Does credential order or affinity take precedence?

tomcollins
Tera Contributor

I have a situation where I am successfully discovering some switches and even though there is an affinity to an SNMP credential, discovery is still attempting to discover it first using my SSH credentials. I am assuming this is because SSH is turned on in the switches. My question is, why is discovery even trying to use any SSH credentials when the affinity is with a single SNMP credential? Is credential order somehow overriding the affinity?

How do I restrict discovery to using ONLY the SNMP credential and attempting the SSH credential ONLY IF the SNMP one fails?

I checked and there is no other affinity to any other credentials other than the successful SNMP credential.

This is causing a lot of unneeded alerts on the network side for unsuccessful login attempts that I would rather avoid.

Thanks,

TC

Version: Helsinki

12 REPLIES

Doug,


I've always wondered exactly what that property meant. Is this the purpose of the IP service affinity, so it will remember the last port that worked and try that first instead of going in order of priority? If so, very helpful and good to know.


I have enabled IP Service Affinity. I will test and see if that does the trick. Thanks for the response Doug!



-TC


Hey Thomas,



If you don't mind, please post your results here for others, and don't forget to mark the correct answer.


Well, I enabled the IP Service Affinity function and it partially worked.

Once I discovered the device to set the affinity after I enabled the setting, here are the results:

- Discovery initially skipped SSH and went directly to SNMP and discovered the device, I assume, because of the IP Affinity setting.
- After successfully using SNMP, it still tried SSH to discover the device. I have enclosed a screenshot below.



Not sure what I need to do to resolve this. I want it to not try SSH based on the service affinity setting.




IP Service Affinity Pic 1.JPG



As you can see, it still tries SSH discovery.



Thanks,


TC


Interesting Thomas.



To Doug's point earlier ^, when you change the order of SSH and SNMP it should resolve the issue, unless the SNMP permission fails. If SNMP fails to authenticate, as expected, it begins trying SSH credentials.



Unfortunately, the screenshot above has all of the valuable data blocked out. I would be happy to hop on a call with you to work through this. I had the same issue in 2015 and I am working through another similar one today.

Take a peek at this post and see if it sheds any light. Doug answers a lot of questions: Pros and Cons of IP Service Affinity (ip_service_affinity)

Please note... I have since changed my view. I always reorder SSH after SNMP due to the unwanted SSH attempts on network devices and the headaches that can cause. From a time perspective I didn't see a huge gain, but from a "not locking out" network devices perspective, it was a huge win and accomplished what you are trying to accomplish.

I am free after 530PM EST today.



Regards,


Jeremy