LMS 2.6 + SSG

niro
Level 1

I'm having a problem with LMS 2.6 and pushing configs out to our firewalls. We don't allow telnet into the firewalls, only SSH. LMS pulls the configs without a problem, but when I try to modify a config and push it out to a firewall it only seems to attempt to telnet and fails, so the config never gets pushed out. I made sure that SSH is the first in the list under RME transport settings for config deploy. Am I missing something else?

1 Accepted Solution


Ah, okay, this just means that telnet was attempted because SSH failed. The error points to a problem with one of the commands being deployed to the device. Exactly what are you deploying, and in what mode (merge or overwrite)?


16 Replies

Joe Clarke
Cisco Employee

What RME application are you using to push the change (i.e. Archive Mgmt, Config Editor, Netconfig)?

Config Editor

Then you need to select Config Editor from the pull-down in the RME > Admin > Config Mgmt > Transport Settings window, and make sure the deploy protocol order is correct there as well.

Yea that's what I did...I have SSH, Telnet, TFTP, SCP as selected protocols under config deploy for Config Editor...in that order.

Please post the job log from a failing Config Editor job.

Here is the log from the last job I tried to run (I starred out the IP):

Command(s) failed on the device TELNET: Failed to establish TELNET connection to *.*.*.* - Cause: connect timed out. Insufficient no. of interactive responses(or timeout) for command

Ah, okay, this just means that telnet was attempted because SSH failed. The error points to a problem with one of the commands being deployed to the device. Exactly what are you deploying, and in what mode (merge or overwrite)?

Ah I think I see the problem...I'm modifying an access-list and out of habit I put no in front of the line I want to remove instead of just removing it...I'm going to try it again tonight...thanks! :)

Maybe I spoke too soon...I did remove the access-list line entirely...I still get the same error. Here it is:

e Command(s) failed on the device Insufficient no. of interactive responses(or timeout) for command: no access-list in_out extended permit ip host *.*.*.* any . TELNET: Failed to establish TELNET connection to *.*.*.* - Cause: connect timed out.

What happens when you run the command manually:

no access-list in_out extended permit ip host *.*.*.* any

What does the device say?

That's weird the access-list line gets removed even though I get the error (using RME). I tried removing 3 access-list lines instead of just one, I still get the same error, but one line does get removed. The line that gets removed is the same line that shows up in the error, and the other 2 lines do not get removed.

It works without a problem if I do it manually.

The device does not prompt you for anything when entering the problematic line?

Nope..if I paste the multiple lines directly I get no prompts from the firewall.

It would help to see the Config Editor job log with Config Job debugging enabled. If this data is too sensitive to post on an open forum, then I suggest you open a TAC service request.
