DX NetOps

  • Private Community

  • 1.  Trap Source is coming as

    Posted Dec 21, 2017 12:07 PM

    Hi All,

     

    We are trying to send trap from Varonis Datadvantage tool to Spectrum. When we receive trap at the Spectrum Server end, the trap looks like the below trap (highlighted the IP Address part in red) and it is considering the trap is sent to 127.0.0.1 (local IP).

     

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth8, link-type EN10MB (Ethernet), capture size 65535 bytes
    09:59:59.043017 IP 10.1.0.1.58499 > Spectrum01.abcd.com.snmptrap: Trap(99) .iso.org.dod.internet.private.59.1.1.2.1 127.0.0.1 enterpriseSpecific s=0 0 .iso.org.dod.internet.private.59.1.1.2.1="This is a test SNMP trap sent from Varonis DatAdvantage."

     

    Is there a way that I can separate the port number part from the IP Address in the trap and let the trap forwarded to correct destination IP in the Spectrum? Please suggest.

     

     

    Regards,

    Rajashekar



  • 2.  Re: Trap Source is coming as

    Broadcom Employee
    Posted Dec 28, 2017 12:09 AM

    Hi Rajashekar,

     

    Does the trap come into Spectrum as "Unknown alert..." (i.e. the trap is not certified and mapped in Spectrum) or does it appear as under the correct model and you just want to forward it on to another model with IP address specified in the trap?

     

    If so, you can map trap as per the following KB article;

     

    Customising Events and Mapping Traps 

     

    And then you can create a custom Event procedure that takes the trap and forwards it the model identified via the IP address.



  • 3.  Re: Trap Source is coming as

    Posted Dec 28, 2017 07:06 AM

    Thank you Mohammed for responding.

     

    I don't see the above mentioned trap in Spectrum at least as "Unknown alert" as the trap source IP in the trap is coming as IP.<some number>. I don't see the trap even under respective device or under VNM. Seems, it is just forwarding the trap to 127.0.0.1.

     

    Please see the highlighted text in red color in my first post. Re-posted the trap information below. Highlighted the trap source in two colors (IP-Red and unknown number - Blue) and also the trap destination in Red which is pointing to 127.0.0.1.

     

    09:59:59.043017 IP 10.1.0.1.58499 > Spectrum01.abcd.com.snmptrap: Trap(99) .iso.org.dod.internet.private.59.1.1.2.1 127.0.0.1 enterpriseSpecific s=0 0 .iso.org.dod.internet.private.59.1.1.2.1="This is a test SNMP trap sent from Varonis DatAdvantage."

     

    Is this something that we need to fix at trap source device? Please confirm.

     

    Regards,

    Rajashekar



  • 4.  Re: Trap Source is coming as
    Best Answer

    Broadcom Employee
    Posted Dec 28, 2017 09:31 AM

    I have seen a similar problem in the past when the trap was being sent from NetApp.

    Spectrum will not process a trap that is coming from 127.0.1.1 although yours is a bit different that it is 127.0.0.1.

     

    Since the problem is with the trap itself, you will need to check with the vendor as the Trap is not being sent correctly and its not a Spectrum problem.

    For the NetApp problem they posted a workaround on their webpage.

     

    https://community.netapp.com/t5/OnCommand-Storage-Management-Software-Discussions/SNMP-Alerts-sender-is-127-0-1-1/td-p/108250

     

    I hope this helps you.

     

    Best regards,

    Glenn



  • 5.  Re: Trap Source is coming as

    Posted Dec 28, 2017 09:52 AM

    Thank you Glenn. I will try to add the IP Address and FQDN of the host name in hosts file on Spectrum Server and see if it is showing the correct IP.

     

    Regards,

    Rajashekar



  • 6.  Re: Trap Source is coming as

    Broadcom Employee
    Posted Dec 28, 2017 10:38 AM

    It's not on the Spectrum server where you need to fix this.  It's on the device sending the traps.  It's filling in the loopback address in the SNMP Agent header instead of the actual IP of the device.  This would happen if the SNMP sender resolves it's own hostname to the loopback instead of a legitimate IP address.  For example, in the NetApp example that Glenn provides, one of the solutions is the following:

     

    1) Boot OCUM appliance into shell prompt. How? Login to the ESX vcentre where VM resides. Take a snapshot of the VM. Proceed to launch console from vcenter. Give admin/your_password.
    Go to option 4 ) Support/Diagnostics, type 'erds' in the section asks for 'Enter your choice:'. It will ask you to enter password. Set a password. Access will be enabled only for the first terminal session.
    2) Login to the cli by giving username as 'diag' and the password you set above.
    3) Note the IP address of the OCUM from 'sudo ifconfig'
    4) edit /etc/hosts file with vi or nano
    5) Set host file as below.
    127.0.0.1 localhost
    <ip address of the ocum> <hostname_with_fqdn> <hostname>
    ::1 localhost ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    6) Reboot the ocum server.
    7) Try sending alerts now. Try disabling ipv6 settings in /etc/hosts file if that's still not working.

     

    If you are unable to correct on the SNMP sender, you could do something like send the traps to an intermediate trap listener like TrapExploder (there are others as well) that can rewrite the SNMP Agent header to match the source IP address in the packet header. 



  • 7.  Re: Trap Source is coming as

    Posted Dec 28, 2017 11:04 AM

    Yup. Sorry Robert! I misread the Netapp community post thinking that, we need to do changes in host file on SNMP manager.

    I will ask the support team of Varonis to take care of the SNMP trap sender host files to see if the trap is coming properly.

     

    Thank you for pointing me to the right direction.