11-20-2009 02:54 AM
Hi,
I have a problem when archiving configurations from my campus devices (routers/switches/firewalls) using LMS.
I keep getting this error message (for all devices):
1. 172.27.1.1 PRIMARY STARTUP Nov 22 2007 12:30:05 TELNET: Failed to establish TELNET connection to 172.27.1.1 - Cause: Authentication failed on device 3 times. PRIMARY-STARTUP config Fetch Operation failed for TFTP.
I am using LMS 3.2. All devices are reachable and already in DFM (RME) repository.
I have set up all devices with correct snmp community, (using ver. 2). I have set up default credentials and I also configured devices with proper usernames and passwords. I enabled telnet on vty lines 0 - 15.
My question is simple - how come LMS cannot log in to the router/switch and archive the running/startup configuration? From the command line (CMD) on my PC I am able to log in to the switch/router with the username and password I have configured and I certainly can download the configuration via TFTP.
What is preventing LMS from logging in to devices? Is there something I should know? :-)
Thank you for your help in advance!
11-20-2009 05:25 AM
The error does point to an authentication problem, and it is usually correct, but there have been issues where some other device interaction problem led to the same error. If you are using telnet, start a sniffer trace capturing on all tcp/23 traffic between the RME server and the device, then perform a new Sync Archive operation. Be sure to check the "Fetch startup" box. The resulting trace should clearly illustrate why the archive is failing.
11-20-2009 07:03 AM
jclarke,
I tried tracking traffic from LMS server (172.29.25.45) to target device - switch (172.27.1.1).
I forced "archive synchronization". The traffic was flowing in-between nicely, but there are some errors.
172.27.1.1 ----> 172.29.25.45 (LMS)
Switch prompts for "Username:"
172.29.25.45 (LMS) ----> 172.27.1.1
RMS responds, but packet seems to be "damaged"
Header checksum: 0x0000 [incorrect, should be 0x21d4]
It seems to be bad checksum.
What does that mean exactly? This seems serious, but I don't have much experience troubleshooting with wireshark.
Also, can you be more specific about: "The error does point to an authentication problem, and it is usually correct, but there have been issues where some other device interaction problem led to the same error."?
11-20-2009 08:57 AM
No, the wireshark error is a false positive. If you post the actual binary sniffer trace, I can analyze it. It really sounds like the DCR credentials are not correctly specified for this device, though. It sounds like you may not have a username configured in DCR.
In my statement, I meant there have been some issues where RME's interaction with the device was problematic, and RME thought there was an error in authentication.
11-20-2009 10:57 AM
jclarke,
I am pretty sure that I have correctly set usernames and passwords (default credentials). I have checked these settings three times.
But nevertheless maybe there is some other trick I don't know, so please can you briefly (in a few steps) describe how to configure credentials (just to be sure that I have done everything correctly - you know, you can never be too sure).
:-)
p.s. I am using Cat2960 and 3750 switches and ASA5520, if that helps in any way.
Thank you for your help and effort!
11-20-2009 11:07 AM
Go to Common Services > Device and Credentials > Device Management. Select the device in question from the tree, then click the Edit Credentials button. Fill in the appropriate username and password in the associated fields. Then click Finish. You should not get an error.
As I said, if you post the binary sniffer file, I can analyze it for you.
11-23-2009 01:20 AM
jclarke,
I have done exactly the same as you mentioned.
Do I have to restart some services in LMS in order to use the new credentials, or does it refresh automatically?
p.s. which format (for the trace file) do you need, is .pcap ok?
edit: I've uploaded trace file (when LMS is talking to devices) I hope it's relevant.
11-23-2009 07:40 AM
PCAP format is fine, but the file is still being queued for upload, and I cannot yet see it.
11-23-2009 10:55 AM
According to this, DCR does not have a valid username for this device. If you can, export the current DCR credentials for this device under Common Services > Device and Credentials > Device Management, and post the export. If you do not want to share this data, open a TAC service request, and they can analyze the export to identify the root cause.
11-26-2009 04:46 AM
jclarke,
I have exported default credentials into a file as you said. Here is what it contains:
===================================================================================
; This file is generated by DCR Export utility
Cisco Systems NM Data import, Source=DCR Export; Type=DCRCSV; Version=3.0
;
;Start of section 0 - Basic Credentials
;
;HEADER: management_ip_address,host_name,domain_name,device_identity,display_name,sysObjectID,dcr_device_type,mdf_type,snmp_v2_ro_comm_string,snmp_v2_rw_comm_string,snmp_v3_user_id,snmp_v3_password,snmp_v3_auth_algorithm,snmp_v3_priv_password,snmp_v3_priv_algorithm,snmp_v3_engine_id,rxboot_mode_username,rxboot_mode_password,primary_username,primary_password,primary_enable_password,http_username,http_password,http_mode,http_port,https_port,cert_common_name,secondary_username,secondary_password,secondary_enable_password,secondary_http_username,secondary_http_password
;
172.27.1.1,172.27.1.1,,,172.27.1.1,1.3.6.1.4.1.9.1.516,0,999990243,seng_lms,,,,,,,,,,,,testlab,,,,,,,,,,,
;
;Start of section 1 - AUS proxy
;
;HEADER: management_ip_address,host_name,domain_name,device_identity,display_name,aus_username,aus_password,aus_url,aus_port
;
172.27.1.1,172.27.1.1,,,172.27.1.1,,,,
;End of CSV file
===================================================================================
Username and password seem OK to me.
Any idea?
11-26-2009 09:03 AM
You have set this device to be AUS-managed which is incorrect. Edit the DCR credentials again, and remove the auto-update server credentials. You should only have values populated under Primary Credential and possibly Secondary Credential. You may need to delete and re-add this device to get things to work correctly. Again, do NOT put anything under Auto Update Credential.
11-26-2009 01:36 PM
jclarke,
I went under "server setup - default credentials sets" and I chose my default credentials (named 1) - all fields are blank under "Auto update server managed device credentials". I can even post a screenshot here.
But then I went back and created a new "default credentials set" (named 2), removed all devices from DFM and added them back. Config archiving is now working...
Hmmm, I don't know what went wrong with the first credentials. I've set the new credential (named 2) exactly the same as the old one (named 1).
Anyway thanks for your help and effort!
p.s.: I see you have a lot of experience with LMS so I will post some more questions for you on this forum :-)
02-29-2012 03:39 AM
Hi Joseph/Matej,
I am facing a similar problem. For your information: I am using LMS 4.1.
But I tried whatever Matej told last. Delete all the credential set. Assign new policy. Then try for new Synch. But in vain. I also auto update, didn't put anything over there.
Can you guys help me out?
Thanks in advance
Regards
Russell
02-29-2012 02:23 PM
Russell, there was a lot more involved in determining the root cause of this issue. I recommend you start a new thread and include the sniffer trace of the config archive session as was done here.