ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

VServer: security.invalid.login [ALERT]

sroy
‎2020-04-29 06:23 PM
13,130 Views

Hello, 

 

I just recently upgraded from 8.3.2 to 9.1P20 and started to see these alert messages being sent. 

 

Message: security.invalid.login: Failed to authenticate login attempt to Vserver: <Name>, username: admin, application: ontapi.

 

Description: This message occurs when an attempt is made to access the appliance by using invalid authentication credentials.


I'm sure there was a change in the upgrade, however how do I narrow down what's causing this issue? 

0 Kudos
View By:
1 ACCEPTED SOLUTION

Ontapforrum
‎2020-04-30 02:37 AM
13,098 Views

Hi,

 

This is a very generic error which simply means 'An attempt is made to access the appliance by using invalid authentication credentials'.

 

1) Could be someone is attempting to access cluster using wrong credentials.
2) Could be someone changed the Cluster password, and/or someone or any NetApp/third-party Plug-in is still trying to access using old credentials. As you said, filer are upgraded (switched cluster?, is ontapi trying to access anything) so possibilities could be a lot.

 

Try '-instance' switch, see if it gives any further info:
::> event log show -message-name *security* -instance

Check the pattern (event time), is it doing at certain hour/minute or it's random.


If event log does not give much in-roads, then go to cluster logs:

https:<clust_mgmt_LIF>/spi/<node>/etc/log/mlog/

 

look for "mgwd" logs, open the log for the corresponding date/time since it's been generating. Go to specific date/time event and see why is it complaining. Once you get a clue, you can work accordingly.

 

Thanks!

View solution in original post

5 REPLIES 5

Ontapforrum
‎2020-04-30 02:37 AM
13,099 Views

Hi,

 

This is a very generic error which simply means 'An attempt is made to access the appliance by using invalid authentication credentials'.

 

1) Could be someone is attempting to access cluster using wrong credentials.
2) Could be someone changed the Cluster password, and/or someone or any NetApp/third-party Plug-in is still trying to access using old credentials. As you said, filer are upgraded (switched cluster?, is ontapi trying to access anything) so possibilities could be a lot.

 

Try '-instance' switch, see if it gives any further info:
::> event log show -message-name *security* -instance

Check the pattern (event time), is it doing at certain hour/minute or it's random.


If event log does not give much in-roads, then go to cluster logs:

https:<clust_mgmt_LIF>/spi/<node>/etc/log/mlog/

 

look for "mgwd" logs, open the log for the corresponding date/time since it's been generating. Go to specific date/time event and see why is it complaining. Once you get a clue, you can work accordingly.

 

Thanks!

paul_stejskal
NetApp
‎2020-04-30 07:48 AM
In response to Ontapforrum
13,080 Views

The output should have the source IP if I recall correctly.

0 Kudos

sroy
‎2020-04-30 11:38 AM
In response to paul_stejskal
13,052 Views

I found the host responsible for the event alerts. 

 

Thanks for pointing me in the right direction. 

0 Kudos

RickVR
‎2022-03-01 12:39 PM
In response to paul_stejskal
9,668 Views

How do I see the offending client?

0 Kudos

paul_stejskal
NetApp
‎2022-03-01 12:48 PM
In response to RickVR
9,665 Views

If you really need to, get a tcpdump then look to see when the issue is captured. https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_capture_packet_traces_(tcpdump)_on_ONTAP_9.2__systems

 

0 Kudos
Announcements
All Community Forums
Public