SNMP Issues

I received the following email from a connected device on our network today.

Name : Name1
Location : Server Room
Contact : Admin

http://name1.co.com
http://192.168.0.68
http://xxxx::xxx:xxxx:xxxx:xxxx
Serial Number : 12345678945613
Date : 11/03/2015
Time : 10:03:28
Code : 0x0004

Informational Events - System: Detected an unauthorized user attempting to access the SNMP interface from 192.168.0.22

When I look at the server, I see the following in the event log:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/3/2015 10:01:12 AM
Event ID:      4653
Task Category: IPsec Main Mode
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      server1
Description:
An IPsec main mode negotiation failed.
Local Endpoint:
      Local Principal Name:      -
      Network Address:      192.168.0.22
      Keying Module Port:      500
Remote Endpoint:
      Principal Name:            -
      Network Address:      192.168.0.68
      Keying Module Port:      500
Additional Information:
      Keying Module Name:      IKEv1
      Authentication Method:      Unknown authentication
      Role:                  Initiator
      Impersonation State:      Not enabled
      Main Mode Filter ID:      68215
Failure Information:
      Failure Point:            Local computer
      Failure Reason:            Negotiation timed out
      State:                  Sent first (SA) payload
      Initiator Cookie:            a+sdf654as6df4as6c
      Responder Cookie:      0000000000000000

SNMP is installed but there are no traps set and as far as I can tell it is not configured to check anything. I do not have a lot of software installed on this server except for the Xerox XDA agent to monitor our printers. I see no reason why it should be communicating with this IP address.

There are a lot of the 4653 events in the security log as Audit Failures to several different IP addresses.

I am running Windows 2008 R2.
qvfps asked:
Brian Murphy (IT Architect) commented:
SNMP as a service has a read-only and change phrase like "public" and/or "private".

SNMP Trap Service under (services.msc) is by default there for sending traps to SNMP collectors like Tivoli or HP MOM.

The source of that "error" above is your Audit settings under local policies or GPO.

Click Start - Run - type "gpedit.msc"
Local Computer Policy
Windows Settings
Security Settings
Local Policy
Audit Policy

The answer to your question, I think, is this has nothing to do with SNMP but instead local Windows Auditing Policies and this is more granular depending on what you have installed on 2008R2.

For example, Start - Run - "eventvwr.exe"

Applications and Services Logs (not Windows Logs)
There are hundreds of logs here.
arnold commented:
SNMP is made up of two components: the notifier (snmptrap service), which when configured will generate SNMPTRAP events, and the SNMP service that allows polling. Within the SNMP service configuration you should have managers defined, meaning only the managers can query the SNMP service for data.

Along the same route, you have evntwin, which is a tool to configure event log to SNMP TRAP event mappings, i.e. when a specific event log entry is added, a corresponding SNMP trap is sent.

Now the issue reported to you is likely from an SNMPTRAP monitor that receives the events and converts them into emails.

Now the error says that an SNMP poll from 192.168.0.22 was seen on the system 192.168.0.68.

The event you posted was an IKE event, meaning IPsec access and not SNMP.

Check the full message headers of the email to determine the server from which this email originated, then look at the configuration to make sure the SNMP trap to email converter is configured properly to generate the correct email notice.
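
As an added example (not part of the thread), a PowerShell script that checks the two things arnold describes on the 2008 R2 host: whether the SNMP service restricts polling to defined managers, and which remote peers are producing the 4653 IPsec main mode failures. The registry paths are the SNMP service's standard ones; the `RemoteAddress` EventData field name and the English "Failure Reason:" message text are assumptions.

```powershell
# Added example, not code from the thread. Inspects SNMP agent restrictions and
# summarises Security event 4653 (IPsec main mode failure) by remote peer.
$snmpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

function Get-SnmpAgentConfig {
    $svc = Get-Service -Name SNMP -ErrorAction SilentlyContinue
    if (-not $svc) { return 'SNMP service is not installed.' }
    $lines = @("SNMP service state: $($svc.Status)")

    # ValidCommunities: value name = community string, data = access level code
    $access = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }
    $comm = Get-ItemProperty "$snmpParams\ValidCommunities" -ErrorAction SilentlyContinue
    if ($comm) {
        foreach ($p in $comm.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $lines += "Community '$($p.Name)' -> $($access[[int]$p.Value])"
        }
    }

    # PermittedManagers: numbered values naming hosts allowed to poll the agent.
    # An empty list means the agent answers any host that knows a community string.
    $mgrs  = Get-ItemProperty "$snmpParams\PermittedManagers" -ErrorAction SilentlyContinue
    $hosts = @()
    if ($mgrs) { $hosts = @($mgrs.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }) }
    if ($hosts.Count -eq 0) { $lines += 'Permitted managers: ANY HOST (no restriction)' }
    else { $lines += "Permitted managers: $($hosts -join ', ')" }
    $lines
}

function Get-IpsecMainModeFailures {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4653; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # RemoteAddress is the EventData field behind "Remote Endpoint / Network Address" (assumed name).
        $xml = [xml]$_.ToXml()
        $remote = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'RemoteAddress' }).'#text'
        # The failure reason is read from the rendered (English) message, as shown in the thread.
        $reason = if ($_.Message -match 'Failure Reason:\s+(.+)') { $Matches[1].Trim() } else { 'unknown' }
        New-Object PSObject -Property @{ Remote = $remote; Reason = $reason; Time = $_.TimeCreated }
    } | Group-Object Remote, Reason | Sort-Object Count -Descending |
      Select-Object Count, @{ n = 'Remote peer, reason'; e = { $_.Name } }
}

Get-SnmpAgentConfig
Get-IpsecMainModeFailures -Hours 24 | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the server; a peer that appears in the 4653 summary but not in the permitted managers list is an IPsec/IKE peer, not an SNMP manager.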

qvfps (Author) commented:
I think I narrowed it down to the Xerox XDA service. It started a poll from 10:02 - 10:05 and I received the messages between 10:03 and 10:04.

The device sending the emails is not a server and only has a web interface, which I was unable to connect to to verify the settings.

The SNMP reference in the email threw me off as I have no SNMP traps configured on this server.
arnold commented:
The snmptrap is the recipient of events.
What generates the notice, and what is its process? Is it akin to Splunk, which aggregates and processes event logs?

Do you have SNMP services installed and running?
Windows Server 2008