Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

LMS 3.2 issues

Hi all,

I'm having huge problems with LMS 3.2.....after doing a discovery I didn't like what was imported into the DCR.

So I deleted the devices out of Common Services, and re-imported the file so I can get an accurate number of devices

I am managing. Now RME doesn't seem to like/or find the Default credentials I configured in CS.

I'm checked all the devices in CS and told it to use the default credentials and it still not working, Inventory is failing, device credential

verification is not working. I'm trying my best to migrate from my old server with LMS 3.1 to the new server with LMS 3.2 as quickly

as possible. I also re-initalized the DB for RME and DFM.

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: LMS 3.2 issues

It's not a question of credentials.  It's a question of the privacy algorithm of AES-128.  The device does not like this algorithm.  Check the "show snmp user" output from the device for cscowrkspriv3.  Make sure you're using the correct algorithm.

Cisco Employee

Re: LMS 3.2 issues

Well this is consistent with the fact that LMS 3.1 is working.  It really sounds like you had applied credential sets to those imported devices to fill in the gaps (i.e. where LMS 3.1 did not have credentials).  The gaps that were filled in caused the RME to use invalid credentials when communicating with devices.  You may consider diversifying the credential sets (i.e. creating a policy for SNMPv3 devices and one for SNMPv1/v2c devices).  This way, you can conditionally apply default credentials to future devices.

30 REPLIES
Cisco Employee

Re: LMS 3.2 issues

Are you sure the failures are due to a credential problem?  If so, select all the devices from DCR, and click the Update Credentials button.  Manually re-enter the correct credentials, and see if that corrects the RME problems.

New Member

Re: LMS 3.2 issues

Okay I think I done that.....but I will try again....

I just re-imported the devices so I'm letting RME do its Inventory and Device Mgmt collection in RME.

If I encounter the same issue as before I will try manually typing the credentials again, its funny though some devices are fine and a majority or not.

New Member

Re: LMS 3.2 issues

Alright I followed your recommendations and tried to re-run inventory collection and the devices are immediately failing.

Transport session to device failed. Cause:Authentication failed on device.

Cisco Employee

Re: LMS 3.2 issues

Export the devices from DCR under Common Services > Device and Credentials > Device Management, and look at the CSV file to see if DCR has the correct credentials.

New Member

Re: LMS 3.2 issues

I have verified that all the right credentials are entered in the device export.

This is the exactly same files as used from my server with LMS 3.1 installed.....I configured the server with

LMS 3.2 to mirror this server and it worked a couple of weeks ago. I don't understand why some of the devices

are working and some or not....I have 25 out of 425 devices that are able to get a success inventory collection

This is mind boggling.....

New Member

Re: LMS 3.2 issues

I'm thinking of Re-initializing the DB for CS to see if this solves the problem.....obviously since anything else isn't working.

New Member

Re: LMS 3.2 issues

The thing that concerns me is in RME the Configs are getting archived, but the Ineventory Collection is failing.

I had the exact same problem a couple of weeks ago and I opened a TAC, but ended up rebooting the server and got everything

working problem.  This is not the case now.

Cisco Employee

Re: LMS 3.2 issues

Start a sniffer trace filtering on udp/161 traffic to ONE failing device.  Then perform a new inventory collection for that device.  When it fails, post the sniffer trace and the IC_Server.log.

New Member

Re: LMS 3.2 issues

Hi,

Please see attachment.

Please advise my next steps to perform.

Cisco Employee

Re: LMS 3.2 issues

It looks like you have misconfigured SNMPv3 authPriv in DCR.  What are the configured SNMPv3 parameters on the device, and what do you have configurered in DCR?

New Member

Re: LMS 3.2 issues

I verified the credentials and validated that I am using the right credentials in the DCR as well as the device.

I also have a large number of number of devices that have SNMP1 and 2 configured that are failing as well.

I just ran an sniff on a device and it appears to be trying to use SNMP V3 versus 1 and 2.

Cisco Employee

Re: LMS 3.2 issues

This is probably due to a DCR misconfiguration.  Export the DCR credentials for this device, then post the resulting CSV file.

New Member

Re: LMS 3.2 issues

Here you go.....

Cisco Employee

Re: LMS 3.2 issues

The reason it is using SNMPv3 is because you have configured SNMPv3 in DCR.  You are saying that this device is configured for SNMPv3 authPriv with SHA-1 hashing and AES-128 encryption.  The device is saying that it does not support or is not configured for AES-128 encryption.  If you want to use SNMPv1 or v2c, then unconfigure the SNMPv3 parameters in DCR.

New Member

Re: LMS 3.2 issues

Hi JClarke,

I have a majority of my routers configured with SNMP V3 that supports it, I also have a number of devices using SNMP V1 and V2.

