
NCM Detect Network Devices fails, but New Device wizard works?

cisco4lct
Level 1

Hi - I'm demoing the NCM and trying to add devices using the Detect Network Devices feature to add many devices.  It says success, but it marks the devices as Non Active Nodes and they don't show up anywhere in NCM (that I can see).

When I use the add New Device wizard to add a single device, it works fine though.  Anyone have any suggestions to get the Detect Network Devices working?  I'll be back in the office at 8am pacific time if you have any suggestions.  Thanks,

Larry


Jason Davis
Cisco Employee

It's possible that your credentials are wrong when you're setting up your Detect Network Devices task.  NCM is seeing the device as active because it can ping it, but when it tries to manage it, the SNMP and/or telnet/SSH credentials are wrong, therefore it can't make it 'active' or managed.

When setting up Detect Network Devices are you using Network-wide password rules or Task specific?

Same question for your set up on New Device Wizard.

If everything seems in sync and you're still having problems, do the Detect Network Devices task one more time, with the following options:

Task Logging

--  Check "Store log output generated by this task"

--  Select: device/access/authentication;  device/access/authenticationrules;  device/session;

That may be enough for TAC to help - they may ask for a few more task logging types if the problem is really obscure...

Thanks JA,  I gave that a try.  Where do I view the logs?

Task history only gives the following output:

Sep-20-10 09:40:35 admin

The following task was started:

5791: Task Name: Detect Network Devices
Added by: admin (NCM_admin)
Start Date: As Soon As Possible
Repeat type: Non-recurring
Status: Running
Comments:

Sep-20-10 09:40:37 admin

The following task completed:

5791: Task Name: Detect Network Devices
Added by: admin (NCM_admin)
Start Date: As Soon As Possible
Repeat type: Non-recurring
Status: Succeeded
Comments:

JA -  I believe the logging is supposed to be displayed in the Additional Information field.  However, even after selecting all the logging options you suggested, the Detect Network Devices task only gives me this output in the Additional Information field.

Additional Information
Result Details
Details: Task Completed
Active nodes: 0
Non-active nodes: 1
  132.1.108.80
Unrecognized hosts: 0
Existing devices: 0
Total: 1


However, when I ran the New Device wizard, I see Additional Information that I may be able to use to figure out why the Detect Network Devices task is not working.  New Device wizard appears to have been able to connect via SSH and then use an Expect script to gather enough information to add the device.

Larry

There is some amount of logging that comes back in a completed job.  There's more if the task supports 'Store Complete Session Log'.  The Snapshot task does - you can check that out with the 'Store Complete Session Log' option enabled so you can see the final results.

Neither Detect Network Devices, nor New Device Wizard support that option.  The Task Logging that all these tasks support is separate.  The logs there typically go into /opt/CWNCM/server/log/jboss_wrapper.

An easier way to get the 'interesting' logs is to set up your Task Logging options, execute the task to capture the necessary info...  Then go to Admin -> Troubleshooting -> Send Troubleshooting Information or Download Troubleshooting Information.

You can have it email the troubleshooting info to you instead of TAC.  Then you don't have to dive around the server CLI looking for stuff.

Of course when you get to this level of troubleshooting you may require TAC assistance to interpret the logs - that's what they are there for! 

-Jason Davis

Thanks JA, I was able to figure out that the issue is SNMP authentication.  So far I'm able to Detect Network Devices if I add an SNMPv1 community string with RW permissions to a switch.  However, we are using SNMPv3 with AES encryption on our test.  I don't see any way to configure the encryption algorithm in NCM.  (Like I can with LMS).  Do you know if there's a way to configure it, or does the SNMP manager attempt to negotiate that?  I'm going to try changing the encryption settings on a switch to see if that helps, but I may end up putting in a ticket with TAC because I need this to work with AES.

Thanks,
Larry

You can set the different encryption (priv) levels for SNMPv3 when editing a device.  If you look down in the Connection Settings you'll see this

Your problem is that you need the Encryption models to show up in the Device Password Rules, which Detect Network Devices would use.  It's not there.  You can do SNMPv3, but only DES encryption at that point...

So I see a couple options.  First we need to realize that SNMP is only used in NCM for initial device discovery to get sysObjectID.  The rest of the usage is mostly CLI (SSH/telnet) based commands like 'copy running-config tftp', etc.  You COULD fall all the way back down to SNMP-initiated TFTP, but that's a last chance option.

So options are:

1) Enable SNMPv1/2c READ-ONLY on the device for discovery.  You could put an ACL on the SNMP community and/or an SNMP view to restrict access to MIB-2 only objects.

2) Enable SNMPv3 with DES for a single user - that would be a 'discovery user'.

3) Forgo discovery and use Device Import.  Maybe you have a gold list of devices from another product and you can get by running discovery.
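Options 1 and 2 from the reply above, sketched as Cisco IOS configuration. This is an added example, not part of the original posts; the ACL, view, group and user names, the 192.0.2.10 address standing in for the NCM server, and the bracketed secrets are all placeholders.

```cisco
! Constructed example: names, address and secrets are placeholders.

! Only the NCM server may query SNMP; log anything else that tries.
ip access-list standard NCM-SNMP-RO
 permit host 192.0.2.10
 deny   any log

! View limited to MIB-2. sysObjectID (1.3.6.1.2.1.1.2) lives in the
! system group under mib-2, which is all discovery needs per the thread.
snmp-server view NCM-DISCOVERY mib-2 included

! Option 1: SNMPv1/2c read-only community, bound to the view and the ACL.
! No RW community is required for discovery.
snmp-server community <discovery-community> view NCM-DISCOVERY RO NCM-SNMP-RO

! Option 2: dedicated SNMPv3 'discovery user' with DES privacy.
! The group has read access to the restricted view only (no write view)
! and is bound to the same ACL, so the DES-protected account exposes
! nothing beyond MIB-2 to the NCM server.
snmp-server group NCM-DISC v3 priv read NCM-DISCOVERY access NCM-SNMP-RO
snmp-server user ncm-discovery NCM-DISC v3 auth sha <auth-passphrase> priv des <priv-passphrase>

! Existing SNMPv3 users that use AES for other management tools can stay
! as they are; the discovery user is a separate account.
```

Use either option 1 or option 2, not both. `show snmp user`, `show snmp group` and `show snmp view` confirm what was applied.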

Thanks JA!

   I'm using the Device Task "Import" with the provided device.csv template.

  All that seems necessary to import the devices is an IP address in the primaryIPAdress field, and it's working.

  Sounds like I don't need to set the SNMPv3 priv encryption if that's only used for discovery.  I noticed that there is a Device Template that can be used to set SNMPv3 encryption after the device has already been discovered.  Seems a little bit backwards to me, but at least we have a bulk import solution.

Thanks for all your time and help with this!

Larry
