During Config Archive, I'm encountering the following error when trying to connect using RME to a Cisco Catalyst 6513 FWSM.
"CM00139 Could not archive config, Cause: Action: Verify that device is managed and credentials are correct. Increase timeout value, if required."
I ran the credential verification using both the ssh protocol and the "SSH Enable Mode User Name and Password" check. It passes the protocol check, but fails with "Enable username credential missing." However, I do have the enable password set in device management/edit device credentials.
There is a problem entering enable mode. In order to fetch the config from an FWSM, RME must be able to enter enable mode, enter config mode, configure "no pager", then exit config mode. Can the credentials specified in DCR perform these steps? Try to perform those steps manually. What does the transaction look like?
To answer the question about the credentials that are in DCR, yes...the account that I'm using is able to enter enable mode, config mode and then is able to make the change to "no pager"...
I'm not clear what you mean by "what does the transaction look like".
From the LMS server, connect to the FWSM with SSH using the same credentials that are configured in DCR. Enter enable mode using the same enable password that is in DCR. Run the command "show pager". Then enter config mode, and configure "no pager". Then exit config mode. What does that transaction look like?
Type help or '?' for a list of available commands.
FWSM# sho pager
So, as you can see, from the LMS server, SSH to the FWSM is working...and works when you do the credentials check within RME...but, config arch is bombing on me...
You missed a step. You need to go into configure mode, and type "no pager". Also, enable ArchiveMgmt Service debugging under RME > Admin > System Preferences > Application Loglevel Settings, perform another Sync Archive to this FWSM, and post the dcmaservice.log.
Sorry...I took from the show pager that no pager was already set (from previously running the command). Here is the output from the command:
fwsm> config t
fwsm(config)# no pager
fwsm># sho pager
After setting debug mode, I ran the config arch again, and attached is the output of the dcmaservice.log from that run...I didn't want to include it all (WAY too much)....
The problem is in your use of privilege levels. RME is expecting enable level to be 15, but you are currently at privilege level 2. That said, you appear to be hitting a code path that should be impossible. What patches have you applied to LMS?
"code path" not sure what you mean...I have applied no patches to LMS since installation. I'm running LMS Portal 1.1.0, RME 4.2.0, CV 6.1.8, CM5.1.0, DFM 3.1.0
Never mind, I found the problem. I can provide a patch if you want to test it. You will need to open a TAC service request to get it.
Absolutely...I'll have to get approval before applying it, but give me the bug fix number and I'll vet it out through my leadership and get the TAC case submitted...Is it an LMS issue or a firewall issue? That will point me to which way I need to submit the TAC case...
I don't have a bug yet. I'll file the bug when I get confirmation that my fix is the right one. The problem is with the FWSM code in RME.
Lol...roger...let me tell the boss...
If the privilege level were increased to 15, would we still be seeing this problem?
J, Also, when I started this thread, I said this is a 6513...My apologies, it is a CAT 6509...Hope that doesn't make a difference...
I submitted the support request, but have gotten nothing back from those folks...
Shall we continue to wait, or can we proceed?
Your engineer just contacted me, and I sent him the patch. Another customer has since received it, but I have not heard back on the results.
I'm about to deploy the patch...I understand that what needs to be done is to drop the SharedDcmaSC.zip file into the following path:
No extraction has to be performed.
then restart the Daemon Manager.
There is much more to it than that. Hopefully your engineer explained how to back up the original file and verify the MD5 checksum of the new file.
That said, the zip file does go into this directory, and it must not be extracted.
Yes, I'm sorry...Yes, he said to back up the old file, also he sent an MD5 checksum for verification and advised it must be RME 4.2
I've verified the MD5 checksum and have backed up the old file...
bout to drop and go
The file must be backed up to SharedDcmaSC.zip.orig. The name is important. If the backup retains the .zip extension, then RME will load the old file, and override the patch.
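The patch steps discussed in the thread (verify the MD5, back up to SharedDcmaSC.zip.orig, place the zip unextracted), as an added Python example that is not part of the original thread or of Cisco's tooling. The target directory is a caller-supplied placeholder because the thread does not show the path, and the stray-copy check is an assumption drawn from the remark that a backup still ending in .zip would be loaded instead of the patch.

```python
import hashlib
import shutil
from pathlib import Path

PATCH_NAME = "SharedDcmaSC.zip"      # file name from the thread
BACKUP_NAME = PATCH_NAME + ".orig"   # backup name the thread requires


def md5_of(path: Path) -> str:
    """Return the hex MD5 digest of a file, read in chunks."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def install_patch(new_zip: Path, target_dir: Path, expected_md5: str) -> Path:
    """Verify, back up and place the patch; return the backup path."""
    # 1. Check the delivered file against the checksum supplied with it.
    if md5_of(new_zip) != expected_md5.strip().lower():
        raise ValueError("MD5 mismatch: do not install this file")
    current = target_dir / PATCH_NAME
    backup = target_dir / BACKUP_NAME
    if not current.is_file():
        raise FileNotFoundError(f"{current} not found; wrong directory?")
    if backup.exists():
        raise FileExistsError(f"{backup} already exists; keep the first backup")
    # 2. Refuse to continue if another .zip copy of the old file is present
    #    (assumption: any such copy could be loaded in place of the patch).
    old_md5 = md5_of(current)
    strays = [p.name for p in target_dir.glob("*.zip")
              if p.name != PATCH_NAME and md5_of(p) == old_md5]
    if strays:
        raise RuntimeError(f"old copies with .zip extension present: {strays}")
    # 3. Rename the original so the backup no longer ends in .zip.
    current.rename(backup)
    # 4. Copy the archive as-is (no extraction) and re-check the copy.
    shutil.copyfile(new_zip, current)
    if md5_of(current) != md5_of(new_zip):
        raise OSError("copy verification failed")
    return backup
```

Restarting the Daemon Manager remains a separate manual step after the function returns.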