3500 Views | 0 Helpful | 21 Replies

Port-Security Email Notifications LMS 4.0?

jsconners72
Level 1

I have been reading as much as I can get my hands on regarding setup of LMS 4.0 to get SNMP traps or syslog messages to my LAN admins via email... I am still stumped!

All I want is a clear email notification that device X Port XX was tripped.

I'm confused about just how LMS handles SNMP traps or syslog messages sent from a client switch (for instance a 2960/48 running 12.2(25)SED).

Here is what I have done on the switch based on Cisco LMS documentation found here:

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.0/user/guide/admin/useNotif.html#wp1073644

I set up port security successfully on a test switch and confirmed it works. At first I just put "snmp-server enable traps" and this populated my switch config with all of the default traps, which was not what I was after, but I configured the email notification on the LMS server and successfully generated 2 cryptic trap messages from the switch which apparently had nothing to do with port-security directly... but at least it proved that the switch was sending traps to the server and the server was sending emails to me. I then tried to tune it to only send port-security traps using the below commands (IP address obscured):

snmp-server enable traps port-security
snmp-server community ****** RW
snmp-server community ****** RO
snmp-server host X.X.X.X ******

I researched the "port-security" part of this snmp-server command and saw some discussion that it had been rescinded??? I also checked the Cisco Command Lookup for this option and it didn't appear valid:

https://tools.cisco.com/Support/CLILookup/cltSearchAction.do

That didn't generate anything when we reset the port and tripped it again. I then saw some advice saying that the syslog server in the switch should generate a message specific to port security and tried changing to this command (see below):

snmp-server enable traps syslog

Again... that didn't generate anything when we reset the port and tripped it again. I really don't get how syslog is handled in LMS anyway... I see the parts about receiving SNMP messages from client switches and sending emails but not syslog... it appears to only work if you set up syslog "polling", which is pull and not push (what we need to be proactive).

I have seen several posts asking the same questions; most are abandoned or get back answers like "go to this link and read this 1000 page manual to learn about protocol x".

Does someone have a simplified method to accomplish port-security to email notification in LMS 4.0?

21 Replies

Hi, I've had some experience with this and I think you're nearly there.

Firstly, SNMP traps and syslog messages are configured differently on Cisco devices.

"snmp-server enable traps" will enable traps to be generated, then you need to specify the SNMP trap receiver:

"snmp-server host 1.1.1.1 version 2c password"

For SNMP polls you need to specify community strings and optionally access lists:

snmp-server community RWPASSWORD RW ACL_in

snmp-server community ROPASSWORD RO ACL_in

For syslogs from IOS, just specify a logging server:

"logging 1.1.1.1"

You can also set a severity level:

"logging trap debugging"

And a source trap tag:

"logging facility local4"

For port security violations, first check the local log on the device to see if you're generating the correct messages locally:

"sh log"

Should look like this:

Mar 27 15:26:13.935: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000a.aaaa.bbbb on port FastEthernet0/3.

Once you know you're catching the message locally, and the logging server is set, then the same message above should be appearing in the syslog.log file on the CW server.

After this you need to use a Syslog Automated Action to grab the message and do something with it (like send a mail). This is in Monitor->Syslog->Automated Actions.

The message type that works for me is:

Facility:
Sub-facility:
Severity:
Mnemonic:
Description:

The downside of all of this is that Port Security violations, once they trip, keep on tripping. So don't be surprised if you get a few hundred emails for each event. I gave up after I got 1000+ messages one Monday morning. I just use the syslog monitoring page now.

Cisco needs to introduce a throttling solution for this.

Good luck.

Thanks Neil... I noticed that your pasted values in your table didn't make it through... could you please repost these?

Michel had previously advised the following:

"The "err-disable" goes in the description, the rest is *."

Don't know if this makes a difference. I thought I saw somewhere while trying to set this up that there was a way to set the frequency of these traps.

Values I have as follows:

Facility:       PORT_SECURITY
Sub-facility:   *
Severity:       2
Mnemonic:       PSECURE_VIOLATION
Description:    *

err-disable is more generic; it will catch other states such as UDLD disables, BPDUs detected on ports where BPDU Guard is turned on, etc. Then again, if the err-disable trap is sent just once (which it should be) then this may be a better mechanism to combat the email flood issue I had.

There's a rate-limiting (number of messages per second) feature for syslogs, but this is more a bandwidth-saving feature for, say, serial lines etc. Don't think it can restrict the number of times a trap is triggered.

There's also a sequence number (IOS feature again) that can be appended to a syslog message. I think it may be up to the NMS to be able to "count" the messages based on the sequence number, and then somehow limit the alerts generated.

OK, further update. The port-security violation mode will determine the type of message sent.

"switchport port-security violation restrict" will cause the message to be as I've outlined above. The MAC address of the device on the port cannot communicate; intervention is needed to enable the port unless aging is used.

"switchport port-security violation shutdown" will err-disable the port. The err-disable trap should be generated; if the port is shut then multiple PSECURE_VIOLATION should not be received.

"switchport port-security violation protect" apparently restricts the port but sends no messages.
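The two posts above describe what the NMS side has to do: match each %FACILITY-SEVERITY-MNEMONIC line against an Automated Action filter (PORT_SECURITY / * / 2 / PSECURE_VIOLATION, or *err-disable* in the description) and cope with the flood of repeated PSECURE_VIOLATION messages that the "restrict" mode produces. The following is an added example written for this page, not LMS code and not something anyone in the thread posted. It assumes the five filter fields are plain globs, keys suppression on (device, mnemonic, port), and uses constructed sample lines; the %PM-4-ERR_DISABLE text is a constructed sample, and no mail is actually sent (the "mail" is returned as a dict).

```python
"""Match Cisco IOS syslog lines the way an LMS Syslog Automated Action filter does,
then throttle repeats so one port-security event produces one mail, not hundreds.
Added example, not LMS code; sample lines below are constructed.
"""
import re
from fnmatch import fnmatchcase

# IOS message header: %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: description
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)"
    r"(?:-(?P<subfacility>[A-Z][A-Z0-9_]*))?"
    r"-(?P<severity>[0-7])"
    r"-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<description>.*)$"
)
# Interface named after "port " or "on " in the description, e.g. FastEthernet0/3 or Fa0/3
PORT_RE = re.compile(r"\b(?:port|on)\s+([A-Za-z]+\d+(?:/\d+)+)")


def parse(line):
    """Return the fields of one IOS syslog line, or None if it is not an IOS message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["subfacility"] = msg["subfacility"] or ""   # most messages have none
    pm = PORT_RE.search(msg["description"])
    msg["port"] = pm.group(1) if pm else ""
    return msg


class AutomatedAction:
    """One filter in the style of Monitor->Syslog->Automated Actions.
    Every field is a glob; '*' (the default) matches anything, including an empty sub-facility."""
    FIELDS = ("facility", "subfacility", "severity", "mnemonic", "description")

    def __init__(self, name, **patterns):
        self.name = name
        self.patterns = {f: patterns.get(f, "*") for f in self.FIELDS}

    def matches(self, msg):
        return all(fnmatchcase(msg[f], p) for f, p in self.patterns.items())


# The thread's two filters: Neil's exact-mnemonic match and Michel's "*err-disable*" description match.
DEFAULT_ACTIONS = [
    AutomatedAction("psecure-violation", facility="PORT_SECURITY", severity="2",
                    mnemonic="PSECURE_VIOLATION"),
    AutomatedAction("err-disable", description="*err-disable*"),
]


class Notifier:
    """Send one mail per (device, mnemonic, port) per `window` seconds; count the rest."""

    def __init__(self, actions, window=300.0):
        self.actions = actions
        self.window = window
        self._state = {}   # key -> [first_seen_ts, repeats_suppressed]
        self.sent = []

    def handle(self, device, line, ts):
        """`ts` is the arrival time in seconds (hypothetical clock; a real collector would use its own)."""
        msg = parse(line)
        if msg is None:
            return None
        hits = [a.name for a in self.actions if a.matches(msg)]
        if not hits:
            return None
        key = (device, msg["mnemonic"], msg["port"])
        state = self._state.get(key)
        if state and ts - state[0] < self.window:
            state[1] += 1          # same event still tripping: suppress, but remember it
            return None
        mail = {
            "subject": f"{device} {msg['port']}: {msg['mnemonic']}",   # "device X port XX was tripped"
            "actions": hits,
            "suppressed_since_last": state[1] if state else 0,
            "line": line,
        }
        self._state[key] = [ts, 0]
        self.sent.append(mail)
        return mail


# Constructed sample feed: (device, arrival seconds, raw line)
PSECURE = ("Mar 27 15:26:13.935: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
           "caused by MAC address 000a.aaaa.bbbb on port FastEthernet0/3.")
SAMPLE = [
    ("sw-test-01", 0.0, PSECURE),
    ("sw-test-01", 2.0, PSECURE),                       # restrict mode keeps re-reporting
    ("sw-test-01", 4.0, PSECURE),
    ("sw-test-01", 5.0, "Mar 27 15:26:18.220: %PM-4-ERR_DISABLE: psecure-violation error detected "
                        "on Fa0/3, putting Fa0/3 in err-disable state"),
    ("sw-test-02", 6.0, "Mar 27 15:26:19.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0"),
    ("sw-test-01", 400.0, PSECURE),                     # outside the window: alert again, with the count
]


def run(events, actions=None, window=300.0):
    """Feed events through a Notifier and return the mails it would have sent."""
    notifier = Notifier(actions or DEFAULT_ACTIONS, window)
    for device, ts, line in events:
        notifier.handle(device, line, ts)
    return notifier.sent


if __name__ == "__main__":
    for mail in run(SAMPLE):
        print(mail["subject"], mail["actions"], "suppressed:", mail["suppressed_since_last"])
```

With the sample feed the three repeated PSECURE_VIOLATION lines collapse into one mail, the ERR_DISABLE line produces its own (matched by the description filter only), the CONFIG_I line matches nothing, and the violation that recurs after the window is reported with the number of repeats that were swallowed in between. Keying on the port rather than on the whole line is what makes the "shutdown" and "restrict" modes behave the same from the recipient's point of view.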

Thanks for these clarifications, Neil.

In an ideal world LMS would not send a mail but rather add this to a fault list like you see in fault management. Preferably with one fault entry per device and a counter for the number of times it happens on that device.

> "switchport port-security violation protect" apparently restricts the port but sends no messages.

This one doesn't block the port, it just makes it drop a certain MAC address, so no err-disabled message.

Unfortunately I think the issue jsconners72 has is a corruption problem with the syslog databases.

https://supportforums.cisco.com/docs/DOC-8796 should help you.

You will have to stop LMS and do a dbrestoreorig, but I notice the procedure doesn't mention the syslog databases.

I will try to look into this on a test system here somewhere this week, but I never came across this before.

Cheers,

Michel

If you restore the RME database as described in the document I mentioned earlier, then the syslog DBs will also be reset.

This will make you lose all archived configs, config changes and inventory collection data, of course.

But it is likely to resolve the issue, I think.

Cheers,

Michel

Thanks Michel,

In the end it turns out it was an improperly created SSL certificate. Here are the steps that TAC had me go through:

Mysterious entries TAC found in NMSROOT/CSCOpx/log/SyslogCollector.log:

SyslogCollector - [Thread: main] DEBUG, 28 Mar 2012 08:42:00,555, Entering getAppropriateForwarder()
SyslogCollector - [Thread: main] DEBUG, 28 Mar 2012 08:42:00,556, Datagram forwarder about to be instantiated. Port is 3333
SyslogCollector - [Thread: main] DEBUG, 28 Mar 2012 08:42:00,572, FcssLogWriter - Created successfully.
SyslogCollector - [Thread: main] DEBUG, 28 Mar 2012 08:42:00,572, Subscription id for resurrection is null
SyslogCollector - [Thread: main] WARN , 28 Mar 2012 08:42:07,024, Unable to resurrect connection to a subscriber.
SyslogCollector - [Thread: main] DEBUG, 28 Mar 2012 08:42:07,024, Exception is -
SyslogCollector - [Thread: main] DEBUG, 28 Mar 2012 08:42:07,024, java.net.ConnectException: Connection refused: connect

According to the above messages, the subscription seemed to fail, so no messages were getting forwarded correctly.

Started by trying to force the unsubscribe of the previous analyzer in order to do it again.

1) Shut down DM (from the CLI issue the command net stop crmdmgtd)

2)Delete the Subscribers.dat file under CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data

3) Made sure the certificates were created with the DNS-resolvable hostname.

4) Remove server.* under NMSROOT\MDC\Apache\conf\ssl

5) Ran the following commands:

NMSROOT\CSCOpx\bin\perl NMSROOT\MDC\Apache\ConfigSSL.pl -disable

Note: It will disable the https requirement to browse any CiscoWorks page.

NMSROOT\CSCOpx\bin\perl NMSROOT\MDC\Apache\ConfigSSL.pl -enable

Note: It will enable the https requirement to browse any CW page; therefore the credentials need to be recreated.

6) Start Daemon Manager

c:\> net start crmdmgtd

7) Ensured that the following files are created under NMSROOT\MDC\Apache\conf\ssl:

server.crt

server.key

server.pk8

8) Resubscribed the Syslog Collector.

After this I was able to set up a syslog automated action to send an email alert based on the *err-disable* in a syslog message and voilà!!

Thanks again for all your help troubleshooting this!