LMS 2.6-"hidden" devices

Unanswered Question
Mar 19th, 2008

When trying to verify what devices aren't in LMS, I've found that DCR will tell me a device already exists if I try to add it. It's apparently in LMS 'somewhere' but doesn't show up anywhere in DCR when I drill down through all groups. If I search DCR or Device Manager by name or IP, it's empty. However, I may be lucky to find that it's listed in the 'Devices that need to be added to ACS' report. What alternate method am I missing that will show me these devices?

thanks!

Joe Clarke Wed, 03/19/2008 - 12:09

Since you are integrated with ACS, you need to make sure that device's IP address and/or hostname is known to ACS. If you look at the Devices not in ACS report, you'll see the IP address and hostname of the device. Add the device as an ACS client using those values (or adjust an existing client's IP address range accordingly), then restart ACS, and log out and back into LMS.

js88888888 Wed, 03/19/2008 - 16:20

Cool, well that fixed a problem for a few of my devices. I do have several (all) MSFC modules that are still showing up as "not in ACS" even though I've verified they are. The credential test checks out and I can access the device using the same creds as what CW is set up to use. The only thing that may be different is these devices do have many IPs associated with them in ACS since they act as gateways to multiple networks. Not sure if that's an issue or not but they are all the same model. But they are in fact, on the same ACS server.

Joe Clarke Wed, 03/19/2008 - 16:32

Exactly how do they appear in the Not in ACS report, and how are they configured as clients of ACS?

js88888888 Wed, 03/19/2008 - 16:39

The display name on left column is the IP address. The attributes list the IP Address as the actual DNS/host name and the Host Name = the IP address.

Yes, I've fully checked that these are all ACS clients. But you do raise an interesting point as these devices were the only ones that reverse the IP and Host Name data on the Attributes column.... not sure why.

Joe Clarke Wed, 03/19/2008 - 16:49

Since the device shows up by IP address, and that IP address is a TACACS+ client in ACS (or that IP address is in a range of client addresses), then everything should work. Of course, this assumes you are not using NDGs in ACS. If you are using NDGs, then your System Identity User as well as the currently logged-in user need to have access to the NDG which contains this device.

js88888888 Tue, 07/15/2008 - 13:05

Following up on that, if you do see a device "not in ACS" in the report, how do you go about just deleting it entirely? Say, I put in a device that was never in ACS but is now retired and want to remove its existence in CW.

Joe Clarke Tue, 07/15/2008 - 13:12

You can either temporarily break ACS integration to delete the device, or add a bogus record to ACS, delete the device, then delete the ACS entry.

You might also be able to delete the device using dcrcli, but I do not have an LMS/ACS setup at the moment, so I cannot test.

js88888888 Thu, 07/17/2008 - 09:47

Thanks. I can't break ACS integration but if you find any more info using the DCRCLI please let me know.

Joe Clarke Thu, 07/17/2008 - 10:38

You can try this:

dcrcli -u admin cmd=lsids all

If you see the hidden device there, try:

dcrcli -u admin cmd=del id=ID

Where ID is the ID you see in the lsids command.

js88888888 Thu, 07/17/2008 - 11:51

thanks, I found and deleted two of the four devices. Any idea where I could find the other two?

Joe Clarke Thu, 07/17/2008 - 12:13

If they are not being shown via dcrcli, then the only way would be to break the ACS integration. If they are still not showing up, this may point to a corrupt CMF database.

js88888888 Thu, 05/21/2009 - 09:44

Going back to this Jclarke. I'm accumulating more and more in the "not in ACS" report that don't show up in DCRCLI and am getting into some secondary issues with aliasing in DFM on devices I can't delete in CS.

Short of rebuilding a new CW install, what would you recommend I do to clean these devices up? thanks

Joe Clarke Thu, 05/21/2009 - 09:50

Follow my previous instructions. You either need to add the devices showing up in this report to the ACS server to which LMS is integrated, or temporarily break ACS integration, remove the devices from DCR, then set up filters so that they do not get re-added. Once DCR is to your liking, you can then re-enable ACS integration.

jhbrubaker Tue, 06/09/2009 - 11:33

Once we add the device into ACS, how do we get LMS to move it into DCR and remove from the "not in ACS" list? Thanks!

Joe Clarke Tue, 06/09/2009 - 11:51

This happens automatically once you log out and log back in. In extreme cases, restarting Daemon Manager may be required.
