
strange behaviour with new 2650

 
Kim Leandersson
New Member


Hi,

Installed a new ProCurve 2650 a couple of weeks ago. Works like a charm, but in our logs a strange connection occurs every now and then.

Jun 9 15:40:13 chrusjtjov mgr: SME TELNET from 156.153.78.192 - MANAGER Mode
Jun 8 00:20:09 chrusjtjov mgr: SME TELNET from 156.153.78.192 - MANAGER Mode
Jun 7 17:48:37 chrusjtjov mgr: SME TELNET from 156.153.78.192 - MANAGER Mode
Jun 5 21:45:35 chrusjtjov mgr: SME TELNET from 156.153.78.192 - MANAGER Mode



The strange thing is that the switch should be firewalled and does not have a publicly routable IP. So the connection must somehow start from the switch. The IP 156.153.78.192 does indeed belong to HP, so it could be some sort of check for updates or something.

I've searched the web and this forum but haven't found anything regarding this matter. Does anyone know what's happening and whether I should worry or not?
Matt Hobbs
Honored Contributor

Re: strange behaviour with new 2650

I've never seen anything like this either. It does seem as though someone or something from an HP IP address is telnetting to this switch and establishing a manager session.

Do you have a manager password set? I'd recommend you set one if you don't, or change it if you do have one.
Kim Leandersson
New Member

Re: strange behaviour with new 2650

I have set a password and I have tried to change it; that doesn't have any effect at all. And the strange thing is the fact that there is no possibility to telnet to the switch since it only has a 192.168.x.x number. This leads me to think that it is the switch itself that initiates the connection?
Matt Hobbs
Honored Contributor

Re: strange behaviour with new 2650

I'm 99.9% sure it's not going to be the switch initiating the connection.

I'd recommend a few things in order of ease:

1. Update the firmware to the latest.
2. Factory reset the switch 'erase startup' and reconfigure it.

Although I don't really believe that will help, I'd do it just for that 0.1% chance.

3rd, what I would do is set a mirror/monitor port (monitor all ports) on the switch and do an Ethereal capture with a capture filter of 'tcp port 21'. Telnet to the switch a few times to test it's working and then just leave it to hopefully catch this rogue session.

Alternatively you could disable telnet altogether on the switch and use SSH instead. Or you could disable the default-gateway on the switch for now to make sure it's definitely not somehow coming from outside.

I'll be interested to find out how you go.
Mohieddin Kharnoub
Honored Contributor

Re: strange behaviour with new 2650

Hi Kim,
please look at this:
http://www.experts-exchange.com/Hardware/New_Users/Q_20640877.html

Good Luck
Science for Everyone

Re: strange behaviour with new 2650

I've seen similar looking IP addresses when we used the stacking feature on some ProCurves. Command 'show ip route' on CLI probably shows something...
Kim Leandersson
New Member

Re: strange behaviour with new 2650

Matt:
I'll give the new firmware a try. I have a log rule in the firewall now so I can catch any traffic to or from the IP address above. Will try ethereal in a couple of days.

Ari:
This morning I heard a similar story from a friend using 3Com switches. When stacking different models he also got some lines in his logs indicating strange manager sessions. My routing table is as follows:

show ip route

IP Route Entries

Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
0.0.0.0/0          192.168.111.1   6    static               0          250
127.0.0.0/8        reject               static               0          250
127.0.0.1/32       lo0                  connected            0          0
192.168.111.0/24   SWITCH          6    connected            0          0
lrosales
Advisor

Re: strange behaviour with new 2650

Maybe someone else can confirm, but this looks like a display/firmware issue with the 2650. I just telnet'ed into my 2650 and the last line in the log is:

I 06/13/06 08:03:47 mgr: SME TELNET from 156.153.78.192 - MANAGER Mode

Same exact address as the OP described, but definitely not my workstation IP address. I did this with my other switches 2848, 2824, and 2524, and they all showed a telnet connection from my workstation IP address.
lrosales
Advisor

Re: strange behaviour with new 2650

Correction to above reply. Some of the switches I tried were not members of the stack. I retried and found the following. Seems that when the 26xx and the 28xx switches (maybe others, but these are the only ones I tested) are members of a stack, and you connect to them via the commander as opposed to connecting directly, the telnet session shown in the log is reported as being initiated by the 156.153.78.192 address.
Kim Leandersson
New Member

Re: strange behaviour with new 2650

Hmmm... yes, seems to be when I access the 2650 or the 4208 via the stack access. The switch then identifies this as a telnet manager session from 156.153.78.192. Maybe it's because the 2524 that's my stack commander doesn't recognise the newer models?
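
A triage sketch for the log entries discussed in this thread, added here as an example and not written by any of the posters: it pulls the source address out of each manager-session entry, in both log layouts quoted above, and flags sources outside the management subnet. The `MGMT_NETS` value (taken from the connected route in the routing table above) is an assumption, and the last two sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Matches both layouts quoted in the thread: the syslog line and the
# switch's own event-log line ("I 06/13/06 08:03:47 mgr: ...").
SESSION_RE = re.compile(
    r"mgr: SME (?P<proto>\w+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) - (?P<mode>\w+) Mode"
)

# Assumption: management sessions are only expected from the switch's
# connected subnet shown in the thread's routing table.
MGMT_NETS = [ipaddress.ip_network("192.168.111.0/24")]

# First two lines are quoted from the thread; the last two are constructed.
SAMPLE_LOG = """\
Jun 9 15:40:13 chrusjtjov mgr: SME TELNET from 156.153.78.192 - MANAGER Mode
I 06/13/06 08:03:47 mgr: SME TELNET from 156.153.78.192 - MANAGER Mode
Jun 9 16:02:51 chrusjtjov mgr: SME TELNET from 192.168.111.20 - MANAGER Mode
Jun 9 16:05:00 chrusjtjov ports: port 12 is now on-line
"""

def triage(log_text, mgmt_nets=MGMT_NETS):
    """Return one finding per management-session entry, with a verdict."""
    findings = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue  # not a management-session entry
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            verdict = "malformed-address"  # e.g. an octet above 255
        else:
            if any(src in net for net in mgmt_nets):
                verdict = "expected"
            elif src.is_private:
                verdict = "internal-unexpected"
            else:
                verdict = "outside-mgmt-net"
        findings.append({"src": m["src"], "proto": m["proto"],
                         "mode": m["mode"], "verdict": verdict})
    return findings

def unexpected_sources(findings):
    """Count sessions per source address that is not an expected one."""
    return dict(Counter(f["src"] for f in findings if f["verdict"] != "expected"))

if __name__ == "__main__":
    for src, n in unexpected_sources(triage(SAMPLE_LOG)).items():
        print(f"{n} manager session(s) logged from {src}: verify how they were opened")
```

A flagged source is a prompt to check how the session was opened; in this thread the address was logged when the switch was reached through the stack commander.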