Microsoft KB Archive/883323

= OnePoint Operations 9200 events may be logged in the Application event log on a Microsoft Operations Manager DCAM Server =

Article ID: 883323

Article Last Modified on 10/27/2006

-

APPLIES TO


 * Microsoft Operations Manager (MOM) 2005
 * Microsoft Operations Manager 2000 Service Pack 1

-





SYMPTOMS
Assume the following: A computer with the Microsoft Operations Manager (MOM) 2005 agent installed is managed by a MOM 2000 Data Access Server/Consolidator-Agent Manager (DCAM) server that is running MOM 2000 Service Pack 1 (SP1). In this scenario, the MOM 2005 agent may send packets that are not valid to the MOM 2000 configuration group. Therefore, many OnePoint Operations 9200 events that are similar to the following may be logged in the Application event log on the MOM 2000 SP1 DCAM server: Event Type: Error

Event Source: OnePoint Operations

Event Category: None

Event ID: 9200

Date: 11/20/2003

Time: 11:54:10 AM

User:

Computer:

Description: The socket server on port 1270 received a malformed packet. This may indicate a possible hacking attempt. The binary data for this event contains the data received.

Note Although this event text indicates a possible hacking attempt, it does not indicate where the packet originated.



CAUSE
This issue may occur if the following conditions are true:
 * You have two or more configuration groups that are running MOM 2000 SP1.
 * One or more of the MOM agents are multihomed and report to two or more configuration groups.
 * You upgrade one of the MOM 2000 SP1 configuration groups to MOM 2005.

When you upgrade a MOM 2000 SP1 configuration group to MOM 2005, all MOM 2000 SP1 agents that report to the upgraded MOM 2005 configuration group are upgraded to MOM 2005. The MOM 2005 agent supports two protocol types for communication: the MOM 2000 SP1 protocol and the MOM 2005 protocol.

When the MOM 2005 service starts, it first tries to communicate with the MOM server by using the MOM 2005 protocol. If this communication attempt is unsuccessful, the MOM 2005 agent then uses the MOM 2000 SP1 protocol. Because the MOM 2000 SP1 server does not understand the MOM 2005 protocol, the MOM 2000 SP1 server generates the 9200 event that is described in the &quot;Symptoms&quot; section. However, when the MOM 2005 agent uses the MOM 2000 SP1 protocol, the MOM 2000 SP1 server accepts communication with the MOM 2005 agent.

Additionally, the MOM 2005 agent service retains the MOM protocol type only while the MOM 2005 service is running. When the MOM 2005 service restarts or encounters network problems, the MOM 2005 agent must redetermine the protocol type. Therefore, the MOM 2005 agent first tries to communicate with the MOM 2000 SP1 server by using the MOM 2005 protocol and then by using the MOM 2000 SP1 protocol. If the server has been upgraded to MOM 2005, the communication attempt is successful, and no error events are logged.



STATUS
This behavior is by design.

Keywords: kbtshoot kbprb KB883323

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.