Duplicate PET Alerts !!!

Duplicate PET Alerts !!!

Hello everyone,I subscribed to AMT for receiving PET alerts. Verified it by enumerating AMT_SNMPEventSubscriber and also configured PET filters to send "Link up event".Triggered "Link Up event" by disconnecting & connecting LAN cable. To my surprise, i could see more than one alerts ( mostly 3 times) at the same time for the same link up event in Intel Manageability Commander tool & in other trap receiver tools also.Also, i noticed inIntel Manageability Commander tool, there is menu named "show duplicate alerts" ..So, is it a known factor, that AMT will generate more than one alert ??am i doing something wrong which makes AMT to re-send the alert again & again?any AMT configuration related to this for timelimit on re-transmission of PET alerts ?Thanks for your valuable time!!ThanksValantina

7 posts / 0 new
Last post
For more complete information about compiler optimizations, see our Optimization Notice.
Gael Hofemeier (Intel)'s picture

Hi -Here is an excerpt from the SDK Documentation regarding events and subscribers. If you have 3 subscribers to the Link up event, you well get 3 alerts.

The Event Manager sends the alerts caught by the event filters to designated computers, known as subscribers. The Event Manager Feature includes two types of subscribers:

SNMP Subscribers Created remotely to receive PETs.

SOAP Subscribers Created locally to receive local User Notification events. These events are seen in the Windows event viewer of the Intel AMT platform. SOAP subscribers can be used only on the local interface and can have only the local host address of the Intel AMT. Starting with Release 6.0, the SOAP subscriber option is not supported.

You determine which subscribers receive the events caught by a filter by entering the PolicyID of the event filter in the PolicyID property of the instance representing the subscriber. Several subscribers can be associated to the same event filter.

You can retrieve information only about the subscriptions you created. (A user with admin privileges may access all alert subscriptions).

The maximum number of subscribers you can create depends on the Intel AMT Release:

Prior to Intel AMT Release 2.5: 8

Intel AMT Release 2.5 and later: 16 (maximum SNMP=14, maximum SOAP=8)

Intel AMT Release 6.0 and later: 14

Follow me on Twitter: @GaelHof Facebook: https://www.facebook.com/GaelHof

Thanks Gael .

Yeah, i alsounderstood that AMT will generate alerts for all the Subscribers whom subscribed for taht event.

But, If 3 subscribers destination are different ( say system S1, S2, S3), then AMT should notsendthe sameevent three times to "each subscriber" ie. say LinkUpevent ( 3 times) to S1.

From my view , AMT is constantly generating 3 events irrespective of the number of subscribers.

Sample alerts which i received for S1( 10.0.6.33) from AMT 10.0.3.122:
Note the timings& ( 26 61 01) indicates Link Up Event.
AMT version : 6.1.1-build 1045

2010-12-29 13:10:41 amt-pc.in.megatrends.com [10.0.3.122] (via UDP: [10.0.3.122]:57422->[10.0.6.33]) TRAP, SNMP v1, community publicSNMPv2-SMI::enterprises.3183.1.1 Enterprise Specific Trap (2558467) Uptime: 0:24:29.33
SNMPv2-SMI::enterprises.3183.1.1.1 = Hex-STRING: 5E A5 98 00 20 B2 11 DF A4 41 00 27 0E 10 41 EC
00 04 18 70 56 DB FF FF 50 68 01 FF 02 26 61 01
86 80 00 00 00 00 00 FF 00 00 01 57 00 01 C1

2010-12-29 13:10:59 amt-pc.in.megatrends.com [10.0.3.122] (via UDP: [10.0.3.122]:57422->[10.0.6.33]) TRAP, SNMP v1, community publicSNMPv2-SMI::enterprises.3183.1.1 Enterprise Specific Trap (2558467) Uptime: 0:24:47.52
SNMPv2-SMI::enterprises.3183.1.1.1 = Hex-STRING: 5E A5 98 00 20 B2 11 DF A4 41 00 27 0E 10 41 EC
00 04 18 70 56 DB FF FF 50 68 01 FF 02 26 61 01
86 80 00 00 00 00 00 FF 00 00 01 57 00 01 C1

