Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
Established Member.. HHirt
Established Member..
941 views

OSPF trap correlation

Jump to solution

Dear all,

We have configured one trap coming when a node is losing his adjacency to the neighbor = OSPF Nbr down.

Then another one when the Adj. is coming up again = OSPF Nbr up.

We have some false positive and we would like to avoid getting an alarm for every up/down during 30 sec.

Ideally we would like to dampen the OSPF Down during 3min and check if we receive the OSPF Up during this time. If not we can generate the event and automatic action OSPF Nbr down.

I did some testing with dampening and suppression, but doesn't work as expected...

Any help would be greatly appreciated

Thanks a lot 

0 Likes
1 Solution

Accepted Solutions
Dave Young Acclaimed Contributor.
Acclaimed Contributor.

Re: OSPF trap correlation

Jump to solution

Hi,

  You have two options here. 

1) The first is to use one of the "Open" incident views such as "Open Key Incidents" or "Custom Open incidents" as these by default have a filter that does not include closed incidents.  You could use the Open Incidents view and configure it with a filter so that Closed incidents are not displayed.  If you check the default filter you will see that "Dampened" incidents are not displayed by default - this is why you don't see them.  The drawback with this approach is that the filter does need to be configured initially, although these days its alot more "sticky" and is remembered via a cookie in the browser.

2) The other option you have is to check the box "Delete when canceled" within the pairwise configuration.   Again this does exactly what it says.  Rather than closing the two incidents it will actually delete them. 

The choice you make will depend on whether you want a record of the incidents kept for later review, or if you are happy for them to just be removed.

  Hope this helps

Dave Y

Ps.  When you are happy the thread is complete please close it by clicking on the "Accept as solution" button next to the appropriate entry.

MicroFocus Support
Viewed the Support tips? Search for "(NNMi) Support Tips" and order by Date to get the list
The views expressed in my contributions are my own and do not necessarily reflect the views and strategy of MicroFocus
If you find this or any post resolves your issue, please be sure to mark it as an accepted solution.

View solution in original post

0 Likes
21 Replies
Dave Young Acclaimed Contributor.
Acclaimed Contributor.

Re: OSPF trap correlation

Jump to solution

Hi,

  Without knowing the full trap details I can't be sure this will work, but the general approach to this sort of scenario would be to

1) Configure the "down" trap to be dampened for x seconds

2) Configure a Pairwise entry to pair and delete/close the down and the UP traps

  In this way if the up trap comes in while the down is dampened then the two will be paired and deleted or closed.  If it does not then the down trap will be displayedin the UI.  If you configure the pairwise with a "0" then when the UP does finally come in it should be paired with the down and then either delete or close it.

  Is this workable for you given the traps and the varbind payloads they carry?

  All the best

Dave Y

MicroFocus Support
Viewed the Support tips? Search for "(NNMi) Support Tips" and order by Date to get the list
The views expressed in my contributions are my own and do not necessarily reflect the views and strategy of MicroFocus
If you find this or any post resolves your issue, please be sure to mark it as an accepted solution.
0 Likes
Established Member.. HHirt
Established Member..

Re: OSPF trap correlation

Jump to solution

Hi Dave,

Thanks for your prompt reply, here's the details of the config (images). Please note that the down trap and up trap is the same, only a variable is different. I assume that a payload filter can do the distinguishment here?

Trap down : ciaName = .1.3.6.1.2.1.14.10.1.6 CiaValue = 8

Trap up: ciaName = .1.3.6.1.2.1.14.10.1.6 CiaValue = 1

But should I do the dampening on the SNMP Trap configuration > Dampening tab or Node Settings tab > My node group > Open then > Dampening tab ?

Thanks a lot for your reply

 

 

Tags (3)
0 Likes
Established Member.. HHirt
Established Member..

Re: OSPF trap correlation

Jump to solution

Ok this what I did for pairwise correlation (images), not sure if this is coherent here...

