7 Replies Latest reply: Apr 5, 2016 12:13 PM by Daniel Duffy

    Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.

    Daniel Duffy Adventurer

      We have a CS220 that has recently started firing off 15 of these emails in a row, for no apparent reason, twice daily.  Nothing is connected to the console, or attempting to access.  This behavior happens regardless of which controller is active. 

       

      This behavior started after a NimbleOS update.  A subsequent update did not change the behavior.

       

      Twice every day at 8:16AM (but no PM) and 4:08PM (but not AM), we get 15 of these at once.  The 4pm alerts seem to correlate to the approximate time that the NimbleOS update was done.

       

      We have no other processes/backups/discernable activity that is taking place at these times.


      Any ideas out there?

       

      Thank you.

       

      -----Original Message-----
      From: nimble@yournetwork.com
      Subject: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.

       

      Time: Thu Mar 17 08:21:53 2016

       

      Type: 14801

      Id: 24817

      Message: Root Login to controller B from Console failed.

       

      Group Name: Nimble-SAN

      Array name: Nimble-SAN

      Serial: your SN

      Version: 2.3.14.0-325711-opt

       

      Arrays in the group:

      ---------------------+-----------------+-----------+----------------

      Name                  Serial            Model       Version        

      ---------------------+-----------------+-----------+----------------

        • Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.
          Nick Dyer Navigator

          Hi Daniel,

           

          This is a security feature as part of a recent version of NimbleOS. You most likely have something on your network that is probing all devices. Give support a call and they can help.

            • Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.
              Daniel Duffy Adventurer

              that's what i would have thought - except that it says it's from console.  when we've had failed access attempts on the LAN int, it would say it was from a LAN int IP address.  since this says console, and we have nothing connected to the console, it makes no sense.

                • Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.
                  Scout

                  you will get these messages for three reasons.

                  1) software upgrade - the OS does an SSH to the standby to start upgrade and we log it.

                  2) internal software scan by your network team to test security

                  3) someone is actually trying to break into the IP

                   

                  For one and two - no issues. Number two is usually the case and you can call your security team. If it is not the security team - then someone in your network is doing bad things!

                   

                  kevin

                    • Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.
                      Daniel Duffy Adventurer

                      OK so assuming that even though it says that it's a failed *console* login, and nothing is connected to the console, and when there are failed access attempts via the network, it says that it's a failed *network* login (it shows an IP address rather than saying console), how *would* we poll the Nimble? 

                       

                      the community string on the Nimble matches the read community string on the software that we use to monitor all IP-connected systems internally.  this same software has been monitoring the same Nimble unit without errors for about 2 years.  Then suddenly after an OS upgrade, it starts giving these alerts claiming there is a failed *console* login.

                       

                      Is there no other way to control management software that *is* allowed to poll the device than the SNMP read string (which, BTW, still does not support ! in the string, which is a known bug from the 1.x days, which Nimble said would be corrected, but still has not been)?

                       

                      that all said, it seems like your suggestion on item 1 is the more logical culprit.  but what would cause it to happen 15 times, twice daily, repeatedly when the OS upgrade is a one-time event, which occurred days ago (not to mention that no previous upgrades have triggered this alert)?

                • Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.
                  Daniel Duffy Adventurer

                  we've also confirmed that we're seeing this with customer systems now as well as our own.

                   

                  assuming that polling the device via SNMP is a supported feature, why would the device claim there is a bad login of ANY type when the credentials being used are correct, and we were able to poll the system prior to v2.3 upgrade?

                   

                  And even if the credentials WERE bad (which they are not), why would the system generate an error about a CONSOLE login when nothing is even connected to the console and the logins are being done via IP (which generates an alert about the IP i/f when there really is a bad access attempt)?

                  • Re: Nimble Alert on Nimble-SAN / Nimble-SAN - CRITICAL: Root Login failed.
                    Daniel Duffy Adventurer

                    Good call Chris - it was HP SIM.  Likely a port 22 scan.  Would be nice if Nimble made the alert clearer (ie: rather than saying CONSOLE, if it says SSH).  Maybe they'll see the feature request.
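
A way to triage alert storms like the one in this thread, as an added example that is not part of any post here: it parses saved alert bodies in the quoted `Time:`/`Message:` layout, groups them into bursts, and reports bursts that recur at the same time of day, the pattern a scheduled discovery scan (HP SIM in this thread) produces. The sample alerts, thresholds and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%a %b %d %H:%M:%S %Y"  # "Thu Mar 17 08:21:53 2016", as in the quoted alert

def parse_alerts(text):
    """Return [(datetime, message)] from concatenated alert e-mail bodies."""
    events, when = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Time:"):
            when = datetime.strptime(line[5:].strip(), FMT)
        elif line.startswith("Message:") and when is not None:
            events.append((when, line[8:].strip()))
            when = None
    return events

def find_bursts(events, gap=timedelta(minutes=2), min_size=5):
    """Group login-failure alerts spaced at most `gap` apart: [(start, count)]."""
    times = sorted(t for t, msg in events if "Login" in msg and "failed" in msg)
    runs = []
    for t in times:
        if runs and t - runs[-1][-1] <= gap:
            runs[-1].append(t)
        else:
            runs.append([t])
    return [(r[0], len(r)) for r in runs if len(r) >= min_size]

def recurring_slots(bursts, tolerance=10, min_days=2):
    """Time-of-day slots (HH:MM, distinct days) where bursts repeat across days."""
    groups = []
    for minute, day in sorted((s.hour * 60 + s.minute, s.date()) for s, _ in bursts):
        if groups and minute - groups[-1][-1][0] <= tolerance:
            groups[-1].append((minute, day))
        else:
            groups.append([(minute, day)])
    slots = [("%02d:%02d" % divmod(g[0][0], 60), len({d for _, d in g})) for g in groups]
    return [s for s in slots if s[1] >= min_days]

def constructed_sample():
    """Constructed input: 15 alerts at 08:16 and 16:08 on three days, plus one stray."""
    msg = "Message: Root Login to controller B from Console failed."
    out = ["Time: Wed Mar 16 11:30:00 2016", "", msg, ""]
    for day in (15, 16, 17):
        for hour, minute in ((8, 16), (16, 8)):
            start = datetime(2016, 3, day, hour, minute)
            for i in range(15):
                ts = (start + timedelta(seconds=2 * i)).strftime(FMT)
                out += ["Time: " + ts, "", "Type: 14801", "", msg, ""]
    return "\n".join(out)

if __name__ == "__main__":
    bursts = find_bursts(parse_alerts(constructed_sample()))
    for slot, days in recurring_slots(bursts):
        print(f"recurring burst near {slot} on {days} days: check scheduled scanners")
```

A recurring slot can then be compared against the job schedules of management and vulnerability-scanning tools on the same network.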