https://community.netapp.com/t5/ONTAP-Discussions/VServer-security-invalid-login-ALERT/m-p/432657#M40116 <P>How do I see the offending client?</P> Tue, 01 Mar 2022 20:39:32 GMT RickVR 2022-03-01T20:39:32Z https://community.netapp.com/t5/ONTAP-Discussions/VServer-security-invalid-login-ALERT/m-p/155819#M35150 <P>Hello,&nbsp;</P> <P>&nbsp;</P> <P>I just recently upgraded from 8.3.2 to 9.1P20 and started to see these alert messages being sent.&nbsp;</P> <P>&nbsp;</P> <P>Message: security.invalid.login: Failed to authenticate login attempt to Vserver: &lt;Name&gt;, username: admin, application: ontapi.</P> <P>&nbsp;</P> <P>Description: This message occurs when an attempt is made to access the appliance by using invalid authentication credentials.</P> <P><BR />I'm sure there was a change in the upgrade, however how do I narrow down what's causing this issue?&nbsp;</P> Wed, 04 Jun 2025 11:11:26 GMT https://community.netapp.com/t5/ONTAP-Discussions/VServer-security-invalid-login-ALERT/m-p/155819#M35150 sroy 2025-06-04T11:11:26Z https://community.netapp.com/t5/ONTAP-Discussions/VServer-security-invalid-login-ALERT/m-p/155827#M35153 <P>Hi,</P> <P>&nbsp;</P> <P>This is a very generic error which simply means 'An attempt is made to access the appliance by using invalid authentication credentials'.</P> <P>&nbsp;</P> <P>1) Could be someone is attempting to access cluster using wrong credentials.<BR />2) Could be someone changed the Cluster password, and/or someone or any NetApp/third-party Plug-in is still trying to access using old credentials. As you said, filer are upgraded (switched cluster?, is ontapi trying to access anything) so possibilities could be a lot.</P> <P>&nbsp;</P> <P>Try '-instance' switch, see if it gives any further info:<BR />::&gt; event log show -message-name *security* -instance</P> <P>Check the pattern (event time), is it doing at certain hour/minute or it's random.</P> <P><BR />If event log does not give much in-roads, then go to cluster logs:</P> <P>https:&lt;clust_mgmt_LIF&gt;/spi/&lt;node&gt;/etc/log/mlog/</P> <P>&nbsp;</P> <P>look for "mgwd" logs, open the log for the corresponding date/time since it's been generating. Go to specific date/time event and see why is it complaining. Once you get a clue, you can work accordingly.</P> <P>&nbsp;</P> <P>Thanks!</P> Thu, 30 Apr 2020 09:37:02 GMT https://community.netapp.com/t5/ONTAP-Discussions/VServer-security-invalid-login-ALERT/m-p/155827#M35153 Ontapforrum 2020-04-30T09:37:02Z https://community.netapp.com/t5/ONTAP-Discussions/VServer-security-invalid-login-ALERT/m-p/155838#M35154 <P>The output should have the source IP if I recall correctly.</P> Thu, 30 Apr 2020 14:48:02 GMT https://community.netapp.com/t5/ONTAP-Discussions/VServer-security-invalid-login-ALERT/m-p/155838#M35154 paul_stejskal 2020-04-30T14:48:02Z https://community.netapp.com/t5/ONTAP-Discussions/VServer-security-invalid-login-ALERT/m-p/155851#M35160 <P>I found the host responsible for the event alerts.&nbsp;</P> <P>&nbsp;</P> <P>Thanks for pointing me in the right direction.&nbsp;</P> Thu, 30 Apr 2020 18:38:59 GMT https://community.netapp.com/t5/ONTAP-Discussions/VServer-security-invalid-login-ALERT/m-p/155851#M35160 sroy 2020-04-30T18:38:59Z https://community.netapp.com/t5/ONTAP-Discussions/VServer-security-invalid-login-ALERT/m-p/432657#M40116 <P>How do I see the offending client?</P> Tue, 01 Mar 2022 20:39:32 GMT https://community.netapp.com/t5/ONTAP-Discussions/VServer-security-invalid-login-ALERT/m-p/432657#M40116 RickVR 2022-03-01T20:39:32Z https://community.netapp.com/t5/ONTAP-Discussions/VServer-security-invalid-login-ALERT/m-p/432660#M40117 <P>If you really need to, get a tcpdump then look to see when the issue is captured. <A href="https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_capture_packet_traces_(tcpdump)_on_ONTAP_9.2__systems" target="_blank">https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_capture_packet_traces_(tcpdump)_on_ONTAP_9.2__systems</A></P><P>&nbsp;</P> Tue, 01 Mar 2022 20:48:21 GMT https://community.netapp.com/t5/ONTAP-Discussions/VServer-security-invalid-login-ALERT/m-p/432660#M40117 paul_stejskal 2022-03-01T20:48:21Z