SCOM randomly sends SNMP packets thru wrong interface

Hello,

My SCOM environment is composed of 1 RMS, 2 MS monitoring 870 network devices (SNMP), and 1 MS monitoring 40 Windows servers (Agent). I configured a rule to process the Cisco trap Authentication, which is sent by the switches when, for example, an unauthorized device tries to read SNMP counter data.

All SCOM servers are multi-NIC with a configuration similar to:

Interface 1 (VLAN 10)
IP: 10.10.10.10
Mask: 255.255.224.0
DNS: 10.10.10.100

Interface 2 (VLAN 5)
IP: 10.5.0.5
Mask: 255.255.0.0

Recently I had to add a new interface to monitor some SNMP devices connected to a different network:

Interface 3 (VLAN 100)
IP: 193.138.100.150
Mask: 255.255.255.128
Gateway: 193.138.100.254

Since I enabled interface 3, the switches connected to VLAN 5 started to randomly generate authentication traps saying that the VLAN 100 IP address of the management server that manages them is trying to communicate but is not authorized.

But even more strange, while we were trying to find the cause of the problem we noticed that some of the traps are caused by the VLAN 100 IP address of a management server that does not manage the switches.

My two questions are:

1- If the system has one interface connected directly to a network, why are the SNMP packets sometimes sent thru another interface?
2- If a management server does not manage a switch, why does the switch receive SNMP packets from it, where the header source IP is the IP of that MS?

This is a critical problem for the network team because it causes a lot of false "network device is down" alerts, and the alert generation is often suspended because it exceeds 50 alerts.

I tried strong host configuration, flush DNS, interface binding, and static routes, without success… the problem remains.

Any help is appreciated.
June 17th, 2011 12:10pm

Hello Dan, Thank you for the suggestion. I tried to set up persistent static routes but Windows doesn't let me, because the gateways are on-link! All I want is: all the SNMP packets sent to devices connected to network 10.5.0.0/16 are forwarded by interface 1 (10.5.0.5).
June 20th, 2011 8:01pm

I think you need to go to the Windows forums. It's not a SCOM issue, but just how the OS below SCOM handles this. Btw, why don't you just use 1 interface and use a router? That's what they are for and will give loads more security (1 device between the networks instead of X servers).
Rob Korving http://jama00.wordpress.com/
June 22nd, 2011 6:07am

Hello Rob, Thanks for the suggestion. I believe it's not a SCOM issue, but I can't find an explanation for: if MS1 manages a switch, why were SNMP packets observed coming from MS2 to that switch? The compromise between security, performance and availability must be balanced. So we decided to connect our monitoring systems directly to the networks, to avoid eventual routing and firewall problems causing the unavailability of monitoring, like we did in the past with our old Linux-based monitoring systems.
June 22nd, 2011 7:21am

I would like to ask Mr. Yog Li a question: Is there any information published somewhere on the compatibility and scalability of SCOM in multi-NIC environments? Kind regards.
July 1st, 2011 10:43am
