I've just installed UDT 3.2 into my existing Orion system.  I am running NPM 11.0.1, SAM 6.1.1, NTA 3.11.  I have added my 10 Domain Controllers in UDT, but 3 of them come back with the following status, "Polling Failed, check security log access credentials"   The domain controllers are 2008R2, 2012 and 2003.  The account I am using is a member of the Domain Admins group.  I've checked every permission I can think of on the logs, but the account has all needed permissions.  I've been able to remotely access the logs with the account.  I'm not sure what else to check as I can't find any other errors.  When I tested UDT 3.1, I did not have this issue.  I am using the same account as my test.  Thanks for any pointers.

Joe Leitsch

We have a fairly large deployment of Juniper access layer switching that until about a year ago was mostly the EX2200 series. Over the last year and a half we've started using the EX2300 series and unfortunately cannot get UDT working. As we continue to lifecycle devices our population of the 2300 series switches has increased greatly and not being able to use UDT on these devices is frustrating.

Last year we contacted both Solarwinds support and Juniper about this and what we found is that Juniper changed OIDs somewhere between the EX2200 series we have running OS 12.x to the EX233 series we are now getting running OS 15.x. This is also causing issues with vlan polling.

Has anybody else ran into this issue and if so what are you doing about it? Solarwinds asked us to submit a feature request for this which we did, but that was a year ago and Juniper has also not been able to help. Within another year or two we'll have refreshed all of our devices and if this is still not working UDT will become completely useless to us.

Forgot to mention that this will not work with on any Juniper ELS devices. With everything in their product line heading this way I would hope something will change to get this working in the near future.

I've done this before, but it's quite a time since I've done it last time.

So, I'm noticing that I'm monitoring two switch ports with NPM (uplinks only) and UDT is monitoring those ports too, but not anything else on that switch. With other switches there is same situation, just some of the ports are monitored by NPM, but I still get every ports monitored with UDT.  So it obviously should be possible but I don't know how. If I open a list view of UDT nodes, I can only see those two ports, and status is "monitored" but nothing else. Other switches I see other ports too, not just the ones that are monitored with NPM.

This must be some really simple thing, that I just cannot find in settings... so can you help...?

I've had UDT for a year.  It looked quite promising, but it's turned out otherwise and I've had to shut it off due to it not providing timely and accurate information, and due to it causing so many snmp-GETs that it results in a DOS on 6509 Distribution switches.

Challenges:

• Most of my access switches were Cisco 2960S models.  Their local memory and CPU resources proved drastically underpowered to accommodate our deployment of Cisco ISE and SW UDT.  The switches were so overwhelmed with all the SNMP queries and ISE activity that I had to keep pushing my UDT polling schedule further and further away from the default--which was already a longer time than tracking wireless users and their devices needs.  After setting the polling cycles so far apart it became obvious UDT wasn't useful for tracking laptops or wireless devices.  I've spent the last year doing forklift upgrades of the 2960S models, replacing them with 8350's and 9348's.  I'm hoping to start up UDT again on those units, along with polling my 2960X's and 2960XR's and 4510's, but I'm not confident the experience will be a positive one.
• UDT isn't compatible with SNMP-v3.  All of my systems were happily running on snmp-v3 and none of them were providing UDT information because UDT can't work with encrypted v3 data.  I had to reconfigure all my access switches, distribution switches, wireless controllers, layer 3 switches, and routers to use snmp-v2.  Company security policy mandated that ACL's be applied to all of those nodes that restricted snmp-v2 access to my pollers and my team's workstations.  That was loads of work I didn't need, and wouldn't have had to go through if UDT worked with snmp-v3 community strings.
• Router or L3 node changes.  I regularly replace aging distribution switches and routers with newer ones, and that's proven an Achilles heal for UDT.  I've not yet found a place in its documentation that defines how it interacts with routers & layer three distribution switches, and I've hoped that simply monitoring those nodes with NPM would suffice to provide UDT with the ARP information it requires to track devices on the access switches below the L3 equipment.  But when I replaced a VSS pair of Cisco 6509's with a VSS pair of 6807's, ensuring that both the old AND the new equipment was monitored in NPM, I found UDT data about switches below those devices quickly became stale.  It seems that UDT lost where to look for the ARP information when the routing interfaces moved from the 6509's to the 6807's.  I'm not sure why since both sets of nodes were monitored in NPM.  Should I have also added the 6807's to UDT's monitoring?  I don't think that's necessary since no access devices are using any ports on the 6807's.  Those VSS chasses only serve as the L3 routing hardware for many L2 access switches below them.  Wouldn't UDT automatically know that the 6807's contained the data for the thousands of computers attached to the access switches that uplink to the 6807's?
• User tracking.  I've had political challenges getting UDT access into the AD world, resulting in an inability to track users by login name.  Yes, it's a local problem, not SolarWinds' issue, but it seems like it would be an intuitive step to let UDT automatically access everything it needs in the Active Directory servers without requiring large amounts of input and actions by the AD administrators.

