DX Unified Infrastructure Management

  • 1.  SNMPCOLLECTOR AND SSH

    Posted Jan 02, 2017 07:32 AM

    Hi guys.

     

    I recently deployed an snmpcollector probe, and the user is complaining about SSH traffic from the hub where the snmpcollector probe is to the target devices to be monitored.

     

    Since they are network devices, they must use only SNMP ports (161 and 162).

     

    Do you know if this is normal behavior and how I can disable it?

     

    Thank you.

     

    Clecimar



  • 2.  Re: SNMPCOLLECTOR AND SSH

    Posted Jan 03, 2017 07:03 AM

    Hi Clecimar,

     

    I'm not sure I'm following you on this.  So, you have deployed snmpcollector and you have SSH traffic from the Hub where snmpcollector is running and you think this traffic is due to the deployment of snmpcollector?

     

    Also, what about ports 161 and 162? Do you have policies to just use these ports?

     

    Sorry, but, could you please try explaining again what your issue is?

     

    Thanks.

     

    Best regards,

     

    Balta.



  • 3.  Re: SNMPCOLLECTOR AND SSH

    Posted Jan 03, 2017 07:28 AM

    For sure!

     

     

     

    Imagine the secondary hub is working, taking data through ICMP and SNMP ports as expected. Some time later, the customer complains to you: hey man, why is your secondary hub trying to access my devices using SSH?

     

     

     

    In Portuguese (translated):

    “…If you want, you can call me so we can talk, but the fact is that the UIM server is making SSH connections, or rather, trying to, and is being blocked by the firewall. It is one of two things:

    *     If this is necessary, please justify the need so that we can evaluate it and, if appropriate, allow the rule;

    *     If this is NOT necessary, please check why this machine is making these attempts and remove the configuration.

    ...”

     

    So, if the ssh access is normal, I need to know what to say to the customer!

     

    Hope this is clear.

     

    Thank you.

     

    Clecimar

     

     

     




  • 4.  Re: SNMPCOLLECTOR AND SSH

    Broadcom Employee
    Posted Jan 03, 2017 09:16 AM

    Any chance that the ssh connection attempts are actually coming from a discovery_agent installed on the same hub as the snmpcollector probe?  If a discovery_agent has been deployed to this hub, you can check from the UMP Discovery Wizard to see if a shell (SSH) profile has been defined and if so, if this profile is being used during the discovery of the SNMP device(s) being monitored by the snmpcollector probe.  You can configure the discovery_agent to only use the SNMP profile for these devices if a shell profile has been defined.  This will prevent UIM from attempting to connect to the SNMP devices using SSH.



  • 5.  Re: SNMPCOLLECTOR AND SSH

    Posted Jan 03, 2017 09:20 AM

    Hello again, Clecimar.

     

    So, snmpcollector, by the definition of the SNMP Protocol, should just use ports 161 and/or 162. We know that SSH works on 22. So, are you saying that your customer is complaining about your secondary Hub trying to query your devices on port 22?

     

    The only thing I could think of is the involvement of discovery_server, which you can use to configure the devices and their credentials and, among many of them, you can provide SSH credentials.

     

    To have a better understanding of both, you may want to check these:

     

    snmpcollector Theory of Operations - CA Unified Infrastructure Management Probes - CA Technologies Documentation 

     

    Configuring Discovery - CA Unified Infrastructure Management - 8.5 - CA Technologies Documentation 

     

    Also, I guess you have already tried that, but, just in case, you may want to check on your devices with Wireshark or a similar tool, to find out exactly what is trying to access your devices on port 22.

     

    Thanks.

     

    Best regards,

     

    Balta.



  • 6.  Re: SNMPCOLLECTOR AND SSH

    Posted Jan 03, 2017 01:06 PM

    Hi Balta.

     

     

     

    Yes, this is why I put this question here: since the probe is called snmpanything, it should not use SSH!!

     

     

     

    I asked the customer who is complaining to send me the detailed origin of these packets hitting his firewall.

     

     

     

    Thank you.

     

     

     

    Clecimar

     

     

     




  • 7.  Re: SNMPCOLLECTOR AND SSH

    Posted Jan 04, 2017 07:04 AM

    Hi Clecimar!

     

    Need to take a look at the sniffer trace and check, because by default there is no traffic at port 22 using snmpcollector.

    You can confirm by stopping the probe to see whether the SSH traffic is still sent or not.
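
A packet capture taken on the device or firewall side shows only the hub's IP address, not which process on the hub opened the connection. The following is an added example, not part of the thread and not CA/Broadcom code: assuming a Linux hub with `ss` available, it groups outbound TCP connection attempts to port 22 by owning process. The sample lines and the process names in them are constructed placeholders.

```shell
#!/bin/sh
# Reads `ss -H -tanp` output on stdin and prints, per owning process,
# how many outbound connections or attempts target remote port 22.
# Output format: <count> <process> <pid> <state>
ssh_talkers() {
  awk '
    # Keep only sockets that are connecting or connected.
    $1 != "SYN-SENT" && $1 != "ESTAB" { next }
    {
      # Column 5 is Peer Address:Port; the port is the last ":" field,
      # which also works for bracketed IPv6 peers.
      n = split($5, peer, ":")
      if (peer[n] != "22") next          # skips inbound SSH to the hub itself
      proc = "unknown"; pid = "-"
      # Process column looks like users:(("name",pid=123,fd=4))
      if (match($0, /\(\("[^"]+",pid=[0-9]+/)) {
        s = substr($0, RSTART + 3, RLENGTH - 3)
        split(s, f, "\",pid=")
        proc = f[1]; pid = f[2]
      }
      count[proc " " pid " " $1]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# Constructed sample: two blocked attempts to port 22 on monitored devices,
# one unrelated connection, and one inbound SSH session to the hub.
SAMPLE_SS='SYN-SENT 0 1 10.0.0.5:51512 192.0.2.10:22 users:(("probe_x",pid=4021,fd=33))
SYN-SENT 0 1 10.0.0.5:51514 192.0.2.11:22 users:(("probe_x",pid=4021,fd=34))
ESTAB 0 0 10.0.0.5:48100 10.0.0.1:48002 users:(("hub_proc",pid=1200,fd=12))
ESTAB 0 0 10.0.0.5:22 10.0.0.99:50222 users:(("sshd",pid=900,fd=4))'

printf '%s\n' "$SAMPLE_SS" | ssh_talkers

# On a live hub (root is needed to see other users' processes):
#   ss -H -tanp | ssh_talkers
```

Attempts dropped by a firewall stay in SYN-SENT only while the kernel retries, so on a live hub the command may need to be repeated around the time the firewall logs the hits.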



  • 8.  Re: SNMPCOLLECTOR AND SSH

    Posted Jan 04, 2017 07:26 AM

    Thank you team!

     

     

     

    Clecimar

     

     

     
