Cisco Works - DCR and Default Credentials

Unanswered Question

After initial installation of CW and device creation/import we opted to change the SNMP RO and RW community strings on all of our devices. We also added an ACL on each device to limit SNMP traffic to two syslog servers. After running the job to change the strings, the Default Credentials in CW were changed to match the new community strings. Since that time I have run multiple CDA jobs to ensure that communication with the devices is working properly. CDA jobs report that 80% of my devices have "Wrong Credentials" for SMMP Read and Write.

Is it possible that after changing the community strings and the CW default credentials, the new community strings did not take? Is there any way to verify that the default credentials are what they should be?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
yjdabear Fri, 03/20/2009 - 10:28
User Badges:
  • Gold, 750 points or more

I have a mix of devices in DCR, some added with manually entered credentials, some with "use Default Credentials" checked. A device list export from DCR shows all of them populated with the same SNMP community strings. Changing the SNMP community string in Default Credentials triggers no corresponding change in the DCR export. Based on that, it would appear Default Credentials are only applied to newly added devices to DCR.

yjdabear Fri, 03/20/2009 - 10:42
User Badges:
  • Gold, 750 points or more

Yeah, one'd expect it should, shouldn't it?

I can't make sense of why you're seeing only 80% failures in CDA. How's the distribution of old vs new SNMP strings, in your DCR export? (DCR - Device Management - Export)

Do you have the previous SNMP strings in the Secondary Credentials? I wonder how that might impact CDA results.

yjdabear Fri, 03/20/2009 - 10:52
User Badges:
  • Gold, 750 points or more

Never mind the Secondary Credentials. It doesn't apply to SNMP strings.

Martin Ermel Fri, 03/20/2009 - 12:04
User Badges:
  • Blue, 1500 points or more

it is as yjdabear said: default credentials are only applied to devices newly added to DCR; devices in DCR which were yet contacted successfully have their credentials stored in the database until you change them through Common Services > Device and Credentials > Device Management;

Could it be that 20% of the devices were added/discoverd after you made the changes?

In Device And Credentials > Report you can launch a report that tells you when a device was added/updated/deleted to DCR

Martin Ermel Fri, 03/20/2009 - 13:24
User Badges:
  • Blue, 1500 points or more

I am not sure if I understand it correct...

If you think a RME job (net config) that changed community strings on devices should also trigger and update of DCR to reflect these changes, then no this is not the fact. And I do not know of any process that automatically _updates_ credentials in DCR. Credentials are only changed through the GUI:

Common Services > Device And Credentials > Device Management =>edit credentials

or CLI with 'dcrcli'

or by an import of devices into DCR;

How do you setup the CDA job?


This Discussion