Fault Symptom
After a carrier replaces old routers with NE5000Es and NE80Es, the new devices send alarms to the NMS continuously, which affects monitoring services. Log information is as follows:
Nov 24 2011 08:45:09 Router %SHELL/4/TELNETFAILED(l)0]:Failed to login through telnet. (Ip=x.x.x.x, Times=3)
Nov 24 2011 08:45:09 Router %SHELL/4/TELNETFAILED(l)1]:Failed to login through telnet. (Ip=x.x.x.x, Times=3)
Nov 24 2011 08:45:08 Router %SHELL/4/TELNETFAILED(l)2]:Failed to login through telnet. (Ip=x.x.x.x, Times=2)
Nov 24 2011 08:45:08 Router %SHELL/4/TELNETFAILED(l)3]:Failed to login through telnet. (Ip=x.x.x.x, Times=2)
Nov 24 2011 08:45:06 Router %SHELL/4/TELNETFAILED(l)4]:Failed to login through telnet. (Ip=x.x.x.x, Times=1)
Fault Analysis
1. The preceding log information indicates that the login through Telnet fails. If the log information is continuously generated on all devices, a fault occurs.
Devices receive Telnet request packets continuously but the user fails to log in to the devices through Telnet. The possible causes are as follows:
a. Devices are attacked. Illegitimate users crack passwords to obtain the access rights to devices.
b. The login user name and password are not correctly configured on the devices or the AAA server.
c. The NMS accesses the devices regularly to detect the device connectivity. The user fails to log in to devices because the user name and password are configured incorrectly.
Analyzing procedure:
d. Since device management is implemented in a closed network, and the IP address in the log information is that of the NMS, devices are not attacked.
e. The authentication mode configured for devices is the local authentication first and the TACACS authentication second. The user name and password are configured on the AAA server.
f. The NMS accesses all devices through Telnet regularly to detect the device connectivity, and the user name and password configured on the NMS are tested correct.
Check the authentication mode of the devices and find that the authentication mode before the replacement is TACACS authentication first and Local authentication second. However, the authentication mode of the new devices is Local authentication first and TACACS authentication second, and the sequence cannot be changed.
authentication-scheme default
authentication-mode local hwtacacs
2. Using this authentication mode, an alarm is generated only when all authentication modes fail. Therefore, no matter the user is a local user or AAA server user, no alarm is generated if the user name and password are correct. If a user logs in to a device through Telnet but inputs no user name or password, alarms are generated continuously.
The analysis shows that one of the NMS software packages is not updated, causing the NMS to initiate two Telnet connections each time. However, one of the two connections is in suspension state.
Procedure
1. The carrier upgrades the software package.
After the preceding operations, all new devices generate no alarms and the fault is rectified.
Summary
None.
