03-16-2011 04:17 AM
I am investigating LMS 4, and have it configured for device discovery - no issues there, but the configuration archive is not working with any of my Cisco 12xx APs. I get the following error message.
TELNET: Failed to establish TELNET connection to 10.41.4.15 - Cause: Authentication failed on device 3 times. PRIMARY-STARTUP config Fetch Operation failed for TFTP. SSH: Failed to establish SSH connection to 10.41.4.15 - Cause: Authentication failed on device 3 times. Failed to fetch config using RCP.Verify RCP is enabled or not.
Also on my 3750 stack I get the following error.
TELNET: Failed to establish TELNET connection to 10.41.0.179 - Cause: Authentication failed on device 3 times. PRIMARY-STARTUP config Fetch Operation failed for TFTP. Could not detect SSH protocols running on the device Failed to fetch config using RCP.Verify RCP is enabled or not.
Telnet is fine on both, and the accounts are set up in the credentials manager.
What have I missed?
Cheers
03-16-2011 02:48 PM
Is the AP running Autonomous IOS or LWAP/CAPWAP image?
03-17-2011 01:14 AM
The AP is running:
c1240-k9w7-tar.124-10b.JDA3
12.4(10b)JDA3
03-17-2011 02:49 AM
Export these devices from the DCR (device management) to a csv file and see if the credentials match with what you think it is.
LMS is following some retarded internet RFC standard for not displaying credentials.
This is fine of course if a test credentials button would be next to the field with the ********, but it is not.
Cheers,
Michel
03-17-2011 03:14 AM
OK - Getting there, on a 1240 AP the HTTP account is not the same as a telnet account.
So by adding a local user account that is the same as the HTTP account we have some access.
Now need to look at the 3750 stack. The telnet and enable passwords are the same as every other switch on the estate ???
*** Device Details for 10.41.0.179 ***
Protocol ==> Unknown / Not Applicable
Selected Protocols with order ==> Telnet,TFTP,SSH,RCP,HTTPS
Execution Result:
CM0062 Polling 10.41.0.179 for changes to configuration.
CM0065 No change in PRIMARY STARTUP config, config fetch not required
CM0065 No change in PRIMARY RUNNING config, config fetch not required
CM00 Polling not supported on VLAN RUNNING config, defaulting to fetch.
VLAN
CM0151 VLAN RUNNING Config fetch failed for 10.41.0.179 Cause: TELNET: Failed to establish TELNET connection to 10.41.0.179 - Cause: Authentication failed on device 3 times.
VLAN Config fetch is not supported using TFTP.
Could not detect SSH protocols running on the device
VLAN Config fetch is not supported using RCP.
Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.
03-17-2011 05:37 AM
I think you best try to connect to your LMS server via RDP or on the console and try your telnet session from there. Copy PuTTY or another telnet/SSH client onto the server if Windows doesn't have a telnet client.
If telnet works fine from another location and the credentials in LMS are OK, then only an access-list on the device or a router/firewall in between the device and LMS can provoke this behaviour.
Cheers,
Michel
03-17-2011 06:02 AM
I can telnet from the LMS host server without any issue. There is no firewall on the server, and there are no access lists, or VLAN filters on the switch ???
03-17-2011 08:40 AM
If telnet from the server works and an export of the DCR for the device in question shows that LMS has the correct password, then taking a trace would be best to further troubleshoot this.
In CSCOpx\objects\jet\bin\ there is a winpcap.exe
Running this file will give LMS packetcapture ability
This url will take you there: http://
Enter the IP of the device you telnet to and the protocol you want to capture, in this case port 23.
Make sure the capture runs long enough to capture the login attempt.
Best log in once yourself and then run a job that would do the same.
After the capture you can download a .jet file.
If you rename it to .cap you can open it in Wireshark to see what goes wrong.
Since it has your password in it you may NOT want to post this here.
Cheers;
Michel
Message was edited by: Michel Hegeraat
03-17-2011 12:34 PM
Another thing that comes to mind is that the prompts may have been altered from the default
hostname>
and
hostname#
If this is changed, LMS may think it was unable to log in correctly.
Cheers,
Michel
03-19-2011 11:53 PM
You can modify NMSROOT/objects/cmf/data/TacacsPrompts.ini to match the prompts on the device and rerun the job.
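Added illustration of the prompt issue raised in the last two replies (not part of the thread and not LMS code): a simplified model of an expect-style login client, showing why a non-default shell prompt can be reported as an authentication failure even when the password is correct. The prompt patterns, transcripts and function names are assumptions made for this example.

```python
import re

# Simplified, hypothetical model of an expect-style login client.
# It is not LMS code; the prompt patterns below are assumptions.
DEFAULT_PROMPTS = {
    "username": [r"[Uu]sername:\s*$"],
    "password": [r"[Pp]assword:\s*$"],
    "shell":    [r"^[\w.-]+[>#]\s*$"],      # hostname> or hostname#
}

def classify(text, prompts):
    """Return which kind of prompt the last line of text is, or None."""
    stripped = text.strip()
    last = stripped.splitlines()[-1] if stripped else ""
    for kind, patterns in prompts.items():
        if any(re.search(p, last) for p in patterns):
            return kind
    return None

def login_outcome(device_output, prompts=DEFAULT_PROMPTS, max_tries=3):
    """device_output: what the device prints after each client action."""
    failures = 0
    for chunk in device_output:
        kind = classify(chunk, prompts)
        if kind == "shell":
            return "logged in"
        if kind in ("username", "password"):
            continue                        # client answers and reads on
        failures += 1                       # unrecognised text counts as a failed try
        if failures >= max_tries:
            return f"authentication failed {max_tries} times"
    return "timed out"

def with_extra(kind, pattern):
    """Copy of the defaults with one more accepted pattern for `kind`."""
    extended = {k: list(v) for k, v in DEFAULT_PROMPTS.items()}
    extended[kind].append(pattern)
    return extended

# Constructed transcripts (not captured from a real device).
DEFAULT_DEVICE = ["Username: ", "Password: ", "\nsw3750-stack>"]
# Same login, but the shell prompt was changed from hostname> / hostname#.
CUSTOM_SHELL = ["Username: ", "Password: ", "\n[core] sw3750 $ "] * 3

if __name__ == "__main__":
    print(login_outcome(DEFAULT_DEVICE))
    print(login_outcome(CUSTOM_SHELL))
    print(login_outcome(CUSTOM_SHELL, with_extra("shell", r"\$\s*$")))
```

In this model the credentials are accepted every time; only the unrecognised prompt makes the client count three failures, and adding a matching pattern clears it.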