A lot of Connection from UDP

Hi,
I noticed in the syslog of my server that there are many UDP connections in a short time. Is this normal in your opinion?

Thank you

Here are the logs:

Nov 16 12:42:42 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:34391->[$IP_MONITORED_HOST]:161
Nov 16 12:42:42 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:34391->[$IP_MONITORED_HOST]:161
Nov 16 12:42:42 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:47832->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:47832->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:43374->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:43374->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:40390->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:40390->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:40416->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:40416->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:52302->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:52302->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:47390->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:47390->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:39327->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:39327->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:57981->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:57981->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:39053->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:39053->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:55160->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:55160->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:39570->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:39570->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:51014->[$IP_MONITORED_HOST]:161
Nov 16 12:42:43 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:51014->[$IP_MONITORED_HOST]:161
Nov 16 12:42:44 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:52538->[$IP_MONITORED_HOST]:161
Nov 16 12:42:44 $Host snmpd[17513]: Connection from UDP: [$IP_CHECKMK_SERVER]:52538->[$IP_MONITORED_HOST]:161
Nov 16 12:42:51 $Host snmpd[17513]: error on subcontainer ‘ia_addr’ insert (-1)

Yes, this is normal. Checkmk uses SNMP bulkwalk to query all known OIDs at once.

Thanks for your reply, but can all these requests cause bandwidth overload?

No, SNMP is quite bandwidth efficient.

@r.sander: I saw this question just now after searching for this topic (I have this situation). I'm wondering if it is OK to have all these requests on different UDP ports. I was asked by my colleagues (technicians) why Cmk sends so many requests on unwanted ports (there is a UDP rule to set it to a specific rule).
Do you have a deeper insight into that, maybe?

All the UDP requests are going to the same target port (161). The source port is a random high port every time. This is very normal. Where should the problem be?

Oh, I see now - it is obviously slightly different here than in my case.
I'll add a screenshot …


I don't know why these UDP requests are being sent :frowning:

This looks more like nmap is running on 46.189.47.158 and is scanning every UDP port on 192.168.188.2. This does not originate from checkmk AFAICT.
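Added example, not part of the original thread: a small Python check that separates the two patterns discussed above, many random source ports going to one destination port (normal SNMP polling) versus one source reaching many destination ports (scan-like). The function name, the threshold and the sample addresses are assumptions made for this illustration, and the scan records reuse the snmpd `[src]:port->[dst]:port` notation for firewall-style flow data, since snmpd itself only logs traffic to port 161.

```python
import re
from collections import defaultdict

# Matches the "[src]:sport->[dst]:dport" part of the snmpd lines quoted in the thread.
FLOW_RE = re.compile(r"\[([^\]]+)\]:(\d+)->\[([^\]]+)\]:(\d+)")


def classify_flows(lines, scan_threshold=10):
    """Label each (source, destination) host pair by its UDP port pattern.

    scan_threshold is an assumed cut-off, not a Checkmk or net-snmp setting:
    one source reaching that many distinct destination ports is "scan-like".
    Returns {(src, dst): (label, distinct_src_ports, distinct_dst_ports)}.
    """
    sports, dports = defaultdict(set), defaultdict(set)
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # non-flow lines, e.g. the "error on subcontainer" message
        src, sport, dst, dport = m.groups()
        sports[(src, dst)].add(int(sport))
        dports[(src, dst)].add(int(dport))

    result = {}
    for pair in dports:
        n_src, n_dst = len(sports[pair]), len(dports[pair])
        if n_dst >= scan_threshold:
            label = "scan-like"       # many destination ports on the target
        elif n_dst == 1:
            label = "single-service"  # ephemeral source ports, one fixed target port
        else:
            label = "few-services"
        result[pair] = (label, n_src, n_dst)
    return result


# Constructed sample input using documentation addresses, not values from the thread.
POLLER, SCANNER, HOST = "192.0.2.10", "198.51.100.7", "192.0.2.20"
SAMPLE = [
    f"Nov 16 12:42:43 host snmpd[1]: Connection from UDP: [{POLLER}]:{p}->[{HOST}]:161"
    for p in (34391, 47832, 43374, 40390, 40416, 52302)
] + [
    f"[{SCANNER}]:{50000 + i}->[{HOST}]:{1 + i}" for i in range(40)
] + ["Nov 16 12:42:51 host snmpd[1]: error on subcontainer 'ia_addr' insert (-1)"]

if __name__ == "__main__":
    for pair, verdict in classify_flows(SAMPLE).items():
        print(pair, verdict)
```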
