LMS - Config archive; Failed to establish TELNET session; correct credentials

Answered Question
Nov 20th, 2009

Hi,

I have a problem when archiving configurations from my campus devices (routers/switches/firewalls) using LMS.

I keep getting this error message (for all devices):

1.           172.27.1.1 PRIMARY           STARTUP           Nov 22 2007 12:30:05           TELNET: Failed to establish TELNET connection to 172.27.1.1 - Cause: Authentication failed on device 3 times.   PRIMARY-STARTUP config Fetch Operation failed for TFTP.

I am using LMS 3.2. All devices are reachable and already in DFM (RME) repository.

I have set up all devices with correct snmp community, (using ver. 2). I have set up default credentials and I also configured devices with proper usernames and passwords. I enabled telnet on vty lines 0 - 15.

My question is simple - how come LMS cannot log in to the router/switch and archive the running/startup configuration? From the command line (CMD) on my PC I am able to log in to the switch/router with the username and password I have configured and I certainly can download the configuration via TFTP.

What is preventing LMS from logging in to the devices? Is there something I should know? :-)

Thank you for your help in advance!

Joe Clarke Fri, 11/20/2009 - 05:25

The error does point to an authentication problem, and it is usually correct, but there have been issues where some other device interaction problem led to the same error.  If you are using telnet, start a sniffer trace capturing on all tcp/23 traffic between the RME server and the device, then perform a new Sync Archive operation.  Be sure to check the "Fetch startup" box.  The resulting trace should clearly illustrate why the archive is failing.

Matej Gololicic Fri, 11/20/2009 - 07:03

jclarke,

I tried tracking traffic from LMS server (172.29.25.45) to target device - switch (172.27.1.1).

I forced "archive synchronization". The traffic was flowing in-between nicely, but there are some errors.

172.27.1.1 ----> 172.29.25.45 (LMS)

Switch prompts for "Username:"

172.29.25.45 (LMS) ----> 172.27.1.1

RMS responds, but packet seems to be "damaged"

Header checksum: 0x0000 [incorrect, should be 0x21d4]

It seems to be bad checksum.

What does that mean exactly? This seems serious, but I don't have much experience troubleshooting with wireshark.

Also, can you be more specific about: "The error does point to an authentication problem, and it is usually correct, but there have been issues where some other device interaction problem led to the same error."?

Joe Clarke Fri, 11/20/2009 - 08:57

No, the wireshark error is a false positive.  If you post the actual binary sniffer trace, I can analyze it.  It really sounds like the DCR credentials are not correctly specified for this device, though.  It sounds like you may not have a username configured in DCR.

In my statement, I meant there have been some issues where RME's interaction with the device was problematic, and RME thought  there was an error in authentication.

Matej Gololicic Fri, 11/20/2009 - 10:57

jclarke,

I am pretty sure that I have correctly set usernames and passwords (default credentials). I have checked these settings three times.

But nevertheless maybe there is some other trick I don't know, so please can you shortly (in a few steps) describe how to configure credentials (just to be sure that I have done everything correctly - you know, you can never be too sure).

:-)

p.s. I am using Cat2960 and 3750 switches and ASA5520, if that helps in any way.

Thank you for your help and effort!

Joe Clarke Fri, 11/20/2009 - 11:07

Go to Common Servers > Device and Credentials > Device Management.  Select the device in question from the tree, then click the Edit Credentials button.  Fill in the appropriate username and password in the associated fields.  Then click Finish.  You should not get an error.

As I said, if you post the binary sniffer file, I can analyze it for you.

Matej Gololicic Mon, 11/23/2009 - 01:20

jclarke,

I have done exactly the same as you mentioned.

Do I have to restart some services in LMS in order to use the new credentials, or does it refresh automatically?

p.s. which format (for the trace file) do you need, is .pcap ok?

edit: I've uploaded trace file (when LMS is talking to devices) I hope it's relevant.

Joe Clarke Mon, 11/23/2009 - 07:40

PCAP format is fine, but the file is still being queued for upload, and I cannot yet see it.

Joe Clarke Mon, 11/23/2009 - 10:55

According to this, DCR does not have a valid username for this device.  If you can, export the current DCR credentials for this device under Common Services > Device and Credentials > Device Management, and post the export.  If you do not want to share this data, open a TAC service request, and they can analyze the export to identify the root cause.

Matej Gololicic Thu, 11/26/2009 - 04:46

jclarke,

I have exported default credentials into a file as you said. Here is what it contains:

===================================================================================

; This file is generated by DCR Export utility
Cisco Systems NM Data import, Source=DCR Export; Type=DCRCSV; Version=3.0

;
;Start of section 0 - Basic Credentials
;
;HEADER: management_ip_address,host_name,domain_name,device_identity,display_name,sysObjectID,dcr_device_type,mdf_type,snmp_v2_ro_comm_string,snmp_v2_rw_comm_string,snmp_v3_user_id,snmp_v3_password,snmp_v3_auth_algorithm,snmp_v3_priv_password,snmp_v3_priv_algorithm,snmp_v3_engine_id,rxboot_mode_username,rxboot_mode_password,primary_username,primary_password,primary_enable_password,http_username,http_password,http_mode,http_port,https_port,cert_common_name,secondary_username,secondary_password,secondary_enable_password,secondary_http_username,secondary_http_password
;
172.27.1.1,172.27.1.1,,,172.27.1.1,1.3.6.1.4.1.9.1.516,0,999990243,seng_lms,,,,,,,,,,,,testlab,,,,,,,,,,,


;
;Start of section 1 - AUS proxy
;
;HEADER: management_ip_address,host_name,domain_name,device_identity,display_name,aus_username,aus_password,aus_url,aus_port
;
172.27.1.1,172.27.1.1,,,172.27.1.1,,,,

;End of CSV file

===================================================================================

Username and password seem ok to me.

Any idea?

Correct Answer
Joe Clarke Thu, 11/26/2009 - 09:03

You have set this device to be AUS-managed which is incorrect.  Edit the DCR credentials again, and remove the auto-update server credentials.  You should only have values populated under Primary Credential and possibly Secondary Credential.  You may need to delete and re-add this device to get things to work correctly.  Again, do NOT put anything under Auto Update Credential.

Matej Gololicic Thu, 11/26/2009 - 13:36

jclarke,

I went under "server setup - default credentials sets" and I chose my default credentials (named 1) - all fields are blank under "Auto update server managed device credentials". I can even post a screenshot here.

But then I went back and created a new "default credentials set" (named 2), removed all devices from DFM and added them back. Config archiving is now working...

Hmmm, I don't know what went wrong with the first credentials. I've set the new credential (named 2) exactly the same as the old one (named 1).

Anyway thanks for your help and effort!

p.s.: I see you have a lot of experience with LMS so I will post some more questions for you on this forum :-)

ifthekharul.alam Wed, 02/29/2012 - 03:39

Hi Joseph/Matej,

I am facing a similar problem. For your information: I am using LMS 4.1.

But I tried whatever Matej told last. Delete all the credential set. Assign new policy. Then try for new Synch. But in vain. I also auto update, didn't put anything over there.

Can you guys help me out?

Thanks in advance

Regards

Russell

Joe Clarke Wed, 02/29/2012 - 14:23

Russell, there was a lot more involved in determining the root cause of this issue.  I recommend you start a new thread and include the sniffer trace of the config archive session as was done here.
