Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

SS3-4400 sending flood of alert emails, "authentication failure"

Status
Not open for further replies.

bpeitzke

IS-IT--Management
Jan 8, 2004
3
US
The 3Com SuperStack 3 4400 layer 2 switch in our Hong Kong office has been sending me floods of alert emails,

"From device 3Com SuperStack 3 (IP address of this switch)
Authentication Failure"

We have had a few episodes of automated attacks being logged on our Exchange FE server, but the times don't correlate with these alerts.

Also I am seeing a large number of authentication attempts and accepts on this switch. But again, these continue in periods when we are not receiving the alert emails, and being that accepts almost = attempts, these don't seem related. But this switch does show a lot more authentications than other 4400's we have.

Can anyone shed any light on these "Authentication Failure" messages?

TIA

Bob Peitzke
Colony Advisors, LLC
 
One more thought on one aspect of this problem: I read a thread somewhere commenting on the possibility of a corrupt TCP/IP stack causing repeated connect/disconnect sequences. Could this explain the high number of authentications on the switch?

Again, I don't believe these are related to my main question of what is causing the "Authentication Failure" alert emails, but I do need to be able to explain this high authentication count.

TIA

Bob
 
To clarify, in addition to my main question about these "Authentication Failure" alert emails, I am trying to learn what causes authentication attempts on this switch. For instance I see that each one of my queries on Security/Device/Authentication/Statistics generates four authentication attempts and accepts.
 
I get similiar messages but they are concerning the "snmp trap authentication" not radius/.x stuff.

If you are using a network manager (like Network Director) then you have a trap reciever IP address setup and an SNMP read and write password(community string).

Check the switch: System management snmp
check community and trap settings

If you changed the defaults (which you should) then someone may be trying to use SNMP to get to your switches via the public/private defaults.

If you have a trap reciever defined, check to make sure it is setup with the correct SNMP strings.

Just my 2cents worth. Good luck.
Rob.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top