
Security access violation issue

 
smetts
Occasional Advisor


Hello there,

We have HPE Aruba 2530-24POE switches. We have random warnings sometimes that go like this:

Security access violation from [actual IP address] for the community name or user name :

What does this mean and how can we go about fixing this?

10 REPLIES
TerjeAFK
Respected Contributor

Re: Security access violation issue

This looks like an SNMP warning that the IP address is trying to poll the switch using the wrong community name or wrong user name (if you have set up SNMP v3). You fix it by checking the SNMP community used by all your monitoring servers for these switches.

smetts
Occasional Advisor

Re: Security access violation issue

I believe the string is "public" but it's always been that way. We get these warnings all the time. What's the best way to resolve this?

TerjeAFK
Respected Contributor

Re: Security access violation issue

For security reasons I would recommend that you limit the public community to monitor-only access with config like this:

no snmp-server community "public"
snmp-server community "public" restricted
snmp-server community "OurCommunity" unrestricted manager

 

Change all your network management software to use this new community.

Then check the IP address referred to in the security warning. Is there monitoring software running there, or some kind of port scan or network discovery software?  

smetts
Occasional Advisor

Re: Security access violation issue

If I do this, will this stop me from monitoring this with SCOM (System Center Operations Manager)? I was wondering because we were planning on doing that.

smetts
Occasional Advisor

Re: Security access violation issue

To answer your other question, we do have Windows Defender on these workstations and we also have management agents for SCOM and SCCM on there. 

parnassus
Honored Contributor

Re: Security access violation issue

You can do two things:

  1. Harden your SNMP configuration, Switch side: to do that please refer to the ArubaOS-Switch Hardening Guide for 16.04 (reference here).
  2. Troubleshoot the offending host (if any), the one that is logged by your Switch(es) in the SNMP security access violation messages (a properly configured NMS such as HPE IMC or Aruba AirWave will not cause those messages to appear when it connects to monitored devices; an SNMP scanner or a faulty application does [*], for example).

As an example, I recall a printer application (probably badly configured or not configured at all) flooding a network with SNMP requests using the usual "public" SNMP Community name. These requests generated, Switch side, a lot of informational logs as you experienced...and that was just a client host with a famous vendor's software installed along with its printer driver.
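
Added example, not part of any post in this thread: a small Python triage script that groups the "Security access violation" messages by source IP so the offending hosts can be identified, as both replies above suggest. The log prefix, the sample addresses, the names after the colon and the `known_managers` list are assumptions made for illustration; only the message wording comes from the thread.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Message text as quoted in the thread. Any timestamp/severity prefix in
# front of it is ignored; text after the colon (possibly empty) is captured.
VIOLATION = re.compile(
    r"Security access violation from (?P<ip>\S+) "
    r"for the community name or user name\s*:\s*(?P<name>.*)$"
)

def triage(lines, known_managers=()):
    """Group violation messages by source IP, busiest source first.

    known_managers: IPs expected to poll the switch (assumption: supplied
    by the operator, e.g. the monitoring server).
    """
    known = {ip_address(m) for m in known_managers}
    counts = Counter()
    names = defaultdict(set)
    for line in lines:
        m = VIOLATION.search(line.strip())
        if not m:
            continue
        try:
            src = ip_address(m["ip"])
        except ValueError:
            continue  # not an IP literal; skip rather than guess
        counts[src] += 1
        names[src].add(m["name"].strip() or "<empty>")
    return [
        {"source": str(ip), "count": n, "names_tried": sorted(names[ip]),
         "action": "fix community/user on this manager" if ip in known
                   else "unexpected SNMP client: identify the software"}
        for ip, n in counts.most_common()
    ]

# Constructed sample log lines (documentation addresses, made-up prefix).
SAMPLE = """\
W 03/12/19 09:14:02 snmp: Security access violation from 192.0.2.15 for the community name or user name : public
W 03/12/19 09:14:07 snmp: Security access violation from 192.0.2.15 for the community name or user name : private
W 03/12/19 09:20:31 snmp: Security access violation from 192.0.2.40 for the community name or user name : internal
I 03/12/19 09:21:00 ports: port 3 is now on-line
W 03/12/19 09:25:44 snmp: Security access violation from 192.0.2.15 for the community name or user name :
""".splitlines()

if __name__ == "__main__":
    for row in triage(SAMPLE, known_managers=["192.0.2.40"]):
        print(row)
```

A source that appears in `known_managers` points to a misconfigured community or user on a legitimate poller; any other source is a host to investigate, such as the printer software described above.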

smetts
Occasional Advisor

Re: Security access violation issue

Is there a way to clear those logs out without going through all of those hardening instructions? Seems intensive and time consuming.

Regarding the commands listed in one of the earlier posts, are there instructions I can follow that would allow me to put those in?

TerjeAFK
Respected Contributor

Re: Security access violation issue

To put in those commands you will have to connect to the switch either with a console cable or with telnet/ssh, put the switch in config mode with the command 'configure terminal' and then enter the commands. Don't forget to save the config afterwards (write memory).

smetts
Occasional Advisor

Re: Security access violation issue

Ah, I see. So I take it that there's no way to do this inside the GUI itself?