Brocade Fibre Channel Networking Community

Expand all | Collapse all

This is odd...

Jump to Best Answer
  • 1.  This is odd...

    Posted 05-10-2017 07:18 AM

    A while back I replaced some 48K's with DCX8510's.  Every Friday around 18:40 I this this message in the log on two of them:

     

    2017/05/05-18:47:44, [IPAD-1002], 33747, SLOT 7 | FID 128, INFO, PRODUCTION-DIR2, Switch name has been successfully changed to PRODUCTION-DIR2

     

    It happens at the same time on both directors, but there are no messages immediately prior to this entry or after it that would help me understand how (or who) is doing this.

     

    One Friday I had their network cable disconnected for about 20 minutes during the time when this "event" usually happens and the name change did not occur. This tells me that something on my network (outside the switch) is doing this.

     

    I previously ran an old version of Network Advisor, but the version I bought wasn't compatible with the 8510's so I have uninstalled it. Was thinking it might have been responsible, but apparently not.

     

    Anyone have any ideas what could be doing this?  Can't easily sniff the network so I need other suggestions to figure out what address is sending the commands.

     

    Thanks,

    Daryl

     


    #BrocadeFibreChannelNetworkingCommunity
    #snmp


  • 2.  Re: This is odd...

    Posted 05-10-2017 08:17 AM

    Hello,

     

    Looking like an external equipement is doing this.

    Check CLI history:

    clihistory --showall

     

    Check your SNMP acess control and change the snmp configurations from read/write (RW) to read only (RO) is some are (RW).

     

     Sample:

     

    snmpconfig --show accesscontrol

    SNMP access list configuration:
    Entry 0: No access host configured yet
    Entry 1: No access host configured yet
    Entry 2: No access host configured yet
    Entry 3: No access host configured yet
    Entry 4: No access host configured yet
    Entry 5: No access host configured yet

     

    snmpconfig --set accesscontrol

    SNMP access list configuration:
    Access host subnet area : [0.0.0.0] 192.168.0.0 Read/Write? (true, t, false, f): [false] Access host subnet area : [0.0.0.0] Read/Write? (true, t, false, f): [true] Access host subnet area : [0.0.0.0] Read/Write? (true, t, false, f): [true] Access host subnet area : [0.0.0.0] Read/Write? (true, t, false, f): [true] Access host subnet area : [0.0.0.0] Read/Write? (true, t, false, f): [true] Access host subnet area : [0.0.0.0] Read/Write? (true, t, false, f): [true] Committing configuration.....done.
    GSC-DCX8510-8:FID128:admin> snmpconfig --show accesscontrol

    SNMP access list configuration:
    Entry 0: Access host subnet area 192.168.0.0 (ro) Entry 1: No access host configured yet Entry 2: No access host configured yet Entry 3: No access host configured yet Entry 4: No access host configured yet Entry 5: No access host configured yet

     

     

     


    #BrocadeFibreChannelNetworkingCommunity


  • 3.  Re: This is odd...

    Posted 05-10-2017 10:59 AM
    My results for 'snmpconfig --show accesscontrol' look like this:
    SNMP access list configuration:
    Entry 0: No access host configured yet
    Entry 1: No access host configured yet
    Entry 2: No access host configured yet
    Entry 3: No access host configured yet
    Entry 4: No access host configured yet
    Entry 5: No access host configured yet

    Do I still need to set access control to RO?
    Is there any way to enable more verbose logging of the system log?
    #BrocadeFibreChannelNetworkingCommunity


  • 4.  Re: This is odd...

    Posted 05-10-2017 11:09 PM

    Can you run?:

     

    snmpconfig --set accesscontrol


    #BrocadeFibreChannelNetworkingCommunity


  • 5.  Re: This is odd...

