Highlighted
MLayman
1 Nickel

Thousands of SNMP 'authenticationFailure' alerts per day

Jump to solution

 Hi, I have thousands of SNMP 'authenticationFailure' alerts per day.  They are very non-descriptive, stating only what device threw the alert, at what time, and no other info besides the alert being of Category "Security" and with alert variable 'SNMP Generic Type OID' of "4".  When I look at the Event Logs for that server, I can't find any corresponding like event to match the alerts to within the Security, Application, or System Logs.  I am thinking that these may be some sort of service authentication error, such as an incorrect account name or password, but am unsure.  I would rest easier if I knew what is occurring.  The errors listed are all coming from legitimate virtual machines that are Windows 2008, 2012, and 2016 servers.  Could there be another log that these are coming from?  Is there some way to debug SNMP to find out what could be going on?  Sorry for all the open-ended questions, I'm just stumped at the moment...  Any ideas or advice would be appreciated!

0 Kudos
1 Solution

Accepted Solutions

Re: Thousands of SNMP 'authenticationFailure' alerts per day

Jump to solution

Hi, thanks for the query.

This is because SNMP connection/discovery is being attempted on those targets using a wrong community name. Maybe a range defined in OME or some other tool with such configuration. FAQ snippet below:

Q: What are SNMP “authentication traps”?
A: An authentication trap is sent when the SNMP agent is hit with an inquiry with a community name it does not recognize. These are case-sensitive also.The traps are useful to know if someone is probing your system, although its better nowadays to just sniff packets and find out the community name that way.If you use multiple community names on the network, and some management might overlap, people may want to turn these off as they become false positives (annoyances).

From MS (http://technet.microsoft.com/en-us/library/cc959663.aspx)Smiley Frustratedend Authentication Traps. When an SNMP agent receives a request that does not contain a valid community name or the host that is sending the message is not on the list of acceptable hosts, the agent can send an authentication trap message to one or more trap destinations (management systems). The trap message indicates that the SNMP request failed authentication. This is a default setting. 

Thanks,
Shivendra

2 Replies
MLayman
1 Nickel

Re: Thousands of SNMP 'authenticationFailure' alerts per day

Jump to solution

Here is an image of one of the alerts.

snmp-alert-03272018_050207.png

0 Kudos

Re: Thousands of SNMP 'authenticationFailure' alerts per day

Jump to solution

Hi, thanks for the query.

This is because SNMP connection/discovery is being attempted on those targets using a wrong community name. Maybe a range defined in OME or some other tool with such configuration. FAQ snippet below:

Q: What are SNMP “authentication traps”?
A: An authentication trap is sent when the SNMP agent is hit with an inquiry with a community name it does not recognize. These are case-sensitive also.The traps are useful to know if someone is probing your system, although its better nowadays to just sniff packets and find out the community name that way.If you use multiple community names on the network, and some management might overlap, people may want to turn these off as they become false positives (annoyances).

From MS (http://technet.microsoft.com/en-us/library/cc959663.aspx)Smiley Frustratedend Authentication Traps. When an SNMP agent receives a request that does not contain a valid community name or the host that is sending the message is not on the list of acceptable hosts, the agent can send an authentication trap message to one or more trap destinations (management systems). The trap message indicates that the SNMP request failed authentication. This is a default setting. 

Thanks,
Shivendra