Unknown Alert Events Generated for Mapped Traps

book

Article ID: 193457

calendar_today

Updated On:

Products

CA Spectrum

Issue/Introduction

 

Unknown Alert Events are generated for traps that have been correctly mapped via the AlertMap file. When looking at the
   event, it appears that Spectrum drops the last digit from the SnmpTrapOID varbind

 

 

Cause

 

The v2c trap did not conform to rfc standards and was not sending sysUptime as the first varbind. This causes problems for
   the SpectroSERVER when processing the incoming trap.

Via a wireshark/tcpdump capture, we can see there is a missing varbind for sysUptime which should be the first varbind.

Environment

Release : 10.x

Component : Spectrum Core / SpectroSERVER

Resolution


In this specific instance, the vendor Rubrik is creating a fix for the traps being sent so that they will conform to rfc standards. In other
  instances traps could be generated via script using snmptrap and in these cases, the command being run would need to be updated
  to include sysuptime.

 

When testing by recreating the trap manually using snmptrap on Linux we were able to see the trap successfully processed when
   sysUptime was included.

Ex.

snmptrap -v 2c -c TestRO  10.10.10.100:162 '' 1.3.6.1.4.1.49929.4.1 1.3.6.1.4.1.49929.8.1 s "Failed on demand backup of Microsoft SQL Server Database" 1.3.6.1.6.3.18.1.3.0 a 10.84.200.29

 

 

 

Additional Information

 

https://tools.ietf.org/html/rfc3416#page-22

The destination(s) to which an SNMPv2-Trap-PDU is sent is determined
in an implementation-dependent fashion by the SNMP entity. The first
two variable bindings in the variable binding list of an SNMPv2-Trap-PDU
are sysUpTime.0 [RFC3418] and snmpTrapOID.0 [RFC3418] respectively.
 

Attachments