Solved: LMS 3.2 RME CLI cwcli config Compliance job

Andre KULECZKO · ‎10-15-2010

Hello,

I try to use the "cwcli config compareanddeploy"command in CLI since i need to make first report, then add several monitoring configuration lines in thousand of equipments.

cwcli config comparewithbaselin -u *** -p ** -baseline templatesnmptrap.txt -device switch1

I got this error message in return:

SUMMARY
=======
Failed: compareanddeploy: The job could not be created since no device is available.

<cwcli> ERROR - The baseline template templatesnmptrap.txt is not valid for this device switch1

I need to find out what is the command line to make valid my baseline template for all devices:

CIscoWorks document file "Using cwcli Commands" chapter 19-1 78-16503-01 doesn't seems to contain this feature described, neither this error message:

Could someone help me finding corresponding command line to make it possible ?

Regards,

Andre

Joe Clarke · ‎10-29-2010

I cannot reproduce. The last template I posted shows my 3560 with this config:

interface Vlan127
ip address 192.168.0.133 255.255.255.0
standby 127 ip 192.168.0.134
!

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet group 1
snmp-server enable traps power-ethernet police
snmp-server enable traps rep
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps bgp
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps event-manager
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable

As being non-compliant due to the missing HSRP trap definition. I wonder if the config known to RME is not the same as the config on the device. Go to RME > Config Mgmt > Archive Mgmt > Version Tree and look at the latest config on your test device. Make sure it has the prerequisite Vlan configuration, and make sure it is missing the HSRP trap definition.

View solution in original post

Joe Clarke · ‎10-17-2010

Please post the templatesnmptrap.txt file and post the sysObjectID of switch1. Chances are the baseline was created for a different switch type than your selected device.

Andre KULECZKO · ‎10-19-2010

Hello,

please find file templatesnmptrap.txt enclosed:

sysObjectID of switch1 is 1.3.6.1.4.1.9.1.219

Please find also enclosed log file issued from the modified CLI command hereunder:

cwcli config compareanddeploy -u xxx -p xxx-baseline templatesnmptrap.txt -input devicelist2.txt -d 5 -l templatesnmptrap.log

devicelist2.txt contains the hereunder line:

------------------------

-device switch1

------------------------

Regards,

Andre

Joe Clarke · ‎10-19-2010

Please export the template to XML from within the Compliance Templates page. Post the resulting XML export.

Andre KULECZKO · ‎10-20-2010

Hello,

your request helped me realize the real problem:

In fact, there is no newbaselinetemplates *.tpl file named templatesnmptrap.txt available for exportation in XML, since templatesnmptrap.txt:is not considered as baselinetemplate.

It seems that the real error resulting from the CLI command that should have been displayed is:

no existing baseline template name templatesnmptrap.txt

So now, I need to find out what is the command line syntax to create the baseline template named templatesnmptrap.tpl and containing at least the configuration lines:

+ snmp-server host 192.168.38.2 public

+ snmp-server host 192.168.38.3 public
+ snmp-server host 192.168.38.35 public

Please note that I want to make many baseline templates containing different lines, for different devices categories, reason for command line creation mode, otherwise, alternative solution is to make global templates based on conditions like Prerequisite, Prerequisite-Commandset and SubMode lines in commandsets which might be time consuming....

Please advise if baseline templates can be created from command line.

Thanks and Regards,

Andre

Joe Clarke · ‎10-20-2010

You cannot create baseline templates from the CLI. You need to create those in the GUI.

Andre KULECZKO · ‎10-22-2010

Hello,
As mentionned in previous message, i will then use alternative solution:

make global templates based on conditions like Prerequisite, Prerequisite-Commandset and SubMode lines in commandsets which might be time consuming.

I have made the following template for test:

hsrp trap will be activated for sending only if standby line is present on the device

Template Name:   MonitoringHSRPStep2templat
Name: Global     SubMode: Yes                             isPrerequisite: Yes
Ordered : No       Prerequisite-Commandset : none Parent: none
   interface   vlan 127

+ standby 127 ip 192.168.0.134

Name: SnmpserverEnableTrapsHsrp     SubMode: No     isPrerequisite: No
Ordered : No     Prerequisite-Commandset : Global      Parent: none
   + snmp-server enable traps hsrp

Compliance job result indicates 1 out of 1 Compliant for selected device:

Compliant Devices
Device Name Latest Version Created On
switch1 10 Oct 15 2010 20:35:01

althought line "snmp-server enable traps hsrp" is not present on the device

is there anything wrong making the job checking only the global configuration lines checking,

i.e. "interface vlan 127" and "standby 127 ip 192.168.0.134"

and not configuration line presence in SnmpserverEnableTrapsHsrp child ?

i.e "snmp-server enable traps hsrp"

Thanks in advance and regards,

Andre

Joe Clarke · ‎10-22-2010

Change your submode to:

interface Vlan127

Note there cannot be a space between "Vlan" and "127". That should work for you. If not, post the config from this device less any sensitive info.

