
LMS - Config archive; Failed to establish TELNET session; correct credentials

Matej G
Level 1

Hi,

I have a problem when archiving configurations from my campus devices (routers/switches/firewalls) using LMS.

I keep getting this error message (for all devices):

1.           172.27.1.1 PRIMARY           STARTUP           Nov 22 2007 12:30:05           TELNET: Failed to establish TELNET connection to 172.27.1.1 - Cause: Authentication failed on device 3 times.   PRIMARY-STARTUP config Fetch Operation failed for TFTP.

I am using LMS 3.2. All devices are reachable and already in DFM (RME) repository.

I have set up all devices with correct snmp community, (using ver. 2). I have set up default credentials and I also configured devices with proper usernames and passwords. I enabled telnet on vty lines 0 - 15.

My question is simple - how come LMS cannot log in to the router/switch and archive the running/startup configuration? From the command line (CMD) on my PC I am able to log in to the switch/router with the username and password I have configured, and I certainly can download the configuration via TFTP.

What is preventing LMS from logging in to the devices? Is there something I should know? :-)

Thank you for your help in advance!

1 Accepted Solution


You have set this device to be AUS-managed, which is incorrect.  Edit the DCR credentials again, and remove the auto-update server credentials.  You should only have values populated under Primary Credential and possibly Secondary Credential.  You may need to delete and re-add this device to get things to work correctly.  Again, do NOT put anything under Auto Update Credential.


14 Replies

Joe Clarke
Cisco Employee

The error does point to an authentication problem, and it is usually correct, but there have been issues where some other device interaction problem led to the same error.  If you are using telnet, start a sniffer trace capturing on all tcp/23 traffic between the RME server and the device, then perform a new Sync Archive operation.  Be sure to check the "Fetch startup" box.  The resulting trace should clearly illustrate why the archive is failing.

jclarke,

I tried tracking traffic from LMS server (172.29.25.45) to target device - switch (172.27.1.1).

I forced "archive synchronization". The traffic was flowing in-between nicely, but there are some errors.

172.27.1.1 ----> 172.29.25.45 (LMS)

Switch prompts for "Username:"

172.29.25.45 (LMS) ----> 172.27.1.1

RMS responds, but packet seems to be "damaged"

Header checksum: 0x0000 [incorrect, should be 0x21d4]

It seems to be bad checksum.

What does that mean exactly? This seems serious, but I don't have much experience troubleshooting with Wireshark.

Also, can you be more specific about: "The error does point to an authentication problem, and it is usually correct, but there have been issues where some other device interaction problem led to the same error."

?

No, the wireshark error is a false positive.  If you post the actual binary sniffer trace, I can analyze it.  It really sounds like the DCR credentials are not correctly specified for this device, though.  It sounds like you may not have a username configured in DCR.

In my statement, I meant there have been some issues where RME's interaction with the device was problematic, and RME thought  there was an error in authentication.

jclarke,

I am pretty sure that I have correctly set usernames and passwords (default credentials). I have checked these settings three times.

But nevertheless, maybe there is some other trick I don't know, so please can you briefly (in a few steps) describe how to configure credentials (just to be sure that I have done everything correctly - you know, you can never be too sure).

:-)

p.s. I am using Cat2960 and 3750 switches and ASA5520, if that helps in any way.

Thank you for your help and effort!

Go to Common Servers > Device and Credentials > Device Management.  Select the device in question from the tree, then click the Edit Credentials button.  Fill in the appropriate username and password in the associated fields.  Then click Finish.  You should not get an error.

As I said, if you post the binary sniffer file, I can analyze it for you.

jclarke,

I have done exactly the same as you mentioned.

Do I have to restart some services in LMS in order to use the new credentials, or does it refresh automatically?

p.s. which format (for the trace file) do you need, is .pcap ok?

edit: I've uploaded trace file (when LMS is talking to devices) I hope it's relevant.

PCAP format is fine, but the file is still being queued for upload, and I cannot yet see it.

According to this, DCR does not have a valid username for this device.  If you can, export the current DCR credentials for this device under Common Services > Device and Credentials > Device Management, and post the export.  If you do not want to share this data, open a TAC service request, and they can analyze the export to identify the root cause.

jclarke,

I have exported default credentials into a file as you said. Here is what it contains:

===================================================================================

; This file is generated by DCR Export utility
Cisco Systems NM Data import, Source=DCR Export; Type=DCRCSV; Version=3.0

;
;Start of section 0 - Basic Credentials
;
;HEADER: management_ip_address,host_name,domain_name,device_identity,display_name,sysObjectID,dcr_device_type,mdf_type,snmp_v2_ro_comm_string,snmp_v2_rw_comm_string,snmp_v3_user_id,snmp_v3_password,snmp_v3_auth_algorithm,snmp_v3_priv_password,snmp_v3_priv_algorithm,snmp_v3_engine_id,rxboot_mode_username,rxboot_mode_password,primary_username,primary_password,primary_enable_password,http_username,http_password,http_mode,http_port,https_port,cert_common_name,secondary_username,secondary_password,secondary_enable_password,secondary_http_username,secondary_http_password
;
172.27.1.1,172.27.1.1,,,172.27.1.1,1.3.6.1.4.1.9.1.516,0,999990243,seng_lms,,,,,,,,,,,,testlab,,,,,,,,,,,


;
;Start of section 1 - AUS proxy
;
;HEADER: management_ip_address,host_name,domain_name,device_identity,display_name,aus_username,aus_password,aus_url,aus_port
;
172.27.1.1,172.27.1.1,,,172.27.1.1,,,,

;End of CSV file

===================================================================================

Username and password seem ok to me.

Any idea?

You have set this device to be AUS-managed, which is incorrect.  Edit the DCR credentials again, and remove the auto-update server credentials.  You should only have values populated under Primary Credential and possibly Secondary Credential.  You may need to delete and re-add this device to get things to work correctly.  Again, do NOT put anything under Auto Update Credential.
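Added example, not part of the original thread: a small Python check over a DCR CSV export in the layout posted above, which maps each value to its `;HEADER:` column and reports empty primary credentials and populated AUS fields. The sample export is constructed (shortened header, placeholder values), and the `parse_dcr_export` and `audit` names are hypothetical.

```python
import csv

# Constructed sample in the DCRCSV layout shown in the export above
# (header shortened; all values are placeholders, not taken from the thread).
SAMPLE_EXPORT = """\
; This file is generated by DCR Export utility
Cisco Systems NM Data import, Source=DCR Export; Type=DCRCSV; Version=3.0
;Start of section 0 - Basic Credentials
;HEADER: management_ip_address,host_name,primary_username,primary_password,primary_enable_password
192.0.2.10,sw-a,,,EXAMPLE-ENABLE
192.0.2.11,sw-b,EXAMPLE-USER,EXAMPLE-PASS,EXAMPLE-ENABLE
;Start of section 1 - AUS proxy
;HEADER: management_ip_address,host_name,aus_username,aus_password,aus_url,aus_port
192.0.2.10,sw-a,,,,
192.0.2.11,sw-b,EXAMPLE-AUS,,,
;End of CSV file
"""

def parse_dcr_export(text):
    """Return {section_name: [row_dict, ...]}, pairing values with ;HEADER: names."""
    sections, section, header = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";Start of section"):
            section = line.split(" - ", 1)[1]
            sections[section] = []
        elif line.startswith(";HEADER:"):
            header = line[len(";HEADER:"):].strip().split(",")
        elif line and not line.startswith(";") and section and header:
            values = next(csv.reader([line]))
            if len(values) == len(header):  # ignore rows that do not match the header
                sections[section].append(dict(zip(header, values)))
    return sections

def audit(sections):
    """List (device, problem) pairs: empty primary login fields, populated AUS fields."""
    findings = []
    for row in sections.get("Basic Credentials", []):
        for field in ("primary_username", "primary_password"):
            if not row.get(field):
                findings.append((row["management_ip_address"], f"{field} is empty"))
    for row in sections.get("AUS proxy", []):
        filled = [k for k, v in row.items() if k.startswith("aus_") and v]
        if filled:
            findings.append((row["management_ip_address"], "AUS fields set: " + ",".join(filled)))
    return findings
```

Counting columns by position this way avoids misreading a long run of empty fields, where a value can sit one column away from where it appears to be.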

jclarke,

I went under "server setup - default credentials sets" and I chose my default credentials (named 1) - all fields are blank under "Auto update server managed device credentials". I can even post a screenshot here.

But then I went back and created a new "default credentials set" (named 2), removed all devices from DFM and added them back. Config archiving is now working...

Hmmm, I don't know what went wrong with the first credentials. I've set the new credential (named 2) exactly the same as the old one (named 1).

Anyway thanks for your help and effort!

p.s.: I see you have a lot of experience with LMS so I will post some more questions for you on this forum :-)

Hi Joseph/Matej,

I am facing a similar problem. For your information: I am using LMS 4.1.

But I tried whatever Matej told last. Delete all the credential set. Assign new policy. Then try for new Synch. But in vain. I also auto update, didn't put anything over there.

Can you guys help me out..

Thanks in advance

Regards

Russell

Russell, there was a lot more involved in determining the root cause of this issue.  I recommend you start a new thread and include the sniffer trace of the config archive session as was done here.

Hi

I have attached the packet capture file for your convenience.

Regards

Md. Ifthekharul Alam – Russell

On Thu, Mar 1, 2012 at 4:23 AM, jclarke <