Since my initial deployment of UDT over a year ago I've replaced my SolarWinds server and database infrastructure by moving all to 2016 versions.  I've also upgraded to the latest Solarwinds Orion Platform 2018.4 and NAM 2018.4 and i look forward to turning UDT back on with better results due to the upgrades.  But I'm not certain this will be the case.

So let's get back to my original question about routers, which also pertains to L3 switches that do routing or function as distribution switches to the VLANs on the switches below them.

1. Does UDT require a router be defined for every VLAN?
   1. If so, where does one tell UDT about the routers serving each switch?
   2. If UDT doesn't require a specifically defined router or L3 switch for the VLAN's on access switches, how does UDT know which nodes hold the ARP info for every VLAN on every switch?
   3. Where does UDT go to understand which L3 node should be queried for any PC or workstation being routed by that L3 node?
2. SNMP-v2 or v3 for routers and L3 Distribution switches:
   1. Does UDT require snmp-v2 access to every router?
   2. Can UDT get its device and user tracking jobs done via snmp-v3 community strings for routers & L3 switches?
3. What can be done to reduce the strain UDT puts on switches or routers with CPU and/or memory resources that should be sufficient to UDT's needs--but that aren't?
   1. I discovered my 6509 Distribution Switches acting like they were experiencing an snmp-get DOS attack from all the queries they received from UDT and other network node discovery tools (e.g.: like Printuition, which polls all IP addresses on the network to discover printers.  We have ~8,000 network printers, and keeping up with their paper and toner and service needs requires an automated tool like Printuition).  When I replaced the 6509's with 6807's I saw the newer L3 distribution switches could handle the snmp query onslaught better than the 6509's.
   2. How does one ensure that any L3 switch or router isn't overwhelmed with snmp-get requests from UDT while simultaneously ensuring a current and valid UDT database remains available for my staff to query and watch and manage?
4. What are the results of enabling UDT to manage ports on a switch for which UDT is not specifically set to monitor the upstream router or L3 switch?
   1. Will UDT simply understand the next upstream router from an access switch will hold the ARP info for PC's & printers, and query that upstream router via the snmp-v3 strings used by NPM to monitor that router?
5. More and more of my remote sites rely on non-traditional routers for WAN connectivity.  In some cases they use Cisco 5506's for BGP WAN routing, and those same ASA's provide local routing for computers at the side.  In other cases 8350 or 9348 switches have L3 services enabled and are functioning as the routers for nodes below them.
   1. Will UDT accurately discover nodes beneath an ASA 5506 that's working as a router?
   2. Will UDT accurately discover nodes below a 3850 or 9348 switch with L3 services enabled to make it a router for the switches and computers below it?
6. A number of sites rely on L3 routing & distribution to come from Cisco Nexus 5548 switches.  I've had challenges with Nexus playing well with Solarwinds.  Will UDT be able to properly function if routing has to come via Nexus 5548's?

I need to get my investment back from purchasing UDT, but my team is moving to other best of breed solutions that don't stress our network switches or routers, and that do what we expected UDT to do--at a lower price point.

All honest and helpful attempts to assist will be appreciated. I'm betting that if marcoswithanoh can't help me, he knows who can, and he'll draw their attention to this query.

Sincerely,

Rick Schroeder

We have a bunch of switches added in NPM and whomever added them previously did not scan for UDT ports when adding the nodes.  Now, I'd like to have those switches scanning with UDT ports and I can't seem to find a way to additionally add that on the existing node.  The only way I've seemed to find was to delete the node, re-add it, and then click "scan for UDT" while finalizing the addition of the node.  Is this this only way, or am I simply missing something?

Hi there,

Does anyone know of a way that I can export port details of a switch into excel? There's isnt on UI so wondering if anyone know a way trough SQL or database manager?

PS: I have already raised it with Support and they will request it to their developers to add an export button on the switch port deatils.

