
strange behaviour with new 2650

Kim Leandersson
Occasional Visitor

Hi,

Installed a new ProCurve 2650 a couple of weeks ago. Works like a charm, but in our logs a strange connection occurs every now and then.

Jun 9 15:40:13 chrusjtjov mgr: SME TELNET from 156.153.78.192 - MANAGER Mode
Jun 8 00:20:09 chrusjtjov mgr: SME TELNET from 156.153.78.192 - MANAGER Mode
Jun 7 17:48:37 chrusjtjov mgr: SME TELNET from 156.153.78.192 - MANAGER Mode
Jun 5 21:45:35 chrusjtjov mgr: SME TELNET from 156.153.78.192 - MANAGER Mode



The strange thing is that the switch should be firewalled and does not have a public routable IP. So the connection must somehow start from the switch. The IP 156.153.78.192 does indeed belong to HP so it could be some sort of check for updates or something.

I've searched the web and this forum but haven't found anything regarding this matter. Does anyone know what's happening and if I should worry or not?
11 REPLIES
Matt Hobbs
Honored Contributor

Re: strange behaviour with new 2650

I've never seen anything like this either. It does seem as though someone or something from an HP IP address is telnetting to this switch and establishing a manager session.

Do you have a manager password set? I'd recommend you set one if you don't, or change it if you do have one.
Kim Leandersson
Occasional Visitor

Re: strange behaviour with new 2650

I have set a password and I have tried to change it; this doesn't have any effect at all. And the strange thing is the fact that there is no possibility to telnet to the switch since it only has a 192.168.x.x number. This leads me to think that it is the switch itself that initiates the connection?
Matt Hobbs
Honored Contributor

Re: strange behaviour with new 2650

I'm 99.9% sure it's not going to be the switch initiating the connection.

I'd recommend a few things in order of ease:

1. Update the firmware to the latest.
2. Factory reset the switch 'erase startup' and reconfigure it.

Although I don't really believe that will help, I'd do it just for that 0.1% chance.

3rd, what I would do is set a mirror/monitor port (monitor all ports) on the switch and do an Ethereal capture with a capture filter of 'tcp port 21'. Telnet to the switch a few times to test it's working and then just leave it to hopefully catch this rogue session.

Alternatively you could disable telnet altogether on the switch and use SSH instead. Or you could disable the default-gateway on the switch for now to make sure it's definitely not somehow coming from outside.

I'll be interested to find out how you go.
Mohieddin Kharnoub
Honored Contributor

Re: strange behaviour with new 2650

Hi Kim,
please look at this:
http://www.experts-exchange.com/Hardware/New_Users/Q_20640877.html

Good Luck
Science for Everyone
Ari Yrjölä
Advisor

Re: strange behaviour with new 2650

I've seen similar-looking IP addresses when we used the stacking feature on some ProCurves. The command 'show ip route' on the CLI probably shows something...
Kim Leandersson
Occasional Visitor

Re: strange behaviour with new 2650

Matt:
I'll give the new firmware a try. I have a log rule in the firewall now so I can catch any traffic to or from the IP address above. Will try ethereal in a couple of days.

Ari:
This morning I heard a similar story from a friend using 3Com switches. When stacking different models he also got some lines in his logs indicating strange manager sessions. My routing table is as follows:

show ip route

IP Route Entries

Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
0.0.0.0/0 192.168.111.1 6 static 0 250
127.0.0.0/8 reject static 0 250
127.0.0.1/32 lo0 connected 0 0
192.168.111.0/24 SWITCH 6 connected 0 0
lrosales
Advisor

Re: strange behaviour with new 2650

Maybe someone else can confirm, but this looks like a display/firmware issue with the 2650. I just telnet'ed into my 2650 and the last line in the log is:

I 06/13/06 08:03:47 mgr: SME TELNET from 156.153.78.192 - MANAGER Mode

Same exact address as the OP described, but definitely not my workstation IP address. I did this with my other switches, 2848, 2824, and 2524, and they all showed a telnet connection from my workstation IP address.
lrosales
Advisor

Re: strange behaviour with new 2650

Correction to above reply. Some of the switches I tried were not members of the stack. I retried and found the following. It seems that when the 26xx and the 28xx switches (maybe others, but these are the only ones I tested) are members of a stack, and you connect to them via the commander as opposed to connecting directly, the telnet session shown in the log is reported as being initiated by the 156.153.78.192 address.
Kim Leandersson
Occasional Visitor

Re: strange behaviour with new 2650

Hmmm... yes, seems to be when I access the 2650 or the 4208 via the stack access. The switch then identifies this as a telnet manager session from 156.153.78.192. Maybe it's because the 2524 that's my stack commander doesn't recognise the newer models?

Re: strange behaviour with new 2650

Hello Everybody,

I've just installed a new network with 2 5300XL "Core" Switches & 30 2626 "Edge" switches. The 5300 are L3 & the 2626 Layer2. All the switches use the last Firmware & are managed with Procurve Manager + 2.1

Everything worked fine & then I configured all the switches to use a SysLog. I've noticed that all the switches send an alert approx every 3 hours:
mgr: SME TELNET from 10.31.5.32 - MANAGER Mode
10.31.5.32 is the PCM 2.1 server address!

As a reply to another post, some switches are stacked & some others aren't, so it doesn't seem it's linked to that point! But by the way I have no messages about HP Address 156.153.78.192!

Any Idea???
Devon Dawson
Advisor

Re: strange behaviour with new 2650

Unfortunately I don't have an explanation for the mystery "156.153.78.192" IP address but with regard to the telnet sessions that JeanLouis Caire is seeing, that would appear to be PCM's regularly scheduled discovery cycle. PCM uses SNMP as well as Telnet to access the device and retrieve the various pieces of information that it requires for updating its device configuration, status and network topology database. You can of course configure telnet passwords or SSH on the device and PCM to ensure that this communication is secured.
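
Added example (not part of the thread and not HP's own tooling): a small triage script for the "SME TELNET from ... - MANAGER Mode" events discussed above. It parses both log formats quoted in the thread and sorts session sources into expected, internal but unlisted, and external. The allowlist contents and the last sample line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches the event text common to both log formats quoted in the thread
# (syslog-forwarded and the switch's local "I MM/DD/YY" event log).
SESSION_RE = re.compile(
    r"mgr: SME TELNET from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) - (?P<mode>\w+) Mode"
)

# Assumption: hosts allowed to open management sessions (here the PCM
# server address mentioned in the thread). Adjust for your own network.
EXPECTED_SOURCES = {ipaddress.ip_address("10.31.5.32")}


def classify(line):
    """Return (source, mode, verdict) for a Telnet session line, else None."""
    m = SESSION_RE.search(line)
    if m is None:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return None  # octet out of range: not a valid address
    if src in EXPECTED_SOURCES:
        verdict = "expected"
    elif src.is_private:
        verdict = "internal-unlisted"
    else:
        verdict = "external"  # public source on a management session
    return str(src), m["mode"], verdict


def summarize(lines):
    """Count sessions per (source, verdict) so recurring sources stand out."""
    hits = filter(None, map(classify, lines))
    return Counter((src, verdict) for src, _mode, verdict in hits)


# Sample input: lines quoted in the thread, plus one constructed line.
SAMPLE = [
    "Jun 9 15:40:13 chrusjtjov mgr: SME TELNET from 156.153.78.192 - MANAGER Mode",
    "I 06/13/06 08:03:47 mgr: SME TELNET from 156.153.78.192 - MANAGER Mode",
    "mgr: SME TELNET from 10.31.5.32 - MANAGER Mode",
    "Jun 9 16:02:01 chrusjtjov mgr: SME TELNET from 192.168.111.57 - MANAGER Mode",  # constructed
]

if __name__ == "__main__":
    for (src, verdict), n in summarize(SAMPLE).most_common():
        print(f"{src:15} {verdict:18} {n}")
```

An "external" verdict on a switch that has only a private address is the cue to check how the session was reached (for example via the stack commander, as reported earlier in the thread) before treating it as an intrusion.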