Solved: Re: *** Conflicting device support info for DFM 3.2 *** - Page 3

schm196 · ‎08-26-2010

Hellows... ;-)

The helpful folks at TAC have been trying to troubleshoot one of my last and biggest pending items, which was the perceived inability of DFM to manage the devices on our network. This was a rather puzzling issue, as the other LMS components (CS, CM, RME, etc.) had no apparent issues whatsoever doing everything I asked them to do. After countless hours trying to troubleshoot DFM discovery errors ("questioned" with SNMP timeout despite the fact that all other LMS modules manage the same devices perfectly fine), an alert TAC engineer finally asked whether or not these devices were, in fact actually supported by DFM 3.2 - low and behold, a can of worms opened up!

The best current guess is rather confusing to me: There is a Cisco document out there suggesting that NONE of our devices are among those supported by DFM, while I did find another Cisco document that somewhat contradicts that notion. I’d like to think that this must be confusing (or at least very little known) to TAC as well, since nobody over there considered this a potential culprit for the first almost three weeks of troubleshooting around the globe during countless WebEx sessions. We basically went through everything imaginable (process monitoring with full debugging, complete removal and new installation of DFM only, complete clean-up and re-initialization of all module databases – and in the process tearing down most of my configurations and settings –, to a midnight conference call with developers in India).

The end result appears to be that DFM functionality will not be available to me – please confirm. What are the alternatives? Any rhyme or reason to Cisco not supporting these device types? Any plans to ever do so?

I run a variety of devices on my network, most of them being 3560G, 3560E and 6504E switches, pretty much bread-and-butter variety of basic Cisco devices. Why on earth would there even be a question that these are or are not supported by all LMS modules?

Argument AGAINST support in DFM 3.2:

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/3.2/device_support/table/lms32sdt.html#3.2table

Argument IN FAVOR of support in DFM 3.2:

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_device_fault_manager/3.2/device_support/table/dfm3_2os.html

According to that list, our 6504E with IOS is fully supported by DFM 3.2 with LMS 3.2, and so are the 3560G and 2950 series switches, the 2500 series router. However, the 3560E series switches are not listed as supported.

Are we seeing ghosts here or have other people had device support issues with DFM?

Thanks,

Matthias

schm196 · ‎09-14-2010

Hi Joseph -

Thanks for spending time trying to solve our issues. Even though we didn't find out what exactly was wrong and how to solve the problem by fixing it, TAC seems to agree with you - their course of action at this time is to completely rebuild our LMS server.

Best regards,

Matthias

jackson.ku · ‎10-25-2010

Hi,

I seems face the same problem with you, Can you please mention me how you resolve this problem?

Best Regards,

Jackson Ku

schm196 · ‎10-25-2010

There appears to be a documentation problem for LMS 3.2 - it all came down to undocumented ports not being open in the Windows firewall.

The DFM engine seems to be performing its own connectivity testing during the discovery process. It is expecting simple ICMP return packets, and while the LMS installation routine added dozens of ports to the Windows firewall configuration it did not add ports required for this type of traffic. If you completely disable the Windows firewall (not an option for us) then the discovery works fine.

Took Cisco TAC two months to figure this out.

Joe Clarke · ‎10-25-2010

Thanks for following up back to the community. I was helping your engineer identify the root cause here. Yes, ICMP was not being allowed back into the server. DFM requires ICMP connectivity between itself and the management IP of each device before it will manage the device.

jackson.ku · ‎10-25-2010

Hi,

I tried to disable windows firewall, it works... Before disable firewall, I add firewall inbound / outbound rule to allow snmp & snmp trap ( udp port 161, 162 ), but it did not work. Can you please tell me how to add inbound / outbound rule to allow the DFM work?

Best Regards,

Jackson Ku

Joe Clarke · ‎10-25-2010

You need to allow IPv4 ICMP (i.e. ping traffic) on the inbound path. That is, enable inbound ICMP echo replies.

jackson.ku · ‎10-25-2010

Hi,

The ping between ciscoworks server and network device is ok, the windows firewall outbound rule is allow all, and I have allow udp port 161 & 162 in inbound rule. but I still fail to import. I installed WireShark at Ciscoworks server, I can see several icmp request / reply packets, but I can not see the following snmp query packets send from ciscoworks server. ( if disable windows firewall, I can see snmp query packets send from ciscoworks server, and import is success )

Best Regards,

Jackson Ku

Joe Clarke · ‎10-25-2010

You must add an explicit rule allowing in ICMP. Windows ping will work, but DFM will not until you add this rule.

jackson.ku · ‎10-26-2010

Hi Joseph,

Thanks for your help. The DFM work fine.

Best Regards,

Jackson Ku