SNMP traps sent from ArcSight Express appliance are dropped
Valued Contributor
Ionut Mosoiu
Posts: 89
Registered: ‎02-10-2010
Message 1 of 6 (1,834 Views)

SNMP traps sent from ArcSight Express appliance are dropped

Hi team,

 

I need to understand the SNMP trap mechanism for NNMi 9.2x because I have the following issue:

I have a piece of equipment (ArcSight equipment) and am receiving traps from it. I can see the traps from cmd with the nnmtrapdump.ovpl command, but they are not displayed in NNMi -> Incident Browsing -> SNMP Traps.

So I checked whether:

- The trap is enabled and configured, and it is (under Configuration -> Incidents -> SNMP Trap Configurations).

- Discard Unresolved SNMP Traps and Syslog Messages is unchecked; it is unchecked.

Because the equipment has no SNMP agent, I added the node as non-SNMP, thinking that NNMi cannot receive SNMP traps from equipment that it has not discovered. No result.

Moreover, I tried to send my own traps using nttrapgen.exe directly from NNMi. I am able to see the traps using nnmtrapdump but they are displayed.

 

Example:

F:\Nttrapgen>nnmtrapdump.ovpl -last 5
Trap ArcSightEvent (.1.3.6.1.4.1.11937.0.1) at January 17, 2013 4:08:55 PM EET from 192.168.99.94
Version: SNMPv2c
Varbinds:
state=HAS_VALUE type=TimeTicks oid=.1.3.6.1.2.1.1.3.0 value=8710055
state=HAS_VALUE type=OBJECT IDENTIFIER oid=.1.3.6.1.6.3.1.1.4.1.0 value=.1.3.6.1.4.1.11937.0.1
state=HAS_VALUE type=OCTET STRING oid=.1.3.6.1.4.1.11937.1.1 value=37987738
state=HAS_VALUE type=OCTET STRING oid=.1.3.6.1.4.1.11937.1.3 value=Firewall - Repetitive Block - In Progress
state=HAS_VALUE type=OCTET STRING oid=.1.3.6.1.4.1.11937.1.147.2 value=/Informational
state=HAS_VALUE type=OCTET STRING oid=.1.3.6.1.4.1.11937.1.147.3 value=/Access
state=HAS_VALUE type=OCTET STRING oid=.1.3.6.1.4.1.11937.1.147.4 value=/Brute Force
state=HAS_VALUE type=OCTET STRING oid=.1.3.6.1.4.1.11937.1.147.5 value=/Security Information Manager
state=HAS_VALUE type=OCTET STRING oid=.1.3.6.1.4.1.11937.1.147.6 value=/Failure
state=HAS_VALUE type=OCTET STRING oid=.1.3.6.1.4.1.11937.1.147.7 value=/Network
state=HAS_VALUE type=OCTET STRING oid=.1.3.6.1.4.1.11937.1.148.2 value=5
state=HAS_VALUE type=OCTET STRING oid=.1.3.6.1.4.1.11937.1.10 value=
state=HAS_VALUE type=OCTET STRING oid=.1.3.6.1.4.1.11937.1.153.2 value=92.87.163.22
state=HAS_VALUE type=OCTET STRING oid=.1.3.6.1.4.1.11937.1.154.2 value=

 

 

Best Regards,

 

Daniel

Honored Contributor
AndyKemp
Posts: 770
Registered: ‎05-17-2010
Message 2 of 6 (1,822 Views)

Re: NNMi 9.22 (patch 2) Question on SNMP Traps?

As long as the node originating the trap is in the system inventory (the originating IP address has to match), the traps, if enabled, will be accepted and tagged to that node. I've got a very similar situation with the HP ILO management modules, which have the ability to send traps but no SNMP agent engine on the device.

Have a nice day :)

Andy Kemp,  CISSP
HP Expert
SergeyPankratov
Posts: 61
Registered: ‎03-30-2004
Message 3 of 6 (1,816 Views)

Re: NNMi 9.22 (patch 2) Question on SNMP Traps?

It may have been put on the list of disallowed/disabled trap OIDs or in the Blocking Caches a long time ago.

Verify this with

nnmtrapconfig.ovpl -dumpBlockList

  

To clear the blocking cache

nnmtrapconfig.ovpl -resetBlockCache

 

To unblock traps

nnmtrapconfig.ovpl -setProp unblockTraps

 

If you still see some traps on the disabled list although they are enabled, try restarting the trap service


nnmtrapconfig.ovpl -stop

nnmtrapconfig.ovpl -start

 

To turn blocking back on

nnmtrapconfig.ovpl -setProp blockTraps

 

I hope this may help

Sergey Pankratov
HP Support

The views expressed in my contributions are my own and do not necessarily reflect the views and strategy of HP
Valued Contributor
Ionut Mosoiu
Posts: 89
Registered: ‎02-10-2010
Message 4 of 6 (1,799 Views)

Re: NNMi 9.22 (patch 2) Question on SNMP Traps?

Hi Andy, hi Sergey,

Thanks for the output, but it still does not solve my problem. So I took the hard way: on the NNMi server (Windows server) I put a sniffer to see what kind of SNMP trap packets are coming from all the equipment that is sending traps.

Here is the output:

For Cisco equipment that sends an SNMP trap (linkDown):

Trap caught by sniffer

 

data : trap (4)

            trap

                   enterprise: 1.3.6.1.6.3.1.1.5 (iso.3.6.1.6.3.1.1.5)

                   agent - addr : 192.168.99.98

                   generic-trap: linkDown (2)

                   specific-trap: 0

...............................................................................

.................................................................................

 

I would like to note here that data -> trap contains information about the enterprise OID (in this case 1.3.6.1.6.3.1.1.5).

The trap is present in Incident Browsing -> SNMP Traps.

For the ArcSight equipment that sends an SNMP trap:

Trap caught by sniffer

 

data: snmpv2-trap (7)

            snmpv2-trap

                request-id: 584

                error-status: no Error (0)

               error-index:0

            variable-bindings: 14 items

                    1.3.6.1.2.1.1.3.0: 64275

                    1.3.6.1.6.3.1.1.4.1.0: 1.3.6.1.4.1.11937.0.1 (iso 3.6.1.4.1.11937.0.1)

                    1.3.6.1.4.1.11937.1.1: 333932338383938

                    1.3.6.1.4.1.11937.1.1:46697265777616c6.......etc

 

It can be seen that this SNMP trap event differs from the one described earlier, with a different structure.

So the trap is not present in Incident Browsing -> SNMP Traps. But it is present in traps.csv.

 

 

Looking further:

 

next ....

 

Daniel
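
The two captures in the post above are different PDU types: an SNMPv1 Trap-PDU (tag 4) carries enterprise, generic-trap and specific-trap fields, while an SNMPv2-Trap PDU (tag 7) carries its trap OID in the snmpTrapOID.0 varbind. The following is an added example, not part of the original thread and not NNMi code: it decodes one constructed message of each kind and reduces both to a single notification OID using the RFC 3584 mapping. The community string, timestamps and helper names are assumptions.

```python
# Added example. Both messages are CONSTRUCTED (community "public"); field
# values mirror the sniffer output quoted in the post above.
V1_TRAP = bytes.fromhex(            # data: trap (4), generic-trap linkDown (2)
    "3029020100" "04067075626c6963" "a41c" "06082b06010603010105"
    "4004c0a86362" "020102" "020100" "43023039" "3000")
V2C_TRAP = bytes.fromhex(           # data: snmpv2-trap (7), request-id 584
    "3043020101" "04067075626c6963" "a736" "02020248" "020100" "020100"
    "302a" "300f06082b06010201010300430300fb13"
    "3017060a2b06010603010104010006092b06010401dd210001")

def tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form BER length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):                 # split a constructed value
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 sub-identifiers
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def trap_oid(message):
    """Return (pdu name, notification OID) for a v1 Trap or v2c SNMPv2-Trap."""
    _version, _community, (pdu_tag, pdu) = children(tlv(message)[1])
    fields = children(pdu)
    if pdu_tag == 0xA4:                     # SNMPv1 Trap-PDU, context tag [4]
        generic = int.from_bytes(fields[2][1], "big")
        specific = int.from_bytes(fields[3][1], "big")
        if generic == 6:                    # enterpriseSpecific
            return "trap", f"{oid(fields[0][1])}.0.{specific}"
        return "trap", f"1.3.6.1.6.3.1.1.5.{generic + 1}"  # RFC 3584 mapping
    if pdu_tag == 0xA7:                     # SNMPv2-Trap-PDU, context tag [7]
        for _tag, varbind in children(fields[3][1]):
            (_, name), (_, value) = children(varbind)
            if oid(name) == "1.3.6.1.6.3.1.1.4.1.0":       # snmpTrapOID.0
                return "snmpv2-trap", oid(value)
    raise ValueError(f"no trap OID found (PDU tag 0x{pdu_tag:02x})")
```
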

Valued Contributor
Ionut Mosoiu
Posts: 89
Registered: ‎02-10-2010
Message 5 of 6 (1,798 Views)

Re: NNMi 9.22 (patch 2) Question on SNMP Traps?

continue ....

 

Looking further into

1. Incidents SNMP Trap Configurations:

The trap is defined.

2. Incidents -> Trap Server -> Trap Logging Configuration:

The trap is defined.

 

C:\Users\Administrator>nnmtrapconfig.ovpl -dumpBlockList

Filter Configuration:

List of allowed trap OIDs:

Any trap OIDs that are not disallowed/disabled or blocked

 

List of disallowed/disabled trap OIDs:

.1.3.6.1.4.1.8083.1.1.12.3.42

.1.3.6.1.4.1.8083.1.1.12.3.41

.1.3.6.1.2.1.17.0.2

.1.3.6.1.4.1.8083.1.1.12.3.40

.1.3.6.1.2.1.14.16.2.2

.1.3.6.1.2.1.14.16.2.1

.1.3.6.1.4.1.8083.1.1.12.3.46

.1.3.6.1.4.1.8083.1.1.12.3.45

.1.3.6.1.4.1.8083.1.1.12.3.44

.1.3.6.1.4.1.8083.1.1.12.3.43

.1.3.6.1.2.1.10.166.3.0.1

.1.3.6.1.2.1.10.166.3.0.2

.1.3.6.1.4.1.8083.1.1.12.3.1

.1.3.6.1.4.1.9.9.41.2.0.1

.1.3.6.1.2.1.14.16.2.16

.1.3.6.1.4.1.9.5.11.2.0.2

.1.3.6.1.2.1.10.166.11.0.2

.1.3.6.1.2.1.10.166.11.0.1

.1.3.6.1.2.1.15.0.2

.1.3.6.1.4.1.9.9.26.2.0.3

.1.3.6.1.2.1.15.0.1

.1.3.6.1.4.1.9.9.46.2.0.7

.1.3.6.1.4.1.8083.1.1.12.3.35

.1.3.6.1.4.1.8083.1.1.12.3.37

.1.3.6.1.4.1.8083.1.1.12.3.36

.1.3.6.1.4.1.8083.1.1.12.3.39

.1.3.6.1.4.1.8083.1.1.12.3.38

.1.3.6.1.2.1.16.0.1

.1.3.6.1.2.1.16.0.2

.1.3.6.1.4.1.9.5.0.6

.1.3.6.1.2.1.17.0.1

.1.3.6.1.4.1.9.5.0.5

Blocking Caches:

 

 

C:\Users\Administrator>

 

I don’t have any idea where to look.

Best Regards,

 

Daniel
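
The check carried out by hand in the post above (is the received trap's OID on the disallowed/disabled list?) can be scripted against the text output of the two commands. This is an added example, not part of the original thread and not an NNMi tool; the sample text is constructed in the format quoted above and shortened, and the function names are assumptions.

```python
import re

# CONSTRUCTED samples, shortened from the output format quoted in the thread.
TRAP_DUMP = """\
Trap ArcSightEvent (.1.3.6.1.4.1.11937.0.1) at January 17, 2013 4:08:55 PM EET from 192.168.99.94
Version: SNMPv2c
Varbinds:
state=HAS_VALUE type=TimeTicks oid=.1.3.6.1.2.1.1.3.0 value=8710055
state=HAS_VALUE type=OBJECT IDENTIFIER oid=.1.3.6.1.6.3.1.1.4.1.0 value=.1.3.6.1.4.1.11937.0.1
"""
BLOCK_LIST = """\
Filter Configuration:
List of allowed trap OIDs:
Any trap OIDs that are not disallowed/disabled or blocked
List of disallowed/disabled trap OIDs:
.1.3.6.1.2.1.17.0.2
.1.3.6.1.4.1.9.9.41.2.0.1
Blocking Caches:
"""

HEADER = re.compile(r"^Trap (\S+) \((\.[\d.]+)\) at .* from (\S+)$")

def parse_traps(text):
    """Return one dict per trap header line in nnmtrapdump.ovpl output."""
    traps = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            traps.append({"name": m[1], "oid": m[2], "source": m[3], "version": None})
        elif line.startswith("Version:") and traps:
            traps[-1]["version"] = line.split(":", 1)[1].strip()
    return traps

def disallowed_oids(text):
    """Collect OIDs listed under 'List of disallowed/disabled trap OIDs:'."""
    oids, collecting = set(), False
    for line in map(str.strip, text.splitlines()):
        if line.endswith(":"):              # a section header switches state
            collecting = line.startswith("List of disallowed")
        elif collecting and re.fullmatch(r"(\.\d+)+", line):
            oids.add(line)
    return oids

def triage(trap_text, block_text):
    """Flag each dumped trap whose OID is on the disallowed/disabled list."""
    blocked = disallowed_oids(block_text)
    return [dict(t, disallowed=t["oid"] in blocked) for t in parse_traps(trap_text)]
```

A trap that reaches the dump and is not flagged here, as in this thread, points away from the filter configuration and toward the incident configuration or a product defect.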

Valued Contributor
Ionut Mosoiu
Posts: 89
Registered: ‎02-10-2010
Message 6 of 6 (1,774 Views)

Re: NNMi 9.22 (patch 2) Question on SNMP Traps?

Hi all,

 

 

Yes, there is an issue:

 

http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_QCCR1B111671

 

On 9.10 the issue does not exist since ArcSight Integrations has not been introduced.

 

Best Regards,

 

Daniel
