
Author Topic: A lot of logs "ACLI WARNING Code=0x1ff0009 Blocked unauthorized ACLI access"  (Read 5767 times)


Offline gus

  • Rookie
  • **
  • Posts: 24
Hi!
I am getting these logs on one 8600 in an IST/SMLT topology with v7.1.3.0.
This started 11 hours ago and does not look like stopping.
Do you know what could cause this log output?

Thanks in advance.

This is a sample...

CPU5 [02/11/14 10:11:08] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
[02/11/14 10:11:08] The previous message repeated 2 time(s).
CPU5 [02/11/14 10:11:08] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 10:11:03] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
[02/11/14 10:11:03] The previous message repeated 2 time(s).
CPU5 [02/11/14 10:11:03] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 10:11:00] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
[02/11/14 10:11:00] The previous message repeated 2 time(s).
CPU5 [02/11/14 10:11:00] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 10:10:59] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
[02/11/14 10:10:59] The previous message repeated 2 time(s).
CPU5 [02/11/14 10:10:59] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 10:10:57] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
[02/11/14 10:10:57] The previous message repeated 2 time(s).
CPU5 [02/11/14 10:10:57] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 10:10:56] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
[02/11/14 10:10:56] The previous message repeated 2 time(s).
CPU5 [02/11/14 10:10:56] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 10:10:53] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
[02/11/14 10:10:53] The previous message repeated 2 time(s).
CPU5 [02/11/14 10:10:53] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 10:10:52] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
[02/11/14 10:10:52] The previous message repeated 2 time(s).
CPU5 [02/11/14 10:10:52] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 10:10:48] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
[02/11/14 10:10:48] The previous message repeated 2 time(s).
CPU5 [02/11/14 10:10:48] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 10:10:45] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
[02/11/14 10:10:45] The previous message repeated 2 time(s).
CPU5 [02/11/14 10:10:45] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 10:10:44] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
[02/11/14 10:10:44] The previous message repeated 2 time(s).
CPU5 [02/11/14 10:10:44] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 10:10:42] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
[02/11/14 10:10:42] The previous message repeated 2 time(s).
CPU5 [02/11/14 10:10:42] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 10:10:41] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
[02/11/14 10:10:41] The previous message repeated 2 time(s).
CPU5 [02/11/14 10:10:41] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 10:10:38] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
[02/11/14 10:10:38] The previous message repeated 2 time(s).
CPU5 [02/11/14 10:10:38] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 10:10:37] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
[02/11/14 10:10:37] The previous message repeated 2 time(s).
CPU5 [02/11/14 10:10:37] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 10:10:33] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
[02/11/14 10:10:33] The previous message repeated 2 time(s).
CPU5 [02/11/14 10:10:33] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 10:10:32] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access



Offline Flintstone

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 961
Hi Gus,

It looks like your 8600 can no longer authenticate with TACACS. Is the TACACS password you are using correct?

CheerZ

Offline gus

  • Rookie
  • **
  • Posts: 24
Hi Flintstone,
When someone makes a bad login, these data are shown in the logs.
In the other logs, there is no information.

NEWS
After 12 hours of continuous logs (thousands), the 8600 froze and I had to reset it.

BAD LOGIN
CPU5 [02/11/14 12:25:37] SW INFO User xxxxxx tried to connect through blocked access level from x.x.x.x via SSH
[02/11/14 12:25:37] The previous message repeated 2 time(s).
CPU5 [02/11/14 12:25:37] TACACS+ ERROR TACACS+ authentication failed
CPU5 [02/11/14 12:25:36] SNMP INFO SSH new session login
CPU5 [02/11/14 12:25:36] SSH INFO SSH: User xxxxx login /pty/sshd1. from x.x.x.x
CPU5 [02/11/14 12:25:36] SSH INFO Accepted password for ROOT from x.x.x.x port 1567 ssh2
CPU5 [02/11/14 12:25:33] SSH INFO kex:chosen algorithms for server->client: encryption:aes256-cbc mac:hmac-sha1 compression:none
CPU5 [02/11/14 12:25:33] SSH INFO kex:chosen algorithms for client->server: encryption:aes256-cbc mac:hmac-sha1 compression:none
CPU5 [02/11/14 12:25:33] SSH INFO New connection from ip x.x.x.x port 1567

Offline TankII

  • Hero Member
  • *****
  • Posts: 556
Did someone deploy WhatsUp Gold or SolarWinds (or another NMS)? If they detect SSH, they will check its availability by opening a connection but not authenticating against it, unless SSH credentials are added to the system's credentials list.
TankII

Offline Flintstone

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 961
Hi Gus,

If not SNMP management, is there anyone running "pen testing scripts"?  Who owns the source IP address?

CheerZ

Offline gus

  • Rookie
  • **
  • Posts: 24
Hi, as you can see there is no source IP address.
They appear to be attempts from the console, but obviously no one is connected to this equipment.

Particularly this line:
SW WARNING Maximum number of login attempts reached for console.
Lock out for 60 seconds.


Today we have had to reset this switch twice because of this issue.

CPU5 [02/11/14 15:13:57] TACACS+ ERROR TACACS+ authentication failed
[02/11/14 15:13:57] The previous message repeated 2 time(s).         
CPU5 [02/11/14 15:13:57] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/11/14 15:13:58] TACACS+ ERROR TACACS+ authentication failed
The previous message repeated 2 time(s).         
CPU5 [02/11/14 15:13:58] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/11/14 15:13:58] SW WARNING Maximum number of login attempts reached for console.
Lock out for 60 seconds.


CPU5 [02/11/14 15:15:05] TACACS+ ERROR TACACS+ authentication failed
[02/11/14 15:15:05] The previous message repeated 2 time(s).         
CPU5 [02/11/14 15:15:05] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/11/14 15:15:15] TACACS+ ERROR TACACS+ authentication failed
[02/11/14 15:15:15] The previous message repeated 2 time(s).         
CPU5 [02/11/14 15:15:15] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/11/14 15:15:16] TACACS+ ERROR TACACS+ authentication failed
The previous message repeated 2 time(s).

Thanks!

Offline gus

  • Rookie
  • **
  • Posts: 24
Hi guys

Update
I disabled TACACS and now the logs show the following:

[02/12/14 09:29:50] The previous message repeated 66 time(s).         
CPU5 [02/12/14 09:23:40] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 09:23:38] HW INFO System activity performed
[02/12/14 09:23:36] The previous message repeated 91 time(s).         
CPU5 [02/12/14 09:15:08] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 09:10:14] KHI TEST Logging idle test message.
[02/12/14 09:00:00] The previous message repeated 68 time(s).         
CPU5 [02/12/14 08:53:38] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 08:52:33] SW WARNING Maximum number of login attempts reached for console.
Lock out for 60 seconds.

[02/12/14 08:52:33] The previous message repeated 229 time(s).       
CPU5 [02/12/14 08:31:21] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 08:30:16] SW WARNING Maximum number of login attempts reached for console.
Lock out for 60 seconds.

[02/12/14 08:30:16] The previous message repeated 75 time(s).         
CPU5 [02/12/14 08:23:27] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 08:23:26] HW INFO System activity performed
[02/12/14 08:23:23] The previous message repeated 53 time(s).         
CPU5 [02/12/14 08:18:26] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 08:16:21] SNMP INFO Smlt Link Up Trap(SmltId=25)
CPU5 [02/12/14 08:16:21] MLT INFO SMLT 25 UP
CPU5 [02/12/14 08:09:58] KHI TEST Logging idle test message.
[02/12/14 08:03:20] The previous message repeated 304 time(s).       
CPU5 [02/12/14 07:35:10] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 07:34:05] SW WARNING Maximum number of login attempts reached for console.
Lock out for 60 seconds.

[02/12/14 07:34:05] The previous message repeated 38 time(s).         
CPU5 [02/12/14 07:30:50] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 07:29:45] SW WARNING Maximum number of login attempts reached for console.
Lock out for 60 seconds.

[02/12/14 07:29:45] The previous message repeated 6 time(s).         
CPU5 [02/12/14 07:29:11] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 07:28:05] SW WARNING Maximum number of login attempts reached for console.
Lock out for 60 seconds.

[02/12/14 07:28:05] The previous message repeated 3 time(s).         
CPU5 [02/12/14 07:27:58] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 07:26:54] SW WARNING Maximum number of login attempts reached for console.
Lock out for 60 seconds.

[02/12/14 07:26:54] The previous message repeated 2 time(s).         
CPU5 [02/12/14 07:26:53] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 07:25:47] SW WARNING Maximum number of login attempts reached for console.
Lock out for 60 seconds.

[02/12/14 07:25:47] The previous message repeated 3 time(s).         
CPU5 [02/12/14 07:25:41] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 07:24:36] SW WARNING Maximum number of login attempts reached for console.
Lock out for 60 seconds.

[02/12/14 07:24:36] The previous message repeated 15 time(s).         
CPU5 [02/12/14 07:23:23] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 07:23:17] HW INFO System activity performed
[02/12/14 07:23:10] The previous message repeated 5 time(s).         
CPU5 [02/12/14 07:22:49] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 07:21:44] SW WARNING Maximum number of login attempts reached for console.
Lock out for 60 seconds.

[02/12/14 07:21:44] The previous message repeated 4 time(s).         
CPU5 [02/12/14 07:21:31] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 07:20:28] SW WARNING Maximum number of login attempts reached for console.
Lock out for 60 seconds.

[02/12/14 07:20:28] The previous message repeated 2 time(s).         
CPU5 [02/12/14 07:20:26] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 07:19:20] SW WARNING Maximum number of login attempts reached for console.
Lock out for 60 seconds.
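
The lockout-and-resume pattern in the log above can be measured with a short parser. This is an added example, not part of the original post or any Avaya tooling; the function names are hypothetical, and it assumes MM/DD/YY timestamps and that "repeated N time(s)" means N further occurrences of the preceding message.

```python
import re
from datetime import datetime

# Excerpt copied from the log posted above (newest entry first, as posted).
SAMPLE = """\
[02/12/14 07:21:44] The previous message repeated 4 time(s).
CPU5 [02/12/14 07:21:31] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 07:20:28] SW WARNING Maximum number of login attempts reached for console.
Lock out for 60 seconds.
[02/12/14 07:20:28] The previous message repeated 2 time(s).
CPU5 [02/12/14 07:20:26] ACLI WARNING  Code=0x1ff0009 Blocked unauthorized ACLI access
CPU5 [02/12/14 07:19:20] SW WARNING Maximum number of login attempts reached for console.
Lock out for 60 seconds.
"""

STAMPED = re.compile(r"^(?:CPU\d+ )?\[(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\] (.+)$")
REPEAT = re.compile(r"The previous message repeated (\d+) time\(s\)")
BLOCKED = "Blocked unauthorized ACLI access"
LOCKOUT = "Maximum number of login attempts reached for console"

def parse(text):
    """Return chronological [timestamp, message, count] events, repeats folded in."""
    rows = []
    for raw in text.splitlines():
        m = STAMPED.match(raw.strip())
        if m:  # continuation lines ("Lock out for 60 seconds.") carry no timestamp
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")  # assumes MM/DD/YY
            rows.append((ts, m.group(2)))
    if rows and rows[0][0] > rows[-1][0]:
        rows.reverse()  # newest-first listing: a repeat line now follows its message
    events = []
    for ts, msg in rows:
        rep = REPEAT.search(msg)
        if rep and events:
            events[-1][2] += int(rep.group(1))  # assumption: N beyond the first
        elif not rep:
            events.append([ts, msg, 1])
    return events

def summarize(events):
    """Count blocked attempts and measure how soon they resume after each lockout."""
    blocked = [(ts, n) for ts, msg, n in events if BLOCKED in msg]
    gaps = []
    for lock, msg, _ in events:
        if LOCKOUT in msg:
            nxt = [ts for ts, _ in blocked if ts > lock]
            gaps += [int((min(nxt) - lock).total_seconds())] if nxt else []
    return {"blocked": sum(n for _, n in blocked), "lockouts": len(
        [1 for _, msg, _ in events if LOCKOUT in msg]), "resume_gaps_s": gaps}
```

On this excerpt, `summarize(parse(SAMPLE))` shows blocked attempts resuming 66 and 63 seconds after each 60-second console lockout; running it over the full log shows whether that fixed cadence holds throughout.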

Offline Flintstone

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 961
Hi Gus,

Can you set up a sniffer to work out what is trying to access your box?

CheerZ

Offline gus

  • Rookie
  • **
  • Posts: 24
Hi Flintstone, thanks for your answer.
First, sorry for my English.
The 8600 has 120 interfaces, so it is very difficult to run a sniffer.
Also, a few months ago the same thing happened on this 8600, but with another CPU card (same model) and another version (5.1.3.1).
So we performed the following test: we turned on the switch without I/O modules and with only one CPU card; after two days in this state, the same events occurred again.
Avaya engineers are currently verifying this behavior.

Thanks

Offline TankII

  • Hero Member
  • *****
  • Posts: 556
We went from 5.1.1.1 to 5.1.6.2 (controlled release) and avoided the versions in between due to lots of reported bugs, and only needing OSPF bug fixes at the time. We are now on 5.1.8.2 (GA), and things have been very stable.
I would seriously upgrade to 5.1.8.2 (5.17 minimum) and see if the issue goes away.

TankII