sync archive failing

Unanswered Question
Apr 1st, 2010

Hey folks..


Have an issue with my archive sync.


We recently moved from local accounts on our devices to a TACACS appliance.  I set up a TACACS account for my LMS to use to perform the sync archive.  It is a security level 15 account.


I set up the appropriate credentials in the device credentials section, removing the old local account, and placing the TACACS account.


Each time I attempt a sync, I am returned the following error:


*** Device Details for <DEVICE> ***
Protocol ==> Unknown / Not Applicable
Selected Protocols with order ==> SSH
Execution Result:


CM0151 PRIMARY RUNNING Config fetch failed for <DEVICE> Cause: Couldnot enter ENABLE Mode from USER Mode on Device. Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.


SSH is the only protocol configured for use on the switch I'm attempting to archive and is the configured protocol within LMS.  I can SSH from the machine on which LMS is running and enter configuration mode without a problem.  I have increased the SNMP timeout value.


What am I missing here?

Bruce Summers Thu, 04/01/2010 - 07:40

An additional note:


I performed a "Check Device Credential" and was returned the following as a result:



        "Enable username credential missing"


Within the credential edit location, there is only 1 place to put a username, so I'm not real clear what this error means.


Thanks


Bruce 

yjdabear Thu, 04/01/2010 - 09:09

Both point to the enable password being missing in DCR for the device.

Bruce Summers Thu, 04/01/2010 - 09:17

Hmmm..


And if placing the credentials by editing device credentials doesn't get the credentials in the appropriate area, what does?


How can I confirm your theory...


Bruce

yjdabear Thu, 04/01/2010 - 09:39

To verify whether the enable password is populated, you could choose Export from DCR - Device Management, either in CSV or XML format (don't forget to tick the "Export Device Credentials" box if on LMS 3.2). Then examine the line for the problem device.


Also, you could set up a sniffer session, or use the Packet Capture tool bundled with LMS, to capture the conversations during a Sync Archive job (scheduled or ad-hoc) against the problem device. That could shed some light, depending on what protocol you've selected (less with SSH).


Lastly, you can examine the Sync Archive job logs or post them here. For example, on Solaris, it's located in /var/adm/CSCOpx/files/rme/jobs/ArchiveMgmt/[jobID]/. Of course, having debug on would be much better, so you may want to schedule an ad-hoc Sync Archive after enabling debug on ArchiveMgmt in RME.

Bruce Summers Thu, 04/01/2010 - 12:25

I turned on debugging, looked at the txt file that is generated, and it says the same thing as the error that is displayed.


Actually, it's not an error concerning the password.  It is stating that the enable username is missing in one section of LMS, but seems to manifest itself in RME as an authentication failure.


"Could not enter ENABLE Mode from USER Mode on Device"

yjdabear Thu, 04/01/2010 - 12:31

Now I'm starting to suspect your device is running one of the IOS versions affected by CSCsu21040.


Basically, the buggy IOS asks for "Username: " again after receiving "enable", which throws RME for a loop.


Some of the affected IOS I've seen:
12.2(17r)SX3
12.2(17r)SX5
12.2(33)SXH3


Fixed-In

12.2(33.3.12)SXH
12.2(33)SXH4


http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsu21040

CSCsu21040 Bug Details

Enable authentication prompts for username/password instead of just pass
Symptom:

With enable authentication configured, the router/switch prompts for both username and password instead of just password.

Conditions:

This problem has been seen on IOS 12.2(33)SXH3.

Workaround:

Enter both username and password when prompted

Bruce Summers Thu, 04/01/2010 - 12:44

Understood...some buggy IOSes, but how do I work around it? I can't upgrade all my IOSes (very large datacenter).


Is there a method to do so?


Bruce

yjdabear Thu, 04/01/2010 - 12:45

No workaround that I'm aware of from the LMS end.

Bruce Summers Thu, 04/01/2010 - 12:45

I responded via email a bit ago...


However, a follow-on to that email...this problem only occurred when I changed TACACS appliances.  We were using TACACS on one appliance and are now using it on another appliance...


Same configuration, just different user accounts...


Bruce

yjdabear Thu, 04/01/2010 - 12:48

Then I wouldn't attribute the problem to the bug unless one could manually duplicate the symptom of getting the extraneous "username: " prompt upon trying to enter enable mode. It could be another cause entirely.
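
One way to check a manually captured CLI session for the extraneous "Username:" prompt discussed above, as an added example that is not part of the original thread. The prompt patterns, function name, hostnames and account name are assumptions, and the sample sessions are constructed.

```python
import re

# Prompt patterns are assumptions about how the IOS CLI text looks in a capture.
ENABLE_CMD = re.compile(r"^\S+>\s*en(a(b(le?)?)?)?\s*$", re.IGNORECASE)
USERNAME_PROMPT = re.compile(r"^\s*username:", re.IGNORECASE)
PASSWORD_PROMPT = re.compile(r"^\s*password:", re.IGNORECASE)
PRIV_PROMPT = re.compile(r"^\S+#")


def classify_enable(transcript: str) -> str:
    """Report what the device asked for immediately after 'enable' was typed.

    Only the first non-blank line after the enable command is examined, so a
    'Username:' prompt from the initial login is not mistaken for the
    enable-time prompt.
    """
    lines = [ln for ln in transcript.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if not ENABLE_CMD.match(line):
            continue
        reply = lines[i + 1] if i + 1 < len(lines) else ""
        if USERNAME_PROMPT.match(reply):
            return "username-prompt"   # the CSCsu21040 symptom
        if PASSWORD_PROMPT.match(reply):
            return "password-only"     # expected behaviour
        if PRIV_PROMPT.match(reply):
            return "no-prompt"         # privileged mode without a challenge
        return "unknown"
    return "no-enable"


# Constructed sample sessions (hostnames and account name are made up).
NORMAL = """Username: lmsuser
Password:
switch1>enable
Password:
switch1#"""

AFFECTED = """Username: lmsuser
Password:
switch1>enable
Username: lmsuser
Password:
switch1#"""

if __name__ == "__main__":
    for name, text in (("normal", NORMAL), ("affected", AFFECTED)):
        print(name, "->", classify_enable(text))
```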

Bruce Summers Thu, 04/01/2010 - 12:50

Agreed.


And I am not being prompted when I merely SSH into the devices...so, probably not the bug you reference causing it...


I am perplexed...


Bruce

Bruce Summers Thu, 04/01/2010 - 19:11

Anybody have any other thoughts?


I've removed a device, added it back in, restarted all the services for LMS, and reinventoried the device.  I have validated and revalidated the credentials and nothing seems to point to the problem.


Is there a log that would give some indication of what is happening between LMS and the device...Nothing apparent is in the switch log.


Thanks.


Bruce

Bruce Summers Thu, 04/01/2010 - 09:23

Hmm..but, now that we are talking about it,


the credentials are present for the initial SSH login process...


It's not really saying the password is incorrect, it's saying the Enable Username is missing.


Bruce

fredareid Wed, 01/26/2011 - 08:49

Has anyone found a solution to this issue? I am experiencing the same thing.


Even my credential check is telling me it fails for "Enable username credential missing."
