CiscoWorks unable to collect config in RME due to firewall?

Jan 6th, 2010

My CW is unable to collect the config in RME.

I'm using CDP, OSPF, and BGP for discovery.

I understand that CW uses the SNMP read community string to discover network devices. I can see CW pick up the devices in the device management list, but when I do an SSH credential check, the devices behind the firewall fail. The SNMP R & W credentials are correct, and I can log on to the network device using the primary account without a problem. What could be the problem? What do I need to check/perform in order to collect the config for archive? Do I need to open a port on the firewall for CDP traffic? Other devices (not behind the firewall) work fine.


Your input is greatly appreciated.

Joe Clarke Wed, 01/06/2010 - 08:56

CDP is not required for RME to fetch configs.  What version of RME do you have?  What error do you get when trying to fetch the config?  What type of devices are failing?  What version of code are they running?

baotran09 Wed, 01/06/2010 - 09:19

I'm running RME 4.3.1.

Attached is the screenshot of unsuccessful config archive and inventory collection failures.

Here are the error messages:

SH: Failed to establish SSH connection to 10.x.x.x - Cause: Read timed out. TELNET: Failed to establish TELNET connection to 10.x.x.x - Cause: connect timed out.
Could not detect SSH protocols running on the device TELNET: Failed to establish TELNET connection to 10.x.x.x - Cause: connect timed out.
Could not detect SSH protocols running on the device TELNET: Failed to establish TELNET connection to 10.x.x.x - Cause: connect timed out. Failed to fetch config using TFTP Failed to fetch config using RCP.Verify RCP is enabled or not. Failed to fetch config using SCP.Socket closed Verify SCP is enabled or not.


I can log on (using PuTTY) without a problem using the same account.

Joe Clarke Wed, 01/06/2010 - 09:26

The error points to a firewall or access list blocking tcp/22 from the RME server.  While you can login using PuTTY with the same credentials, can you login from the RME server?

baotran09 Wed, 01/06/2010 - 09:33

All my CW applications (including RME) are located on the same server, and yes, I can telnet/ssh from the server.

I don't think the ACL blocks it, as I can remote to it using PuTTY.

Joe Clarke Wed, 01/06/2010 - 09:36

From the server, telnet to this device on tcp/22.  That is:


telnet 10.x.x.x 22


What output do you get?

Joe Clarke Wed, 01/06/2010 - 09:48

You may need to increase one of the timeouts in the cmdsvc.properties file.  I suggest you open a TAC service request so more analysis can be done.

baotran09 Wed, 01/06/2010 - 09:51

Got it, so you think it's got nothing to do with the firewall? I have a problem with 200+ devices.
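
The `telnet 10.x.x.x 22` check suggested earlier in the thread, extended here to run against a list of devices from the CiscoWorks server and to tell apart the two failures in the quoted RME errors ("connect timed out" versus "Read timed out"). This is an added example, not part of the original thread or of CiscoWorks; the function names, timeout values and device addresses are assumptions, and it also probes tcp/23, which goes beyond the single-port check in the post.

```python
import socket

# Outcome labels; two of them mirror the wording of the RME errors in the thread.
BANNER, READ_TIMEOUT, CONNECT_TIMEOUT, REFUSED, CLOSED, ERROR = (
    "banner", "read timed out", "connect timed out", "refused", "closed by peer", "error")

def probe(host, port=22, connect_timeout=5.0, read_timeout=5.0):
    """Return (outcome, detail) for one TCP service check from this machine."""
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except socket.timeout:
        # SYN got no answer: typical of a firewall or ACL silently dropping it.
        return CONNECT_TIMEOUT, ""
    except ConnectionRefusedError:
        # RST came back: path is open but nothing listens (or an ACL rejects).
        return REFUSED, ""
    except OSError as exc:
        return ERROR, str(exc)
    with sock:
        sock.settimeout(read_timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            # Handshake completed, but the server sent nothing in time.
            return READ_TIMEOUT, ""
        except OSError as exc:
            return ERROR, str(exc)
    if not data:
        return CLOSED, ""
    # An SSH server sends its identification line first, e.g. "SSH-2.0-...".
    return BANNER, data.split(b"\n", 1)[0].decode("ascii", "replace").strip()

def survey(hosts, ports=(22, 23), **timeouts):
    """Probe every host/port pair and group the hosts by (port, outcome)."""
    summary = {}
    for host in hosts:
        for port in ports:
            outcome, _ = probe(host, port, **timeouts)
            summary.setdefault((port, outcome), []).append(host)
    return summary

if __name__ == "__main__":
    # Constructed sample addresses; replace with the devices that fail in RME.
    devices = ["192.0.2.10", "192.0.2.11"]
    results = survey(devices, connect_timeout=3, read_timeout=3)
    for (port, outcome), hosts in sorted(results.items()):
        print(f"tcp/{port} {outcome}: {len(hosts)} device(s) {hosts}")
```

Run it on the RME server itself, since a result from any other workstation says nothing about the path the server's traffic takes through the firewall.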
