Failed to authenticate with the device at ip.ip.ip.ip using TELNET

Answered Question
Aug 26th, 2010

Hi!

I can no longer use CCA :-)

I tried everything, but when I enter user and password after waiting a few tens of seconds I get the following error window: "Failed to authenticate with the device at ip.ip.ip.ip using TELNET. TELNET access is required for access to voice configuration. Cannot continue. Exiting CCA."

Given that I do not understand the need to use the 'telnet', I verified that UC500 was reachable from the PC via telnet. But CCA 2.2.5 don't work and I find no reason, even logging on to see go console error messages or anything else that turn me to the solution. Before removing CCA and back to 2.2.4, I see if I could solve the problem somehow.

I tried to see what was going on the network with wireshark:

Time          Source          Destination     Protocol     Info
-------------     --------------     ---------------     ---------     ----------------------------------------------------------------------------
722.508214     pc.pc.pc.128     uc.uc.uc.1     TELNET     Telnet Data ... (the password in clear text!!!!)
722.713551     uc.uc.uc.1     pc.pc.pc.128     TCP     telnet > xs-openstorage [ACK] Seq=80 Ack=37 Win=4092 Len=0
722.713606     pc.pc.pc.128     uc.uc.uc.1     TELNET     Telnet Data ... (a '/r/n' after send user pwd on previus pkt)
722.911528     uc.uc.uc.1     pc.pc.pc.128     TCP     telnet > xs-openstorage [ACK] Seq=80 Ack=39 Win=4090 Len=0
724.608892     pc.pc.pc.128     uc.uc.uc.1     TCP     xs-openstorage > telnet [FIN, ACK] Seq=39 Ack=80 Win=65456 Len=0
724.611192     uc.uc.uc.1     pc.pc.pc.128     TCP     telnet > xs-openstorage [ACK] Seq=80 Ack=40 Win=4090 Len=0
724.721538     uc.uc.uc.1     pc.pc.pc.128     TELNET     Telnet Data ... (a '/r/n')
724.721589     pc.pc.pc.128     uc.uc.uc.1     TCP     xs-openstorage > telnet [RST, ACK] Seq=40 Ack=82 Win=0 Len=0

...but do not understand why the PC ends the connection!

NB: Obviously the username and password are correct and the UC does not report login errors.

Can anyone give me a hint? 1k thanks

73,

Arturo

I have this problem too.
0 votes
Correct Answer by Steven DiStefano about 6 years 3 months ago

"" /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman","serif"; mso-fareast-font-family:"Times New Roman";}

When we fail to authenticate to device using TELNET  using username/password  provided during discovery we show this dialog and exit and we don't log this exception to the log.

""

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman","serif"; mso-fareast-font-family:"Times New Roman";}

Can we check if the "login delay" is configured or not?

CCA does not support this.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (4 ratings)
Loading.
Steven DiStefano Thu, 08/26/2010 - 11:10

Hints yes.   But a TAC case may be required.

So when you connect to a UC500 via CCA, you can connect via the IP address, or as a 'site'.  The site allows you to accumulate multiple elements in a community if you will and it saves this on your PC in Documents and Settings / .configurationassistant / communities

The behavior is that if all the user ids and PWs are all the same for all the devices, CCA prompts you once every time you connect to that site (community).   If they are different, it prompts per IP address of the element.  If you enter one wrong more than 3 times, it kicks you out.

I would guess that you are trying to connect to a site?  And maybe in that site, you are prompted for a network element that is in the community, but different that the one you are thinking you are entering credentials for?

Try to connect via IP of the device (dont use the saved site) and see if that makes a difference.

Try to telnet directly to the element and see if you can enter credentials that way.

Arturo Bianchi Thu, 08/26/2010 - 11:27

sdistef ha scritto:

I would guess that you are trying to connect to a site?

Yes,

only with 1 IP or device!

sdistef ha scritto:

Try to connect via IP of the device (dont use the saved site) and see if that makes a difference.

Idem,

'Failed to authenticate....'

sdistef ha scritto:

Try to telnet directly to the element and see if you can enter credentials that way.

~$ telnet gw.lab
Trying uc.uc.uc.1...
Connected to gw.lab.
Escape character is '^]'.


User Access Verification

Username: admin
Password:

cme#

73,

Arturo.

