Junos OS

Ask questions and share experiences about Junos OS.
  • 1.  SNMPD_AUTH_FAILURE

    Posted 05-12-2015 21:08

    Hi,

    I have an issue with SNMP polling, which is:

    SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 10.10.59.157 to 5.5.5.2 (read)

     

    When looking at the server (10.10.59.157), there is no SNMP or SNMP trap functionality working on it. There is also no configuration relating to IP address 10.10.59.157 on the SRX device.

    1- Why does the SRX device give this error?

    2- How to stop this server from communicating with the SRX (5.5.5.2)?

     

    Any idea please? How to fix this SNMPD_AUTH_FAILURE issue?

     

    SRX> show configuration snmp

    description SRX;
    location "xxxxx";
    view jweb-view-all {
        oid .1 include;
    }
    community public {
        view jweb-view-all;
        authorization read-write;
    }
    community opus1 {
        authorization read-only;
        clients {
            10.12.12.26/32;
        }
    }
    trap-group Public {
        categories {
            authentication;
            chassis;
            link;
            remote-operations;
            routing;
            startup;
            rmon-alarm;
            vrrp-events;
            configuration;
        }
        targets {
            10.10.10.147;
            10.10.10.128;
        }
    }

    {primary:node0}

     

    Thanks

    Erdal

     



  • 2.  RE: SNMPD_AUTH_FAILURE

     
    Posted 05-12-2015 21:35

    What release is this?




    =====

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.



  • 3.  RE: SNMPD_AUTH_FAILURE

    Posted 05-12-2015 22:49


    JUNOS Software Release [12.1X44-D35.5]



  • 4.  RE: SNMPD_AUTH_FAILURE

     
    Posted 05-13-2015 05:29

    You can enable the SNMP traceoptions and see if you are being polled by that host.

     

    Also, if this message is recurring very often, then you could start a tcpdump matching this specific host and see if you are getting anything from the host when the message is recorded.







  • 5.  RE: SNMPD_AUTH_FAILURE

    Posted 05-13-2015 23:06

    Hi Parau,

    After SNMP traceoptions, it is revealed that the host has a "Get-Request".

     

    May 14 10:59:20 SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 10.10.49.154 to 10.12.5.2 (read)
    May 14 10:59:20 snmpd[59ba] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    May 14 10:59:20 snmpd[59ba] >>> Get-Request
    May 14 10:59:20 snmpd[59ba] >>> Source: 10.10.49.54
    May 14 10:59:20 snmpd[59ba] >>> Destination: 10.12.5.2
    May 14 10:59:20 snmpd[59ba] >>> Version: SNMPv1
    May 14 10:59:20 snmpd[59ba] >>> Request_id: 0x59ba
    May 14 10:59:20 snmpd[59ba] >>> Community: read
    May 14 10:59:20 snmpd[59ba] >>> Error: status=0 / vb_index=0
    May 14 10:59:20 snmpd[59ba] >>> OID : sysObjectID.0
    May 14 10:59:20 snmpd[59ba] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

     

    Although this server (10.10.49.54) is not part of the SNMP configuration on the SRX, the SRX is very often disturbed/annoyed by this server. On the server side, I had a quick look and there was no SNMP service enabled or working, but I will delve deeper into it with nmap scanning. Apart from this work, how can I ignore this SNMP "get-request" on the SRX side? Or why is the SRX listening to this SNMP request, as there is no configuration based on this IP address (10.10.49.54) in the current SNMP configuration?

     

    Thanks

    Erdal
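
One way to triage the SNMPD_AUTH_FAILURE messages quoted above, as an added example that is not part of any post in this thread: it groups failures by source and community and says whether the community is unknown to the SRX or known but restricted to other clients. The COMMUNITIES table is copied from the configuration in the first post; the sample log lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Communities and their "clients" restrictions, copied from the SRX
# configuration in the first post. None means no clients clause.
COMMUNITIES = {
    "public": None,
    "opus1": [ipaddress.ip_network("10.12.12.26/32")],
}

FAILURE = re.compile(
    r"SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community "
    r"from (?P<src>\S+) to (?P<dst>\S+) \((?P<community>[^)]*)\)"
)

def classify(src, community):
    """Say why a request from src with this community was refused."""
    if community not in COMMUNITIES:  # exact, case-sensitive comparison
        return "unknown-community"
    clients = COMMUNITIES[community]
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "unparsable-source"
    if clients is not None and not any(addr in net for net in clients):
        return "client-not-permitted"
    return "other"  # known community, permitted source: check view/authorization

def summarize(lines):
    """Count failures per (source, community, reason); skip unrelated lines."""
    counts = Counter()
    for line in lines:
        m = FAILURE.search(line)
        if m:
            key = (m["src"], m["community"], classify(m["src"], m["community"]))
            counts[key] += 1
    return counts

# Constructed sample input in the message format quoted in this thread.
SAMPLE = """\
May 14 10:59:20 SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 10.10.49.54 to 10.12.5.2 (read)
May 14 10:59:50 SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 10.10.49.54 to 10.12.5.2 (read)
May 14 11:00:20 SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 10.10.49.54 to 10.12.5.2 (read)
May 14 11:00:21 SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 10.10.59.157 to 10.12.5.2 (opus1)
May 14 11:00:21 snmpd[0] <<< Trap type: authenticationFailure
"""

if __name__ == "__main__":
    for (src, comm, why), n in summarize(SAMPLE.splitlines()).most_common():
        print(f"{n:3d}  {src:<15}  community={comm!r}  {why}")
```

Sources that keep appearing under unknown-community are the ones a loopback filter would discard before snmpd has to process them.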



  • 6.  RE: SNMPD_AUTH_FAILURE

     
    Posted 05-13-2015 23:19

    Any device can attempt to get SNMP information.

     

    By using this, you only allow 10.12.12.26 to use opus1 community to get the SNMP information:

     

    community opus1 {
        authorization read-only;
        clients {
            10.12.12.26/32;
        }
    }

     

    But any other device can attempt to use this community or any other device can use another community to get the information. These requests will reach the SNMP daemon and they need to be processed and eventually discarded.

     

    If you want to drop these requests before they are processed, you can create a filter and apply on the loopback interface and discard the SNMP requests that are coming from anywhere else except your SNMP manager station.






  • 7.  RE: SNMPD_AUTH_FAILURE

    Posted 05-14-2015 17:47

    Hi Parau,

     

    1-) In your previous post you are referring to creating a filter and applying it to the loopback interface etc. Can I get your point on why loopback interfaces should be used for discarding requests, as SNMP traffic is flowing on its management interface?

    2-) As there is no V1 trap or V2 trap within the SNMP configuration on the SRX, why are they located in the SNMP traceoptions?

     

    May 14 10:59:45 snmpd[0] <<< V1 Trap
    May 14 10:59:45 snmpd[0] <<< Source: 192.168.0.2
    May 14 10:59:45 snmpd[0] <<< Destination: 10.10.49.128
    May 14 10:59:45 snmpd[0] <<< Version: SNMPv1
    May 14 10:59:45 snmpd[0] <<< Community: Public
    May 14 10:59:45 snmpd[0] <<< Agent addr: 10.12.5.2
    May 14 10:59:45 snmpd[0] <<< sysUpTime: (6773488) 18:48:54.88
    May 14 10:59:45 snmpd[0] <<< Enterprise: jnxProductNameSRX650
    May 14 10:59:45 snmpd[0] <<< Trap type: authenticationFailure
    May 14 10:59:45 snmpd[0] <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    May 14 10:59:45 snmpd[0] <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    May 14 10:59:45 snmpd[0] <<< V1 Trap
    May 14 10:59:45 snmpd[0] <<< Source: 192.168.0.2
    May 14 10:59:45 snmpd[0] <<< Destination: 10.10.49.147
    May 14 10:59:45 snmpd[0] <<< Version: SNMPv1
    May 14 10:59:45 snmpd[0] <<< Community: Public
    May 14 10:59:45 snmpd[0] <<< Agent addr: 10.12.5.2
    May 14 10:59:45 snmpd[0] <<< sysUpTime: (6773488) 18:48:54.88
    May 14 10:59:45 snmpd[0] <<< Enterprise: jnxProductNameSRX650
    May 14 10:59:45 snmpd[0] <<< Trap type: authenticationFailure
    May 14 10:59:45 snmpd[0] <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    May 14 10:59:45 ns_trap_internal
    May 14 10:59:45 snmpd[0] <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    May 14 10:59:45 snmpd[0] <<< V2 Trap
    May 14 10:59:45 snmpd[0] <<< Source: 192.168.0.2
    May 14 10:59:45 snmpd[0] <<< Destination: 10.10.49.128
    May 14 10:59:45 snmpd[0] <<< Version: SNMPv2
    May 14 10:59:45 snmpd[0] <<< Community: Public
    May 14 10:59:45 snmpd[0] <<<
    May 14 10:59:45 snmpd[0] <<< OID : sysUpTime.0
    May 14 10:59:45 snmpd[0] <<< type : TimeTicks
    May 14 10:59:45 snmpd[0] <<< value: (6773488) 18:48:54.88
    May 14 10:59:45 snmpd[0] <<<
    May 14 10:59:45 snmpd[0] <<< OID : snmpTrapOID.0
    May 14 10:59:45 snmpd[0] <<< type : Object
    May 14 10:59:45 snmpd[0] <<< value: authenticationFailure
    May 14 10:59:45 snmpd[0] <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

     

    Thanks,

    Erdal



  • 8.  RE: SNMPD_AUTH_FAILURE

     
    Posted 05-15-2015 07:00

    If you configure the filter on the loopback interface, the filter can drop any control plane destined traffic that is coming from both management interfaces (fxp0) and data plane interfaces (ge-*).

    If you apply the filter on the management interface, it will drop the traffic you wish coming only from the management interface and not from data plane interfaces.

    It's up to you to decide where you want to apply the filter.

    By default, if you don't specify the trap version, it will send traps for both versions, v1 and v2 (all). You can change it like this:

     

    {master:0}[edit]
    root@EX# set snmp trap-group TEST version ?
    Possible completions:
      all                  Send SNMPv1 and SNMPv2 traps
      v1                   Send SNMPv1 traps
      v2                   Send SNMPv2 traps
    {master:0}[edit]
    root@EX#

     

     





  • 9.  RE: SNMPD_AUTH_FAILURE

    Posted 05-17-2015 17:02

    Hi Parau,

     

    Thanks for clarifying the points.

    Is it possible to provide a working configuration for dropping SNMP request traffic on the SRX?

     

    Erdal



  • 10.  RE: SNMPD_AUTH_FAILURE

     
    Posted 05-13-2015 02:23

    1. Strange if there is nothing running on the server you are mentioning. Did you or someone else not do an snmpwalk towards the SRX device?

    2. You can build a firewall filter to protect the RE and only allow specific hosts to connect to the SNMP port on the SRX.

     

     

    set interfaces lo0 unit 0 family inet filter input RE-protect

     


    set firewall filter RE-protect term TCP-established from protocol tcp
    set firewall filter RE-protect term TCP-established from tcp-established
    set firewall filter RE-protect term TCP-established then accept
    set firewall filter RE-protect term SSH-allow from source-prefix-list Permit-ssh
    set firewall filter RE-protect term SSH-allow from protocol udp
    set firewall filter RE-protect term SSH-allow from protocol tcp
    set firewall filter RE-protect term SSH-allow from port ssh
    set firewall filter RE-protect term SSH-allow then accept
    set firewall filter RE-protect term OSPF-allow from source-address x.x.x.x/24
    set firewall filter RE-protect term OSPF-allow from protocol ospf
    set firewall filter RE-protect term OSPF-allow then accept
    set firewall filter RE-protect term BGP-allow from source-prefix-list Permit-bgp
    set firewall filter RE-protect term BGP-allow from protocol tcp
    set firewall filter RE-protect term BGP-allow from destination-port bgp
    set firewall filter RE-protect term BGP-allow then accept
    deactivate firewall filter RE-protect term BGP-allow
    set firewall filter RE-protect term ICMP-allow from protocol icmp
    set firewall filter RE-protect term ICMP-allow from icmp-type echo-reply
    set firewall filter RE-protect term ICMP-allow from icmp-type echo-request
    set firewall filter RE-protect term ICMP-allow from icmp-type unreachable
    set firewall filter RE-protect term ICMP-allow from icmp-type time-exceeded
    set firewall filter RE-protect term ICMP-allow from icmp-code fragmentation-needed
    set firewall filter RE-protect term ICMP-allow from icmp-code 0
    set firewall filter RE-protect term ICMP-allow then policer RATE-small
    set firewall filter RE-protect term ICMP-allow then accept
    set firewall filter RE-protect term TRACE-allow from protocol udp
    set firewall filter RE-protect term TRACE-allow from destination-port 33434-33523
    set firewall filter RE-protect term TRACE-allow then policer RATE-small
    set firewall filter RE-protect term TRACE-allow then accept
    set firewall filter RE-protect term SNMP-allow from source-prefix-list Permit-snmp
    set firewall filter RE-protect term SNMP-allow from protocol udp
    set firewall filter RE-protect term SNMP-allow from destination-port snmp
    set firewall filter RE-protect term SNMP-allow then policer RATE-large
    set firewall filter RE-protect term SNMP-allow then accept
    set firewall filter RE-protect term XNM-allow from source-prefix-list Permit-netblock
    set firewall filter RE-protect term XNM-allow from protocol tcp
    set firewall filter RE-protect term XNM-allow from destination-port 3220
    set firewall filter RE-protect term XNM-allow from destination-port 3221
    set firewall filter RE-protect term XNM-allow then policer RATE-large
    set firewall filter RE-protect term XNM-allow then accept
    deactivate firewall filter RE-protect term XNM-allow
    set firewall filter RE-protect term NTP-allow from source-prefix-list Permit-ntp
    set firewall filter RE-protect term NTP-allow from protocol udp
    set firewall filter RE-protect term NTP-allow from source-port ntp
    set firewall filter RE-protect term NTP-allow then policer RATE-small
    set firewall filter RE-protect term NTP-allow then accept
    set firewall filter RE-protect term DOMAIN-allow from source-prefix-list Permit-dns
    set firewall filter RE-protect term DOMAIN-allow from protocol udp
    set firewall filter RE-protect term DOMAIN-allow from source-port domain
    set firewall filter RE-protect term DOMAIN-allow then policer RATE-small
    set firewall filter RE-protect term DOMAIN-allow then accept
    set firewall filter RE-protect term FTP-allow from source-prefix-list Permit-ssh
    set firewall filter RE-protect term FTP-allow from protocol tcp
    set firewall filter RE-protect term FTP-allow from destination-port 20
    set firewall filter RE-protect term FTP-allow from destination-port 21
    set firewall filter RE-protect term FTP-allow then accept
    set firewall filter RE-protect term LOCAL-allow from source-address 127.0.0.1/32
    set firewall filter RE-protect term LOCAL-allow from source-address 172.x.x.0/29
    set firewall filter RE-protect term LOCAL-allow then accept
    set firewall filter RE-protect term IPSEC-allow from source-address x.x.x.x/32
    set firewall filter RE-protect term IPSEC-allow from protocol esp
    set firewall filter RE-protect term IPSEC-allow from protocol ah
    set firewall filter RE-protect term IPSEC-allow from protocol tcp
    set firewall filter RE-protect term IPSEC-allow from protocol udp
    set firewall filter RE-protect term IPSEC-allow then accept
    set firewall filter RE-protect term pim-allow from protocol igmp
    set firewall filter RE-protect term pim-allow from protocol pim
    set firewall filter RE-protect term pim-allow then accept
    set firewall filter RE-protect term HTTP-allow from source-prefix-list Permit-ssh
    set firewall filter RE-protect term HTTP-allow from protocol udp
    set firewall filter RE-protect term HTTP-allow from protocol tcp
    set firewall filter RE-protect term HTTP-allow from port http
    set firewall filter RE-protect term HTTP-allow then accept
    set firewall filter RE-protect term DEFAULT-deny-everything-else then discard



  • 11.  RE: SNMPD_AUTH_FAILURE

     
    Posted 05-18-2015 00:18

    You can use something like this. 10.10.10.128 and 10.10.10.147 are the only hosts that should run SNMP queries:

     

    [edit]
    lab@chef# show | compare
    [edit]
    +  interfaces {
    +      lo0 {
    +          unit 0 {
    +              family inet {
    +                  filter {
    +                      input RE-protect;
    +                  }
    +                  address 1.1.1.1/32;
    +              }
    +          }
    +      }
    +  }
    +  policy-options {
    +      prefix-list permit-snmp {
    +          10.10.10.128/32;
    +          10.10.10.147/32;
    +      }
    +  }
    +  firewall {
    +      filter RE-protect {
    +          term SNMP-allow {
    +              from {
    +                  source-prefix-list {
    +                      permit-snmp;
    +                  }
    +                  protocol udp;
    +                  destination-port snmp;
    +              }
    +              then accept;
    +          }
    +          term DISCARD_ELSE {
    +              then {
    +                  discard;
    +              }
    +          }
    +      }
    +  }
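
    Review bot: the permit-snmp prefix-list holds 10.10.10.128/32 and 10.10.10.147/32, which in the first post's configuration are the trap-group targets, while the only polling client configured there is 10.12.12.26/32 under community opus1. If 10.12.12.26 is the station that polls the SRX, add it to the prefix-list, otherwise SNMP-allow will not match it and DISCARD_ELSE will drop its requests. DISCARD_ELSE also follows SNMP-allow directly, with no terms for ssh or other routing-engine traffic, so the filter should not be committed on lo0 in this form; add those terms first and use commit confirmed so the change rolls back if access is lost.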

    [edit]
    lab@chef#

    Keep in mind that you should add terms to allow the other protocols to reach the routing-engine(ssh/bgp and so on).

     