Dampening was enabled on the SNMP Trap config > Node Settings > MynodeName > Dampening with 3min.

 

 

 

Tags (3)
0 Likes
Dave Young Acclaimed Contributor.
Acclaimed Contributor.

Re: OSPF trap correlation

Jump to solution

Hi there,

  Where you have set the dampening configuration is correct.  If you have configured a node group entry within the trap configuration that is process the trap then you should dampen within that area.  If there is no node group configured, or if the trap source is not in the node group then you would dampen within the default configuraiton - the top layer.

  The configs look good.   You are matching on ospfNbrState and this variable OID ends with the .6 and you should not include any instance, which you have not.    Similarly in the "Matching criteria" this further qualifies the match which by default is for the same node, and where you may need to compare more varbinds to ensure you get the right pairing  e.g for link Up/Down you need to match the ifIndex varbind.    

  Looking at the oid you have provided in the matching criteria this is wrong.  This is the trap OID, for the ospfNbrStateChange and  so is not correct.  It needs to be a varbind OID that has the same value in both the traps and is unique to the pair. 

  All the best

Dave Y

Dave Y

  All the best

Dave Y

MicroFocus Support
Viewed the Support tips? Search for "(NNMi) Support Tips" and order by Date to get the list
The views expressed in my contributions are my own and do not necessarily reflect the views and strategy of MicroFocus
If you find this or any post resolves your issue, please be sure to mark it as an accepted solution.
0 Likes
Established Member.. HHirt
Established Member..

Re: OSPF trap correlation

Jump to solution

Thanks for your hints.

I attached here the values from the 2 traps (first is down =1 second is up = 😎

What can I use for the matching criteria first entry (OID?)? it will be always the same coming from the same node for a up/down but we can have other nodes sending similar traps.

Thanks

 

0 Likes
Dave Young Acclaimed Contributor.
Acclaimed Contributor.

Re: OSPF trap correlation

Jump to solution

Hi,

  Firstly you can take as a given that the traps being evaluated will have been sent from the same device - this is done by pairwise.   All you need to do is to match the Down (1) and the Up (8) in a way that ensure the Up is referring to the Down.  So in the examples you have the OIDs

 So you coulkd use either .1 or .3  which relate to the neighbour.  If you find the same neighbour may have the same IP but a different rtrid or vice versa then you could use both in the matching criteria form so that both have to be the same.

  All the best

Dave Y

MicroFocus Support
Viewed the Support tips? Search for "(NNMi) Support Tips" and order by Date to get the list
The views expressed in my contributions are my own and do not necessarily reflect the views and strategy of MicroFocus
If you find this or any post resolves your issue, please be sure to mark it as an accepted solution.
0 Likes
Established Member.. HHirt
Established Member..

Re: OSPF trap correlation

Jump to solution

Thanks for your reply.

So in my case the neighbor will be the same for a given down / up incident.

We have a router A wearing 10.10.10.10 and losing his neighbor router B wearing 10.10.10.11 for i.e.

My attempt here is to :

  1. Ensure if the router A loses router B NNMi wait for the up trap for 3min. After that delay (if no up even is received) the trap is handled and a automatic action is triggered, when a up trap is received for the same router A & B she is immediately handled (no 3min delay), closing the correlation.
  2. If before the 3min the same neighbor (router B) restored the link (up trap), we simply correlate and do nothing.

So in that scenario do I need to add something else in the matching criteria than 1.3.6.1.2.1.14.10.1.6 for first and second incident criteria ? (I'm not sure if we need to have several...).

Below how I configured it :

Screen Shot 11-08-16 at 04.03 PM.PNGScreen Shot 11-08-16 at 04.03 PM 001.PNG

Above here do I need also to put the pairwise to 3min like the dampening or let it as is ?

Thanks

0 Likes
Dave Young Acclaimed Contributor.
Acclaimed Contributor.

Re: OSPF trap correlation

Jump to solution

 

  Okay I think we are nearly there.