Steven DiStefano Thu, 08/26/2010 - 11:47

Is this a UC500 you are trying to connect to?  Your prompt says CME.  CCA doesnt support ISR.

Also, is your PC directly connected to the UC500 LAN port?

Arturo Bianchi Thu, 08/26/2010 - 12:48

Obviously, I would not open the thread here ... CME is simply the hostname,,,


The problem occurs over internet via VPN, via WiFi, via LAN through a telephone, I don't tried to connect the PC directly @ lan port of UC540W but I guess that is not a link problem.

NB: Could be a timeout issue? FIN, ACK is sent after 2 seconds.... That the CCA was impatient?

73

Steven DiStefano Thu, 08/26/2010 - 12:54

OK, you didnt really say it was a UC500, so wasnt obvious. :-)

Connecting via WiFi of the UC500 or the Phone answers my question, AS LONG AS the phone is on the UC500 and the WiFi is from the UC500 or APs connected directly to it.   Something gave me the impression that you had some hops between your PC and the UC500 in your connection screen shots.

Should be no different than direct connect, where as the remote connection opens a different set of potential issues.

Do me a favor and connect it locally to a UC500 switch port and try again.  If/When if fails,

send the CCA Log File from Help:Support: GenerateLogFile.  Maybe there is a hint in there.

Arturo Bianchi Thu, 08/26/2010 - 13:34

No,

I tried a direct connection and the problem is still here!

I am unable to generate log, when CCA go in error I can push only OK button and CCA die!

73

Steven DiStefano Thu, 08/26/2010 - 13:45

You may be able to grab the application log from the PC manually please...

C:\Program Files\Cisco Systems\CiscoSMB\Cisco Configuration Assistant

Arturo Bianchi Thu, 08/26/2010 - 13:53

Most files are 0 bytes long, only Application_Log report some output:

++: DEBUG:  : User Preference Settings App Version=2.2 (5)
++: DEBUG:  : Current App Version=2.2 (5)
++: DEBUG:  : *** Site name: DIM - Lab
++: DEBUG:  : *** Remove site from history list: DIM - Lab
++: DEBUG:  : Last used connection string: http://DIM+-+Lab:80/
++: DEBUG:  : Filtered connection string: DIM+-+Lab
++: DEBUG:  : SiteName : DIM+-+Lab DecodedName: DIM - Lab
++: DEBUG:  : DIM - Lab is customer site name: true
++: DEBUG:  : Set connection string to: ---.---.---.---
++: DEBUG:  : Filtered connection string: DIM+-+Lab
++: DEBUG:  : Duration for [upd Mirror<--Device() @ com.cisco.cpnm.features.defn.connect.ConnectDialogTask] = [1265] msec.
++: DEBUG:  : *** Site name: DIM - Lab
++: DEBUG:  : *** Remove site from history list: DIM - Lab
++: DEBUG:  : Last used connection string: http://DIM+-+Lab:80/
++: DEBUG:  : Filtered connection string: DIM+-+Lab
++: DEBUG:  : SiteName : DIM+-+Lab DecodedName: DIM - Lab
++: DEBUG:  : DIM - Lab is customer site name: true
++: DEBUG:  : Set connection string to: ---.---.---.---
++: DEBUG:  : Filtered connection string: DIM+-+Lab
++: DEBUG:  : Filtered connection string: DIM+-+Lab
++: DEBUG:  : Filtered connection string: DIM+-+Lab
++: DEBUG:  : WDTask::setHierarchy .TroubleshootingLogsTask
++: DEBUG:  : Duration for [create() @ com.cisco.cpnm.features.defn.logs.TroubleshootingLogsTask] = [78] msec.

NB: I understand that the program tries to connect using something invented name of the site?

I create another site with a valid DNS name and I try to connect... Last log lines are:

