Why do some "AUTHENTICATION FAILURE TRAP RECEIVED" alarms display a Source System and some do not?


Article ID: 36061


Products

CA Spectrum DX NetOps

Issue/Introduction

In Spectrum, why do some "AUTHENTICATION FAILURE TRAP RECEIVED" alarms display a Source System in the event and some do not?

Environment

DX NetOps Spectrum all currently supported releases

Resolution

Two different traps can raise the "AUTHENTICATION FAILURE TRAP RECEIVED" alarm.

One is the standard Authentication Failure trap, which is part of the MIB 2 standard traps such as link up and link down. This trap is defined in the $SPECROOT/SS/CsVendor/IETF/AlertMap and EventDisp files and asserts the 0x0001030a event with the 0x0001030a probable cause. The standard Authentication Failure trap DOES NOT send a trap variable with the Source System IP address.

The following is the AlertMap configuration for the standard Authentication Failure trap as defined in the $SPECROOT/SS/CsVendor/IETF/AlertMap file:

4.0                   0x0001030a

Notice there are no trap variables configured.

Some Cisco devices send their own enterprise-specific trap, which is defined in several different AlertMap files:

$SPECROOT/SS/CsVendor/Ctron_CAT/HubCat29xx/AlertMap

$SPECROOT/SS/CsVendor/Ctron_CAT/SwCat35xx/AlertMap

$SPECROOT/SS/CsVendor/Ctron_CAT/SwCat85xx/AlertMap

$SPECROOT/SS/CsVendor/Ctron_CAT/SwCat45xx/AlertMap

$SPECROOT/SS/CsVendor/Cisco_Router/Rtr_Cisco/AlertMap

$SPECROOT/SS/CsVendor/Cisco_Router/Cisco6400_DSL/AlertMap

$SPECROOT/SS/CsVendor/Cisco_Router/UBR72xxCMTS/AlertMap

$SPECROOT/SS/CsVendor/Cisco_Router/Cisco_12000/AlertMap

$SPECROOT/SS/CsVendor/Cisco_Router/SwCiscoIOS/AlertMap

$SPECROOT/SS/CsVendor/Cisco_MC3810/Cisco_MC3810/AlertMap

$SPECROOT/SS/CsVendor/CiscoPIX/CisPIXDev/AlertMap

$SPECROOT/SS/CsVendor/Cisco_AS5X/AS5x00/AlertMap

The following is the AlertMap configuration for the Cisco Authentication Failure trap as defined in the above listed AlertMap files:

4.0               0x00010017 1.3.6.1.4.1.9.2.1.5(1,0)

Notice there is a trap variable configured. OID 1.3.6.1.4.1.9.2.1.5 is the authAddr attribute defined in the Cisco Enterprises MIB as follows:

authAddr OBJECT-TYPE
    SYNTAX IpAddress
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION
        "This variable contains the last SNMP authorization failure IP address."
    ::= { lsystem 5 }

So whether a source is identified and shown in the event depends on which Authentication Failure trap is received.
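
The check described above can be scripted: the following added example (not part of the original article and not Broadcom code) parses AlertMap-style entries and reports which event codes have the authAddr OID mapped as a trap variable. The field layout (trap identifier, event code, then zero or more OID(n,m) mappings), the "#" comment marker and the function names are assumptions inferred from the two entries quoted in this article.

```python
import re

# Constructed sample: the two AlertMap entries quoted in this article.
SAMPLE_ALERTMAP = """\
4.0                   0x0001030a
4.0               0x00010017 1.3.6.1.4.1.9.2.1.5(1,0)
"""

AUTH_ADDR_OID = "1.3.6.1.4.1.9.2.1.5"  # authAddr in the MIB excerpt above

# Assumed token layout, inferred from the Cisco entry: <OID>(<n>,<m>)
VARBIND_RE = re.compile(r"(\d+(?:\.\d+)*)\((\d+),(\d+)\)")
EVENT_RE = re.compile(r"0x[0-9a-fA-F]+")


def parse_alertmap(text):
    """Parse AlertMap-style lines into (trap_id, event_code, [varbind OIDs])."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):  # assumed comment marker
            continue
        if len(fields) < 2 or not EVENT_RE.fullmatch(fields[1]):
            raise ValueError(f"line {lineno}: expected '<trap> <event code>'")
        oids = []
        for token in fields[2:]:
            match = VARBIND_RE.fullmatch(token)
            if match is None:
                raise ValueError(f"line {lineno}: bad varbind mapping {token!r}")
            oids.append(match.group(1))
        entries.append((fields[0], fields[1].lower(), oids))
    return entries


def events_with_source(text, source_oid=AUTH_ADDR_OID):
    """Map each event code to True if its trap mapping carries source_oid."""
    return {event: source_oid in oids for _, event, oids in parse_alertmap(text)}


if __name__ == "__main__":
    for event, has_src in events_with_source(SAMPLE_ALERTMAP).items():
        print(event, "source address mapped" if has_src else "no source address")
```

Run against the AlertMap file for a given model type, this shows in advance whether Authentication Failure alarms from those devices can carry the address of the failed SNMP requester.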