[c-nsp] SNMP-3-AUTHFAIL misleading?

ekagan at axsne.com
Thu Aug 2 07:13:24 EDT 2007


> I have a scenario where there is an offending host which is not part of our
> network turning over SNMP auth fails on some routers. SNMP ACLs are in
> place and the host should be hitting the implicit deny any on the SNMP ACL,
> but I'm getting pages of SNMP-3-AUTHFAIL messages.
> 
> The Cisco info for this log message says:
> 
> %SNMP-3-AUTHFAIL : Authentication failure for SNMP req from host
> [dec].[dec].[dec].[dec]
> Explanation    An SNMP request was sent by the host at the address
> [dec].[dec].[dec].[dec], but the request PDU was not properly
> authenticated.
> Recommended Action    Make sure that the community and user name that are
> used in the SNMP request from the remote host have been configured on the
> router.
> 
> which seems to imply to me that the offending host is getting through the
> ACL to the SNMP server and turning over SNMP auth failures; however, I have
> it on good advice that "The SNMP-3-AUTHFAIL message is printed if *either*
> the access-list or the community string does not match on an inbound SNMP
> operation. There is no way to filter the messages to indicate an
> access-list fail or a community string fail. You can either receive all
> messages, or you can receive no messages depending on the configuration of
> the authfail logging."
> 
> This sounds exactly like the issue I'm hitting, but certainly at least in
> my mind it makes the claim of "authentication failure" rather misleading
> when it's actually an access-list deny that is occurring. Does anyone have
> any information on this issue? Sure, I can turn logging snmp-authfail off,
> but to me pulling the wool over my own eyes is hardly an ideal solution.

Do you have an ACL on your snmp config line like 'snmp-server community
public RO 1', or in an access-group that literally denies the protocol
to your router?  In the former case, you will see the request and get an
auth failure since the requesting host is not in the ACL, even if they
have the correct community name.  If it's the latter, maybe the ACL syntax
is incorrect.  Maybe you could post the relevant config to the list for
review.

Eric
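Since the AUTHFAIL message itself cannot tell an access-list deny from a community-string mismatch (as quoted above), one way to triage a pile of them is to evaluate each logged source address against the community ACL offline: a host the ACL would not permit was rejected by the access-list, while a host the ACL does permit is a genuine credential mismatch worth chasing. This is an added example, not code from the thread or from Cisco; the ACL lines and syslog lines below are constructed, and the parser handles standard numbered ACLs with contiguous wildcard masks only.

```python
import ipaddress
import re

# Constructed sample of the SNMP community ACL (assumption, not from the thread).
# No explicit deny: the implicit "deny any" at the end applies, as in the question.
ACL_CONFIG = """\
access-list 1 permit host 192.0.2.10
access-list 1 permit 198.51.100.0 0.0.0.255
"""

# Constructed syslog lines in the %SNMP-3-AUTHFAIL format quoted in the thread.
SYSLOG = """\
Aug  2 07:10:01 rtr1 1234: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.7
Aug  2 07:10:05 rtr1 1235: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10
Aug  2 07:10:09 rtr1 1236: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.7
Aug  2 07:10:12 rtr1 1237: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.44
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+?)(?:\s+log)?\s*$")
AUTHFAIL_RE = re.compile(r"%SNMP-3-AUTHFAIL:.*from host\s+(\d+\.\d+\.\d+\.\d+)")


def wildcard_to_prefix(wildcard):
    """Convert an IOS wildcard mask (0.0.0.255) to a prefix length; reject non-contiguous masks."""
    mask = int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF
    if (mask | ((mask - 1) & 0xFFFFFFFF)) != 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard mask not supported: %s" % wildcard)
    return bin(mask).count("1")


def parse_acl(text):
    """Parse numbered standard ACL lines into an ordered list of (action, network)."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # comments, remarks, unrelated config
        action, target = m.group(2), m.group(3).split()
        if target[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif target[0] == "host":
            net = ipaddress.ip_network(target[1] + "/32")
        elif len(target) == 2:
            net = ipaddress.ip_network("%s/%d" % (target[0], wildcard_to_prefix(target[1])), strict=False)
        else:
            net = ipaddress.ip_network(target[0] + "/32")  # bare address == host
        entries.append((action, net))
    return entries


def acl_permits(entries, host):
    """First-match evaluation of a standard ACL with the implicit deny at the end."""
    addr = ipaddress.ip_address(host)
    for action, net in entries:
        if addr in net:
            return action == "permit"
    return False


def classify_authfails(syslog, entries):
    """Return {host: (count, reason)} separating ACL denies from credential mismatches."""
    counts = {}
    for line in syslog.splitlines():
        m = AUTHFAIL_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    result = {}
    for host, n in counts.items():
        if acl_permits(entries, host):
            reason = "permitted by ACL: community string or SNMPv3 user mismatch"
        else:
            reason = "not permitted by ACL: access-list deny, not a credential failure"
        result[host] = (n, reason)
    return result


if __name__ == "__main__":
    for host, (n, reason) in sorted(classify_authfails(SYSLOG, parse_acl(ACL_CONFIG)).items()):
        print("%-16s %4d  %s" % (host, n, reason))
```

Feed it the relevant `show access-lists` output and the AUTHFAIL lines from your syslog collector. Sources that come out as access-list denies can be kept off the log entirely without disabling authfail logging: drop UDP/161 from them in an interface ACL or a control-plane policy, so the packet never reaches the SNMP agent and no AUTHFAIL is generated for it.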

