In Spectrum, why do some "AUTHENTICATION FAILURE TRAP RECEIVED" alarms display a Source System in the event and some do not?

Document ID : KB000036061
Last Modified Date : 29/11/2018
Question:

In Spectrum, why do some "AUTHENTICATION FAILURE TRAP RECEIVED" alarms display a Source System in the event and some do not?

Answer:

There are actually two different traps that are sent for the "AUTHENTICATION FAILURE TRAP RECEIVED" alarms.

One is the standard Authentication Failure trap, which is one of the MIB-II standard traps, like link up and link down. This trap is defined in the $SPECROOT/SS/CsVendor/IETF/AlertMap and EventDisp files and asserts the 0x0001030a event with the 0x0001030a probable cause. The standard Authentication Failure trap DOES NOT send a trap variable with the Source System IP address.

The following is the AlertMap configuration for the standard Authentication Failure trap as defined in the $SPECROOT/SS/CsVendor/IETF/AlertMap file:

4.0                   0x0001030a

Notice there are no trap variables configured.

 

Some Cisco devices send their own enterprise-specific trap, which is defined in several different AlertMap files:

$SPECROOT/SS/CsVendor/Ctron_CAT/HubCat29xx/AlertMap

$SPECROOT/SS/CsVendor/Ctron_CAT/SwCat35xx/AlertMap

$SPECROOT/SS/CsVendor/Ctron_CAT/SwCat85xx/AlertMap

$SPECROOT/SS/CsVendor/Ctron_CAT/SwCat45xx/AlertMap

$SPECROOT/SS/CsVendor/Cisco_Router/Rtr_Cisco/AlertMap

$SPECROOT/SS/CsVendor/Cisco_Router/Cisco6400_DSL/AlertMap

$SPECROOT/SS/CsVendor/Cisco_Router/UBR72xxCMTS/AlertMap

$SPECROOT/SS/CsVendor/Cisco_Router/Cisco_12000/AlertMap

$SPECROOT/SS/CsVendor/Cisco_Router/SwCiscoIOS/AlertMap

$SPECROOT/SS/CsVendor/Cisco_MC3810/Cisco_MC3810/AlertMap

$SPECROOT/SS/CsVendor/CiscoPIX/CisPIXDev/AlertMap

$SPECROOT/SS/CsVendor/Cisco_AS5X/AS5x00/AlertMap

The following is the AlertMap configuration for the Cisco Authentication Failure trap as defined in the AlertMap files listed above:

4.0               0x00010017 1.3.6.1.4.1.9.2.1.5(1,0)

Notice there is a trap variable configured. OID 1.3.6.1.4.1.9.2.1.5 is the authAddr attribute, defined in the Cisco enterprise MIB as follows:

authAddr OBJECT-TYPE
    SYNTAX IpAddress
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION
        "This variable contains the last SNMP authorization failure IP address."
    ::= { lsystem 5 }
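
To check which AlertMap entries will produce an event that can show the Source System, the following Python (an added example, not part of the original article and not Spectrum's own code) parses entries of the shape quoted above and flags those that map the authAddr OID. It assumes single-line entries only; the function names are hypothetical, the sample file contents are constructed from the two lines quoted on this page, and the two numbers in parentheses are carried through without interpretation.

```python
import re
from typing import NamedTuple

AUTH_ADDR_OID = "1.3.6.1.4.1.9.2.1.5"  # authAddr, from the MIB excerpt on this page

class Entry(NamedTuple):
    alert_code: str
    event_code: int
    varbinds: tuple  # of (oid, first_number, second_number)

# One trap-variable mapping, e.g. 1.3.6.1.4.1.9.2.1.5(1,0)
VARBIND = re.compile(r"(\d+(?:\.\d+)+)\((\d+),(\d+)\)")

def parse_alertmap(text):
    """Parse single-line AlertMap entries of the shape shown on this page."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue  # blank line
        if len(fields) < 2 or not re.fullmatch(r"0x[0-9a-fA-F]+", fields[1]):
            raise ValueError(f"line {lineno}: expected '<alert> <0xEVENT> [oid(a,b)...]'")
        varbinds = []
        for tok in fields[2:]:
            m = VARBIND.fullmatch(tok)
            if m is None:
                raise ValueError(f"line {lineno}: bad trap variable mapping {tok!r}")
            varbinds.append((m.group(1), int(m.group(2)), int(m.group(3))))
        entries.append(Entry(fields[0], int(fields[1], 16), tuple(varbinds)))
    return entries

def has_source_system(entry):
    """True when the entry maps authAddr, so the event can show the failing source IP."""
    return any(oid == AUTH_ADDR_OID for oid, _, _ in entry.varbinds)

def audit(files):
    """Map each AlertMap path to [(alert_code, event_code_hex, has_source), ...]."""
    return {path: [(e.alert_code, f"0x{e.event_code:08x}", has_source_system(e))
                   for e in parse_alertmap(text)]
            for path, text in files.items()}

# Constructed sample: file contents reduced to the one line the page quotes for each.
SAMPLE = {
    "$SPECROOT/SS/CsVendor/IETF/AlertMap": "4.0                   0x0001030a\n",
    "$SPECROOT/SS/CsVendor/Cisco_Router/Rtr_Cisco/AlertMap":
        "4.0               0x00010017 1.3.6.1.4.1.9.2.1.5(1,0)\n",
}

if __name__ == "__main__":
    for path, rows in audit(SAMPLE).items():
        for alert, event, src in rows:
            print(f"{path}: alert {alert} -> event {event}, source system: {src}")
```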