Thanks in advance!

The User Experience (UX) team is looking for people who use UDT today in their environment to talk to us about what you use it for, how it's working for you, what's missing that you'd like to see UDT do, and most importantly, take us on a tour of how you use it.  There will be 1 hour interviews any time from Monday, July 9 to Friday, July 20, any 1 hour blocks from 8am Central Standard time to 4pm. People who participate will of course receive 3,000 THWACK points; but the big win is that you get a chance to make a difference in future versions of UDT.  Please email me directly at kellie.mecham@solarwinds.com with a date and time which work for you and we'll set something up! --Meech

I have installed UDT eval - looks VERY interesting so far; experiencing a couple of router issues and such that other folks are commenting on and have an open case.

One odd thing I have noticed that started virtually the minute UDT became active is SNMP authentication failures - we capture these in NPM via traps.  What is interesting is that they appear to be coming from my orion server and attempt to communicate via SNMP to any device in the network; whether or not they are in UDT (they are in NPM).  Even more interesting is the extra IP address contained in the trap - see bold below:

snmpTrapEnterprise = RAPID-CITY-MIB:snmpTraps 
experimental.1057.1 = [*local switch address*]
cExtSnmpTargetAuthInetAddr = 49.48.46.49 
cExtSnmpTargetAuthInetType = 1 
authAddr = [*local Orion server address*] 
snmpTrapOID = SNMPv2-MIB:authenticationFailure 
sysUpTime = 3618379348 

Has anyone else seen this or know what it could be coming from?  Again, this started immediately after UDT was installed.

Thanks,

Dave

Hi,

we have upgraded UDT to newest version, but now when I click on switch for example, and then go to port details, I can see MAC addresses of devices connected to switch, but no IP addresses.

To be exact, I can see IP addresses from devices (ports) in vlan 130, but don't see those that are in vlan 70, as you can see from the picture I am attaching.

I don't know if I was able to see those IP addresses before, customer who uses the system also does not remember, but we should still determine why we can see MAC and IP address for vlan 130, and for vlan 70 we just see MAC addresses.

Can you tell me what could be the problem with this? Is there something in Solarwinds NPM / NCM or UDT that needs to be configured, or is this something wrong with L3 devices configuration in the network?

How to solve this issue?

Best regards,

Stjepan

I have Infoblox for DHCP/IPAM/DNS services, and I see there's a new module available that can discover and auto populate information showing the switch/blade/port for every device by MAC address and IP address.  That's exactly what my organization needs for expanding our CMDB.

But I see Solarwinds UDT seems to also be able to provide switch/blade/port for every MAC/IP address.

If you've used either solution, I'd LOVE to get your input about pro's & con's you've experienced.  If you can include sanitized screen shots showing your views, what you like with the product, what you don't like, that would be SO helpful.

I'm at the point of deciding between the new Infoblox module and adding on UDT, and the ability to export the switch/blade/port/MAC/IP address information into a CMDB will make the difference for which way to go.

Lay it on me, UDT and Infoblox users!  What do you love or hate or wish-for about either option?

Hello,

Does anyone has the following issue which seems to happen on Alcatel switchsonly ?

This is an issue about the displayed VLAN numbers when I look at the UDT ports of a Alcatel switch.

Here is a real example to explain and show the issue:

First, I can check information on a connected PC:

The ipconfig shows an IP address starting by 10.20,
which means in our infra I'm clearly on VLAN 20.

Carte Ethernet Connexion au réseau local :

   Suffixe DNS propre à la connexion. . . : administration.adm
   Description. . . . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
   Adresse physique . . . . . . . . . . . : 64-00-6A-4F-AB-CD
   DHCP activé. . . . . . . . . . . . . . : Oui
   Configuration automatique activée. . . : Oui
   Adresse IPv6 de liaison locale. . . . .: fe80::91b:5520:d7dc:1c14%11(préféré)
   Adresse IPv4. . . . . . . . . . . . . .: 10.20.0.59(préféré)

I can also check on the switch (CLI) it's connected on that I see on port 27 my Mac Address on VLAN 20

JT-RDC-SW5-> showmac-address-table 1/27

Domain   Vlan/SrvcId        Mac Address            Type         Protocol     Operation          Interface

--------+--------------+---------------------+----------------+------------+--------------+------------------------

   VLAN    20             00:0c:29:cc:xx:xx     learned          ---          bridging       1/27

   VLAN    20             00:21:b7:2e:xx:xx     learned          ---          bridging       1/27

   VLAN    20             48:4d:7e:f0:xx:xx     learned          ---          bridging       1/27

  VLAN    20             64:00:6a:4f:ab:cd     learned          ---          bridging       1/27

Note: The port 27 is an access port which I see to be on VLAN 20 by the following command.

