This one bit me in the ass pretty good back a year or so ago, and I spent a good bit of time with support (including a one-off patch to fix a bug we uncovered related to it) figuring it out.
Basically, Spectrum was originally written a long time ago, and sometimes that gives limitations that still affect us. Internally, Spectrum only understands SNMPv1. All of its internal trap processing is built around that. So, when an SNMPv2/SNMPv3 trap comes in, the first thing Spectrum does is convert it to an SNMPv1 trap. There is an RFC documenting how to do this translation. It's also documented in the Spectrum documentation (I know, a lot of the Spectrum documentation is somewhat less than ideal), in Spectrum_Event_Configuration_User_ENU.pdf, page 111.

What you see in Wireshark will be the raw, untranslated trap. The "Trap type" value listed in an Unknown alert event will be *after* Spectrum has translated the trap. The safest route, in my experience, is to use whatever shows up in the "Trap type" in your AlertMap entries.

-- Christopher

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Thursday, October 06, 2011 8:43 PM
To: spectrum
Subject: [spectrum] Bug in Spectrum Trap OID translation?

Can someone help explain what I am seeing here?

Unknown alert received from device Router_X of type Rtr_Cisco. Device Time 355+08:35:50. (Trap type 1.3.6.1.4.1.9.9.187.6.1)
Trap var bind data:
OID: 1.3.6.1.2.1.1.3.0 Value: 3070295076
OID: 1.3.6.1.6.3.1.1.4.1.0 Value: 1.3.6.1.4.1.9.9.187.0.1
OID: 1.3.6.1.2.1.15.3.1.14.190.26.59.60 Value: 4.0
OID: 1.3.6.1.2.1.15.3.1.2.190.26.59.60 Value: 6
OID: 1.3.6.1.4.1.9.9.187.1.2.1.1.7.190.26.59.60 Value: hold time expired
OID: 1.3.6.1.4.1.9.9.187.1.2.1.1.8.190.26.59.60 Value: 5

Why is Spectrum picking *187.6.1 as the trap OID when the SNMPv2 Trap OID (1.3.6.1.6.3.1.1.4.1.0) value clearly states that it is *.187.0.1? There is no .187.6.* branch anywhere in the CISCO-BGP4-MIB (I have the latest) and all of the traps in that MIB are .187.0.*. This is happening with both our 187.0.1 and 187.0.2 traps (probably others too, but this is what I saw in the event logs). Most other traps appear to be unaffected.
I have viewed the raw trap packets in Wireshark and they perfectly match the var bind data above. There is no mention of 187.6.1 anywhere in the packet. We are running Spectrum v9.2H03 currently and using SNMPv3 traps. Spectrum bug? Fixed in H04 or SP1? Workaround?

-Ken

--- To unsubscribe from spectrum, send email to [email protected]<mailto:[email protected]> with the body: unsubscribe spectrum [email protected]<mailto:[email protected]>
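
The translation discussed in this thread, as an added example that is not part of either message and is not Spectrum's own code: it applies the SNMPv2-to-SNMPv1 trap rules of RFC 3584, section 3.2 (assumed to be the RFC the reply refers to) to the varbinds from the event above. Rendering "Trap type" as enterprise.generic.specific is an assumption inferred from that event; the function names are hypothetical.

```python
SNMP_TRAPS = (1, 3, 6, 1, 6, 3, 1, 1, 5)        # snmpTraps: parent of the standard traps
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"         # snmpTrapOID.0
SNMP_TRAP_ENTERPRISE = "1.3.6.1.6.3.1.1.4.3.0"  # snmpTrapEnterprise.0

# Varbinds copied from the Unknown alert event quoted in the original message.
EVENT_VARBINDS = {
    "1.3.6.1.2.1.1.3.0": "3070295076",
    "1.3.6.1.6.3.1.1.4.1.0": "1.3.6.1.4.1.9.9.187.0.1",
    "1.3.6.1.2.1.15.3.1.14.190.26.59.60": "4.0",
    "1.3.6.1.2.1.15.3.1.2.190.26.59.60": "6",
    "1.3.6.1.4.1.9.9.187.1.2.1.1.7.190.26.59.60": "hold time expired",
    "1.3.6.1.4.1.9.9.187.1.2.1.1.8.190.26.59.60": "5",
}

def parse_oid(text):
    """Turn a dotted OID string into a tuple of ints, rejecting malformed input."""
    parts = text.strip().lstrip(".").split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a usable OID: {text!r}")
    return tuple(int(p) for p in parts)

def v2_to_v1(varbinds):
    """Return the SNMPv1 (enterprise, generic-trap, specific-trap) fields."""
    if SNMP_TRAP_OID not in varbinds:
        raise ValueError("notification has no snmpTrapOID.0 varbind")
    trap_oid = parse_oid(varbinds[SNMP_TRAP_OID])
    if trap_oid[:-1] == SNMP_TRAPS and 1 <= trap_oid[-1] <= 6:
        # Standard trap (coldStart .. egpNeighborLoss): generic = last sub-id - 1.
        ent = varbinds.get(SNMP_TRAP_ENTERPRISE)
        enterprise = parse_oid(ent) if ent else SNMP_TRAPS
        return enterprise, trap_oid[-1] - 1, 0
    # Enterprise-specific trap: generic-trap is always 6, specific is the last sub-id.
    if trap_oid[-2] == 0:
        enterprise = trap_oid[:-2]   # strip the ".0.<n>" tail (the case in this thread)
    else:
        enterprise = trap_oid[:-1]   # strip only "<n>"
    return enterprise, 6, trap_oid[-1]

def trap_type(varbinds):
    """Assumed display form: enterprise.generic.specific, as in the event above."""
    enterprise, generic, specific = v2_to_v1(varbinds)
    return ".".join(str(n) for n in enterprise + (generic, specific))

if __name__ == "__main__":
    print(trap_type(EVENT_VARBINDS))
```

Run against the quoted event, this gives the same "Trap type" string the event shows, so the .187.6.1 value is the translated form of the .187.0.1 notification rather than a MIB branch.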
