LMS 2.6 + SSG

Answered Question

I'm having a problem with LMS 2.6 and pushing configs out to our firewalls. We don't allow telnet into the firewalls, only SSH. LMS pulls the configs without a problem, but when I try to modify a config and push it out to a firewall it only seems to attempt to telnet and fails, so the config never gets pushed out. I made sure that SSH is the first in the list under RME transport settings for config deploy. Am I missing something else?

Joe Clarke Wed, 07/16/2008 - 09:28
User Badges: Cisco Employee, Hall of Fame, Founding Member

What RME application are you using to push the change (i.e. Archive Mgmt, Config Editor, Netconfig)?

Joe Clarke Wed, 07/16/2008 - 09:44

Then you need to select Config Editor from the pull-down in the RME > Admin > Config Mgmt > Transport Settings window, and make sure the deploy protocol order is correct there as well.

Joe Clarke Wed, 07/16/2008 - 09:53

Please post the job log from a failing Config Editor job.

Correct Answer
Joe Clarke Wed, 07/16/2008 - 10:00

Ah, okay, this just means that telnet was attempted because SSH failed. The error points to a problem with one of the commands being deployed to the device. Exactly what are you deploying, and in what mode (merge or overwrite)?

Maybe I spoke too soon... I did remove the access-list line entirely... I still get the same error. Here it is:


e Command(s) failed on the device Insufficient no. of interactive responses(or timeout) for command: no access-list in_out extended permit ip host *.*.*.* any . TELNET: Failed to establish TELNET connection to *.*.*.* - Cause: connect timed out.

Joe Clarke Wed, 07/16/2008 - 13:05

What happens when you run the command manually:


no access-list in_out extended permit ip host *.*.*.* any


What does the device say?

That's weird: the access-list line gets removed even though I get the error (using RME). I tried removing 3 access-list lines instead of just one; I still get the same error, but one line does get removed. The line that gets removed is the same line that shows up in the error, and the other 2 lines do not get removed.


It works without a problem if I do it manually.

Joe Clarke Wed, 07/16/2008 - 13:21

The device does not prompt you for anything when entering the problematic line?

Joe Clarke Wed, 07/16/2008 - 14:33

It would help to see the Config Editor job log with Config Job debugging enabled. If this data is too sensitive to post on an open forum, then I suggest you open a TAC service request.

Joe Clarke Wed, 07/16/2008 - 19:26

/var/adm/CSCOpx/files/rme/jobs/ConfigEditor on Solaris and NMSROOT\files\rme\jobs\ConfigEditor on Windows.
