HPE OneView

The overall status of the system network is critical after unauthorized login attempts

 
Rive
Occasional Advisor

Hi,

We have an environment with:

 - OneView 7.20.00-0467548 for monitoring.

 - Several ProLiant DL360/380 Gen9 with iLO 4 monitored by OneView.

 - OV4VC 11.0.0.

 - Proactive HA enabled in vCenter (Automated, Mixed Mode, Provider: HPE OneView for vCenter)

 

We have a probe that periodically scans the network to look for vulnerabilities in the systems. When scanning iLOs, we see the following in the iLO event log:

4573   11/28/2022 05:43 11/28/2022 05:43 1 SSH login failure from: 192.168.1.88(DNS name not found).

4572   11/28/2022 05:43 11/28/2022 05:43 1 SSH login failure from: 192.168.1.88(DNS name not found).

4571   11/28/2022 05:42 11/28/2022 05:42 1 SSH login failure from: 192.168.1.88(DNS name not found).

4570   11/28/2022 05:42 11/28/2022 05:42 1 SSH login failure from: 192.168.1.88(DNS name not found).

4569   11/28/2022 05:41 11/28/2022 05:41 1 SSH login failure from: 192.168.1.88(DNS name not found).

 

This is normal because the probe is trying to access the system with unauthorized credentials.

But OneView receives the following traps:

11/28/22 5:58:59 am | Cleared, unassigned | The overall status of the system network is ok.
11/28/22 5:58:35 am | Cleared, unassigned | The overall status of the system network is critical.
11/28/22 5:57:22 am | Cleared, unassigned | Integrated Lights-Out detected more than 3 unauthorized login attempts.
11/28/22 5:43:16 am | Cleared, unassigned | Integrated Lights-Out detected more than 3 unauthorized login attempts.
11/28/22 5:42:48 am | Cleared, unassigned | Integrated Lights-Out detected more than 3 unauthorized login attempts.
11/28/22 5:42:12 am | Cleared, unassigned | Integrated Lights-Out detected more than 3 unauthorized login attempts.
11/28/22 5:41:49 am | Cleared, unassigned | Integrated Lights-Out detected more than 3 unauthorized login attempts.
11/28/22 5:41:40 am | Cleared, unassigned | Integrated Lights-Out detected more than 3 unauthorized login attempts.

The critical event causes the host to go into maintenance mode because Proactive HA detected that the server has a critical problem on the network, which is not true.

How can we avoid this behavior, without disabling network monitoring?

Thanks and regards.

3 REPLIES
TKop
HPE Pro

Re: The overall status of the system network is critical after unauthorized login attempts

The overall status alert there comes from OV asking the iLO for the health of all the subsystems.  In theory, the iLO is denoting the network subsystem is critical, but it looks like in your info that the iLO later tells OV the status is OK.  The resolution for that alert should state something like:

Resolution

 If this server is powered off, booting, or shutting down, occasional networking alerts may occur as the network adapters negotiate with the switch or interconnect. These alerts can be ignored and should clear automatically. If this server is booted up and running an operating system, there may be a real networking problem. For more information, log into iLO and check the IML (Integrated Management Logs) to find out which network components are not working. Also on the iLO, check the "Network" or "NIC" tab under "System Information" for additional details.

Doesn't seem like you'd fall into the first part there, but have you checked the IML to see if anything is there? Or when it happens, check the Network view under System Information? This can sometimes suggest transient networking issues in the environment with the adapters and what they are connected to.



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Rive
Occasional Advisor

Re: The overall status of the system network is critical after unauthorized login attempts

Hi,

Thank you for your answer.

IML is not reporting any issues.

The same condition happens on other servers in the cluster at approximately the same time. When the probe tests the network, IML does not show anything, and after some unauthorized login attempts OneView reports "The overall status of the system network is critical". This condition is cleared after a few seconds/minutes.

I can assure you that at that time there has been no problem with the network on any of the servers. IML does not report any events on any of the servers at that time. And OV reports the critical condition on multiple servers at approximately the same time, right after unauthorized login attempts.

The servers are all running with VMware ESXi 7.0.3 OS.

I think OV should permit not considering this as a critical condition.

Regards.

TKop
HPE Pro

Re: The overall status of the system network is critical after unauthorized login attempts

Thanks for the extra input.  At this point, would recommend opening a support case.  In theory, there isn't any direct correlation between the unauthorized login attempt alerts and the network is critical alert.  And to OV, these are separate pieces of data sent by or consumed from the iLO; investigation into what iLO is sending to OV (and then how OV is evaluating it) in this environment would be needed.

We have the same behavior (unauth alerts) and don't see the network is critical alert on our systems.  One additional thought since you noted there is something probing the network: there isn't something perhaps blocking the port (i.e. temporarily) on the network in response to the unauthorized login attempts?



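To document for a support case the timing relationship discussed in this thread, the following added example (not part of any post above and not HPE code) lines up the OneView alerts with the iLO login-failure entries. The function names, the 20-minute window and the scanner allowlist are assumptions; the sample input is constructed from the lines quoted in the first post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, copied from the lines quoted in the first post.
ILO_LOG = """\
4573   11/28/2022 05:43 11/28/2022 05:43 1 SSH login failure from: 192.168.1.88(DNS name not found).
4569   11/28/2022 05:41 11/28/2022 05:41 1 SSH login failure from: 192.168.1.88(DNS name not found).
"""
OV_ALERTS = [  # (timestamp, description) as shown in the OneView alert list
    ("11/28/22 5:58:59 am", "The overall status of the system network is ok."),
    ("11/28/22 5:58:35 am", "The overall status of the system network is critical."),
    ("11/28/22 5:57:22 am", "Integrated Lights-Out detected more than 3 unauthorized login attempts."),
    ("11/28/22 5:41:40 am", "Integrated Lights-Out detected more than 3 unauthorized login attempts."),
]
FAIL_RE = re.compile(r"^\d+\s+(\d\d/\d\d/\d{4} \d\d:\d\d)\s.*login failure from: ([\d.]+)")

def failure_sources(ilo_log):
    """Return {source_ip: [datetime, ...]} using the first timestamp column of each entry."""
    out = {}
    for line in ilo_log.splitlines():
        m = FAIL_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M")
            out.setdefault(m.group(2), []).append(ts)
    return out

def correlate(alerts, ilo_log, scanners, window=timedelta(minutes=20)):
    """For each 'network is critical' alert, summarise the login-failure activity before it."""
    parsed = sorted((datetime.strptime(t, "%m/%d/%y %I:%M:%S %p"), d) for t, d in alerts)
    sources = failure_sources(ilo_log)
    report = []
    for ts, desc in parsed:
        if "network is critical" not in desc:
            continue
        unauth = [t for t, d in parsed if "unauthorized login" in d and ts - window <= t <= ts]
        cleared = next((t for t, d in parsed if "network is ok" in d and t >= ts), None)
        ips = {ip for ip, times in sources.items()
               if any(ts - window <= t <= ts for t in times)}
        report.append({
            "critical_at": ts,
            "unauth_alerts_before": len(unauth),
            "seconds_since_last_unauth": (ts - max(unauth)).total_seconds() if unauth else None,
            "seconds_until_ok": (cleared - ts).total_seconds() if cleared else None,
            "failure_sources": sorted(ips),  # assumed allowlist is compared against these
            "only_known_scanners": bool(ips) and ips <= set(scanners),
        })
    return report
```

Run per server with the full exported logs; a report where every critical alert follows login failures from only the known probe address supports the timing claim, but does not by itself show what iLO reported to OneView.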