SIM unable to receive traps from DMZ

tsl_2
Advisor

Hi all,
We have a weird problem that's been bugging us for several months now without a resolution.

We have a SIM server (v5 on 2003) on an internal LAN. Traps from agents on different private LANs work fine, but traps from agents on the DMZ never show in SIM. We have (for testing) enabled full IP access from one DMZ server to the SIM server to no avail. The DMZ server is discovered and registered in SIM.
A UDP check from DMZ to SIM server on port 162 shows as Open.

In SIM, under Options->Events->Event Filter Settings we have set to accept unregistered events and traps from all IP ranges (*).

If I shut down the SNMP Trap Service Windows service and run the "SNMP Trap Watcher" util on the SIM server, I can see the test trap fine when sending it from the DMZ server agent.

Community is correct and I have enabled logging of authorization problems but none are shown.

I'm totally out of ideas now.
Would someone have a clue?

Many thanks
-tsl-
17 REPLIES
Rob Buxton
Honored Contributor

Re: SIM unable to receive traps from DMZ

A guess...
Is there a mismatch between how HPSIM resolved the server name and the name of the trap?

Maybe this is a server with multiple interfaces, HPSIM has detected one but the traps are from the second. It receives it but has no device to match it up against.
tsl_2
Advisor

Re: SIM unable to receive traps from DMZ

Thanks for replying Rob!
However I'm not sure I follow?

The particular test server has multiple interfaces but uses teaming, so only 1 IP.
Other servers on DMZ do not use teaming and have only 1 interface active, but same problem.

In the eventlog on the SIM server there are no traces from the test traps sent in.

Do you have any other ideas?

cheers
-tsl-
James ~ Happy Dude
Honored Contributor

Re: SIM unable to receive traps from DMZ

Have you registered the MIB for the server properly?

For authentication Failure traps :
Under SNMP trap settings
In the Mib Name field, select rfc1215.mib.
In the Trap Name field, select authenticationFailure if it is not already selected. In the Enable Trap Handling field, select Yes.

Hope this helps.

Regards,
James.
tsl_2
Advisor

Re: SIM unable to receive traps from DMZ

Hi James,
yes I have enabled the authentication trap logging from the MIB as you described.

Still nothing is logged from traps sent from DMZs, so it seems somehow that SIM drops traps from these servers, but testing another trap listener on the SIM server does get the info??!!

thanks
-tsl-
James ~ Happy Dude
Honored Contributor

Re: SIM unable to receive traps from DMZ

Hello TSL,

If you create an automatic event handling task & forward it as an SNMP trap to a specified IP... will this work from the DMZ server?

Regards,
James.
tsl_2
Advisor

Re: SIM unable to receive traps from DMZ

James, I have this setup already, but there's no forwarding of DMZ traps to the eventmanager either. Only traps from servers on internal LANs work as expected. I'm going nuts over this...
James ~ Happy Dude
Honored Contributor

Re: SIM unable to receive traps from DMZ

Oh man !!

Then try the Configure or Repair Agents & go through the various settings AGAIN! (I'm sure you have) & see if there are different options to try.

Is the secure shell (SSH) access selected?

Regards,
James.
tsl_2
Advisor

Re: SIM unable to receive traps from DMZ

> Oh man !!

Yes, I agree ;o)

I've tried the Configure or Repair Agents to no avail.

SSH is not selected and I cannot find anywhere why SIM is not receiving the traps.

I'm starting to think about a complete reinstall of SIM (maybe on Linux instead), but it's a lot of work to add and configure all working agents again...
James ~ Happy Dude
Honored Contributor

Re: SIM unable to receive traps from DMZ

Yeah, nothing else is working.
How about the firewall settings & setting up the PORTS?

Just guessing... what you might not have tried!

Regards,
James.
tsl_2
Advisor

Re: SIM unable to receive traps from DMZ

Thanks James, the ports are opened fine.
We have actually full IP access right now between the servers for testing purposes...but no luck.
Weird one indeed!
James ~ Happy Dude
Honored Contributor

Re: SIM unable to receive traps from DMZ

Believe you me, even I am curious as to what's wrong then?!

Seems so close... yet so far from a solution!

Are there any local security policies etc. that may affect traps?

Or, just wait for a day or more before you re-install SIM ... see if anyone else has a different view on this.

James.
Rob Buxton
Honored Contributor

Re: SIM unable to receive traps from DMZ

OK, this is happening on all servers in the DMZ?
In HPSIM how does the server show up, just as an IP address or as a resolved name?
Also does it show up as a Server type or is it "Unknown" / "Unmanaged"?

I'm really just guessing more around DNS as the issue.
I'm not too sure of how it would happen, but if the trap is appearing to come from a name or IP address HPSIM knows nothing about there may be an error.

Have you looked at just the "Events" view itself to make sure an event isn't being misreported against another device?
You could even try extracting the data directly from the HPSIM database to see if anything is there.

With the trap watcher utility you use, does that contain details of the trap's suspected origin? Again does that match what HPSIM has recognised as the server?
tsl_2
Advisor

Re: SIM unable to receive traps from DMZ

Hi Rob, yes it's the same issue with all DMZ servers as far as I know. In the beginning I thought it was only because we hadn't opened up 162/udp, but as said it's not the case anymore.

All servers/agents are registered in DNS. At discovery we use the FQDN. The SIM server has all the different domain names in its search order so it's able to look up host23 -> host23.somedomain.tld

In SIM it's discovered with FQDN and has the correct hardware (server/model) listed along with the IP.

Yesterday I installed NET-SNMP as the trap listener (instead of Microsoft's version) and in the snmptrapd.log I can see the test trap from a DMZ server registered fine (but not in SIM event view). In the log it's registered with only the hostname and not the FQDN (i.e ...[IP Address]...SNMPv2-MIB::sysname.0 = STRING: HOST23 SNMPv2-SMI...). Maybe this is causing problems? We use NAT for DMZ servers so they have an internal IP but the SIM server needs to access it on its external IP. The FQDNs all point to the DMZ servers' external IPs.
In the trap, both IPs are listed (internal/external). But if this was a problem, wouldn't the event still show in the all events view?

I have checked the local security policies on the SIM server and they are no different from i.e the eventmanager server. I tried to redirect the snmp trap directly from the DMZ server to the eventmanager (not to SIM server first) and it worked fine. The eventmanager is on the same subnet as the SIM server.

Phew, as a workaround I guess I could have all DMZ agents using NAT to trap directly to the eventmanager?! Still, it would be nice to have the SIM do all the trap forwarding to be consistent.
Wilbert Chin
Occasional Advisor

Re: SIM unable to receive traps from DMZ

You've eliminated the firewall as an issue. It looks like you're onto something with the NAT issue. Since you are NATing, all DMZ servers are sending traps with the same IP and a short name instead of FQDN. DNS won't be able to match up the single IP to each DMZ server. DNS can expand on the short name but you end up with an IP that doesn't match the NAT IP.

It sounds like the traps from the DMZ servers are not sending back the matching information for a server in the SIM database. Therefore, SIM does nothing with the trap that it receives. Have you tried deleting the server record and done a manual discovery of one of the DMZ servers?

You might also try a manual discovery by the NAT IP address and then test the traps again. These steps should eliminate or confirm a NAT / DNS issue.
tsl_2
Advisor

Re: SIM unable to receive traps from DMZ

Yes, the NAT/PAT seems to be the issue. I found a DMZ server that used its actual external IP and not a private one, this trap worked!

It's not possible for the SIM server to reach the DMZ servers using NAT/PAT on their internal IPs, only their respective external IPs.

It's unfortunate that SIM is having a hard time to cope with this setup. I have therefore decided to let all agents trap directly to the eventmanager instead, but to have SIM for configuration and hardware problem management.

Thanks all for your input, it's much appreciated.
Rob Buxton
Honored Contributor

Re: SIM unable to receive traps from DMZ

The issue does seem to be that the trap appears to originate from a server HPSIM knows nothing about.

In the Event Filter settings you can Accept Unregistered Events. But looking at the screen further, it seems to be about accepting traps from discovered devices. In effect HPSIM is getting traps from undiscovered devices.

Is the subnet range for the internal Nat'd addresses in the Discovery range? Maybe the fix is to try and get HPSIM to discover these devices on the same address range as the traps are appearing to originate.
tsl_2
Advisor

Re: SIM unable to receive traps from DMZ

Hmm, I think you are right about the "Unregistered events" setting. The DMZ servers are registered fine but when the traps come in, SIM cannot match the IP to a discovered device (though both IPs (internal/external) are in the trap).

I'm not able to discover the Nat'd addresses from the SIM server. We have to use their external IPs in current setup.

Thanks
-tsl-
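
The NAT mismatch diagnosed in this thread can be checked from a captured trap datagram. The following is an added example, not part of the original thread and not HP SIM code: it reads the agent-addr field of an SNMPv1 trap and compares it, together with the UDP source address, against a list of discovered device IPs. It assumes the agents send SNMPv1 traps; the addresses, community string and `discovered` set are constructed sample values.

```python
import ipaddress

def enc(tag, value):  # BER TLV with short-form length (value under 128 bytes)
    return bytes([tag, len(value)]) + value

def tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def agent_addr(datagram):
    """Return the agent-addr field of an SNMPv1 Trap-PDU as a dotted quad."""
    tag, msg, _ = tlv(datagram, 0)
    _, version, p = tlv(msg, 0)
    _, _community, p = tlv(msg, p)
    pdu_tag, pdu, _ = tlv(msg, p)
    if tag != 0x30 or version != b"\x00" or pdu_tag != 0xA4:  # v1 Trap-PDU
        raise ValueError("not an SNMPv1 trap")
    _, _enterprise, p = tlv(pdu, 0)
    addr_tag, addr, _ = tlv(pdu, p)
    if addr_tag != 0x40 or len(addr) != 4:  # 0x40 = IpAddress
        raise ValueError("malformed agent-addr")
    return str(ipaddress.IPv4Address(addr))

def classify(datagram, udp_source, discovered):
    """Compare both addresses a trap carries with the discovered-device list."""
    agent = agent_addr(datagram)
    return {"agent_addr": agent, "udp_source": udp_source,
            "natted": agent != udp_source,
            "agent_addr_known": agent in discovered,
            "udp_source_known": udp_source in discovered}

def sample_trap(agent_ip):
    """Constructed SNMPv1 trap: community 'public', enterprise 1.3.6.1.4.1.232."""
    pdu = (enc(0x06, b"\x2b\x06\x01\x04\x01\x81\x68")
           + enc(0x40, ipaddress.IPv4Address(agent_ip).packed)
           + enc(0x02, b"\x06") + enc(0x02, b"\x01")   # generic 6, specific 1
           + enc(0x43, b"\x00") + enc(0x30, b""))      # time-stamp, no varbinds
    return enc(0x30, enc(0x02, b"\x00") + enc(0x04, b"public") + enc(0xA4, pdu))

if __name__ == "__main__":  # agent believes it is 10.0.0.23, NAT shows 192.0.2.23
    print(classify(sample_trap("10.0.0.23"), "192.0.2.23", {"192.0.2.23"}))
```

A result with `natted` true and `agent_addr_known` false is the situation described above: the device is discovered under its external IP, while the trap identifies itself by an internal address the manager has never seen.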