01-21-2013 08:23 AM
I have a customer who is monitoring several HP/Avaya switches with IMC. The switches are on remote routed subnets, some simply routed, other routed by firewalls.
In the firewall logs however, they have noticed IP spoofing from the IMC subnet.
After analysis and packet traces, it appeared that IMC itself is not only trying to send ICMP echo requests with its own IP address, but also with a source IP address from the subnet of the managed devices.
For example: IMC has IP 10.1.1.101/24, the remote device has IP 10.1.2.11/24, connected by firewall/router. With a Wireshark trace on the IMC, we see IMC is sending ICMP echo requests with source IP e.g. 10.1.2.253 to the 10.1.2.11 device. We see similar behavior for devices in other subnets, e.g. for a switch with IP 10.1.3.11/24, IMC would use source IP 10.1.3.254.
The trace actually shows that the source MAC address of the device is the IMC server.
We have already disabled the dismanping on the IMC configuration.
This is an IMC Enterprise installation on Windows Server on an ESX host (trial license).
Of course the firewall team does not like this, since they get plenty of log messages about IP spoofing.
Has anyone experienced this already? Does anyone know why IMC would be doing this?
01-21-2013 08:30 AM
01-21-2013 08:41 AM
Thanks for your reply (I have also posted this request on http://www.netopscommunity.net, I will sync the outcome).
Yes, only 1 IP assigned.
It really seems to be looping through all possible 10.0.0.0/8 subnets (making up /24 subnets itself) and sending the echo requests with some random source IP from that subnet (but always based on an IP of a managed host).
Could it be trying to discover hosts with a mismatched subnet mask? (The remote host will be sending an ARP request, so that can/could be picked up by IMC or another routing device (and then queried by IMC via SNMP ARP tables).)
It could be doing smart things, but I do not understand it, and more importantly, I would need to know how to turn it off ...
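As an added example (not code from this thread or from IMC): a small Python check a defender could run over exported capture records to confirm the pattern described above, i.e. one MAC (the IMC server) sending echo requests whose source IP lies outside its own configured subnet, grouped by the /24 each forged source falls into. The host MAC, host subnet and the trace records below are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_interface, ip_network

# Constructed sample of ICMP echo-request frames as they might be exported
# from a capture on the IMC server's own interface (not a real trace):
# (source MAC, source IP, destination IP).
SAMPLE_FRAMES = [
    ("00:50:56:aa:bb:cc", "10.1.1.101", "10.1.2.11"),  # normal: server's own address
    ("00:50:56:aa:bb:cc", "10.1.2.253", "10.1.2.11"),  # source from the target's /24
    ("00:50:56:aa:bb:cc", "10.1.3.254", "10.1.3.11"),  # source from another target's /24
    ("00:50:56:aa:bb:cc", "10.1.1.101", "10.1.3.11"),
    ("00:1b:21:11:22:33", "10.1.1.5", "10.1.1.101"),   # other LAN host, its own subnet
]


def off_subnet_sources(frames, host_mac, host_iface):
    """Return {"/24 of forged source": [source IPs]} for frames sent by host_mac
    whose source IP is not inside the host's configured subnet (host_iface is
    the server's address in CIDR form, e.g. "10.1.1.101/24")."""
    local_net = ip_interface(host_iface).network
    hits = defaultdict(set)
    for mac, src, _dst in frames:
        if mac.lower() != host_mac.lower():
            continue                      # only the suspected sender matters
        src_ip = ip_address(src)
        if src_ip in local_net:
            continue                      # legitimate source for this interface
        # group by the /24 the forged source falls into, which is how the
        # thread describes the pattern (one made-up /24 per managed device)
        subnet = ip_network(f"{src_ip}/24", strict=False)
        hits[str(subnet)].add(str(src_ip))
    return {net: sorted(ips, key=ip_address) for net, ips in sorted(hits.items())}


def source_in_target_subnet(src, dst):
    """True when the forged source sits in the destination's /24, the specific
    case the original poster observed, as opposed to an arbitrary source."""
    return ip_address(src) in ip_network(f"{dst}/24", strict=False)


if __name__ == "__main__":
    for net, ips in off_subnet_sources(SAMPLE_FRAMES, "00:50:56:aa:bb:cc",
                                       "10.1.1.101/24").items():
        print(f"{net}: forged sources {ips}")
```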