06-22-2018 04:00 AM - edited 03-01-2019 04:43 AM
Hi all,
I am having a small issue... When I try to provision my C3560CX, running this software version:
Switch Ports Model             SW Version  SW Image
------ ----- -----             ----------  ----------
*    1 12    WS-C3560CX-8PC-S  15.2(4)E4   C3560CX-UNIVERSALK9-M
I am getting this error:
Received response from pnp agent for message correlatorId: CiscoPnP-1.0-50-370-B44C140-47 but with error code : ZTD_CMD_ERROR Response String: PERMISSION_DENIED:authorization failed
When I google it, I can see that some refer to other software versions, but also that it could be something with the AAA method.
Here I am using :
aaa authentication login default group TACACS-ISE local
aaa authorization config-commands
aaa authorization exec default group TACACS-ISE local
aaa authorization commands 1 default group TACACS-ISE if-authenticated
aaa authorization commands 15 default group TACACS-ISE if-authenticated
and the group is containing my TACACS servers.
Does anybody have some info on how to fix this?
I have also tried to apply the AAA commands with an EEM script like this:
! EEM SCRIPT
!
event manager applet POST_PNP
event timer countdown time 90
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 2.0 cli command "aaa authorization config-commands"
action 2.1 cli command "aaa authorization commands 1 default group TACACS-ISE if-authenticated"
action 2.2 cli command "aaa authorization commands 15 default group TACACS-ISE if-authenticated"
action 2.3 cli command "no event manager applet POST_PNP"
action 2.4 cli command "end"
action 2.5 cli command "wr mem"
action 3.0 cli command "end"
but that doesn't change anything here.
Hope somebody can give me some direction on this matter.
Frank
06-22-2018 04:21 AM
Yes, this is a known issue: when you turn on command authorisation, the PnP process no longer has permission to complete the configuration.
You need to remove the authorisation commands from the config file and move them into the EEM script (also contained in the config file).
The EEM script will fire 90 seconds after the PnP process completes, thus allowing you to keep the command authorisation CLI.
06-22-2018 04:24 AM
aradford, so you want all AAA commands in the EEM script?
I just noticed this for software release 15.2(6)E1, which is the latest and greatest.
So an upgrade might help here.
06-22-2018 04:26 AM
Yes, that is the other approach.
06-25-2018 01:39 AM
Alright, I am getting another issue after upgrading to 15.2(6)E1: it will not go into Unclaimed in my APIC, so I tried to modify my EEM script to this:
event manager applet POST_PNP
event timer countdown time 90
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 2.0 cli command "aaa authorization config-commands"
action 2.1 cli command "aaa authorization commands 1 default group TACACS-ISE if-authenticated"
action 2.2 cli command "aaa authorization commands 15 default group TACACS-ISE if-authenticated"
action 2.3 cli command "aaa authentication login default group TACACS-ISE local"
action 2.4 cli command "aaa authorization exec default group TACACS-ISE local"
action 2.5 cli command "no event manager applet POST_PNP"
action 2.6 cli command "end"
action 2.7 cli command "wr mem"
action 3.0 cli command "end"
!
But this still does not work for my devices.
Still getting this error:
2018-06-25 10:33:45 (Romance Daylight Time) Received response from pnp agent for message correlatorId: CiscoPnP-1.0-20-466-B0DE004-20 but with error code : ZTD_CMD_ERROR Response String: PERMISSION_DENIED:authorization failed
So how can I get this fixed? Is there something wrong in my EEM script?
06-25-2018 10:37 PM
Hi,
This error is not due to your EEM script. That should fire after the PnP process completes.
Are you sure you removed all of the "aaa authorisation" commands from the initial configuration that was pushed?
06-25-2018 11:14 PM
Hi aradford,
Yeah, I'm 100% sure that there is no AAA authorization in my config.
But I found out that if I leave these two commands out:
aaa authorization commands 1 default group TACACS-ISE if-authenticated
aaa authorization commands 15 default group TACACS-ISE if-authenticated
I can have the rest in my "normal" configuration; then I just need to paste in the 2 lines afterwards.
Here is the configuration that I normally use:
!Version 2.0
!
!
no service pad
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime localtime year
service password-encryption
!
logging buffered 100000 warnings
no logging console
no logging monitor
logging source-interface vlan 1
!
hostname ${LOCATION_ID}${SWITCH_TYPE}-${SWITCHTEXT}
!
!
errdisable recovery cause all
!
!
vlan 10
name VoIP
!
vlan 20
name PRODUCTION
!
!
ip default-gateway 10.${DG_OKTET_IP_2}.${DG_OKTET_IP_3}.1
!
lldp run
!
udld enable
!
!
ip dhcp snooping vlan 1,10,20
ip dhcp snooping information option format remote-id hostname
no ip dhcp snooping information option
ip dhcp snooping database flash:/snooping.txt
ip dhcp snooping
!
mls qos map policed-dscp 0 10 18 24 46 to 8
mls qos map cos-dscp 0 8 16 26 34 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
class-map match-all AUTOQOS_VOIP_DATA_CLASS
match ip dscp ef
class-map match-all AUTOQOS_DEFAULT_CLASS
match access-group name AUTOQOS-ACL-DEFAULT
class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
match ip dscp cs3
!
class-map match-all IN-VOICE-SIG
match ip dscp cs3
class-map match-all IN-MULTIMEDIA-CONFERENCING
match ip dscp cs4 af41
class-map match-all OUT-CITRIX-OUT-VOICE-SIG
match ip dscp af31
class-map match-all OUT-VOICE
match ip dscp ef
class-map match-all IN-CITRIX
match access-group name IN-CITRIX
class-map match-all IN-VOICE
match ip dscp ef
!
!
policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
class AUTOQOS_VOIP_DATA_CLASS
set dscp ef
police 128000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_VOIP_SIGNAL_CLASS
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_DEFAULT_CLASS
police 10000000 8000 exceed-action policed-dscp-transmit
trust dscp
!
policy-map IN-MARKING
class IN-VOICE
set dscp ef
class IN-MULTIMEDIA-CONFERENCING
set dscp af41
class IN-CITRIX
set dscp af31
class IN-VOICE-SIG
set dscp af31
class class-default
set dscp default
!
!
crypto key generate rsa general-keys label SSH modulus 2048
ip ssh rsa keypair-name SSH
ip ssh version 2
!
line con 0
session-timeout 10
exec-timeout 10
logging synchronous
!
line vty 0 15
session-timeout 120
access-class 12 in
exec-timeout 120 0
transport preferred none
transport input ssh
!
!
no ip http server
no ip http secure-server
!
!
access-list 10 remark # CISCO PRIME #
access-list 10 permit 10.xxx.xxx.xxx
access-list 10 remark # CISCO APIC #
access-list 10 permit 10.xxx.xxx.xxx
access-list 10 remark # SOLARWWINDS #
access-list 10 permit 10.xxx.xxx.xxx
access-list 10 remark # JUMPSTATION WINDOWS #
access-list 10 permit 10.xxx.xxx.xxx
access-list 11 remark # CISCO PRIME #
access-list 11 permit 10.xxx.xxx.xxx
access-list 11 remark # CISCO APIC #
access-list 11 permit 10.xxx.xxx.xxx
access-list 11 remark # SOLARWWINDS #
access-list 11 permit 10.xxx.xxx.xxx
access-list 11 remark # JUMPSTATION WINDOWS #
access-list 11 permit 10.xxx.xxx.xxx
!
access-list 12 remark # CISCO PRIME #
access-list 12 permit 10.xxx.xxx.xxx
access-list 12 remark # CISCO APIC #
access-list 12 permit 10.xxx.xxx.xxx
access-list 12 remark # CISCO ANYCONNECT #
access-list 12 permit 10.xxx.xxx.xxx
access-list 12 remark # SOLARWWINDS #
access-list 12 permit 10.xxx.xxx.xxx
access-list 12 remark # SOLAR OFFICE #
access-list 12 permit 10.xxx.xxx.xxx
access-list 12 remark # JUMPSTATION WINDOWS #
access-list 12 permit 10.xxx.xxx.xxx
!
ip access-list standard 13
deny any
ip access-list standard 14
permit 10.xxx.xxx.xxx
permit 10.xxx.xxx.xxx
permit 10.xxx.xxx.xxx
permit 10.xxx.xxx.xxx
!
ip access-list extended IN-CITRIX
permit tcp any any eq 1494
permit tcp any any eq 2598
!
aaa new-model
!
aaa group server tacacs+ TACACS-ISE
server name piseadms001.solar.eu
server name piseadms002.solar.eu
!
aaa authentication login default group TACACS-ISE local
aaa authorization exec default group TACACS-ISE local
!
aaa session-id common
!
!
ip domain-lookup
ip domain-name xxxxxxxx.com
ip name-server 10.xxx.xxx.xxx
ip name-server 10.xxx.xxx.xxx
ip name-server 10.xxx.xxx.xxx
!
!
vtp mode transparent
vtp domain xxxxxxxx.com
!
!
!
tacacs server piseadms001.solar.eu
address ipv4 10.xxx.xxx.xxx
key 7
tacacs server piseadms002.solar.eu
address ipv4 10.xxx.xxx.xxx
key 7
!
username xxxxxxxx privilege 15 secret
!
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
interface vlan 1
ip address 10.${VLAN_OKTET_IP_2}.${VLAN_OKTET_IP_3}.${VLAN_OKTET_IP_4} 255.255.240.0
no shutdown
!
!
snmp-server community antigoon RO 10
snmp-server community antigoon RW 11
snmp-server ifindex persist
snmp-server location ${SNMP_LOCATION_NAME}
snmp-server contact 5x5
!
ntp server 10.xxx.xxx.xxx
ntp server 10.xxx.xxx.xxx
ntp server 10.xxx.xxx.xxx
ntp server 10.xxx.xxx.xxx
!
!
ntp access-group serve 13
ntp access-group peer 14
!
!
!
interface range gig0/1-8
description OFFICE
switchport mode access
switchport voice vlan 10
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input IN-MARKING
!
!
interface range GigabitEthernet0/9-10
description UPLINK
logging event link-status
logging event trunk-status
logging event bundle-status
switchport mode trunk
ip dhcp snooping trust
service-policy output OUT-QUEUEING
!
!
spanning-tree mode pvst
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
banner exec +
################################################################
* Connected to ${esc.d}(hostname).${esc.d}(domain)
* Use of this system constitutes your consent to monitoring.
################################################################
+
banner motd +
|------------------------------------------------------------------------|
| This system is for the use of authorized users only. |
| Individuals using this computer system without authority, |
| or in excess of their authority,are subject to having all |
| of their activities on this system monitored and recorded by |
| system personnel. In the course of monitoring individuals |
| improperly using this system, or in the course of system maintenance, |
| the activities of authorized users may also be monitored. |
| Anyone using this system expressly consents to such monitoring |
| and is advised that if such monitoring reveals possible evidence |
| of criminal activity, system personnel may provide the evidence of |
| such monitoring to law enforcement officials. |
|------------------------------------------------------------------------|
| | SITE: ${LOCATION_ID}
||| ||| LOCATION: ${SNMP_LOCATION_NAME}
||||| |||||| SWITCH TYPE: ${SWITCH_TYPE}
||||||||| ||||||||| NAME: $(hostname)
||||||||||||||||||||||||||| COUNTRY: ${COUNTRY}
C I S C O - S Y S T E M S
+
!
!
! EEM SCRIPT
!
event manager session cli username xxxxxxxx privilege 15
event manager applet POST_PNP
event timer countdown time 90
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 2.0 cli command "aaa authorization config-commands"
action 2.1 cli command "aaa authorization commands 1 default group TACACS-ISE if-authenticated"
action 2.2 cli command "aaa authorization commands 15 default group TACACS-ISE if-authenticated"
action 2.3 cli command "no event manager applet POST_PNP"
action 2.4 cli command "end"
action 2.5 cli command "wr mem"
action 3.0 cli command "end"
!
And I have tried to add this instead:
!
! EEM SCRIPT
!
event manager session cli username xxxxxxxxx privilege 15
event manager applet POST_PNP
event timer countdown time 90
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 2.0 cli command "aaa authorization config-commands"
action 2.1 cli command "aaa authorization commands 1 default group TACACS-ISE if-authenticated"
action 2.2 cli command "aaa authorization commands 15 default group TACACS-ISE if-authenticated"
action 2.3 cli command "aaa authentication login default group TACACS-ISE local"
action 2.4 cli command "aaa authorization exec default group TACACS-ISE local"
action 2.5 cli command "no event manager applet POST_PNP"
action 2.6 cli command "end"
action 2.7 cli command "wr mem"
action 3.0 cli command "end"
And I have removed the commands from lines 2.3 and 2.4 from the rest of the configuration, but I am still hitting the same error.
06-25-2018 11:22 PM
Ok... I think I see the problem!!
I have seen this before. Can you change the EEM timeout to 180 seconds?
You are switching over the management interface. Sometimes it takes longer than 90 seconds to finish the PnP process, and the EEM script is firing too early.
Adam
06-25-2018 11:23 PM
Sure let me try this.
06-25-2018 11:46 PM
Ahh, that fixed the issue here. Thanks for your help, aradford.
06-26-2018 12:13 AM
Excellent. Thanks for your patience and letting me know.
I should have thought of this earlier but did not realize you were switching interface IP addresses.
06-26-2018 12:20 AM
Hehe, point to myself: I just need to paste my configuration in here first. That would have saved some time on this matter.
06-26-2018 06:13 AM
Ahh, I can see that the problem is not solved yet.
It's not using my EEM script; my log tells me this:
Jun 26 2018 13:06:15: %DHCP_SNOOPING-4-NTP_NOT_RUNNING: NTP is not running; reloaded binding lease expiration times are incorrect.
Jun 26 2018 13:06:22: %AAAA-4-NOSERVER: Warning: Server piseadms001.solar.eu is not defined.
Jun 26 2018 13:06:22: %AAAA-4-NOSERVER: Warning: Server piseadms002.solar.eu is not defined.
Jun 26 2018 15:06:27: %PARSER-4-BADCFG: Unexpected end of configuration file.
Jun 26 2018 15:08:14: %DHCP_SNOOPING-4-DHCP_SNOOPING_DATABASE_FLASH_WARNING: Saving DHCP snooping bindings to flash can fill up your device causing the writes of bindings to device, to fail.
Jun 26 2018 15:08:19: %PARSER-4-BADCFG: Unexpected end of configuration file.
My EEM Script is:
!
! EEM SCRIPT
!
event manager session cli username XXXX privilege 15
event manager applet POST_PNP
event timer countdown time 180
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 2.0 cli command "aaa authorization config-commands"
action 2.1 cli command "aaa authorization commands 1 default group TACACS-ISE if-authenticated"
action 2.2 cli command "aaa authorization commands 15 default group TACACS-ISE if-authenticated"
action 2.3 cli command "no event manager applet POST_PNP"
action 2.4 cli command "end"
action 2.5 cli command "wr mem"
action 3.0 cli command "end"
!
Those two commands are not being put into the configuration.
06-26-2018 11:49 AM
You need "end" as the last statement in your configuration file, after the EEM script.
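A check for the two things aradford asks about in the thread (that no "aaa authorization commands" / "config-commands" lines sit in the part of the config that PnP applies itself, and that the file finishes with a bare "end" after the EEM applet), plus the 180-second countdown from the accepted answer. This is an added example, not code from the thread or from Cisco: a small Python linter you could run over a day-0 template before uploading it. The two sample templates inside it are constructed for the demonstration, and the 180 s threshold is taken from the thread, not from any vendor documentation.

```python
"""Lint a Cisco IOS PnP day-0 template for the pitfalls discussed in the thread.

Added example (not the thread's or Cisco's code). Checks:
  1. `aaa authorization commands ...` / `aaa authorization config-commands` must
     not be applied by PnP directly (that is what yields PERMISSION_DENIED);
     they may only appear inside the EEM applet's `action N cli command "..."`.
  2. The applet's countdown must be >= 180 s (value from the thread, assumed).
  3. The file must finish with a bare `end` after the applet, otherwise IOS logs
     %PARSER-4-BADCFG and the applet never lands in the running config.
"""
import re
from dataclasses import dataclass, field

MIN_EEM_COUNTDOWN = 180  # seconds; from the accepted answer, not a vendor constant

AUTHZ_RE = re.compile(r"^\s*aaa authorization (commands|config-commands)\b")
APPLET_RE = re.compile(r"^\s*event manager applet\s+(?P<name>\S+)")
TIMER_RE = re.compile(r"^\s*event timer countdown time\s+(?P<secs>\d+)")
ACTION_CLI_RE = re.compile(r'^\s*action\s+\S+\s+cli\s+command\s+"(?P<cmd>[^"]*)"')


@dataclass
class LintResult:
    errors: list = field(default_factory=list)
    deferred_authz: list = field(default_factory=list)  # authz lines the applet will run

    @property
    def ok(self) -> bool:
        return not self.errors


def lint_pnp_config(text: str) -> LintResult:
    """Walk the template line by line, tracking whether we are inside an applet body."""
    res = LintResult()
    lines = text.splitlines()
    in_applet = saw_applet = False

    for n, line in enumerate(lines, 1):
        if APPLET_RE.match(line):
            in_applet = saw_applet = True
            continue
        stripped = line.strip()
        if in_applet and (stripped.startswith("action ") or stripped.startswith("event ")):
            t = TIMER_RE.match(line)
            if t and int(t.group("secs")) < MIN_EEM_COUNTDOWN:
                res.errors.append(f"line {n}: EEM countdown {t.group('secs')}s < "
                                  f"{MIN_EEM_COUNTDOWN}s; PnP may still be running")
            a = ACTION_CLI_RE.match(line)
            if a and AUTHZ_RE.match(a.group("cmd")):
                res.deferred_authz.append(a.group("cmd").strip())  # fine: runs after PnP
            continue
        in_applet = False  # any other line ends the applet body
        if AUTHZ_RE.match(line):  # authz applied by PnP itself -> PERMISSION_DENIED
            res.errors.append(f"line {n}: '{stripped}' is applied by PnP itself; "
                              "move it into the EEM applet")

    last = next((l.strip() for l in reversed(lines)
                 if l.strip() and not l.strip().startswith("!")), "")
    if last != "end":
        res.errors.append("config must finish with a bare 'end' after the EEM applet")
    if not saw_applet:
        res.errors.append("no 'event manager applet' found; authorization never re-applied")
    return res


# Constructed sample: the shape of the failing template from the thread.
BAD_CONFIG = """\
aaa new-model
aaa authentication login default group TACACS-ISE local
aaa authorization exec default group TACACS-ISE local
aaa authorization commands 15 default group TACACS-ISE if-authenticated
!
event manager applet POST_PNP
 event timer countdown time 90
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 2.0 cli command "aaa authorization config-commands"
 action 2.1 cli command "no event manager applet POST_PNP"
 action 2.2 cli command "end"
 action 2.3 cli command "wr mem"
"""

# Constructed sample: authz only inside the applet, 180 s timer, bare `end` last.
GOOD_CONFIG = """\
aaa new-model
aaa authentication login default group TACACS-ISE local
aaa authorization exec default group TACACS-ISE local
!
event manager session cli username admin privilege 15
event manager applet POST_PNP
 event timer countdown time 180
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 2.0 cli command "aaa authorization config-commands"
 action 2.1 cli command "aaa authorization commands 1 default group TACACS-ISE if-authenticated"
 action 2.2 cli command "aaa authorization commands 15 default group TACACS-ISE if-authenticated"
 action 2.3 cli command "no event manager applet POST_PNP"
 action 2.4 cli command "end"
 action 2.5 cli command "wr mem"
!
end
"""

if __name__ == "__main__":
    for name, cfg in (("BAD_CONFIG", BAD_CONFIG), ("GOOD_CONFIG", GOOD_CONFIG)):
        r = lint_pnp_config(cfg)
        print(name, "OK" if r.ok else "FAIL", r.errors, "deferred:", r.deferred_authz)
```

Run it against your own template instead of the samples; the BAD_CONFIG sample reproduces all three mistakes from the thread at once (authorization pushed by PnP, a 90 s timer, and the file ending inside the applet) and the linter reports each of them separately.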
06-26-2018 11:40 PM
Can you give more info on what you mean here?
So a plain "end" command without the action 3.0 cli command, or?