found On Orion Server Anywhere.

    wluther


      I am feeling a bit stumped right now. My network engineer and I have been trying to track down numerous "SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community" syslog messages.

      Now, when I say track down, I mean that I know where they are coming from, but not sure how it is happening.

       

      The setup:

      • 1x Orion dev server with the following: (Dev/Lab)
        • Orion Platform 2016.1.0, VNQM 4.2.3, IPAM 4.3, SAM 6.2.3, DPA 10.0.1, NCM 7.4.1, IVIM 2.1.2, QoE 2.1.0, NetPath 1.0, NPM 12.0, NTA 4.1.2, UDT 3.2.3, WPM 2.2.0
        • IP: 1.1.1.1 (Keeping it simple for my tiny brain)
      • 1x Kiwi Syslog Server (Production)
      • 2x Juniper 5048 devices in the test lab (Dev/Lab)
        • IPs: 2.2.2.2 & 3.3.3.3

       

      So, we can see the syslog messages coming into the Kiwi server from the 2 Juniper devices. The messages indicate SNMP authentication failures, and even show an SNMP community string, which is a match for the string we would use on/for some devices, but shouldn't be used on these devices.

       

      Now, our engineer tracks down the IP causing those Juniper devices to send those messages (1.1.1.1). The IP he found is the IP of the Orion dev server. So I go into the dev server to remove those devices, only to find those devices are not actually being monitored by that server. However, when I do a Wireshark capture, I DO see the communications between the dev server and the devices, and the traffic is related to SNMP.

       

      What else should I look at that would tell me why these devices and the dev server know each other?

       

       

      Thank you,

       

      -Will
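
A triage sketch for the syslog messages described in the post above, added here as an example and not part of the original thread: it groups SNMPD_AUTH_FAILURE messages by polling source and reporting device and measures how regularly they recur. The tab-separated line layout, the message text after "unauthorized SNMP community", and the community value are assumptions constructed for the sample.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample, not from the post. Assumed layout (tab-separated):
# timestamp, priority, reporting device, message.
MSG = ("snmpd[1412]: SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP "
       "community from 1.1.1.1 to unknown community name (example-string)")
SAMPLE = [f"2016-06-17 {t}\tDaemon.Notice\t{dev}\t{MSG}" for t, dev in [
    ("09:00:05", "2.2.2.2"), ("09:00:07", "3.3.3.3"),
    ("09:10:05", "2.2.2.2"), ("09:10:07", "3.3.3.3"),
    ("09:20:05", "2.2.2.2")]]
SAMPLE.append("2016-06-17 09:21:00\tDaemon.Info\t2.2.2.2\tmgd[900]: UI_COMMIT: done")

PATTERN = re.compile(
    r"^(?P<ts>\S+ \S+)\t\S+\t(?P<device>\S+)\t.*SNMPD_AUTH_FAILURE: .*"
    r"community from (?P<src>\S+) to .*\((?P<comm>[^)]*)\)\s*$")

def fingerprint(community):
    """Short SHA-256 prefix: compare strings without copying the secret around."""
    return hashlib.sha256(community.encode()).hexdigest()[:8]

def summarize(lines):
    """Group auth failures by (poller source, reporting device)."""
    events = defaultdict(list)
    for line in lines:
        m = PATTERN.match(line)
        if not m:
            continue  # unrelated syslog message
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events[(m["src"], m["device"])].append((ts, fingerprint(m["comm"])))
    report = {}
    for key, hits in events.items():
        hits.sort()
        times = [t for t, _ in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {
            "count": len(hits), "first": times[0], "last": times[-1],
            # A steady gap points at a scheduled job rather than a one-off query.
            "median_gap_s": median(gaps) if gaps else None,
            "communities": sorted({fp for _, fp in hits}),
        }
    return report

if __name__ == "__main__":
    for (src, dev), r in summarize(SAMPLE).items():
        print(src, "->", dev, r["count"], r["median_gap_s"], r["communities"])
```

The fingerprint lets the failing community be matched against known strings in a report without writing the string itself into it.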