Alive, Not classified

nk_dubey1
Kilo Contributor

‎11-23-2014 03:37 PM

Hi,

 

While Discovery bunch of my IP returning this error. I checked the log and it indicates that IP is not Active but it's Alive. I can see refusal on many ports. I have below questions in the discovery:

 

(1) What is the difference between Active and Alive. Does

(2) What Discovery use for fetching information TCP or UDP? Also in which order.

(3) Alive, Not classified (Does this means Discovery was able to ping IP, but it received negative response from port?)

 

Any easy way to solve these kind of issue.

Labels:
0 Helpfuls
  • 6,065 Views
10 REPLIES 10

tim_broberg
ServiceNow Employee
ServiceNow Employee
In response to nk_dubey1

‎11-24-2014 09:10 AM

Ok, here is a way to ping from the mid server: ECC Queue Command Line Worker - ServiceNow Wiki



The instructions describe manually creating an ECC Queue entry.



Alternately, you can create a probe and test it. In Discovery Definition / Probes, create a new probe with:


  1. Topic = Command
  2. Name = <your command>, e.g. "ping -n 4 8.8.8.8"

Save the probe, and hit "test probe," select a mid server at the prompt, ignoring the "run probe against" field.



Since we were (ok, I was) too lazy to create a sensor, it reports an error when it comes back, but you should see the ecc queue entries out and back.



The date field of the input has a link. Click it to see the inbound ecc queue entry.



In the payload, you should see your ping traffic.


<?xml version="1.0" encoding="UTF-8"?><results probe_time="5132"><result command="ping 8.8.8.8 -n 4"><stdout>



Pinging 8.8.8.8 with 32 bytes of data:



Reply from 8.8.8.8: bytes=32 time=8ms TTL=43



Reply from 8.8.8.8: bytes=32 time=8ms TTL=43



Reply from 8.8.8.8: bytes=32 time=8ms TTL=43



Reply from 8.8.8.8: bytes=32 time=8ms TTL=43









Ping statistics for 8.8.8.8:



Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),



Approximate round trip times in milli-seconds:



Minimum = 8ms, Maximum = 8ms, Average = 8ms</stdout><stderr/></result><parameters><parameter name="topic" value="Command"/...


Hope that was more helpful than it was confusing,


    - Tim.


0 Helpfuls

tim_broberg
ServiceNow Employee
ServiceNow Employee
In response to nk_dubey1

‎11-24-2014 12:04 AM

Well, it looks like some device is there, and it's pretty locked down. Perhaps another device got the address via DHCP? Maybe the device has been deconfigured, but it's still powered up?



It's fairly safe to say that it will ping and that it won't respond on whatever ports we're trying to use to discover it.



Just my opinion, but it seems like you've done sufficient due diligence on your side, and it's the client's turn to start looking into it from their side.


    - Tim.


0 Helpfuls

nk_dubey1
Kilo Contributor
In response to tim_broberg

‎11-24-2014 01:32 PM

Hi Tim/Amit,



I ran the discovery on one of the IP where I am getting this error and check the input payload below:


Payload_input.png



It says Active is true and Alive is true, but in Disovery log this give me error "Alive, not classified". Prod was able to get response on port 80, this shouldn't be giving me error I am getting.



Any idea?


Preview file
38 KB
0 Helpfuls

tim_broberg
ServiceNow Employee
ServiceNow Employee
In response to nk_dubey1

‎11-24-2014 02:14 PM

Yes, port 80 is open, but, out of the box, this provides extremely limited information - the name and version of a web server.



It's not sufficient to classify a server as Linux, Windows, AIX, HP/UX, Solaris, or even server vs printer vs switch.


    - Tim.


0 Helpfuls

nk_dubey1
Kilo Contributor
In response to tim_broberg

‎11-24-2014 02:31 PM

Hi Tim,



Thanks for update.



So in order to successfully classify a server what all port needs to be open?


0 Helpfuls