
Airwave does excessive logins to controllers which are being monitored
Problem:

The customer has a master-local setup of AOS controllers that are monitored via Airwave. The telnet/SSH credentials are provided so that Airwave can "audit" the configuration of the controllers.

 

In the controller's audit trail logs, excessive logins from Airwave's IP address are seen, with multiple sessions daily.



Diagnostics:

In the audit trail logs on the controller, we would see something like the following.

 

Dec  17 04:25:24  fpcli: USER: awave has logged in from a.b.c.d.
Dec  17 04:25:24  fpcli: USER:awave@a.b.c.d COMMAND:<no paging > -- command executed successfully
Dec  17 04:25:24  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:26:08  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:27:11  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:28:13  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:29:14  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:30:16  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:31:18  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:32:20  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:33:22  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:34:23  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:35:25  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:36:27  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:37:29  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:38:31  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:39:33  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:40:35  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:41:36  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:42:37  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:43:38  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:44:39  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:45:41  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:46:44  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:47:07  fpcli: USER: awave connected from a.b.c.d has logged out.
Dec  17 09:30:11  fpcli: USER: awave has logged in from a.b.c.d.
Dec  17 09:30:11  fpcli: USER:awave@a.b.c.d COMMAND:<no paging > -- command executed successfully
Dec  17 09:30:11  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 09:30:15  fpcli: USER: awave connected from a.b.c.d has logged out.
Dec  17 09:33:26  fpcli: USER: awave has logged in from a.b.c.d.
Dec  17 09:33:26  fpcli: USER:awave@a.b.c.d COMMAND:<no paging > -- command executed successfully
Dec  17 09:33:26  fpcli: USER:awave@a.b.c.d COMMAND:<encrypt disable > -- command executed successfully
Dec  17 09:33:29  fpcli: USER: awave connected from a.b.c.d has logged out.
 

 

We can check the telnet command logs for the specific controller on Airwave.

 

The logs reside under /var/log/system/ap/<ap-id>

The telnet command logs also show which commands were run on the controller, along with their output.



Solution

We have a couple of things to check here.

 

1: Check how often "Audit" is configured to run. It is configured under AMP Setup - General tab.

 

If the option is set to "Daily", AMP must log in to the controller only once daily.

 

However, by design, Airwave performs a forced "audit" of a device if it sees the device go down and come back up. This is done to check the integrity of the configuration, and the AMP admin can set triggers to alert users if the config changes.

 

So if we have a setup with multiple APs and a few of them go up and down in a day, we expect to see an increased number of logins. Let's say we see 2 APs going down; the controller will then see 3 logins from AMP on that specific day.
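The login arithmetic above (one scheduled audit plus one forced audit per down/up event) can be checked against the controller's audit trail. The Python below is an added example, not part of the original article or of Airwave; the function names, the `down_up_events` input and the 192.0.2.10 address standing in for a.b.c.d are assumptions for illustration.

```python
import re
from collections import Counter
# Patterns follow the audit-trail line format shown in the article.
TS = r"^(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+fpcli: "
LOGIN = re.compile(TS + r"USER: (\S+) has logged in from (\S+?)\.$")
LOGOUT = re.compile(TS + r"USER: (\S+) connected from (\S+) has logged out\.$")
COMMAND = re.compile(TS + r"USER:(\S+)@(\S+) COMMAND:<(.*?)\s*>")

def parse_sessions(lines, user):
    """Group lines into login..logout sessions (assumes no overlapping sessions)."""
    sessions, current = [], None
    for line in map(str.strip, lines):
        if (m := LOGIN.match(line)) and m.group(4) == user:
            current = {"day": f"{m.group(1)} {m.group(2)}", "start": m.group(3),
                       "end": None, "source": m.group(5), "commands": []}
            sessions.append(current)
        elif (m := LOGOUT.match(line)) and m.group(4) == user and current:
            current["end"] = m.group(3)
            current = None
        elif (m := COMMAND.match(line)) and m.group(4) == user and current:
            current["commands"].append(m.group(6))
    return sessions

def excess_logins(sessions, down_up_events, scheduled_per_day=1):
    """Per day: logins beyond the scheduled audit plus one forced audit per down/up event."""
    excess = {}
    for day, seen in Counter(s["day"] for s in sessions).items():
        expected = scheduled_per_day + down_up_events.get(day, 0)
        if seen > expected:
            excess[day] = seen - expected
    return excess

# Constructed sample in the article's log format; 192.0.2.10 stands in for a.b.c.d.
SAMPLE = """\
Dec  17 04:25:24  fpcli: USER: awave has logged in from 192.0.2.10.
Dec  17 04:25:24  fpcli: USER:awave@192.0.2.10 COMMAND:<no paging > -- command executed successfully
Dec  17 04:25:24  fpcli: USER:awave@192.0.2.10 COMMAND:<encrypt disable > -- command executed successfully
Dec  17 04:47:07  fpcli: USER: awave connected from 192.0.2.10 has logged out.
Dec  17 09:30:11  fpcli: USER: awave has logged in from 192.0.2.10.
Dec  17 09:30:15  fpcli: USER: awave connected from 192.0.2.10 has logged out.
Dec  17 09:33:26  fpcli: USER: awave has logged in from 192.0.2.10.
Dec  17 09:33:29  fpcli: USER: awave connected from 192.0.2.10 has logged out.
Dec  17 14:02:40  fpcli: USER: awave has logged in from 192.0.2.10.
Dec  17 14:02:44  fpcli: USER: awave connected from 192.0.2.10 has logged out.
""".splitlines()

if __name__ == "__main__":
    # Assumed input: two APs went down and came back up on Dec 17.
    print(excess_logins(parse_sessions(SAMPLE, "awave"), {"Dec 17": 2}))
```

A non-empty result means the controller saw more sessions from the monitoring account than the audit schedule and recorded down/up events explain, which is the point at which to inspect the per-session source address and command list.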

Version history
Revision #: 2 of 2
Last update: 03-14-2017 08:06 AM