Hatibi
Staff & Editor
October 14, 2024

Technical Tip: Investigate frequent/excessive SSH logins to Inventory Switches

Description
This article describes how to identify the actions and commands applied by FortiNAC when it is observed to be frequently attempting SSH logins to network switches under its control.

Scope
FortiNAC.
Solution

Depending on how a device is modeled, FortiNAC applies different commands to switches over SSH in order to poll them, read VLANs, or perform other actions.

In some cases FortiNAC may open many SSH sessions to the same switch within a minute. In large environments this shows up in the switch logs as a burst of logins from the FortiNAC address, which is easily mistaken for anomalous or brute-force activity and can trigger security alerts, and the repeated authentication load affects switch and network performance.

 

To identify why this is happening, enable debugging in FortiNAC and tail the messages written to the output.master log file as follows:

 

  • FortiNAC (CentOS):

 

logs

nacdebug -name BridgeManager true
nacdebug -name InterfacePortManager true
nacdebug -name IPAddressToMac true
nacdebug -name L2ProactivePollManager true
nacdebug -name BridgingUpdates true
Device -ip X.X.X.X -setAttr -name DEBUG -value "ForwardingInterface TelnetServer" <- Replace X.X.X.X with the switch IP.
tf output.master

 

 

  • FortiNAC-F (NACOS) v7.4 and above:

 

diagnose network device set attribute DEBUG "ForwardingInterface TelnetServer" ip X.X.X.X <- Replace X.X.X.X with the switch IP.

diagnose debug plugin enable BridgeManager
diagnose debug plugin enable InterfacePortManager
diagnose debug plugin enable IPAddressToMac
diagnose debug plugin enable L2ProactivePollManager
diagnose debug plugin enable BridgingUpdates
diagnose tail -F output.master
 
When finished recreating the issue, stop the tail command with Ctrl+C and disable debugging, so that the verbose logging is not left enabled on the appliance:
 
  • FortiNAC (CentOS)
 
nacdebug -name BridgeManager false
nacdebug -name InterfacePortManager false
nacdebug -name IPAddressToMac false
nacdebug -name L2ProactivePollManager false
nacdebug -name BridgingUpdates false
Device -ip X.X.X.X -delAttr -name DEBUG <- Replace X.X.X.X with the switch IP.
 
  • FortiNAC-F (NACOS) v7.4 and above:
diagnose network device delete attribute DEBUG ip X.X.X.X <- Replace X.X.X.X with the switch IP.
diagnose debug plugin disable BridgeManager
diagnose debug plugin disable InterfacePortManager
diagnose debug plugin disable IPAddressToMac
diagnose debug plugin disable L2ProactivePollManager
diagnose debug plugin disable BridgingUpdates
 
To confirm the SSH login sessions from the side of the third-party network device (the switch), enable CLI debugging on the switch or take a packet capture.
 
Example CLI command to monitor login attempts on Cisco switches (syslog messages are echoed to the current terminal session; the %SEC_LOGIN-5-LOGIN_SUCCESS messages shown below are only generated when the switch is configured with login on-success log):
 
terminal monitor 
 
The Cisco CLI output will print the following:
 
Sep 5 12:17:55: %SYS-6-LOGOUT: User FortiNAC has exited tty session 5(192.168.20.2)
Sep 5 12:17:56: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: FortiNAC] [Source: 192.168.20.2] [localport: 22] at 12:17:56 CET Thu Sep 5 2024
Sep 5 12:17:56: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: FortiNAC] [Source: 192.168.20.2] [localport: 22] at 12:17:56 CET Thu Sep 5 2024
Sep 5 12:17:57: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: FortiNAC] [Source: 192.168.20.2] [localport: 22] at 12:17:57 CET Thu Sep 5 2024
Sep 5 12:17:58: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: FortiNAC] [Source: 192.168.20.2] [localport: 22] at 12:17:58 CET Thu Sep 5 2024
Sep 5 12:17:59: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: FortiNAC] [Source: 192.168.20.2] [localport: 22] at 12:17:59 CET Thu Sep 5 2024
Sep 5 12:18:00: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: FortiNAC] [Source: 192.168.20.2] [localport: 22] at 12:18:00 CET Thu Sep 5 2024
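A small detection script for the switch side, added here as an example (it is not part of the original article and not FortiNAC or Cisco code): it parses the %SEC_LOGIN-5-LOGIN_SUCCESS lines shown above, counts successful logins per (user, source IP) in a sliding 60-second window, and reports every source that reaches a threshold. The sample lines are the ones from the console output above; the threshold of 5 logins per minute, the 60-second window and the year supplied for the IOS timestamps (which carry none) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Sample lines reproduced from the article's Cisco console output; the LOGOUT
# line is kept to show that messages other than LOGIN_SUCCESS are ignored.
SAMPLE_LOG = """\
Sep 5 12:17:55: %SYS-6-LOGOUT: User FortiNAC has exited tty session 5(192.168.20.2)
Sep 5 12:17:56: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: FortiNAC] [Source: 192.168.20.2] [localport: 22] at 12:17:56 CET Thu Sep 5 2024
Sep 5 12:17:56: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: FortiNAC] [Source: 192.168.20.2] [localport: 22] at 12:17:56 CET Thu Sep 5 2024
Sep 5 12:17:57: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: FortiNAC] [Source: 192.168.20.2] [localport: 22] at 12:17:57 CET Thu Sep 5 2024
Sep 5 12:17:58: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: FortiNAC] [Source: 192.168.20.2] [localport: 22] at 12:17:58 CET Thu Sep 5 2024
Sep 5 12:17:59: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: FortiNAC] [Source: 192.168.20.2] [localport: 22] at 12:17:59 CET Thu Sep 5 2024
Sep 5 12:18:00: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: FortiNAC] [Source: 192.168.20.2] [localport: 22] at 12:18:00 CET Thu Sep 5 2024
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d): "
    r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)

Event = Tuple[datetime, str, str, int]


def parse_logins(text: str, year: int = 2024) -> List[Event]:
    """Return (timestamp, user, source_ip, local_port) for every LOGIN_SUCCESS line.

    IOS syslog timestamps carry no year, so one is supplied (assumed: 2024, as in the article).
    """
    events: List[Event] = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the "Sep  5" day padding IOS emits
        ts = datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")
        events.append((ts, m["user"], m["src"], int(m["port"])))
    return events


def find_bursts(events: List[Event], threshold: int = 5,
                window: timedelta = timedelta(seconds=60)) -> Dict[Tuple[str, str], int]:
    """Sliding-window login count per (user, source).

    Returns, for each key that reached `threshold`, the peak number of logins seen
    inside any single `window`.
    """
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    peak: Dict[Tuple[str, str], int] = defaultdict(int)
    for ts, user, src, _port in sorted(events):
        key = (user, src)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop logins that have fallen out of the window
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return {k: n for k, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    logins = parse_logins(SAMPLE_LOG)
    for (user, src), n in find_bursts(logins).items():
        print(f"ALERT: {n} successful SSH logins by {user!r} from {src} within 60s")
```

Tune the threshold to the expected polling cadence of the NAC account: a FortiNAC that opens one session per MAC address, as in this article, exceeds any reasonable per-minute limit during a single poll, which is exactly the condition worth alerting on.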
 
Filtered output from the FortiNAC debug log shows that it reads the VLAN for each MAC address entry in a separate session: it logs in over SSH, retrieves the information, and logs out, then repeats the same sequence for the next MAC address.
 
FortiNAC IP: 192.168.20.2
Cisco Switch IP: 192.168.30.1
 
output.master log entries (filtered):
 
yams INFO :: 2024-09-05 12:17:59:439 :: #2093 :: Thread:DevicePluginThread1, IP:192.168.30.1 - Connect time=9ms, Auth time=857ms
yams INFO :: 2024-09-05 12:17:59:439 :: #2093 :: TelnetMibObject = TelnetMibObject:
Name = GetCurrentVLAN
Attribute = GetCurrentVLAN
Group = GetCurrentVLAN
Number of Mib Elements = 2
  TelnetCommand:
    Name = show mac address-table | include {0}
    Type = SET
  TelnetCommand:
    Name = #

yams INFO :: 2024-09-05 12:17:59:698 :: #2093 :: Thread:DevicePluginThread1 - RETVAL returned = show mac address-table | include 5067.aexx.xxxx
6 5067.aexx.xxxx STATIC Gi1/0/9
CiscoSwitch#
yams INFO :: 2024-09-05 12:17:59:698 :: #2093 :: TelnetMibObject = TelnetMibObject:
Name = Logout
Attribute = Logout
Group = Logout
Number of Mib Elements = 1
  TelnetCommand:
    Name = exit
    Type = WRITE

yams INFO :: 2024-09-05 12:17:59:698 :: #2093 :: Thread:DevicePluginThread1 - Command WRITE = exit

FortiNAC then opens a new SSH session to the switch in order to get the result for the next MAC address.

yams INFO :: 2024-09-05 12:17:59:712 :: #2093 :: SSH2 session timeout = 63000
yams INFO :: 2024-09-05 12:17:59:712 :: #2093 :: IP=192.168.30.1, keyboard-interactive = false
yams INFO :: 2024-09-05 12:17:59:712 :: #2093 :: SSH2: Connecting to 192.168.30.1 port 22
yams INFO :: 2024-09-05 12:17:59:722 :: #2093 :: SSH2: Connection to 192.168.30.1 succeeded
yams INFO :: 2024-09-05 12:17:59:722 :: #2093 :: SSH2: Authenticating to 192.168.30.1
yams INFO :: 2024-09-05 12:17:59:848 :: #2094 :: TelnetSession.waitfor() ip = 192.168.30.1 num bytes = 35
yams INFO :: 2024-09-05 12:17:59:848 :: #2094 :: Thread:DevicePluginThread2 - CONNECT WAIT_FOR returned:
terminal length 0
CiscoSwitch#
yams INFO :: 2024-09-05 12:17:59:848 :: #2094 :: Thread:DevicePluginThread2, IP:192.168.30.1 - Connect time=23ms, Auth time=779ms
yams INFO :: 2024-09-05 12:17:59:848 :: #2094 :: TelnetMibObject = TelnetMibObject:
Name = GetCurrentVLAN
Attribute = GetCurrentVLAN
Group = GetCurrentVLAN
Number of Mib Elements = 2
  TelnetCommand:
    Name = show mac address-table | include {0}
    Type = SET
  TelnetCommand:
    Name = #
    Type = RETVAL

yams INFO :: 2024-09-05 12:17:59:848 :: #2094 :: Thread:DevicePluginThread2 - SET =show mac address-table | include 5067.aeyy.yyyy
yams INFO :: 2024-09-05 12:17:59:848 :: #2094 :: write = show mac address-table | include 5067.aeyy.yyyy
yams INFO :: 2024-09-05 12:17:59:848 :: #2094 :: Thread:DevicePluginThread2 - Command RETVAL = #
yams INFO :: 2024-09-05 12:17:59:848 :: #2094 :: TelnetServer:generateMatchingArray - #
yams INFO :: 2024-09-05 12:17:59:878 :: #2092 :: SSH2: Authentication to 192.168.30.1 succeeded
yams INFO :: 2024-09-05 12:17:59:880 :: #2092 :: Thread:DevicePluginThread0 - CONNECT WAIT_FOR = #
yams INFO :: 2024-09-05 12:17:59:880 :: #2092 :: TelnetServer:generateMatchingArray - #
yams INFO :: 2024-09-05 12:18:00:126 :: #2094 :: TelnetSession.waitfor() ip = 192.168.30.1 num bytes = 113
yams INFO :: 2024-09-05 12:18:00:126 :: #2094 :: Thread:DevicePluginThread2 - RETVAL returned = show mac address-table | include 5067.aeyy.yyyy
6 5067.aeyy.yyyy STATIC Gi1/0/8
CiscoSwitch#
yams INFO :: 2024-09-05 12:18:00:126 :: #2094 :: TelnetMibObject = TelnetMibObject:
Name = Logout
Attribute = Logout
Group = Logout
Number of Mib Elements = 1
  TelnetCommand:
    Name = exit
    Type = WRITE

In the affected releases this behavior is intentional in the code for the modeled device; it is not a misconfiguration on the switch or in FortiNAC.
The per-MAC-address login pattern shown in this example is addressed in FortiNAC releases 7.2.6, 7.4.1, 7.6.0, 9.4.7 and later.
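To attribute the login rate on the FortiNAC side rather than just count it on the switch, the following added example (not FortiNAC's own code and not part of the original article) groups output.master-style debug lines into SSH sessions per worker thread (the #NNNN field), using the "SSH2: Connecting to", "Connect time=..., Auth time=...", "write = show mac address-table | include <MAC>" and "Command WRITE = exit" messages seen in the excerpt above. It then reports how many MAC addresses were queried per completed session, which is 1.0 for the behavior this article describes, together with the mean authentication time paid for each of them. The sample log is constructed by condensing the excerpt above: the line formats are the article's, but the exact sequence of lines, and the "write =" line for thread #2093, are assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample, condensed from the article's output.master excerpt
# (line formats as shown there; the exact sequence of lines is an assumption).
SAMPLE_LOG = """\
yams INFO :: 2024-09-05 12:17:59:439 :: #2093 :: Thread:DevicePluginThread1, IP:192.168.30.1 - Connect time=9ms, Auth time=857ms
yams INFO :: 2024-09-05 12:17:59:440 :: #2093 :: write = show mac address-table | include 5067.aexx.xxxx
yams INFO :: 2024-09-05 12:17:59:698 :: #2093 :: Thread:DevicePluginThread1 - Command WRITE = exit
yams INFO :: 2024-09-05 12:17:59:712 :: #2093 :: SSH2: Connecting to 192.168.30.1 port 22
yams INFO :: 2024-09-05 12:17:59:848 :: #2094 :: Thread:DevicePluginThread2, IP:192.168.30.1 - Connect time=23ms, Auth time=779ms
yams INFO :: 2024-09-05 12:17:59:848 :: #2094 :: write = show mac address-table | include 5067.aeyy.yyyy
yams INFO :: 2024-09-05 12:18:00:126 :: #2094 :: Thread:DevicePluginThread2 - Command WRITE = exit
"""

LINE_RE = re.compile(
    r"^yams \w+ :: (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3}) :: #(?P<thread>\d+) :: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"SSH2: Connecting to (?P<ip>\S+) port \d+")
TIMING_RE = re.compile(r"IP:(?P<ip>\S+) - Connect time=(?P<connect>\d+)ms, Auth time=(?P<auth>\d+)ms")
QUERY_RE = re.compile(r"^write = show mac address-table \| include (?P<mac>\S+)")
LOGOUT_RE = re.compile(r"Command WRITE = exit$")


@dataclass
class Session:
    thread: str
    ip: str
    started: datetime
    auth_ms: Optional[int] = None
    macs: List[str] = field(default_factory=list)
    closed: bool = False


def parse_sessions(text: str) -> List[Session]:
    """Group debug lines into one Session per SSH login, tracked per worker thread."""
    open_by_thread: Dict[str, Session] = {}
    sessions: List[Session] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S:%f")
        thread, msg = m["thread"], m["msg"]
        cur = open_by_thread.get(thread)
        c = CONNECT_RE.search(msg)
        t = TIMING_RE.search(msg)
        q = QUERY_RE.search(msg)
        if c:
            cur = Session(thread, c["ip"], ts)
            sessions.append(cur)
            open_by_thread[thread] = cur
        elif t:
            if cur is None:
                # Excerpt began mid-session: the timing line is the first evidence of it.
                cur = Session(thread, t["ip"], ts)
                sessions.append(cur)
                open_by_thread[thread] = cur
            cur.auth_ms = int(t["auth"])
        elif cur is not None and q:
            cur.macs.append(q["mac"])
        elif cur is not None and LOGOUT_RE.search(msg):
            cur.closed = True
            del open_by_thread[thread]
    return sessions


def summarize(sessions: List[Session]) -> dict:
    """Cost of the lookups: MACs queried per completed session and mean auth time."""
    done = [s for s in sessions if s.closed]
    macs = sum(len(s.macs) for s in done)
    auth = [s.auth_ms for s in done if s.auth_ms is not None]
    return {
        "sessions": len(done),
        "macs_queried": macs,
        "macs_per_session": macs / len(done) if done else 0.0,
        "avg_auth_ms": sum(auth) / len(auth) if auth else 0.0,
    }


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    for s in found:
        print(f"#{s.thread} {s.ip} {s.started.time()} auth={s.auth_ms}ms macs={s.macs} closed={s.closed}")
    print(summarize(found))
```

A macs_per_session close to 1.0 over a real capture confirms the pattern described in this article; a value well above 1 means the switch is being queried in batches and the login rate has some other cause, which is worth knowing before opening the support ticket below.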
 
When this issue is identified, open a technical support ticket and provide the following files:
 
  1. FortiNAC system logs, collected as described above.
  2. Event logs from FortiNAC exported in Excel format, covering the time of the issue.
  3. FortiNAC CLI output saved in a text file.
  4. CLI output from the third-party device showing the timestamps and SSH login attempts.

 

Related documents:

Technical Tip: FortiNAC general troubleshooting guide