JT-RDC-SW5-> show vlan port

vlan   port     type      status

------+-------+---------+-------------

...

   20   1/27    default   forwarding

...

Everything looks consitent so far,
except, when I look at the UDT page of the switch, I see "Vlan 1" on the very right column

And the issue is that I see VLAN 1 on every ALCATEL access port (amongs hundreds switch, whatever the switch and whatever the port)

			1/27		10.20.0.x		64:00:6A:4F:AB:CD	1
					10.20.3.x		48:4D:7E:F0:xx:xx	1
					10.20.7.x		00:21:B7:2E:xx:xx	1
					10.20.0.x		EC:B1:D7:D9:xx:xx	1

Whick makes the UDT module very not usefull
What is really frustrating is that I see however "1,20" (as follow) when I move the mouse over the port number, but not 20 (or at least 1,20) at the end of the column in the UDT Table.

Solarwinds support tells me that my switchs (Alcatel 6850) might not support the OID requested... but first I don't think I have control over this OID value,

and second I can't believe that more than 100 Alcatel switchs do not follow SW MID standard...

I knew that Solarwinds was not entirely compatible Alcatel, but for such a basic function I don't believe there's no solution.

Does anyone meet the same issue ?

If anyone has their Alcatel Switch 6850 working well with UDT,
I'll be more than happy to see that's working for somebody else.

Thank you everyone for your feedback.

Jean-Thierry

I have edited a report I found here.  Simply put, it lists interfaces that are currently down on a node, but was up earlier, or so I thought.  I have stripped everything away in this report to just show interfaces Operational Status as Down.  In limited instances, Device Tracker shows that certain Operational Status for interfaces are up for example Gi1/0/3 is up.  I run the report and the report shows the "Operational Status is Down" for this interface.   I log into the switch and I see that Gi1/0/3 has been up for 4 hours.  This happens only on 1 or 2 interfaces of a node, and not always.  The report option that I am using is: Operational Status       is not equal to      UP.

I tried the other options of equal to, contains, etc, of Up and Down.  No matter what combination I try, I get the results of the report thinking that the Operational Status is Down.  It seems that Operational Status is not real time?  Is this correct?  If it's not real time, how would I "refresh" this variable?

Does anybody know how this works?

First of, I am pretty new to these products.

I have an issues in our organization.  No MAC addresses or IP addresses appear on ports for cisco devices entered into our NMS.  We are using UDT 3.0.2, NCM 7.2.2.  Other regions in our organization are not having the same problems with their cisco equipment.

Key differences

-We do not use vlan 1 as management Vlan

-We use snmp v3 (I reverted back to version 2, no difference)

I use a cisco 4507 as my core device.  L2 connection to all switches in my network.  All my Brocade switches do not have this problem. SNMP polling does not fail.  All other information has no problems being polled

I am sort of in a rush today, so I will add any information that is asked for, or as I remember and get a chance to.

What sort of MIB table is needed for all aspects to work correctly.  Is there a way I can get a checksheet for all components needed to get this functioning.  My Brocade switches are L3.  My cisco gear is a combo of L2 and L3, and no MAC address show up on any cisco switchports.  With the exception of thru trunk ports back to core.

I would be hugely appreciative if some one could walk me thru the process.  Ultimately, what I would love is a breakdown of how some aspects of the polling works.  I'm not sure if it's and architecture thing or not?

Please feel free to ask questions!

Hi,

I have a NPM and IPAM module.

I would like to create an event (trigger or something) which will detect a new (unknown) MAC addresses on the network and send an email to the administrator (all MAC addresses on the network are listed in IPAM module).

Could you help me, how to do this (if is it possible)?

Does it exist some module or extension of Orion, which can help me, with this "feature" ?

thanks in advance

Hello I have a question...

I am currently running an Extreme Campus Fabric network, I am utilizing mostly ERS4850 switches with 3 ERS4950. I currently can pull port information from the 4900, for example, devices plugged in MAC, IP addresses, VLAN etc etc.

However I am not getting the same information from the ERS4800 switches.

