Bad trap packet received from Node with IP X.X.X.X. Error description : No more data.

As the title says, I am getting a bad trap packet alert every 3 hours. The node we are receiving the bad trap packet from is a Dell Kace 1000 management server. That server is not being monitored specifically by NPM. I have tried enabling SNMP on the NPM server with our correct strings which did not seem to help.

All of the previous responses and answers to this issue seem to stem from Error description: Unknown user or engine. So that does not apply to my current issue.

  • Sounds like it's sending traps to solarwinds, but SWinds doesn't know what to do with it because you don't have it set as a node.

    If you check your trap viewer, or trap history in the DB, you might be able to find the OID or MIB this is coming from and set up rules on how to process it. That might help(?).

  • We are getting the same error message with our Dell Sonicwall TZ-215, & 2600 series. We are having no issues with getting the device to connect and report data to our Solarwinds Server. However, we are getting this error from all of our Sonicwalls.

  • Here is an example of the Trap Message Error that we are receiving:

    96.83.79.60 50-193-131-253-static SONICWALL-FIREWALL-TRAP-MIB:swFwTrapEnhNetworkAccess
    swTrapInfoClientUserName = SN=C0EAE46FB130;
    swTrapInfoDstResolvedHostName = SN=C0EAE46FB130;
    swTrapInfoDstInterface = 0
    swTrapInfoDstPort = 0
    swTrapInfoDstIpAddress = 0.0.0.0
    swTrapInfoSrcResolvedHostName = SN=C0EAE46FB130;
    swTrapInfoSrcInterface = 0
    swTrapInfoSrcPort = 0
    swTrapInfoSrcIpAddress = 0.0.0.0
    swTrapInfoTrapDescription = SN=C0EAE46FB130;Malformed or unhandled IP packet dropped0.0.0.00-19544629600.0.0.00-1954462960Protocol: 0 Port: 139Type: 0Code: 0
    swTrapInfoTrapType = 554
    snmpTrapOID = SONICWALL-FIREWALL-TRAP-MIB:swFwTrapEnhNetworkAccess
    sysUpTime = 48 days 0 hours 10 minutes 38.28 seconds
  • Sorry for the late reply. The issue we were having happened to be originating from the host machine "Dell Kace 1000". It scanned subnets looking for new machines every 3 hours and it was not playing nice with solarwinds. We had to disable our Solarwinds management IP from being included in the scan.

    I am not familiar with the Sonicwall, but seeing as how it's a Dell box, it may have a similar discovery method being used. If you have not figured out the problem by now, check to see if it is doing any sort of host/subnet discovery.

  • Although it is very likely you've already solved your problem, one of the other reasons SolarWinds may react this way is a conflict between configured SNMP versions.

    For instance, if the node is configured for SNMPv2 and SNMPv3, and you're only polling in SolarWinds for SNMPv2, the SNMPv3 messages will be considered a bad packet.

    HTH!

  • ahutch43 & I work for the same company. I have been dealing with SolarWinds and Dell SonicWALL support on the matter over the past weeks. We have done multiple packet captures and have given the information to Dell SonicWALL Support. The Dell SonicWALL engineer is working with their escalation team. The data stream being sent to the SonicWALL has no real data in it and it seems to be appearing about every hour. We are not sure if something else with the SonicWALL is doing this matter or not. It has no MIB data tied to it.

    We have found that a way to stop the messages temporarily is to remove the NPM server in the Dell SonicWALL SNMP host field. This is just temporary, as it will not send any trap packets to NPM.

    More to come!
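Added example, not part of any post in this thread: a small Python triage helper for the two checks discussed above, the SNMP version a sender actually uses and whether a captured UDP/162 payload is complete. It reads only the BER header of each payload; the function names and the sample payloads are constructed for illustration.

```python
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
PDU_TAGS = {0xA4: "Trap-PDU", 0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}

def read_tlv(buf, pos, limit):
    """Return (tag, value_start, value_end) for the BER element at pos."""
    if pos + 2 > limit:
        raise EOFError("no room for a tag and length byte")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid in SNMP")
        if pos + n > limit:
            raise EOFError("length bytes missing")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > limit:
        raise EOFError(f"declares {length} bytes, {limit - pos} present")
    return tag, pos, pos + length

def classify(payload):
    """Return (verdict, detail) for one UDP payload taken from a capture."""
    try:
        tag, start, end = read_tlv(payload, 0, len(payload))
        if tag != 0x30:
            raise ValueError("outer element is not a SEQUENCE")
        vtag, vstart, vend = read_tlv(payload, start, end)
        if vtag != 0x02 or vend == vstart:
            raise ValueError("no version INTEGER")
        number = int.from_bytes(payload[vstart:vend], "big")
        version = VERSIONS.get(number, f"unknown version {number}")
        if version not in ("SNMPv1", "SNMPv2c"):
            return (version, "header only; body not decoded")
        ctag, _, cend = read_tlv(payload, vend, end)   # community string, not shown
        if ctag != 0x04:
            raise ValueError("community OCTET STRING missing")
        ptag, _, _ = read_tlv(payload, cend, end)      # PDU header
        return (version, PDU_TAGS.get(ptag, f"PDU tag 0x{ptag:02x}"))
    except EOFError as exc:                            # payload ended early
        return ("truncated", str(exc))
    except ValueError as exc:
        return ("not-snmp", str(exc))

# Constructed sample payloads (not taken from the captures mentioned in the thread).
V2C_TRAP = bytes.fromhex("3018 020101 04067075626c6963 a70b 020101 020100 020100 3000")
V3_MSG = bytes.fromhex("3016 020103 300d 020101 020205dc 040100 020103 0400 3000")
```

Feeding it the UDP payloads exported from a capture shows at a glance whether a sender is emitting a version the receiver is not configured for, or datagrams that end before their declared length.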

  • Update on this issue. I have been working with SonicWALL engineers and development team on this matter. I believe there is a resolution coming soon if you are running Gen6 (6.2.5) code or higher. They are to be providing me a hotfix soon to correct the problem. It did not matter if it was SolarWinds or just sending the data raw to an IP address, it would send it randomly around an hour time interval.

  • This problem has been resolved by SonicWALL on my case. They are putting the hotfix in the 6.2.6.2 release that is coming out for new TZ units and current NSA models. The trap messages have stopped being invalid to the SolarWinds server and we are back to normalcy now.

  • I'm also getting the same error and using an NSA3600, but the latest firmware version in the download center is 6.2.6.1 - was this a special hotfix by request only?  I could open a ticket, but wanted to ask.  Thanks so much for your post, this is an annoying event error

  • Have you checked the full post below?

    When you say "That server is not being monitored specifically by NPM", do you mean the server has not been added as a node in Orion and you are still sending the traps?

    Bad trap packet received from Node with IP XX.XX.XX.XX. Error description : Unknown user and engine. Packet discarded

    ISSUE # 2.

    You will notice that the IP address in the error message was actually assigned to an interface on the routers and that the traps were being sent from this interface.

    Since the SNMPv3 credentials are used by the router and not the interfaces, you then needed to find a way to source all traps from the routers' Loopback addresses themselves.

    RESOLUTION

    The easiest way to do this was to enter the following line within the SNMP portion of the router configuration.

    "snmp-server trap-source Loopbackxxxx" Where xxxx is the loopback # that the router's IP address is assigned to.