Andre KULECZKO · ‎10-27-2010

Hello,

thanks for your return concerning space removing:

Althought this removing, compliance result is still not providing unmatching concerning line "+ snmp-server enable traps hsrp":

please find enclosed file device switch1 configuration, with confidential information removed (or changed).

Joe Clarke · ‎10-27-2010

Post the XML export of this compliance template.

Andre KULECZKO · ‎10-28-2010

Hello,

please find xml export enclosed.

One additionnal information:

If Global Command Sets is set to isPrerequisite:Yes,

and SnmpserverEnableTrapsHsrp is set with Prerequisite-Commandset : Global

result of Compliance Job is 1 out of 1 Compliant for switch1,

which is incorrect since snmp-server enable traps hsrp is not present in switch1 configuration

If Global Command Sets is set to isPrerequisite:No,

and SnmpserverEnableTrapsHsrp is set with Prerequisite-Commandset : none

result of Compliance Job is 0 out of 1 Compliant for switch1

Command(s) to Deploy is correctly mentionned:

+snmp-server enable traps hsrp

Command sets contained in the template:

Name: Global SubMode: Yes isPrerequisite: Yes

Ordered : No Prerequisite-Commandset : none Parent: none

interface vlan127

+ standby 127 ip 192.168.0.134

Name: SnmpserverEnableTrapsHsrp SubMode: No isPrerequisite: No

Ordered : No Prerequisite-Commandset : Global Parent: none

+ snmp-server enable traps hsrp

The goal is to have this configuration line deployed only if hsrp is present checking that configuration line containing standby is present.

regards

Joe Clarke · ‎10-28-2010

You have vlan as lowercase. It needs to be uppercase (just like in the config). Try this template.

Andre KULECZKO · ‎10-29-2010

Hello Joseph,

Thanks for your return.

I have imported the template MonitoringHSRPStep2template2.xml:

containing following lines:

Name: Global SubMode: Yes isPrerequisite: Yes
Ordered : No Prerequisite-Commandset : none Parent: none
interface Vlan127
+ standby 127 ip 192.168.0.134
Name: SnmpserverEnableTrapsHsrp SubMode: No isPrerequisite: No
Ordered : No Prerequisite-Commandset : Global Parent: none
+ snmp-server enable traps hsrp

result is the same: i.e. 1 out of 1 Compliant

It seems than case sensitvity was not the source of line +snmp-server enable traps hsrp unchecking,

since "interface Vlan127" or "interface vlan127" provides same result:

1 out of 1 Compliant.

It sounds that compliance templates management process (dcma BaseLineSearchHandler or cwconfig ?)

reacts the same way as IOS about case sensitivity and additional spaces,

i.e. it is reinterpreting characters to his convenience to make it match configuration sens.

regards,

Andre

Joe Clarke · ‎10-29-2010

I cannot reproduce. The last template I posted shows my 3560 with this config:

interface Vlan127
ip address 192.168.0.133 255.255.255.0
standby 127 ip 192.168.0.134
!

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet group 1
snmp-server enable traps power-ethernet police
snmp-server enable traps rep
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps bgp
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps event-manager
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable

As being non-compliant due to the missing HSRP trap definition. I wonder if the config known to RME is not the same as the config on the device. Go to RME > Config Mgmt > Archive Mgmt > Version Tree and look at the latest config on your test device. Make sure it has the prerequisite Vlan configuration, and make sure it is missing the HSRP trap definition.

Andre KULECZKO · ‎11-02-2010

Hi Joseph,

We had to restart LMS server today:

since this restart, compliance job provides good result for condition +snmp-server enable traps hsrp missing

Now, uppercase or lowercase gives different result:

"interface Vlan127" provides result 0 out of 1 Compliant -> +snmp-server enable traps hsrp missing

"interface vlan127" provides result 1 out of 1 Compliant -> since this interface Vlan line does not exist

Thanks for your help,