Recently I came accross an issue where the team mailbox was being flooded by alerts from SSMC concerning authentication failures. Authentication failures are Security events of the HPE Primera / 3PAR / Alletra array that are triggered when a authentication failure occurrs.
These authentication failures may occur due to different reasons:
- An (LDAP) account being locked
- An (LDAP) account missing permissions
- An open session where the password is no longer correct
- Different sessions hanging in CLI / SSMC or the old 3PAR Management Console
The alert in SSMC looks like this:
Recommended Action Description: An instance of the CLI client unsuccessfully attempted multiple logins within a short period of time. This may be due to an application trying to access the storage system with incorrect login credentials. Resolution: Ensure that attempts to login are using the correct credentials. General System STORARRAY01 Serial number CZ10251XXX Type Authentication failure ID 497 Message code 0x0150006 Origin System Component Detected by node 3 Component CLI Spare Part Number Frequency Repeat count 3 Last time May 11, 2023 1:54:42 PM CEST First time Nov 11, 2022 3:33:28 AM CET
The easiest way to determine the culprit is by using CLI.
- Open a CLI session with your superuser
- Using the following command look up the logs for any authentication failures
showeventlog -startt "2023-05-11 13:00" -endt "2023-05-11 14:41"
- You can further adapt your search query with the following:
showeventlog -startt "2023-05-11 13:00" -endt "2023-05-11 14:41" -msg "Authentication failure"
- The command from step 2 will give you a view on what’s happening on your 3PAR / Primera array
Time : 2023-05-11 13:53:51.13 CEST
Node : 3
Seq : 247534823
Class : Notification
Severity : Minor
Type : Command error permission denied
Component : sw_cli
Tier : Security
Message : {storcom_admin super {{0 8}} -1 10.12.123.123:60083 4840} getportfcoe: Permission denied".Time : 2023-05-11 13:54:42.21 CEST
Node : 3
Seq : 247535633
Class : Alert
Severity : Major
Type : Authentication failure
Component : sw_cli
Tier : Security
Message : 12 authentication failures in 120 secs.
- The source of the issue can be traced by performing a ping to the IP address mentioned above
ping -a 10.12.123.123
will give you the alias of the source system. - From the screenshot above we see that the 12 authentication failures are coming from user storcom_admin due to a Permission denied.
In my case the user storcom_admin is an LDAP/AD user which was locked out leading to authentication errors on the Primera array.
Any suggestion or question? Leave a reply below, or feel free to contact us. Make sure to subscribe to our mailing list to get the latest.