++: DEBUG:  : conn string: HTTP://valid.name.tld:80/
++: DEBUG:  : ConnectionMediator:connect() : http://valid.name.tld:80/
++: DEBUG:  : URL After Decoding :http://valid.name.tld:80/
++: DEBUG:  : ConnectionMediator:isFederation() : http://valid.name.tld:80/
++: DEBUG:  : initAppMode():http://valid.name.tld:80/
++: DEBUG:  : ConnectionMediator:isFederation() : http://valid.name.tld:80/
++: DEBUG:  : initAppWithConnection():http://valid.name.tld:80/
++: DEBUG:  : Found Module For device type : UC540W-BRI-K9
++: DEBUG:  : *** RouterInfo.ShVer.Fields=[UC540W-BRI-K9, cme, 1 day  23 hours  49 minutes, flash:uc500-advipservicesk9-mz.150-1.XA2, , 15.0(1)XA2, N, N, , UC500-ADVIPSERVICESK9-M, , 1 ]
++: DEBUG:  : [email protected]: getAuthCreds() called for: telnet://uc.uc.uc.1:23; realm: null
++: DEBUG:  : [email protected]: getAuthCreds() called for: telnet://uc.uc.uc.1:23; realm: null
++: DEBUG:  : [email protected]: getAuthCreds() called for: telnet://uc.uc.uc.1:23; realm: null

73

Steven DiStefano Thu, 08/26/2010 - 14:07

while the logs are looked at, can you tell us if User Password is the same as "enable" password?

I am told, if not, thats the problem, as CCA wants them to be the same.

Correct Answer
Steven DiStefano Thu, 08/26/2010 - 14:42

"" /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman","serif"; mso-fareast-font-family:"Times New Roman";}

When we fail to authenticate to device using TELNET  using username/password  provided during discovery we show this dialog and exit and we don't log this exception to the log.

""

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman","serif"; mso-fareast-font-family:"Times New Roman";}

Can we check if the "login delay" is configured or not?

CCA does not support this.

Steven DiStefano Thu, 08/26/2010 - 14:47

Also, /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman","serif"; mso-fareast-font-family:"Times New Roman";} we want to see whether there is anything in the line vty area that blocks TELNET.

If you can snip that in here?

Arturo Bianchi Thu, 08/26/2010 - 14:54

yes... 'login delay 2' ...but this did not bother to version 2.2.4 .

Now, I can enter!!!

I d'on't understand why CCA indicates a problem with the CUE ('Voicemail may not working normally... yes or no'); but that's another story (thread!?)

Very thanks,

Arturo.

Steven DiStefano Thu, 08/26/2010 - 15:01

We are happy to help,

please remember a system not configured with CCA cannot be supported by CCA.

There are just too many variables.....like this one.

:-)

Arturo Bianchi Thu, 08/26/2010 - 15:15

This is a real limit of the CCA, with version 3 maybe things will get better! CCA Is too rigid; should still accept/tollerate the changes made by CLI also because, obviously, are made to speedup provisioning or activate functions not provided by the CCA.

I think I will have to return to the factory cfg because is now in the loop on the dialplan (30 minutes and still not show the dialplan)!!!

73,

Arturo.

Armando De La Torre Tue, 08/09/2016 - 10:30

I was also getting this error message

"Failed to authenticate with the device at ip.ip.ip.ip using TELNET. TELNET access is required for access to voice configuration. Cannot continue. Exiting CCA.

Trying to use Cisco Configuration Assistance to work on a UC560.

As soon as I change the enable password to match the Username/Password;   I was able to open up CCA.

Hope this helps some one else!!

Steven DiStefano Thu, 08/26/2010 - 15:22

Yes, you do.

I hope you are not too dissatisfied that we dont support CLI configured systems.  We used to maintain an out of band configuration guide which used to show partners how to steer clear of what CCA wanted to reserve and interpret a certain way, but that didnt work out well, because there are TOO MANY knobs to tune on UC500 and because frankly most ignored it :-)

We have to come to a point where your costs and our costs of sustaining your practice in hybrid mode is just unrealistic.

I think you will like CCA 2.2.5.  I really do.  I think if you look at the feature reference guide (updated last week) of what we can do with 2.2.5 and try it, you will 'come home to CCA"

On that note, I am going home now ;-)

Arturo Bianchi Thu, 08/26/2010 - 15:33

sdistef ha scritto:

On that note, I am going home now ;-)


Good return at home, I go now to sleep ... I agree with what you say but could open a nice thread to discuss this...

73,

Arturo

patrick.hurley Wed, 10/06/2010 - 22:10

I had the same problem and as soon as I changed the username password and the enable password to be the same it worked.  Creepy.

Arsen Gharibyan Thu, 05/31/2012 - 11:20

Hello ,Im having the same issue

aaa new-model

aaa authentication login default local

aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local

aaa session-id common

i was able to use cca  couple days ago and now its just stoped working

and im still able to telnet to it

any ideas ?