04-30-2012 04:29 AM
Hi forum,
I am testing the CP LMS 4 OVA software Appliance.
I started with 4.1 and just upgraded to 4.2.
Already in CP LMS 4.1 I saw problems with my devices in regards to LMS datacollection and when it does datacollection suddenly it fails for some SNMP packets resulting in the device promptly sending a TRAP back to my LMS with authentication failed !
I have dug into that and find that the LMS from time to time adds these values to the SNMP password/Communityname:
(Verified with Tools - packet capture, for evidence!)
@1
@10
@500
and, I guess, any variations of that ...
so that the captured SNMP community is f.ex. public@500
this then is wrong and the device traps the authn failed, which is the ncorrect behavior ...
why does LMS do this, and what can be done to stop this behavior ?
04-30-2012 04:39 AM
This is correct behaviour. BRIDGE-MIB is polled to get the cam-table or mac-address table data from devices. This information can only be collected on a per-Vlan basis and hence LMS adds
So if your device has Vlan 1, 10, 50 etc., to get the mac address details it will poll each vlan like :
public@1
public@10
public@50 etc.
This is known as Community String Indexing. The error you see may appear if you have some Vlan ID still showing in snmp and not in show vlan and ciscoworks is polling that vlan as well.
Try to generate Vlan report for device and cross check if all the vlans are as per device. The extra one may come in suspended state.
-Thanks
Vinod
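Added example (not part of the original thread and not LMS code): a small triage routine that sorts the community strings behind authentication-failure traps into indexed polls for VLANs the device lists, indexed polls for VLANs it does not list, and strings not derived from the configured community. The poller address, device name, VLAN set and events are constructed sample data.

```python
import re
from collections import defaultdict

# "community@vlan" as used for per-VLAN BRIDGE-MIB polling
INDEXED = re.compile(r"^(?P<base>.+)@(?P<vlan>\d{1,4})$")

def classify(community, base, device_vlans):
    """Explain one community string that a device rejected."""
    if community == base:
        return "base-rejected"          # plain string refused: ACL or config drift
    m = INDEXED.match(community)
    if not m or m.group("base") != base:
        return "unknown-community"      # not derived from our string: investigate
    vlan = int(m.group("vlan"))
    if not 1 <= vlan <= 4094:
        return "unknown-community"      # suffix is not a valid VLAN ID
    # Known VLAN: the device does not answer indexed polls for it.
    # Stale VLAN: the poller still holds a VLAN the device no longer lists.
    return "indexed-known-vlan" if vlan in device_vlans else "indexed-stale-vlan"

def triage(events, base, vlans_by_device, pollers):
    """events: (source_ip, device, community) taken from rejected requests."""
    report = defaultdict(lambda: defaultdict(list))
    for src, device, community in events:
        if src not in pollers:
            kind = "foreign-source"     # even a valid-looking string is suspect
        else:
            kind = classify(community, base, vlans_by_device.get(device, set()))
        report[device][kind].append((src, community))
    return {dev: dict(kinds) for dev, kinds in report.items()}

# Constructed sample data (documentation addresses, hypothetical device name)
POLLERS = {"192.0.2.10"}                 # the management station
VLANS = {"ru-01": {1, 10, 50}}           # VLANs the device itself reports
EVENTS = [
    ("192.0.2.10", "ru-01", "public@1"),
    ("192.0.2.10", "ru-01", "public@10"),
    ("192.0.2.10", "ru-01", "public@500"),
    ("192.0.2.10", "ru-01", "private"),
    ("198.51.100.7", "ru-01", "public@1"),
]

if __name__ == "__main__":
    for device, kinds in triage(EVENTS, "public", VLANS, POLLERS).items():
        for kind, hits in sorted(kinds.items()):
            print(device, kind, hits)
```

Only the "unknown-community" and "foreign-source" buckets point at something other than the management station's own per-VLAN polling.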
04-30-2012 05:05 AM
oh my !
my gray hairs are starting to show ...
I'll bet these 2800 routers with switchmodules do not support these MIBs as indexed ...
I get new gray hairs ...
why didn't LMS3.2 do the same ?
I run a LMS3.2 as well, and I don't see authen fail here ...
could it be that CP LMS4.2 has a bug that when it comes to these modules it shouldn't use indexing ?
how can I verify ??
in the router under test - I have the VLANs in the router, i.e. vlan 1, 10 and 500
so it makes good sense the LMS see this, but when the use of index community is used it is clearly not understood by router, as it promptly responds with authen-fail trap !
04-30-2012 05:33 AM
do you know which element in LMS that's using the indexed method ?
like UserTracking would be my guess ?
I was told, and can verify that, the UT is not supported on ISR G1 routers with eth HWIC switch modules ...
04-30-2012 05:58 AM
I have seen this issue in LMS 3.2 as well. This is not from LMS side. What happens is, if any of the vlan is configured and then removed, it may still have its entry when LMS gets vlan information via SNMP.
There is a known old bug for this # CSCsl58740. For now on your LMS try this, to prevent user tracking from querying suspended vlans, change the property value for UTGetSuspendedVlans from 1 to 0 in the ut.properties file from NMSROOT\CSCOpx\campus\etc\cwsi.
UTGetSuspendedVlans=0
Restart the daemon manager after that and run full DC and UT. Apart from User Tracking Ciscoworks doesn't need BRIDGE-MIB to be polled and none of the module uses Community String indexing.
-Thanks
Vinod
05-01-2012 01:36 AM
awesome answers !
thank you very much for your time and efforts - i really appreciate this.
I understand what you are telling me, but I think still there is a bug in regards to c2801/1841 routers support and the eth modules in the HWIC.
Let me try to explain.
1. endhosts directly connected to a c2801 in a HWIC-D-9ESW module can not be tracked in UT
2. public@1 returns authen fail trap and vlan 1 is up and running.
as per your fine posts in this thread I now understand that the indexed SNMP strings are "common".
even though, the exact same router that is managed by both LMS32 and CP LMS 4.2 behaves differently, i.e. the LMS3.2 does not give traps, hence does not use SNMP indexed strings.
LMS4.2 does
and this is on all the same routers (I manage a lot of them, so it is not just one actually)
In LMS4.2 I tried today to disable Topology, layer-2 and UT management, and the traps stop.
So - again - you are spot on, with your correct answers, ie it is UT that causes these traps.
I think these ISR-G1 routers are - still - not supported for UT.
Can you collaborate that ?
05-01-2012 01:50 AM
in regards to your fix:
I run OVA virtual appliance
I can not find the setting ?
I can locate the file in /opt/CSCOpx/campus/etc/cws - but the file does not contain the entry UTGetSuspendedVlans
Should I simply add the entry or is it located in some other file for an OVA ?
05-09-2012 01:28 AM
I run OVA virtual appliance
I can not find the setting ?
I can locate the file in /opt/CSCOpx/campus/etc/cws - but the file does not contain the entry UTGetSuspendedVlans
Should I simply add the entry or is it located in some other file for an OVA ?
would you please care to comment ?
05-09-2012 12:57 PM
Apologies for delay. I was busy with personal issues. If this is not in Ut.properties you can simply add it somewhere near
UTGetVlansOnDownPorts=0
UTGetSuspendedVlans=0
Make both the entries similar like above. Also, please configure similarly on aniserver.properties.
Also, User Tracking is supported in 2800 routers with the modules cevHwic4fe, cevHwic9fes,cevHwic4fes, cevHwic1fe, cevHwic2fe, cevHwic4fesC, cevHwic9fesC, cevEhwic4esg, cevEhwicD8esg, cevEhwicD8esgP, cevEhwic4esgP, cevHwic4ilp, cevHwic9ilp, cevC180x8ilp, cevHwic9ilpc
User Tracking is supported in 1800 series routers with the modules cevHwic4fe, cevHwic9fes,cevHwic4fes, cevHwic1fe, cevHwic2fe, cevHwic4fesC, cevHwic9fesC, cevEhwic4esg, cevEhwicD8esg, cevEhwicD8esgP, cevEhwic4esgP, cevHwic4ilp, cevHwic9ilp, cevC180x8ilp, cevHwic9ilpc.
Please share the Vlan report from LMS for the affected device and output of show vlan from device too.
-Thanks
05-21-2012 07:22 AM
Hi again,
I have been away for testing, and here are the results.
I run C2801 with IOS12.4.17, also I tried latest 12.4.25f with same result.
I still get Auth failed traps from LMS !
Even with router with only vlan1 active and configured.
show vlan-sw and VLAN report show the same:
ru-01#sho vlan-sw
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3/1, Fa0/3/2, Fa0/3/3, Fa0/3/4, Fa0/3/5, Fa0/3/6, Fa0/3/7, Fa0/3/8
10   VOICE                            active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
10   enet  100010     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
******************
Technology Report
VLAN Report generated on 21 May 2012, 14:01:43 CEST
Device IP:SNIP Device Name: ru-01 Domain:SNIP Device Type:2801
VLAN ID  VLAN Name           Status       VLAN Type  Associated Primary VLAN  MTU Size  Media Type
1        default             Operational  Normal     N/A                      1500      ethernet
10       VOICE               Operational  Normal     N/A                      1500      ethernet
1002     fddi-default        Operational  Normal     N/A                      1500      fddi
1003     token-ring-default  Operational  Normal     N/A                      1500      tokenRing
1004     fddinet-default     Operational  Normal     N/A                      1500      fddiNet
1005     trnet-default       Operational  Normal     N/A                      1500      trNet
Also I can not track users that connect into the HWIC directly. If they are in a switch, connected, I have no problem.
I run with the two extra settings in both files you mentioned and restarted LMS appliance.
doesn't change a thing in behavior.
any thoughts are greatly appreciated.
regards
Martin
05-29-2012 12:57 AM
Any comments, Vinod ?
06-06-2012 11:45 AM
Hmm
Looks like a TAC case. ...
Sent from Cisco Technical Support iPad App