- Community Home
- >
- Storage
- >
- HPE Nimble Storage
- >
- Array Performance and Data Protection
- >
- Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-17-2016 12:13 PM
03-17-2016 12:13 PM
We have a CS220 that has recently started firing off 15 of these emails in a row, for no apparent reason, twice daily. Nothing is connected to the console, or attempting to access. This behavior happens regardless of which controller is active.
This behavior started after a NimbleOS update. A subsequent update did not change the behavior.
Twice every day at 8:16AM (but no PM) and 4:08PM (but not AM), we get 15 of these at once. The 4pm alerts seem to correlate to the approximate time that the NimbleOS update was done.
We have no other processes/backups/discernable activity that is taking place at these times.
Any ideas out there?
Thank you.
-----Original Message-----
From: nimble@yournetwork.com
Subject: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.
Time: Thu Mar 17 08:21:53 2016
Type: 14801
Id: 24817
Message: Root Login to controller B from Console failed.
Group Name: Nimble-SAN
Array name: Nimble-SAN
Serial: your SN
Version: 2.3.14.0-325711-opt
Arrays in the group:
---------------------+-----------------+-----------+----------------
Name Serial Model Version
---------------------+-----------------+-----------+----------------
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-18-2016 01:40 AM
03-18-2016 01:40 AM
Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.
Hi Daniel,
This is a security feature as part of a recent version of NimbleOS. You most likely have something on your network that is probing all devices. Give support a call and they can help.
twitter: @nick_dyer_
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-18-2016 08:12 AM
03-18-2016 08:12 AM
Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.
that's what i would have thought - except that it says it's from console. when we've had failed access attempts on the LAN int, it would say it was from a LAN int IP address. since this says console, and we have nothing connected to the console, it makes no sense.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-18-2016 08:18 AM
03-18-2016 08:18 AM
Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.
you will get these messages for three reason.
1) software upgrade - the OS does a SSH to the standby to start upgrade and we log it.
2) internal software scan by your network team to test security
3) someone is actually trying to break into the IP
For one and two - no issues. Number two is usally the case and you can call your security team. If it not the securuty team - then someone in you network is doing bad thing!
kevin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-18-2016 08:26 AM
03-18-2016 08:26 AM
Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.
OK so assuming that even though it says that it's a failed *console* login, and nothing is connected to the console, and when there are failed access attempts via the network, it says that it's a failed *network* login (it shows an IP address rather than saying console), how *would* we poll the Nimble?
the community string on the Nimble matches the read community string on the software that we use to montor all IP-connected systems internally. this same software has been monitoring the same Nimble unit without errors for about 2 years. Then suddenly after an OS upgrade, it starts giving these alerts claiming there is a failed *console* login.
Is there no other way to control management software that *is* allowed to poll the device than the SNMP read string (which, BTW, still does not support ! in the string, which is a known bug from the 1.x days, which Nimble said would be corrected, but still has not been).
that all said, it seems like your suggestion on item 1 is the more logical culprit. but what would cause it to happen 15 times, twice daily, repeatedly when the OS upgrade is a one-time event, which occurred days ago (not to mention that no previous upgrades have triggered this alert)?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-21-2016 09:47 AM
03-21-2016 09:47 AM
Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.
we've also confirmed that we're seeing this with customer systems now as well as our own.
assuming that polling the device via SNMP is a supported feature, why would the device claim there is a bad login of ANY type when the credentials being used are correct, and we were able to poll the system prior to v2.3 upgrade?
And even if the credentials WERE bad (which they are not), why would the system generate an error about a CONSOLE login when nothing is even connected to the console and the logins are being done via IP (which generates an alert about the IP i/f when there really is a bad access attempt)?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-22-2016 03:00 AM
03-22-2016 03:00 AM
SolutionHello,
If you raise a case with support they will be able to tell you exactly why these are being generated.
The source will be on your network, the reference to 'Console' is miss-leading it's the SSH Daemon reporting.
Common sources are HP Systems Insight Manager, Spiceworks and other network scanning / pen testing apps.
Many thanks,
Chris
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-05-2016 12:13 PM
04-05-2016 12:13 PM
Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.
Good call Chris - it was HP SIM. Likely a port 22 scan. Would be nice if Nimble made the alert clearer (ie: rather than saying CONSOLE, if it says SSH). Maybe they'll see the feature request.