I have a total of  5 or 6 routers that have had no problem with RME inventory collection. These devices are all configured the same....the same devices are also configured on the server running LMS 3.1 and I have absolutely zero problems.

Cisco Employee

Re: LMS 3.2 issues

All I can say is what the sniffer trace tells me, and that is that SNMPv3 authPriv is not working as you have configured it.  Beyond that, more analysis of the devices and configs would be required.    If you want to follow this through, then I suggest you open a TAC service request.

New Member

Re: LMS 3.2 issues

I will double check DCR again and type them slowly and figure out why the rest of the devices are not working as they do not use

SNMP V3.

I will keep you posted

Cisco Employee

Re: LMS 3.2 issues

It's not a question of credentials.  It's a question of the privacy algorithm of AES-128.  The device does not like this algorithm.  Check the "show snmp user" output from the device for cscowrkspriv3.  Make sure you're using the correct algorithm.

New Member

Re: LMS 3.2 issues

Hi....I finally took the time to actually log into the device.

This device is not configure for V3 this is a  6509...I was thinking it was a Router.

It should be using V1 and V2.

New Member

Re: LMS 3.2 issues

I unchecked SNMP V3 from the DCR for SNMP default credentials and the same amount of devices are failing in RME.

I was not experiencing none of this until I deleted devices from DCR and reimported my file.

Device 172.18.243.244 should be using V2.

See attached

Cisco Employee

Re: LMS 3.2 issues

Default credentials has nothing to do with devices already in DCR.  In that case, you must edit the credentials for those devices in DCR, and make the necessary changes.  That is, go to Common Services > Device and Credentials > Device Management, select the devices, and click Edit Credentials.  Make the required changes.

New Member

Re: LMS 3.2 issues

Hi JClarke,

I performed the steps you recommended and still encountering the same problems.....should I go ahead and open a TAC?

Cisco Employee

Re: LMS 3.2 issues

Post the new DCR export and new sniffer trace.

New Member

Re: LMS 3.2 issues

Hi

Please see attached.....jp01ncsw07 is a device that successfully entered into inventory collection on November 27th now it is failing.

Cisco Employee

Re: LMS 3.2 issues

The DCR data remains unchanged, but the sniffer trace is now showing an SNMPv3 unknown username error.  I assume that you want to disable SNMPv3 for these devices in LMS.  If that is the case, go to Common Services > Device and Credentials > Device Management.  Check the boxes next to both devices, and click the Edit Credentials button.  Click the Next button twice.  On the SNMP screen, check the  SNMPv3 box (if it isn't check already), and clear out the Authentication Username and Password fields, set the Auth and Privacy algorithms to None, and clear out the Privacy password and Engine ID fields.  Then uncheck the SNMPv3 box, and click finish.

Then export the credentials again, and verify the SNMPv3 fields are empty.  Then, once that is confirmed, perform a new inventory collection.  It should succeed using the configured SNMP RO community string.

New Member

Re: LMS 3.2 issues

Those steps you just suggested are a little different in LMS 3.2 When I go to device management and check the box next to the device and select next

it goes to a Credential Set Selection and I choose the template I created to be used as teh default credentials I choose apply only missing device credentials then next and uncheck snmpv3

Now by me unchecking smpv3 for those two devices it is working now......So I am assuming I have to go through all my devices that SNMP V3 is configured I have to edit devices credentials to tell it whether or not to use V3.

Why I didnt encounter this issue when I first set this server with LMS 3.2 and imported the list from my old Ciscoworks server this worked before?

Cisco Employee

Re: LMS 3.2 issues

The steps I provided were from an LMS 3.2 server.  I had wanted you to bypass the credential set screen, and manipulate the credentials directly.  As to why this worked initially, I cannot say.  I was not there when you did the initial setup, and I did not see the initial DCR import/export.

New Member

Re: LMS 3.2 issues

Oh ok.....after bangin my head against the desk numerous amounts of times. I deleted the devices in DCR and reimported the export file from my server with LMS 3.1 and chose *no default* credentials it imported into the RME inventory Collection successfully.

Cisco Employee

Re: LMS 3.2 issues

Well this is consistent with the fact that LMS 3.1 is working.  It really sounds like you had applied credential sets to those imported devices to fill in the gaps (i.e. where LMS 3.1 did not have credentials).  The gaps that were filled in caused the RME to use invalid credentials when communicating with devices.  You may consider diversifying the credential sets (i.e. creating a policy for SNMPv3 devices and one for SNMPv1/v2c devices).  This way, you can conditionally apply default credentials to future devices.

677
Views
0
Helpful
30
Replies
CreatePlease to create content