Unable to add switches to CAM via SNMP

Jan 20th, 2010

Hello all,


I am now starting some POC work and was progressing well until I came to adding some 4510 switches to the CAM to control OOB devices.


I have full IP connectivity between the switch management VLAN interface (the switch is running in layer 2 only) and the CAM eth0 interface over the network with no firewalls in the way.


I have tried configuring both SNMP versions on the CAM and I have captured the SNMP communication between the switch and the CAM, which is being received by the switch and is being responded to. So I have proved that SNMP packets are reaching the various devices. There are no routing or switching issues.


Would someone please mind giving me a hand and telling me why the CAM cannot control the switch? When you try to add the switch it comes up with a message like "unable to control 10.108.2.15". This is the management VLAN2 on the test switch. I have used test communities public and private respectively on the CAM to match the switch.


SNMP switch config snippet below. The CAM is at 10.108.100.10.


snmp-server engineID local 800000090300001D4572F86E
snmp-server community public RO 10
snmp-server community private RW 10
snmp-server trap-source Vlan2
snmp-server enable traps snmp linkdown
snmp-server enable traps mac-notification change move threshold
snmp-server host 10.108.100.10 version 2c private
snmp-server host 10.108.100.10 version 2c public


access-list 10 permit 10.108.100.10   (This is the CAM referenced in ACL 10 so the poll will work)


Thanks kindly,


Oliver
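
An added example, not part of the original post and not a Cisco tool: a Python check of the SNMP lines posted above that confirms ACL 10 admits the CAM for both communities and that the CAM is a trap destination, and flags the well-known community names. The function names and the simplified handling of IOS syntax (numbered standard ACLs, `community <name> RO|RW [acl]`) are assumptions.

```python
import ipaddress
import re

# SNMP lines copied from the switch config posted above.
CONFIG = """\
snmp-server community public RO 10
snmp-server community private RW 10
snmp-server host 10.108.100.10 version 2c private
snmp-server host 10.108.100.10 version 2c public
access-list 10 permit 10.108.100.10
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_permits(config, acl, addr):
    """First-match walk of a numbered standard ACL (implicit deny at the end)."""
    pat = re.compile(
        rf"^access-list {acl} (permit|deny) "
        r"(?:(any)|(?:host )?([\d.]+)(?: ([\d.]+))?)", re.M)
    for action, any_src, base, wildcard in pat.findall(config):
        # Wildcard bits set to 1 are "don't care"; no wildcard means a host entry.
        care = ~(to_int(wildcard) if wildcard else 0) & 0xFFFFFFFF
        if any_src or to_int(addr) & care == to_int(base) & care:
            return action == "permit"
    return False

def audit(config, manager):
    """Return findings about SNMP reachability and exposure for one manager IP."""
    findings = []
    communities = re.findall(
        r"^snmp-server community (\S+) (RO|RW)(?: (\d+))?", config, re.M)
    for name, mode, acl in communities:
        if not acl:
            findings.append(f"community {name}: no ACL, any source may poll")
        elif not acl_permits(config, acl, manager):
            findings.append(f"community {name}: ACL {acl} does not permit {manager}")
        if name in ("public", "private"):
            findings.append(f"community {name} ({mode}): well-known default string")
    if manager not in re.findall(r"^snmp-server host (\S+)", config, re.M):
        findings.append(f"no trap destination for {manager}")
    return findings

if __name__ == "__main__":
    for line in audit(CONFIG, "10.108.100.10"):
        print(line)
```

For the CAM address the only findings are the two default community names, so the switch side admits the CAM's polls and sends it traps.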

Faisal Sehbai Sat, 01/23/2010 - 20:17

Oliver,


CCA is very picky when it comes to working right in OOB configs with the switch versions. If you haven't, can you please verify that the 4510's have the supported codes?


http://bit.ly/SwitchSupport


HTH,

Faisal

o.priest Sun, 01/24/2010 - 03:36

Hi again Faisal,


The switch is a 4510R-R with 2 x SUP6-E's running code 12.2.53SG so the code is very recent. As the SUP6-E's are based on 4900 code I think that may be a clue as to why things are not working; however, the SUP6-E should have full NAC support according to all documentation.


I would just like to add that our 5508 WLC's cannot be added to the CAM either and they are running version 6.0 WLC code. Again very recent code.


I can add 3750 switches fine so I know the configs are correct.



Doing this testing is most frustrating indeed as the NAC products just do not work as they should. I have asked for this to be escalated to our SE so we should get a TAC case raised.


Faisal if you could be of any additional assistance this would be most appreciated.


Thanks,


Oliver

Faisal Sehbai Sun, 01/24/2010 - 05:12

Oliver,


I'm sorry for the frustration you're going through. Raising a TAC case is the right approach since it lets us involve the dev groups too, if need be.


To start off, can you share with me your sh tech from the switch, the packet capture you've done, and the version of checks and rules (Clean Access -> Updates) ?


Thanks,

Faisal

o.priest Sun, 01/24/2010 - 09:42

Hi, I have raised a TAC case. I will drop you an email from my work address shortly with the service request no. if you are interested in following the issue.


Thanks,


Olly

Faisal Sehbai Tue, 01/26/2010 - 09:48

Documenting the solution for this problem: Customer had to update the Checks and Rules to get the proper OIDs, after which adding the switch became possible.


HTH,

Faisal

o.priest Tue, 08/31/2010 - 01:31

Hi Rodrigo.


I am deploying a virtual gateway OOB solution. Remember you can still do OOB with a virtual gateway design. As Faisal from TAC has mentioned, I couldn't control the switches via SNMP because even though I was using supported IOS I had a fresh NAC install and needed to run an update via HTTP under "Device Management, Clean access, Updates, Update" to download the necessary SNMP OIDs.


Thanks,


Olly

o.priest Tue, 08/31/2010 - 05:47

Are they running at least 12.2(35)SE5?


Please mention the exact model number of your 2960.


Thanks,

o.priest Tue, 08/31/2010 - 07:50

Your version looks good. Raise a TAC case and get Cisco to help you.


Can you add the 2960 to the CAM and manage the ports?


Regards,


Oliver

rodrigo.antunes Tue, 08/31/2010 - 10:13

Hi,


It's exactly what I can't do. :-)


I can add only 2960G. I can't add 2960 (normal - 24 ports fast and giga uplink).

I'd like to try other solutions before opening a case. I don't want to spend more time.


Rodrigo Antunes

o.priest Tue, 08/31/2010 - 11:25

Rodrigo,


I don't have heavy exposure with the 2960's but I have never heard of a 2960G. Looking at the platforms online I see 2960 and 2960-S. Is this an old EOL platform or something?


The output you sent me before with the show ver, was that from a device that didn't work?


I am surprised you do not have a service contract if you are running NAC in your enterprise!


Regards,


Olly

Faisal Sehbai Wed, 09/01/2010 - 03:07

Rodrigo,


Please post the screenshots from your CAM for the following screens:


Clean Access -> Updates

Profiles -> SNMP Receiver

Profiles -> Device

Profiles -> Device -> Edit (on the switch model that you're trying to add)


Also, please post a show running-config from the switch that isn't working.


Thanks,

Faisal

rodrigo.antunes Wed, 09/01/2010 - 05:50

Hi people. Hi Faisal.


I'd like to thank you for the attention. Following the tips, I updated the NAC Manager (AV List, OIDs, etc.) and got to add the 2960 switch.

The problem was really the old MIBs. I was surprised because, previously, I installed the 4.8 release (July 2010) and didn't get to add the switch either. I thought that release was complete.


Thanks a lot people!!!


Rodrigo Antunes