2010-12-29 13:11:17 amt-pc.in.megatrends.com [10.0.3.122] (via UDP: [10.0.3.122]:57422->[10.0.6.33]) TRAP, SNMP v1, community public
SNMPv2-SMI::enterprises.3183.1.1 Enterprise Specific Trap (2558467) Uptime: 0:25:05.55
SNMPv2-SMI::enterprises.3183.1.1.1 = Hex-STRING: 5E A5 98 00 20 B2 11 DF A4 41 00 27 0E 10 41 EC00 04 18 70 56 DB FF FF 50 68 01 FF 02 26 61 01
86 80 00 00 00 00 00 FF 00 00 01 57 00 01 C1

( i captured the samecase in Intel Manageability Commander tool. But couldn't able to insert the picture here :( )

Regards
Valantina

Lance Atencio (Intel)'s picture

I have come across this before for the Link Up event andwas told that it is known behaviour possibly due tothe network device. I will try to find more information on this.

Are you seeing multiple events for anything other than Link Up?

For "Password attack event" ( specifictrap value is 421637), i had received duplicate alerts. Meanwhile, i will check for other events & get back here.

2010-11-12 13:24:52 amt-hx.in.megatrends.com [10.0.3.122] (via UDP: [10.0.3.122]:37545->[10.0.6.33]) TRAP, SNMP v1, community public
SNMPv2-SMI::enterprises.3183.1.1 Enterprise Specific Trap (421637) Uptime: 0:47:23.28
SNMPv2-SMI::enterprises.3183.1.1.1 = Hex-STRING: 5E A5 98 00 20 B2 11 DF A4 41 00 27 0E 10 41 EC
00 5D 18 32 63 D4 FF FF 50 68 10 FF FF 26 61 AA
05 00 00 00 00 00 00 FF 00 00 01 57 00 01 C1

2010-11-12 13:25:10 amt-hx.in.megatrends.com [10.0.3.122] (via UDP: [10.0.3.122]:37545->[10.0.6.33]) TRAP, SNMP v1, community public
SNMPv2-SMI::enterprises.3183.1.1 Enterprise Specific Trap (421637) Uptime: 0:47:41.28
SNMPv2-SMI::enterprises.3183.1.1.1 = Hex-STRING: 5E A5 98 00 20 B2 11 DF A4 41 00 27 0E 10 41 EC
00 5D 18 32 63 D4 FF FF 50 68 10 FF FF 26 61 AA
05 00 00 00 00 00 00 FF 00 00 01 57 00 01 C1

2010-11-12 13:25:28 amt-hx.in.megatrends.com [10.0.3.122] (via UDP: [10.0.3.122]:37545->[10.0.6.33]) TRAP, SNMP v1, community public
SNMPv2-SMI::enterprises.3183.1.1 Enterprise Specific Trap (421637) Uptime: 0:47:59.30
SNMPv2-SMI::enterprises.3183.1.1.1 = Hex-STRING: 5E A5 98 00 20 B2 11 DF A4 41 00 27 0E 10 41 EC
00 5D 18 32 63 D4 FF FF 50 68 10 FF FF 26 61 AA
05 00 00 00 00 00 00 FF 00 00 01 57 00 01 C1

Lance Atencio (Intel)'s picture

Thanks for the update.

I have passed on the info to see if others have ideas on the cause of this behaviour.

Best Reply

Valantina,

I received the following response from one of our engineers regarding your query:

PET alerts are being retransmitted per specification. If I remember correctly, alerts are transmitted 3 times, 3 seconds apart, and I think this is not configurable.

There is a sequence number field that allows you to tell different alerts apart.

Paul

Login to leave a comment.