Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

SS3-4400 sending flood of alert emails, "authentication failure"

Status
Not open for further replies.
bpeitzke

bpeitzke

IS-IT--Management
Jan 8, 2004
3
US
The 3Com SuperStack 3 4400 layer 2 switch in our Hong Kong office has been sending me floods of alert emails,

"From device 3Com SuperStack 3 (IP address of this switch)
Authentication Failure"

We have had a few episodes of automated attacks being logged on our Exchange FE server, but the times don't correlate with these alerts.

Also I am seeing a large number of authentication attempts and accepts on this switch. But again, these continue in periods when we are not receiving the alert emails, and being that accepts almost = attempts, these don't seem related. But this switch does show a lot more authentications than other 4400's we have.

Can anyone shed any light on these "Authentication Failure" messages?

TIA

Bob Peitzke
Colony Advisors, LLC
 
Sort by date Sort by votes
One more thought on one aspect of this problem: I read a thread somewhere commenting on the possibility of a corrupt TCP/IP stack causing repeated connect/disconnect sequences. Could this explain the high number of authentications on the switch?

Again, I don't believe these are related to my main question of what is causing the "Authentication Failure" alert emails, but I do need to be able to explain this high authentication count.

TIA

Bob
 
Upvote 0 Downvote
To clarify, in addition to my main question about these "Authentication Failure" alert emails, I am trying to learn what causes authentication attempts on this switch. For instance I see that each one of my queries on Security/Device/Authentication/Statistics generates four authentication attempts and accepts.
 
Upvote 0 Downvote
I get similiar messages but they are concerning the "snmp trap authentication" not radius/.x stuff.

If you are using a network manager (like Network Director) then you have a trap reciever IP address setup and an SNMP read and write password(community string).

Check the switch: System management snmp
check community and trap settings

If you changed the defaults (which you should) then someone may be trying to use SNMP to get to your switches via the public/private defaults.

If you have a trap reciever defined, check to make sure it is setup with the correct SNMP strings.

Just my 2cents worth. Good luck.
Rob.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

fiberonsalecom
  • Locked
  • Helpful tip
The basic characteristics of fiber optic transceivers
Replies
0
Views
93
fiberonsalecom
fiberonsalecom
NYCCGaz
  • Locked
  • Question
Pair of 3com 8810 Core Chassis Switches - FREE TO GOOD HOME
Replies
0
Views
87
NYCCGaz
NYCCGaz
m4rc00
  • Locked
  • Question
Cisco vs HP "trunk port"
Replies
4
Views
110
VinceWhirlwind
VinceWhirlwind
mlgmartin
  • Locked
  • Question
Does HP switch supports "Voice VLAN'? 1
Replies
12
Views
227
cajuntank
cajuntank
WonR
  • Locked
  • Question
3Com 4400 : Do I update firmware & DeviceManager?
Replies
0
Views
78
WonR
WonR

Part and Inventory Search

Sponsor

Back
Top