  So what you should have in the pairwise configuration is

First Incident Payload filter:    .1.3.6.1.2.1.14.10.1.6 CiaValue = 8

Second Incident Payload filter:  .1.3.6.1.2.1.14.10.1.6 CiaValue = 1

Matching Criteria:   1.3.6.1.2.1.14.10.1.1 (ospfNbrIpAddr)   and   1.3.6.1.2.1.14.10.1.3 (ospfNbrRtrId)

In the Duration field I would put a "0"  as this means "match the current parent to the last open child received.  In this way you shouldn't have any timing issues because of windows closing before the correlation occurs since you want to match the Down and the Up however long apart they are.

  Can you test this out and see if it works?

  All the best

Dave Y

MicroFocus Support
Viewed the Support tips? Search for "(NNMi) Support Tips" and order by Date to get the list
The views expressed in my contributions are my own and do not necessarily reflect the views and strategy of MicroFocus
If you find this or any post resolves your issue, please be sure to mark it as an accepted solution.
0 Likes
Established Member.. HHirt
Established Member..

Re: OSPF trap correlation

Jump to solution

Thanks again,

For the matchin criteria it should be like the first picture or the second ? :

Screen Shot 11-09-16 at 01.41 PM.PNGScreen Shot 11-09-16 at 01.43 PM.PNG

Thanks again

0 Likes
Dave Young Acclaimed Contributor.
Acclaimed Contributor.

Re: OSPF trap correlation

Jump to solution

 

  The first one.   Each row is an entry so you want to match the value of the .1 variable with both traps and then if these match, the .3 variable needs to be matched.  In the second configuration you would be matching the value of the .1 variable in the down trap with the .3 variable of the up trap and of course they won't match - as you are matching an IP address to an ID.

  All the best

Dave Y

MicroFocus Support
Viewed the Support tips? Search for "(NNMi) Support Tips" and order by Date to get the list
The views expressed in my contributions are my own and do not necessarily reflect the views and strategy of MicroFocus
If you find this or any post resolves your issue, please be sure to mark it as an accepted solution.
0 Likes
Established Member.. HHirt
Established Member..

Re: OSPF trap correlation

Jump to solution

Hi Dave,

I tested it and it is not working as expected.

When we have the first trap (neighbor down) with .1.3.6.1.2.1.14.10.1.6 at 1 the trap is directly visible and the action is done, no 3min delay to check if the .8 (neighbor up) is coming...

However the .8 (neighbor up) trap is therefore delayed for about 3min...

I tried to switch the rules saying first incident payload filter criteria is .1 and second ,8 but result is the same sadly for me...

Do I need to switch something on the matching criteria maybe?

Thanks again for your suggestions...

Regards

 

0 Likes
Dave Young Acclaimed Contributor.
Acclaimed Contributor.

Re: OSPF trap correlation

Jump to solution

Hi,

  Can you provide an example of an UP/Down pair of traps with all their varbinds and their values.  This will allow me to review the OIDs and their values, create the configurations you need to accomplish and test the scenario out.  If you take a screen shot of the Custom Attributes tab in the analysis pane of each trap this should be enough.

  All the best

Dave Y

MicroFocus Support
Viewed the Support tips? Search for "(NNMi) Support Tips" and order by Date to get the list
The views expressed in my contributions are my own and do not necessarily reflect the views and strategy of MicroFocus
If you find this or any post resolves your issue, please be sure to mark it as an accepted solution.
0 Likes
Established Member.. HHirt
Established Member..

Re: OSPF trap correlation

Jump to solution

Certainly, here's an example, 1st image is when it goes down (has to be holded for 3min and if the second event nbr up doesn't come the action should be taken) :

Neighbor downNeighbor downNeighbor upNeighbor up

Thanks for your hints

0 Likes
Highlighted
Established Member.. HHirt
Established Member..

Re: OSPF trap correlation

Jump to solution

small addition, nodes sending the traps are always 10.1.0.1 and 10.1.0.2

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.