Cisco Prime LMS 4.x problem with SNMP authentication failed

Unanswered Question
Apr 30th, 2012

Hi forum,

I am testing the CP LMS 4 OVA software Appliance.

I started with 4.1 and just upgraded to 4.2.

Already in CP LMS 4.1 I saw problems with my devices in regards to LMS data collection: when it does data collection it suddenly fails for some SNMP packets, resulting in the device promptly sending a TRAP back to my LMS with authentication failed!

I have dug into that and find that the LMS from time to time adds these values to the SNMP password/community name:

(Verified with Tools - packet capture, for evidence!)

@1

@10

@500

and I guess variations of that ...

so that the captured SNMP community is e.g. public@500

This is then wrong and the device traps the authentication failure, which is the correct behavior ...

Why does LMS do this, and what can be done to stop this behavior?
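As an added illustration (not part of the original post), here is a small Python parser that does what the "Tools - packet capture" check above does by eye: it pulls the community string out of a raw SNMPv1/v2c message and splits off the community-string index. The sample packet bytes are constructed for this example (a v2c GetNextRequest for BRIDGE-MIB dot1dTpFdbPort with community "public@500"), not taken from the poster's capture; the BER decoding and PDU tags follow the SNMP spec, and the helper names are my own.

```python
"""Extract the community string (and any "@<vlan>" community-string index)
from raw SNMPv1/v2c message bytes, as you would when checking a capture."""

PDU_TYPES = {
    0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
    0xA3: "SetRequest", 0xA4: "Trap-v1", 0xA5: "GetBulkRequest",
    0xA6: "InformRequest", 0xA7: "Trap-v2c",
}

# Constructed sample (UDP payload only): SNMPv2c GetNextRequest, request-id 42,
# community "public@500", one varbind for dot1dTpFdbPort = NULL.
SAMPLE_GETNEXT_HEX = (
    "302c020101040a7075626c696340353030"        # SEQUENCE, version 1 (v2c), "public@500"
    "a11b02012a020100020100"                    # GetNextRequest, req-id 42, no error
    "3010300e060a2b0601020111040301020500"      # varbind: 1.3.6.1.2.1.17.4.3.1.2 = NULL
)


def _tlv(buf, pos):
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _int(value):
    return int.from_bytes(value, "big", signed=True)


def _oid(value):
    """Decode BER OID contents into dotted notation."""
    subids = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    return ".".join(str(s) for s in subids)


def split_indexed_community(community):
    """'public@500' -> ('public', 500); 'public' -> ('public', None).
    A non-numeric suffix after '@' is returned as a string so it stays visible."""
    base, sep, suffix = community.partition("@")
    if not sep:
        return base, None
    return base, int(suffix) if suffix.isdigit() else suffix


def parse_snmp(msg):
    """Return version, community, index and varbind OIDs of an SNMPv1/v2c message."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    pos = 0
    _, v, pos = _tlv(body, pos)
    version = _int(v)
    if version not in (0, 1):
        raise ValueError("only SNMPv1/v2c carry a community string")
    _, c, pos = _tlv(body, pos)
    community = c.decode("latin-1")
    pdu_tag, pdu, _ = _tlv(body, pos)
    base, index = split_indexed_community(community)
    result = {
        "version": "v1" if version == 0 else "v2c",
        "community": community,
        "base_community": base,
        "vlan_index": index,
        "pdu_type": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
        "request_id": None,
        "oids": [],
    }
    if pdu_tag == 0xA4:                      # v1 Trap PDU has a different layout
        return result
    p = 0
    _, rid, p = _tlv(pdu, p)
    _, _, p = _tlv(pdu, p)                   # error-status
    _, _, p = _tlv(pdu, p)                   # error-index
    _, varbinds, _ = _tlv(pdu, p)
    result["request_id"] = _int(rid)
    q = 0
    while q < len(varbinds):
        _, vb, q = _tlv(varbinds, q)
        _, oid_bytes, _ = _tlv(vb, 0)
        result["oids"].append(_oid(oid_bytes))
    return result


if __name__ == "__main__":
    print(parse_snmp(bytes.fromhex(SAMPLE_GETNEXT_HEX)))
```

Feed it the UDP payload of port 161/162 packets (for instance what `tshark -T fields -e udp.payload` prints, hex-decoded); any message whose vlan_index is not None is an indexed poll, and a device that does not accept that indexed community answers it with an authenticationFailure trap instead of a Response PDU, which is exactly the pairing to look for in the capture.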

Vinod Arya Mon, 04/30/2012 - 04:39

This is correct behaviour. BRIDGE-MIB is polled to get the CAM table or MAC address table data from devices. This information can only be collected on a per-VLAN basis and hence LMS adds @<VLAN> to get end hosts per VLAN.

So if your device has VLAN 1, 10, 50 etc., to get the MAC address details it will poll each VLAN like:

public@1

public@10

public@50 etc.

This is known as Community String Indexing. The error you see may appear if you have some VLAN ID still showing in SNMP and not in show vlan, and CiscoWorks is polling that VLAN as well.

Try to generate a VLAN report for the device and cross-check that all the VLANs are as per the device. The extra one may come in a suspended state.

-Thanks

Vinod
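To make the VLAN cross-check above concrete, here is an added Python example (my own code, not anything LMS or User Tracking runs) that builds the indexed communities for a per-VLAN BRIDGE-MIB walk from a walk of CISCO-VTP-MIB vtpVlanTable. It skips the VLANs that have no CAM table behind them (the fddi/token-ring defaults 1002-1005) and, unless told otherwise, suspended VLANs, which is the case where a VLAN is still reported by SNMP but no longer really exists. The snmpwalk output lines are constructed for this example; the vtpVlanState/vtpVlanType column OIDs and their enumerations are from CISCO-VTP-MIB.

```python
"""Derive community-string-indexed communities for a per-VLAN BRIDGE-MIB walk
from a vtpVlanTable walk, skipping VLANs that would only earn an
authenticationFailure trap from the agent."""

# CISCO-VTP-MIB vtpVlanTable columns; the row index is mgmtDomainIndex.vlanId
VTP_VLAN_STATE = "1.3.6.1.4.1.9.9.46.1.3.1.1.2"   # 1 operational, 2 suspended, 3/4 mtuTooBig*
VTP_VLAN_TYPE = "1.3.6.1.4.1.9.9.46.1.3.1.1.3"    # 1 ethernet, 2 fddi, 3 tokenRing, 4 fddiNet, 5 trNet
STATE_OPERATIONAL, STATE_SUSPENDED = 1, 2
TYPE_ETHERNET = 1
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"       # BRIDGE-MIB: MAC address -> bridge port

# Constructed sample "snmpwalk -On" output: the six VLANs from the thread's
# "show vlan-sw" plus a suspended VLAN 500 that only SNMP still reports.
SAMPLE_WALK = """
.1.3.6.1.4.1.9.9.46.1.3.1.1.2.1.1 = INTEGER: 1
.1.3.6.1.4.1.9.9.46.1.3.1.1.2.1.10 = INTEGER: 1
.1.3.6.1.4.1.9.9.46.1.3.1.1.2.1.500 = INTEGER: 2
.1.3.6.1.4.1.9.9.46.1.3.1.1.2.1.1002 = INTEGER: 1
.1.3.6.1.4.1.9.9.46.1.3.1.1.2.1.1003 = INTEGER: 1
.1.3.6.1.4.1.9.9.46.1.3.1.1.2.1.1004 = INTEGER: 1
.1.3.6.1.4.1.9.9.46.1.3.1.1.2.1.1005 = INTEGER: 1
.1.3.6.1.4.1.9.9.46.1.3.1.1.3.1.1 = INTEGER: 1
.1.3.6.1.4.1.9.9.46.1.3.1.1.3.1.10 = INTEGER: 1
.1.3.6.1.4.1.9.9.46.1.3.1.1.3.1.500 = INTEGER: 1
.1.3.6.1.4.1.9.9.46.1.3.1.1.3.1.1002 = INTEGER: 2
.1.3.6.1.4.1.9.9.46.1.3.1.1.3.1.1003 = INTEGER: 3
.1.3.6.1.4.1.9.9.46.1.3.1.1.3.1.1004 = INTEGER: 4
.1.3.6.1.4.1.9.9.46.1.3.1.1.3.1.1005 = INTEGER: 5
""".strip().splitlines()


def parse_vtp_walk(lines):
    """Return {vlan_id: (vtpVlanState, vtpVlanType)} from numeric-OID walk lines."""
    rows = {}
    for line in lines:
        oid, sep, rhs = line.strip().partition(" = ")
        if not sep or not rhs.startswith("INTEGER:"):
            continue
        value = int(rhs.split(":", 1)[1])
        oid = oid.lstrip(".")
        for column, slot in ((VTP_VLAN_STATE, 0), (VTP_VLAN_TYPE, 1)):
            if oid.startswith(column + "."):
                _domain, vlan_id = oid[len(column) + 1:].split(".")
                rows.setdefault(int(vlan_id), [None, None])[slot] = value
    return {v: tuple(st) for v, st in rows.items() if None not in st}


def indexed_communities(base, vlan_table, include_suspended=False):
    """Return base@vlan for each VLAN worth polling, ascending by VLAN id."""
    if "@" in base:
        # the agent splits on the first '@', so an '@' in the base community
        # would silently change which VLAN gets polled
        raise ValueError("base community must not contain '@'")
    chosen = []
    for vlan_id, (state, vlan_type) in sorted(vlan_table.items()):
        if vlan_type != TYPE_ETHERNET:
            continue                          # no CAM table behind fddi/token-ring VLANs
        wanted = state == STATE_OPERATIONAL or (
            include_suspended and state == STATE_SUSPENDED)
        if wanted:
            chosen.append(f"{base}@{vlan_id}")
    return chosen


def walk_commands(host, base, vlan_table, include_suspended=False,
                  oid=DOT1D_TP_FDB_PORT):
    """One Net-SNMP snmpwalk argv per VLAN, ready to hand to subprocess.run()."""
    return [["snmpwalk", "-v2c", "-c", community, host, oid]
            for community in indexed_communities(base, vlan_table, include_suspended)]


if __name__ == "__main__":
    table = parse_vtp_walk(SAMPLE_WALK)
    for argv in walk_commands("192.0.2.10", "public", table):
        print(" ".join(argv))
```

With include_suspended left at False the suspended VLAN 500 is never polled, so the agent never sees "public@500" and never raises the trap; with it set to True the same list grows by that one entry, which is the behaviour the suspended-VLAN setting in User Tracking toggles. Running the generated argv lists against the device itself needs network access and is left to the caller.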

mbilgrav Mon, 04/30/2012 - 05:05

oh my!

my gray hairs are starting to show ...

I'll bet these 2800 routers with switch modules do not support these MIBs as indexed ...

I get new gray hairs ...

why didn't LMS 3.2 do the same?

I run an LMS 3.2 as well, and I don't see authen fail here ...

could it be that CP LMS 4.2 has a bug, that when it comes to these modules it shouldn't use indexing?

how can I verify??

in the router under test I have the VLANs in the router, i.e. vlan 1, 10 and 500

so it makes good sense that the LMS sees this, but when the indexed community is used it is clearly not understood by the router, as it promptly responds with an authen-fail trap!

mbilgrav Mon, 04/30/2012 - 05:33

do you know which element in LMS is using the indexed method?

like UserTracking would be my guess?

I was told, and can verify that, UT is not supported on ISR G1 routers with eth HWIC switch modules ...

Vinod Arya Mon, 04/30/2012 - 05:58

I have seen this issue in LMS 3.2 as well. This is not from the LMS side. What happens is, if any of the VLANs is configured and then removed, it may still have its entry when LMS gets VLAN information via SNMP.

There is a known old bug for this # CSCsl58740. For now on your LMS try this, to prevent User Tracking from querying suspended VLANs: change the property value for UTGetSuspendedVlans from 1 to 0 in the ut.properties file under NMSROOT\CSCOpx\campus\etc\cwsi.

      UTGetSuspendedVlans=0

Restart the daemon manager after that and run a full DC and UT. Apart from User Tracking, CiscoWorks doesn't need BRIDGE-MIB to be polled and none of the other modules use Community String Indexing.

-Thanks

Vinod

mbilgrav Tue, 05/01/2012 - 01:36

awesome answers!

thank you very much for your time and efforts - I really appreciate this.

I understand what you are telling me, but I think there is still a bug in regards to C2801/1841 router support and the eth modules in the HWIC.

Let me try to explain.

1. end hosts directly connected to a C2801 in a HWIC-D-9ESW module can not be tracked in UT

2. public@1 returns an authen fail trap and VLAN 1 is up and running.

as per your fine posts in this thread I now understand that the indexed SNMP strings are "common".

even though, the exact same router that is managed by both LMS 3.2 and CP LMS 4.2 behaves differently, i.e. the LMS 3.2 does not give traps, hence does not use SNMP indexed strings.

LMS 4.2 does

and this is on all the same routers (I manage a lot of them, so it is not just one actually)

In LMS 4.2 I tried today to disable Topology, layer-2 and UT management, and the traps stop.

So - again - you are spot on, with your correct answers, i.e. it is UT that causes these traps.

I think these ISR-G1 routers are - still - not supported for UT.

Can you corroborate that?

mbilgrav Tue, 05/01/2012 - 01:50

in regards to your fix:

I run the OVA virtual appliance

I can not find the setting?

I can locate the file in /opt/CSCOpx/campus/etc/cws - but the file does not contain the entry UTGetSuspendedVlans

Should I simply add the entry or is it located in some other file for an OVA?

mbilgrav Wed, 05/09/2012 - 01:28

I run the OVA virtual appliance

I can not find the setting?

I can locate the file in /opt/CSCOpx/campus/etc/cws - but the file does not contain the entry UTGetSuspendedVlans

Should I simply add the entry or is it located in some other file for an OVA?

would you please care to comment?

Vinod Arya Wed, 05/09/2012 - 12:57

Apologies for the delay. I was busy with personal issues. If this is not in ut.properties you can simply add it somewhere near

UTGetVlansOnDownPorts=0

UTGetSuspendedVlans=0

Make both the entries similar like above. Also, please configure similarly in aniserver.properties.

Also, User Tracking is supported on 2800 routers with the modules cevHwic4fe, cevHwic9fes, cevHwic4fes, cevHwic1fe, cevHwic2fe, cevHwic4fesC, cevHwic9fesC, cevEhwic4esg, cevEhwicD8esg, cevEhwicD8esgP, cevEhwic4esgP, cevHwic4ilp, cevHwic9ilp, cevC180x8ilp, cevHwic9ilpc

User Tracking is supported on 1800 series routers with the modules cevHwic4fe, cevHwic9fes, cevHwic4fes, cevHwic1fe, cevHwic2fe, cevHwic4fesC, cevHwic9fesC, cevEhwic4esg, cevEhwicD8esg, cevEhwicD8esgP, cevEhwic4esgP, cevHwic4ilp, cevHwic9ilp, cevC180x8ilp, cevHwic9ilpc.

Please share the VLAN report from LMS for the affected device and the output of show vlan from the device too.

-Thanks

mbilgrav Mon, 05/21/2012 - 07:22

Hi again,

I have been away testing, and here are the results.

I run a C2801 with IOS 12.4.17, also I tried the latest 12.4.25f with the same result.

I still get Auth failed traps from LMS!

Even with a router with only vlan1 active and configured.

show vlan-sw and the VLAN report show the same:

ru-01#sho vlan-sw

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3/1, Fa0/3/2, Fa0/3/3, Fa0/3/4, Fa0/3/5, Fa0/3/6, Fa0/3/7, Fa0/3/8
10   VOICE                            active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
10   enet  100010     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0

******************

Technology Report

VLAN Report generated on 21 May 2012, 14:01:43 CEST


Device IP: SNIP   Device Name: ru-01   Domain: SNIP   Device Type: 2801

VLAN ID  VLAN Name           Status       VLAN Type  Associated Primary VLAN  MTU Size  Media Type
1        default             Operational  Normal     N/A                      1500      ethernet
10       VOICE               Operational  Normal     N/A                      1500      ethernet
1002     fddi-default        Operational  Normal     N/A                      1500      fddi
1003     token-ring-default  Operational  Normal     N/A                      1500      tokenRing
1004     fddinet-default     Operational  Normal     N/A                      1500      fddiNet
1005     trnet-default       Operational  Normal     N/A                      1500      trNet

Also I can not track users that connect into the HWIC directly. If they are in a switch that is connected, I have no problem.

I run with the two extra settings in both files you mentioned and restarted the LMS appliance.

doesn't change a thing in behavior.

any thoughts are greatly appreciated.

regards

Martin

mbilgrav Wed, 06/06/2012 - 11:45

Hmm

Looks like a TAC case. ...

Sent from Cisco Technical Support iPad App
