SCSP/DCS Manager SNMP Traps not working on a dual-homed Windows server.

Article ID: 158065

Products

Critical System Protection, Data Center Security Server Advanced

Issue/Introduction

You have enabled SNMP-based alerts from an SCSP/DCS Server system, but no traps are being received by your Network Management System or SNMP Trap Receiver. The alerts are correctly configured and no host firewall process is blocking the local or remote SNMP ports 161 and 162.

Cause

The SCSP Manager process "SISManager.exe" handles SNMP Trap sending directly. When started, it will bind to the first available Network Interface. If that interface is not connected to or routable to the subnet on which the SNMP NMS or Trap Receiver system is located, the traps will not be sent.

Setting tracing in the SCSP Alert settings will not pinpoint the cause of the issue as the logs will confirm that the traps were sent.

Resolution

The issue is related to the design of the sockets API used to transmit UDP packets; a single call to send a UDP multicast frame is limited to a single network interface on the sending machine. Symantec will investigate if this issue can be worked around in code.

In the meantime, the following workaround will resolve the problem:

  1. Right-click the My Network Places icon and choose Properties. Alternatively, open the Control Panel and choose Network Connections (or “Network and Internet” for W2K8).
  2. For Windows 2003, from the menu of the Network and Dial-up Connections window, choose Advanced > Advanced Settings > Bindings.
  3. For Windows 2008, to access the above menu you need to click “View network status and tasks”, then right-click “Change adapter settings”, then hold Tab and select ALT to see the menu; choose “Advanced” > “Advanced Settings”.
  4. On the Adapter and Binding tabs, in the Connections area, ensure that the primary NIC is listed first.
  5. From a DOS prompt, issue the ipconfig /all command to verify that your selected primary NIC appears first in the list.
  6. Disable the Network Interface that is not on the same subnet as the SNMP NMS / Trap Receiver system.
  7. Restart the "Symantec SCSP Manager Service" to force the process to bind to the correct interface.
  8. Monitor the SNMP receiver system. The traps should now appear as expected.

If the issue persists even after following the above steps, you may see the following symptom:
When the server pings itself by its hostname, the responses come from the NIC that has the lowest metric (irrespective of the order set in the above steps).

To address this, make the following additional changes:
1. On the Network Connections page (Start > Run > ncpa.cpl), open the NIC card properties.
2. For TCP/IPv4 Properties, go into Advanced and uncheck ‘Automatic Metric’.
3. In the ‘Interface metric’ box, enter a number which is lower than that of the other NIC(s) (i.e. for the NIC that’s in the SNMP server subnet).

For example, if we change the ‘Interface metric’ value to '5' for the NIC that’s in the SNMP server subnet and set a greater value, e.g. '6', for the other NIC(s), SNMP traps will be sent by the NIC that has the lowest ‘Interface metric’ value, i.e. 5 in this case.
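A read-only check for the condition both workarounds address, as an added example that is not part of the original article or the product's own tooling: it lists each IPv4 address with its interface metric, marks the one on the trap receiver's subnet, and shows which source address the IP stack would pick for UDP to the receiver. The receiver address 192.0.2.10 is a constructed placeholder, and the script assumes Windows PowerShell with WMI available; it does not inspect SISManager.exe itself.

```powershell
# Added example. 192.0.2.10 is a constructed placeholder; pass your trap receiver's IPv4 address.
param([string]$TrapReceiver = '192.0.2.10', [int]$TrapPort = 162)

# True when $Address and $Target fall in the same IPv4 subnet under $Mask.
function Test-SameSubnet([string]$Address, [string]$Mask, [string]$Target) {
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    $t = [System.Net.IPAddress]::Parse($Target).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($a[$i] -band $m[$i]) -ne ($t[$i] -band $m[$i])) { return $false }
    }
    return $true
}

# Connecting a UDP socket transmits nothing; it only makes the IP stack select
# the route, and so the local source address, it would use toward the receiver.
$udp = New-Object System.Net.Sockets.UdpClient
try {
    $udp.Connect($TrapReceiver, $TrapPort)
    $source = $udp.Client.LocalEndPoint.Address.ToString()
} catch {
    $source = $null   # no route to the receiver from any interface
} finally {
    $udp.Close()
}

# One row per IPv4 address on every IP-enabled adapter, lowest metric first.
$rows = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        for ($i = 0; $i -lt $_.IPAddress.Count; $i++) {
            if ($_.IPAddress[$i] -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }  # skip IPv6
            New-Object PSObject -Property @{
                Metric       = $_.IPConnectionMetric
                Adapter      = $_.Description
                Address      = $_.IPAddress[$i]
                OnTrapSubnet = Test-SameSubnet $_.IPAddress[$i] $_.IPSubnet[$i] $TrapReceiver
                RouteSource  = ($_.IPAddress[$i] -eq $source)
            }
        }
    } | Sort-Object Metric
$rows | Format-Table Metric, Adapter, Address, OnTrapSubnet, RouteSource -AutoSize

# Flag the two states the article describes: no usable route, or wrong NIC preferred.
$lowest = $rows | Select-Object -First 1
if (-not $source) {
    Write-Warning "No route to $TrapReceiver from any interface."
} elseif ($lowest -and -not $lowest.OnTrapSubnet) {
    Write-Warning "Lowest-metric NIC ($($lowest.Address)) is not on the subnet of $TrapReceiver."
}
```

Run it before and after changing the binding order or interface metric, then restart the "Symantec SCSP Manager Service" as in step 7 so the process rebinds.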

 

Applies To

 

The server is dual-homed with a Network Controller on two separate subnets.