    Posted 05-11-2017 12:13 AM

    Try the following command (CLI) to check out any http request

     

    appLoginHistory --show

     

    Use this command to display the history of HTTP login sessions from external management applications such as Brocade Network Advisor or Web Tools. The command displays both current sessions and a history of past sessions. For each entry, the command output shows the following information

     


    #BrocadeFibreChannelNetworkingCommunity


  • 6.  Re: This is odd...

    Posted 05-11-2017 06:41 AM

    @Martin.Sjölin wrote:

    Try the following command (CLI) to check out any http request

     

    appLoginHistory --show

     

    Use this command to display the history of HTTP login sessions from external management applications such as Brocade Network Advisor or Web Tools. The command displays both current sessions and a history of past sessions. For each entry, the command output shows the following information

     


    Thanks for the command, unfortunately there are no commands listed for the dates/time of the name change event.


    #BrocadeFibreChannelNetworkingCommunity


  • 7.  Re: This is odd...
    Best Answer

    Posted 05-11-2017 11:01 AM

    And the following which complements the clihistory (only saves the most recent 256 entries, though)

     

    auditdump --show

     

    Option for modification is snmp; ssh; http(s); cal used by BNA

     

     


    #BrocadeFibreChannelNetworkingCommunity


  • 8.  Re: This is odd...

    Posted 05-11-2017 11:34 AM

    @Martin.Sjölin wrote:

    And the following which complements the clihistory (only saves the most recent 256 entries, though)

     

    auditdump --show

     

    Option for modification is snmp; ssh; http(s); cal used by BNA

     

     


    Bingo!  Found this entry from the auditdump -s command:

     

    69 AUDIT, 2017/05/05-18:47:44 (EDT), [IPAD-1002], INFO, CONFIGURATION, NONE/admin/x.x.x.x/snmp/snmp, ad_255/PRODUCTION-DIR2/FID 128, , Switch name has been successfully changed to PRODUCTION-DIR2.

     

    This tells me that it was coming in via SNMP and it tells me the IP where it is coming from.  Will do some digging to see who that is. 

     

    Thanks Martin and everyone else that contributed.

     


    #BrocadeFibreChannelNetworkingCommunity


  • 9.  Re: This is odd...

    Posted 05-11-2017 06:36 AM

    Thierry.Zimmermann wrote:

     

    Can you run?:

     

    snmpconfig --set accesscontrol


    I can run this command, but not sure what IP settings to use. 

     

    Also, the command 'clihistory --showall' does not show any cli commands at the time of the event.  Here is the command history from 5/4 - 5/6:

     

    Thu May  4 22:00:01 2017         backup, x.x.x.x, configupload

    Fri May  5 22:00:01 2017         backup, x.x.x.x, configupload

    Sat May  6 22:00:03 2017         backup, x.x.x.x, configupload

     

    Here are some of the entries from 'errdump' of the name change events:

     

    2017/04/07-18:40:37, [IPAD-1002], 6773, SLOT 7 | FID 128, INFO, PRODUCTION-DIR1, Switch name has been successfully changed to PRODUCTION-DIR1.
    2017/04/14-18:36:51, [IPAD-1002], 6808, SLOT 7 | FID 128, INFO, PRODUCTION-DIR1, Switch name has been successfully changed to PRODUCTION-DIR1.
    2017/04/21-18:42:37, [IPAD-1002], 6844, SLOT 7 | FID 128, INFO, PRODUCTION-DIR1, Switch name has been successfully changed to PRODUCTION-DIR1.
    2017/04/28-18:50:47, [IPAD-1002], 6886, SLOT 7 | FID 128, INFO, PRODUCTION-DIR1, Switch name has been successfully changed to PRODUCTION-DIR1.
    2017/05/05-18:47:44, [IPAD-1002], 6926, SLOT 7 | FID 128, INFO, PRODUCTION-DIR1, Switch name has been successfully changed to PRODUCTION-DIR1.

     

    Thinking event this must be happening via snmp because there is no cli command history or login.  Would that be a correct assumption??


    #BrocadeFibreChannelNetworkingCommunity