CE6800 Switch SNMP Failure

Abstract
After migrating from a Cisco switch to a Huawei CE6800 switch, the network management system (NMS) could not monitor the network because of an NMS failure.

 

Issue Description

The Cisco core switch has been replaced by a Huawei CE1 switch.

The network is monitored by an NMS through SNMP v2c.

 


Issues:

After migration, the network management system could not monitor the network.

The SNMP v2c configuration on CE1 is a standard one:

snmp-agent

snmp-agent sys-info version v2c v3

snmp-agent community read cipher "test" acl SNMP

snmp-agent trap enable

The NMS is configured to perform an SNMP GET using the “test” community, but there is no answer from CE1.

Here are the checks performed on the CE1:

1. The SNMP version was checked to confirm it is the same on the NMS and CE1.

2. The SNMP community was checked to confirm it is the same on the NMS and CE1.

3. The ACL SNMP was checked: only the IP address of the NMS is permitted.

In the CE1 logbuffer we can see that authentication failed because of an incorrect community.

Source IP = NMS IP_address

IP = CE1 IP_address


We double-checked the configured community name, and it was the same as on the NMS.

The customer decided to stop the NMS application. We then started a debug on CE1: the switch still received packets from the NMS server IP address, even though the NMS was shut down.


After checking the server, we found that another application on it is using SNMP with a different community configured. For this reason, CE1 receives a lot of packets from the server IP address (the same as the NMS) and locks the IP address (login failure).
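
One way to confirm this root cause from a packet capture taken on the server or on a mirror port, as an added example that is not part of the original case: the script parses SNMPv1/v2c UDP payloads and lists, per source IP, the communities that differ from the one configured on CE1. The addresses, the "other-app" community and all function names are constructed for illustration.

```python
from collections import defaultdict

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse_community(payload):
    """Return (version, community) from an SNMPv1/v2c UDP payload."""
    tag, body, _ = read_tlv(payload, 0)
    vtag, ver, pos = read_tlv(body, 0)
    ctag, community, _ = read_tlv(body, pos)
    version = int.from_bytes(ver, "big")
    # SEQUENCE { INTEGER version (0 = v1, 1 = v2c), OCTET STRING community, PDU }
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04) or version not in (0, 1):
        raise ValueError("not a community-based SNMP message")
    return version, community.decode("latin-1")

def unexpected_communities(packets, expected):
    """Map source IP -> sorted communities it sent that differ from `expected`."""
    seen = defaultdict(set)
    for src, payload in packets:
        try:
            community = parse_community(payload)[1]
        except (ValueError, IndexError):   # not SNMP or malformed: skip
            continue
        if community != expected:
            seen[src].add(community)
    return {src: sorted(c) for src, c in seen.items()}

def sample_get(community):
    """Constructed SNMPv2c GetRequest for sysDescr.0 (sample input only)."""
    pdu = bytes.fromhex("a019020101020100020100300e300c06082b060102010101000500")
    c = community.encode()
    body = b"\x02\x01\x01" + bytes([0x04, len(c)]) + c + pdu
    return bytes([0x30, len(body)]) + body

# Constructed capture: (source IP, UDP payload). Addresses and "other-app" are placeholders.
PACKETS = [("192.0.2.10", sample_get("test")), ("192.0.2.10", sample_get("other-app")),
           ("192.0.2.20", sample_get("test")), ("192.0.2.10", b"\x00\x01")]
```

Calling `unexpected_communities(PACKETS, expected="test")` returns only the source that sends a community other than the one CE1 accepts, which is the situation that led CE1 to lock the server address here.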

 

Solution
1. Change the community on the NMS so that it is the same as the community configured on the other application and on CE1.
2. Use this command “snmp-agent blacklist ip-block disable” to disable the IP address blacklist.