I have confirmed SNMP settings, community etc etc, I am able to POLL the switch and receive information from the network manager. I can see on the UDT that the ports on the 4800 are being used, I can pull the IP and MAC from the IPAM.

I am ARPing to the 8404 core which I can also pull the same information with no problems. I can see on the core what MACs, IPs, and DNS are plugged into the NNI ports.

This is a Fabric Campus network so Edge to Core is L2, all routing takes placed on the edge and the core.

Just seeing if anyone has come across this on these particular switches, as I said, I can see all the information from the Core but nothing on the edge switch and it is only the 4800s not the 4900s.

I believe the issue falls on the edge switch itself.

Ok, I posted orginally in the NPM forum (Re: SNMP Events).  Since I recently installed UDT as well, we thought it best I posted here.

We have recnetly started getting a lot of %SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input queue full" errors on my big Catalyst switches. This starting happeing around the same time we installed UDT - and is still happening, btw.

I opened a support case with both Cisco and Solarwinds, and have not had much luck in determining if UDT or another Orion product is causing this. Cisco suggested I increase the queue-length on the switch (I did this 2x - first to 100, then to 250 - no change) then requested the MIBs being used by Orion, so i sent that over yetserday.  Solarwinds support, provided the mibs, and I am still looking at increasing the buffers more, but I am not sure what other impact this might have.

It just seems odd - has ANYONE see anything like this before?  My syslogs have doubled in size since this issue started, and is becomming quite worrysome for me.

Thanks.

Quick scan through the docs and the forums and do not see the answer to this question.

Adding in Juniper switches and need to know if we should add in just the port (ge-0/0/0) or the sub-interfaces too (ge-0/0/0) assuming these are just standard access ports.

Our environment is made up almost entirely of Juniper hardware.

I noticed that when I added my entire production environment into UDT that Juniper with its config of physical and logical interface that UDT counts both as individually monitored ports.  For Cisco and other vendors we use I get both Layer2 and Layer3 info on the port monitored.

What this means is if I want to monitor one port on Cisco it costs 1 UDT license..if I want to monitor 1 port on Juniper it costs 2.

This caused me to burn through all my licensing and need to know if this will be addressed in a later release to treat Juniper logical/physical as one license or should I reach out to get some additional licensing for free from my account rep?

Running UDT version 3.2.3

I had a device alert on a rogue DNS name. Afterwards I added the MAC to the DHCP deny filter and wireless controller exclusion list. Over the weekend UDT shows the same device as connected with a green color in the Rogue Devices section. Clicking on the device name to get the details I can see the IP address listed. Checking the reservation list in DHCP I can see the IP listed in UDT is being used by a different device. Hovering the mouse over the IP address shows it as connected, hovering over the MAC shows it as disconnected. I understand UDT used IP, Hostname and MAC to determine rogues, but is there a way it can see that the IP address used by a rogue device is no longer being used by that device?

For example.

Rogue DNS name alert: 7/21/2017 rogue.domain.com, IP 192.168.10.10, MAC aa:aa:aa:bb:bb:bb; added MAC to DHCP deny filter, WLC exclusion list

UDT Rogue Devices List: 7/24/2017 entry for rouge.domain.com (shows connected), IP 192.168.10.10 (shows connected) MAC aa:aa:aa:bb:bb:bb (shows disconnected); Check DHCP reservation list and MAC aa:aa:aa:bb:bb:bb is assigned to a different host.

I have seen this on three different occasions now. What i'd like to see is the device hostname listed in the rogue list as disconnected because it really is.

UDT Rogue Device detection needs some improvement. I had created a ticket and worked with support but I am not satisfied with the answers, especially since the SW site advertises the product to do this: Receive an alert when a device that’s not on the whitelist connects to the network & Define rules to determine if a network device should be ignored.

In my environment, I felt that the best way to monitor was to create a white list for all of my approved MAC addresses. This was working correctly, but I was being alerted throughout the day for devices that were connecting to our non-secured guest WiFi. Those devices are not on the MAC white list, therefore they were alerts. I tried to use the exclude rule, and also tried to white list that IP range, but it does not work.

If I understand correctly, the MAC white list and the IP white list are not queried one after another, therefore as long as it FAILS on 1 white list, you are alerted. I need it to NOT alert if it passes ANY enabled white list.

If you suffer from the poor design of UDT and Rogue Device Detection and filtering, please raise awareness to get this potentially great tool some exposure and try to get the dev team to make it awesome!