Hi Kerim. I would need more information to be able to assist with this. Can you please answer the following: 1. Step-by-step, how are you trying to add the switches? 2. Are you seeing any error messages...if so...what is the message? 3. Have you verified credentials? What are the results? 4. (bonus) can you *manually* telnet/ssh to the switch and snmp poll it from the NCS? Thanks, -Joe
... View more
hi rguntenaa r, I know you haven't received a response in the last few days, so thought I would chime in. The error you mentioned is definitely a problem. I've seen it handled a couple of ways. One is to put it back as you said (but I've only seen this applied to earlier versions of LMS), and I don't believe this would be a very "clean" way to address the problem. The other way I've seen this issue addressed has been to update all device packages, and let the file be auto-generated in the update process. Again, I've only seen this done on earlier versions, but it sounds to me like this might be the best way to try and address this. Good luck and let me know how it goes. Regards, -Joe
... View more
This is normal behavior for an ACL applied to a Community String. If you want it blocked before it reaches the snmp engine, you will need to apply the ACL at the Interface level. Regards, -Joe
... View more
Hi Andrea. I thought that would be the issue... No worries though...could you please do a "show version" from both NAM's (from the cli) and compare them? Specifically, I would like to know if the "build number" is the same on both NAM's. Thanks, -Joe
... View more
Hi Andrea. This appears to be a cosmetic issue, and I've seen this issue before if you are using an unsupported browser to access the NAM. The supported browsers are FF3.6 and IE8.0...is that what you are using? http://www.cisco.com/en/US/partner/docs/net_mgmt/network_analysis_module_software/5.1_2/re lease/notes/nam512note.html#wp43061 Are you able to reproduce this issue on one of the browser versions listed above? Thanks, -Joe
... View more
Hi Kat. I think this is sufficiently complex enough at this point that we're going to need some debug enabled logging and possibly packet captures. That said, I believe it would be beneficial for you to open a TAC case, and then we can get our escalation and Development Teams involved. Is opening a TAC case a possibility for you? Thanks, -Joe
... View more
Hi Kat. You've successfully confused me. Based on what you've said, you have some devices using ACS 5.3...and the others..??? Thanks, -Joe
... View more
Hi Kat. No, don't be frustrated, this is good news! I say that because ACS/LMS integration issues are 99% of the time just a simple misconfiguration. And I have an excellent integration document for integrating your LMS 3.2 to ACS. Please check this over and match it to what you are seeing: This is a very good step-by-step guide that should help you configure ACS
with LMS correctly. Look carefully at the notes as much of the problems are usually
related to a mis-configuration. Once you have this setup, you can easily modify the
permissions for the users and groups. Hope this helps. Please let me know if you have
any questions or if this is what you were looking for.
ON CISCOWORKS
===============
1. Go to Common Services > Server > Security > Multi-Server Trust Management
> System Identity Setup and configure a System Identity User.
*Note: This System Identity User is NOT the same as the ACS admin user, it
has to be different.
*Note: If you get a popup error that says null, let me know because that
means that you are missing the comUser.dat file and I would need to send you
extra steps)
2. Ensure that the System Identity User you just created is a local user
with all the roles under Server > Security > Single-Server Management >
Local User Setup.
ON ACS
=======
3. Define a group for CW Admin Users in ACS.
3.1. Go to GROUP SETUP.
3.2. Rename an available group to something suitable such as CWAdmins.
3.3. Edit Settings.
3.4. Set sessions available to user to 'unlimited'.
4. Add the CW system identity user (and other Admin users in CW) to ACS.
4.1. Go to USER SETUP.
4.2. Create Users for Ciscoworks including the System Identity User in ACS.
4.3. Set a password.
4.4. Assign all these Admin users to the Group created in Step 3.
5. Add a network device group with Ciscoworks as a Client.
5.1. Go to NETWORK CONFIGURATION.
5.2. Enter a Name.
5.3. Enter IP address or range with wildcard masks.
5.4. Configure a Key.
5.5. Authenticate using: TACACS+ (Cisco IOS).
5.6. Click on Submit+Restart.
Note: (If NDG options are not visible, you can enable Network Device Groups
in ACS under INTERFACE CONFIGURATION > ADVANCED)
ON CISCOWORKS
===============
6. Change CW AAA Mode to ACS TYPE (and register CW applications with ACS).
6.1. Go to Common Services > Server > Security > AAA Mode Setup.
6.2. Select ACS type.
6.3. Fill in IP address/Hostname of ACS server
6.4. Fill in the ACS admin login information and the shared key
Note: "ACS admin login" must be a user with full admin rights to ACS (i.e.
one configured under Administration Control in ACS with ALL options checked)
and should not be the same as the System Identity User.
6.5. Put a check mark on "Register all installed applications with ACS".
6.3. Click on apply.
6.4. Restart the daemons with these commands from a command prompt window
on the LMS server:
>net stop crmdmgtd
>net start crmdmgtd
*WARNING: Make sure that AFTER the first successful registration to any
specific ACS server, you always keep this box UNCHECKED if switching between
ACS and non-ACS modes on LMS server. Failure to do so will erase all custom
roles (SUPERUSER) and you will need to do steps 7-8 on ACS again.
ON ACS
=======
7. Add a "SUPERUSER" role for each module of Ciscoworks in ACS.
7.1. Go to SHARED PROFILE COMPONENTS.
7.2. Select a CW module (such as Common Services).
7.3. click on ADD.
7.4. Name it CWSuperUser or something similar.
7.5. Select everything under the available functionality for that module.
7.6. Repeat above procedure for Ciscoview, RME, Campus, DFM and any other
Ciscoworks modules such as IPM, etc.
8. Assign the "SUPERUSER" role to the Admins Group (created in Step 3).
8.1. Go to GROUP SETUP.
8.2. Click on Edit Settings.
8.3. Select cwhp, rme, campus, dfm and any other CW components a select the
"SUPERUSER" role (created in step 7).
8.4. Click on Submit+Restart.
*Note: Once ACS mode is enabled on Ciscoworks, ALL devices MUST be added to
the same ACS server as clients for them to be manageable in Ciscoworks.
While the devices must be known (i.e. configured as clients) in the same ACS
server, they do not have to use that ACS for their own AAA configuration,
nor do those devices need to be configured for AAA themselves.
Here is also a link showing screenshots, it is for 4.1 but applies the
same for 4.2:
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_pape r0900aecd80613f62.html
... View more
Choose a couple of the problem devices (different device models), Delete them from the DCR. Re-add them. Let me know if they work properlly after that. Thanks, -Joe
... View more
Hi Lothar. I'm doubtful that you can use cwcli, however I think that maybe it can be done using jobcli, something along the lines of: C:\PROGRA~1\CSCOpx\bin\cwjava -cw C:\PROGRA~1\CSCOpx com.cisco.nm.cmf.jrm.jobcli However, I have no idea what sub-commands might be used to specifically create an inventory collection job (I've never seen it done before), and I would be very wary of proceeding further without knowing what you might be getting into! :-) Maybe someone else will chime-in here that knows how it could be done. Good luck! -Joe
... View more
Hi. Please check that the "CiscoWorks" permissions for the Admin account are set to 'System Administrator', and then try again. Please let me know if this resolves this problem. Regards, -Joe
... View more