LMS 2.6 user tracking problem!

Answered Question
Jul 22nd, 2007

Dear all,

About the network:

There are more than 70 2960 switches (access level), more than 30 3750s (Dist level), and one 6509 as the core.

Each 3750 is in one VLAN, and several 2960s are connected to a 3750 using trunk ports (IP routing is enabled on each 3750).

Between the 3750s and the 6509, EIGRP is used.

Now, using CiscoWorks (LMS 2.6), it can discover all switches in the network, but User Tracking discovered users that are connected to 3750 ports, and no users on the 2960s are discovered.

What is the problem? How can it be solved?

Any help will be appreciated,

Mike

Joe Clarke Sun, 07/22/2007 - 07:44
User Badges: Cisco Employee, Hall of Fame, Founding Member

I'm not sure I clearly understand the problem. Are you saying that users on the 3750s are acquired by User Tracking, but those on the 2960s are not? In addition to that, all of the switches (3750s and 2960s) all show up on the Topology Map with the correct switch icon?


If the answer to both questions is yes, what version of SNMP are you using to manage these devices? What version of IOS are they running?


Typically, to debug this problem, you should enable vmpsadmin debugging under Campus Manager > Admin > Campus Data Collection > Debugging Options, then run a new UT acquisition, and check the resulting ut.log for instances of missing MAC addresses, and the IPs of switches that do not show users in UT.

m.hedayati Sun, 07/22/2007 - 22:56

Thank you for your reply,

All 3750 ports that are connected to 2960s are in trunk mode, the uplink to the core is "no switchport", and one or two ports that are configured as "switchport mode access vlan xx" are connected to wireless access points.

UT discovers these access points, but couldn't discover users on the 2960s!

The network is working very well and there is no problem for users.

I use "SNMP-server community" on all switches and set an RO community.

Please find below the output of:

" utdebug -switch 192.168.186.2 -port fa0/1 "

192.168.186.2 is a 2960 and port fa0/1 is a port that is connected to a user.

Please be informed that I have 2 VTP domains, and the core (6509) and the 2960 with IP "192.168.186.2" are in the same domain.

//OUTPUT OF utdebug //

==============Checking for Device==============


192.168.186.2 : INFO : The switch has been discovered by ANI Server.


IP : 192.168.186.2

Details :Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2005 by Cisco Systems, Inc.

Compiled Wed 12-Oct-05 23:14 by yenanh


==============Checking for port fa0/1==============


This Port is in Vlan 32


UT is unable to find an end station on this port


See ACTION REPORT for possible remedies


==============Mac Address fetch through SNMP for Verification==============


Mac Address Status


SNMP query for vlan 32

MESSAGE DBConnection: Created new Database connection [hashCode = 7453641]

DCR device id of 192.168.186.2 is 23

Common trust user is: admin

User name in Security context is: admin

log4j:ERROR No appenders could be found for category (CTM.common).

log4j:ERROR Please initialize the log4j system properly.

SNMP v2 credentials found for 192.168.186.2

caught Snmp Exception while quering for mac for vlan 32

com.cisco.nm.lib.snmp.futureapi.SnmpReqTimeoutException: SnmpRequestTimeout on 192.168.186.2 while performing SnmpWalk(*) at index = -1

at com.cisco.nm.lib.snmp.futureapi.SnmpFuture.value(SnmpFuture.java:175)

at com.cisco.nm.lib.snmp.futureapi.SnmpTableFuture.value(SnmpTableFuture.java:141)

at com.cisco.nm.ani.clients.ut.UTDebug.UTSnmp.fetchMacTable(UTSnmp.java:230)

at com.cisco.nm.ani.clients.ut.UTDebug.UTDebug.parseSnmpAndDisplay(UTDebug.java:273)

at com.cisco.nm.ani.clients.ut.UTDebug.UTDebug.startDebugging(UTDebug.java:234)

at com.cisco.nm.ani.clients.ut.UTDebug.UTDebug.(UTDebug.java:62)

at com.cisco.nm.ani.clients.ut.UTDebug.UTDebug.main(UTDebug.java:103)

MESSAGE DBConnection: Created new Database connection [hashCode = 2569862]

DCR device id of 192.168.186.2 is 23

SNMP v2 credentials found for 192.168.186.2


==============ACTION REPORT==============


UT is actually failing for the following ports

fa0/1


SNMP CHECK : First check if the end host MAC that is missing in UT is seen in the above MAC table with a Valid status. If not, SNMP is not returning values. So UT may be hitting a CatOS SNMP bug. Manual verification can be done by running snmpwalk on the Bridge table for the vlan. snmpwalk [ -v 1 ] device [email protected]_id .1.3.6.1.2.1.17.4.3. Have this information available when calling Cisco TAC.

UT FAILURE : If there was no SNMP falure, then UT is failing to pick up entries for the ports. Please follow the steps one by one. If the action taken for the step fails, move to the next step.

STEP : Add the property "UTGetVlansWithUserPorts=1" in ANIServer.properties. Please restart ANIServer after setting this and then run a rediscover.

STEP : If the above steps do not solve the problem, enable Trace and Debug for the vmpsadmin module in Debugging Options. Do a full UT Discovery (Discover All), and contact Cisco TAC with the ANI log and this log file.



Joe Clarke Mon, 07/23/2007 - 06:38

If the 2960s connect to APs, what users are actually directly connected to the 2960s? It sounds like your problem is with finding users connected to the APs.


As for the above output, it appears there may be an issue with your community string. Please attach a show run from this switch. If you cannot do that because of security concerns, then please open a TAC service request.

m.hedayati Mon, 07/23/2007 - 07:12

Hi Clarke,

In Rack-A, there are 3 2690s whose Gi0/1 is connected to ports 1 to 3 of the 3750G.

All the users are connected to 2960 ports.

One 3Com AP is connected to port Gig1/0/10 of this 3750G.

UT discovers just the AP (no WLAN users) that is connected to port Gig1/0/10, and users that are connected to the 2960s are not discovered.

I am really confused. I think everything is OK, but UT does not work correctly.

Please help me to solve this problem,

Regards, Mike

Joe Clarke Mon, 07/23/2007 - 07:21

Without the config from the switch, the logs I mentioned earlier, and a sample missing MAC address, I cannot say what the problem is.

m.hedayati Mon, 07/23/2007 - 07:24

OK, I'll send it ASAP.

To be sure, could you please tell me what you need to know and what I have to send to you?




Joe Clarke Mon, 07/23/2007 - 07:41

The show run from the switch, a sample missing MAC address on the port to which it connects, and the ut.log after enabling vmpsadmin debugging as I described earlier and running a full UT major acquisition.

m.hedayati Tue, 07/24/2007 - 06:48

Hello Clarke,

The size of ut.log is more than 5MB; please find attached ut1.log, from which I cut some text.

And please find attached the output of the sh run command for an access switch (2960).

Please let me know if you need more information.



Joe Clarke Tue, 07/24/2007 - 07:55

I need to see the full log. You can compress it, or you can open a TAC service request, and have TAC analyze this. Also, you need to provide a sample missing MAC address, and the port to which it directly connects on this 2960.

m.hedayati Tue, 07/24/2007 - 22:54

Hi Clarke,

Please find attached the full ut log.

I am sending 2 sample MACs, as below:

00-14-2a-c1-15-57

This is the MAC of the CiscoWorks server, which is connected to port 0/20 of a 2960 switch; this switch is connected to port 1/0/6 of the 3750.

Another sample MAC is:

00-04-79-66-e0-7d

It is connected to port 0/45 of a 2960; this switch is connected to port 1/0/4 of the 3750.

Thank you very much; waiting for your answer,



m.hedayati Wed, 07/25/2007 - 11:09

Hi Clarke,

Did you see the ut.log?

What is the problem?

Waiting for an answer,

Best regards, Mike

Joe Clarke Wed, 07/25/2007 - 12:30

The log tells me that there was a timeout problem trying to fetch the users on vlan 32 from this switch. This could indicate that the community string for this switch in DCR is wrong. The device is configured for "$nmp" so UT should be using [email protected] to get the users from this switch on vlan 32.


You should first check DCR, and make sure the read-only community string for this switch is correct. If so, test that you can walk the following OID under Device Center > SNMP Walk using the community string [email protected]:


.1.3.6.1.2.1.17.4.3

m.hedayati Tue, 07/31/2007 - 03:20

Hello Clarke,

I checked DCR; it is OK.

Using SNMPWALK, just the 3750 switches answer it. For example, in Rack-C, all ports are in Vlan40, the management IP for the 3750 is 192.168.186.49, and for one 2960 it is 192.168.186.50.

Now, using snmpwalk for [email protected] on the 3750, everything is OK, but the 2960 doesn't answer!

I have to tell you that all 2960s will answer snmpwalk without @VlanID.

Please find attached the debug output for the 3750 with IP "192.168.186.49".

Thank you for your help,

Mike



m.hedayati Tue, 07/31/2007 - 06:46

Hi again,

Please find below the output of the "show snmp" command on the 2960 switch.

I use "snmpwalk" using [email protected]

----------------------------------

ack-c#sh snmp

Chassis:

9225 SNMP packets input

0 Bad SNMP version errors

772 Unknown community name

0 Illegal operation for community name supplied

0 Encoding errors

37900 Number of requested variables

0 Number of altered variables

166 Get-request PDUs

8142 Get-next PDUs

0 Set-request PDUs

8453 SNMP packets output

0 Too big errors (Maximum packet size 1500)

6 No such name errors

0 Bad values errors

0 General errors

8453 Response PDUs

0 Trap PDUs

SNMP global trap: disabled


SNMP logging: disabled

SNMP agent enabled

---------------------------------


When I run "debug snmp packet" on that, it just shows me "6d09h: SNMP: Packet received via UDP from 172.31.32.116 on Vlan200" 6 times!

Correct Answer
Joe Clarke Tue, 07/31/2007 - 09:25

A static snapshot of "show snmp" is not useful as it's impossible to know what is incrementing. However, it could be that the switch thinks [email protected] is an unknown community string. I can't reproduce locally. That string works on my switches. You might try rebooting the switch, or temporarily configure a different community string without the '$' and see if you can walk the same object with the @32.

m.hedayati Tue, 07/31/2007 - 11:20

Thank you for your fast reply,

Did you see the message that I posted on Jul 31, 2007, 4:20am PST?



Correct Answer
Joe Clarke Tue, 07/31/2007 - 11:27

In that output, I see you're using the community string "$snmp" whereas you have been using "$nmp" in all of the posts in this thread. Make sure your community string in DCR agrees with what is configured on the device. The device has "$nmp" (i.e. no 's').

m.hedayati Tue, 07/31/2007 - 11:39

On that switch, I had set $snmp as the community.

I'll set a new community without $ on a 2960, restart UT, and send you the result.

I hope the problem is solved.

Regards, Mike

m.hedayati Wed, 08/01/2007 - 23:01

Dear Clarke,

First, thank you very much for your time.

It seems to be a bug in CiscoWorks:

I defined the SNMP community with $ and @ (example: SNMP-SERVER COMMUNITY @t$nmp RO).

In this case, UT can't fetch users on the 2960s' VLANs!

When I created a new community without $ and @, it worked correctly.

Are there any documents about the relation between the character sets of SNMP communities and CiscoWorks?

Thanks again, Mike
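
Added example, not part of the original thread and not CiscoWorks code: a small audit of `snmp-server community` lines that builds the per-VLAN community the thread describes (community, then `@`, then the VLAN ID, used to walk .1.3.6.1.2.1.17.4.3) and flags strings that cannot be split back unambiguously. The config lines are constructed, the function names are hypothetical, and splitting at the first `@` is an assumption about how an agent separates the VLAN context.

```python
import re

# Constructed sample lines for illustration (not the attached "show run").
SAMPLE_CONFIG = """\
snmp-server community $nmp RO
snmp-server community @t$nmp RO
snmp-server community campusro RO
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)", re.I | re.M)


def indexed_community(community, vlan):
    """Community the poller sends to read one VLAN's bridge table."""
    return f"{community}@{vlan}"


def split_indexed(wire):
    """Assumed agent behaviour: the context starts at the first '@'."""
    base, _, context = wire.partition("@")
    return base, context


def audit(config, vlans):
    """Return {community: [issues]} for every configured community."""
    report = {}
    for community in COMMUNITY_RE.findall(config):
        issues = []
        if "$" in community:
            issues.append("contains '$' (reported as problematic in the thread)")
        for vlan in vlans:
            wire = indexed_community(community, vlan)
            # A clean string splits back into (community, vlan) exactly.
            if split_indexed(wire) != (community, str(vlan)):
                issues.append(f"{wire} is ambiguous for VLAN {vlan}")
        report[community] = issues
    return report


if __name__ == "__main__":
    for community, issues in audit(SAMPLE_CONFIG, [32, 40]).items():
        print(community, "->", issues or "ok")
```
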
