Have an issue with my archive sync.
We recently moved from local accounts on our devices to a TACACS appliance. I set up a TACACS account for my LMS to use to perform the sync archive. It is a security level 15 account.
I set up the appropriate credentials in the device credentials section, removing the old local account and placing the TACACS account.
Each time I attempt a sync, I am returned the following error:
|*** Device Details for <DEVICE> ***|
|Protocol ==> Unknown / Not Applicable|
|Selected Protocols with order ==> SSH|
CM0151 PRIMARY RUNNING Config fetch failed for <DEVICE> Cause: Couldnot enter ENABLE Mode from USER Mode on Device. Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.
SSH is the only protocol configured for use on the switch I'm attempting to archive and is the configured protocol within LMS. I can SSH from the machine on which LMS is running and enter configuration mode without a problem. I have increased the SNMP timeout value.
What am I missing here?
An additional note:
I performed a "Check Device Credential" and was returned the following as a result:
"Enable username credential missing"
Within the credential edit location, there is only 1 place to put a username, so I'm not really clear what this error means.
And if placing the credentials by editing device credentials doesn't get the credentials in the appropriate area, what does?
How can I confirm your theory...
To verify whether the enable password is populated, you could choose Export from DCR - Device Management, either in CSV or XML format (don't forget to tick the "Export Device Credentials" box if on LMS 3.2). Then examine the line for the problem device.
Also, you could set up a sniffer session, or use the Packet Capture tool bundled with LMS, to capture the conversations during a Sync Archive job (scheduled or ad-hoc) against the problem device. That could shed some light, depending on what protocol you've selected (less with SSH).
Lastly, you can examine the Sync Archive job logs or post them here. For example, on Solaris, it's located in /var/adm/CSCOpx/files/rme/jobs/ArchiveMgmt/[jobID]/. Of course, having debug on would be much better, so you may want to schedule an ad-hoc Sync Archive after enabling debug on ArchiveMgmt in RME.
I turned on debugging, looked at the txt file that is generated, and it says the same thing as the error that is displayed.
Actually, it's not an error concerning the password. It is stating that the enable username is missing in one section of LMS but seems to manifest itself in RME as an authentication failure.
"Could not enter ENABLE Mode from USER Mode on Device"
Now I'm starting to suspect your device is running one of the IOS versions affected by CSCsu21040.
Basically, the buggy IOS asks for "Username: " again after receiving "enable", which throws RME for a loop.
Some of the affected IOS I've seen:
Understood... some buggy IOS's, but how do I work around it? I can't upgrade all my IOS's (very large datacenter).
Is there a method to do so?
I responded via email a bit ago...
However, a follow-on to that email... this problem only occurred when I changed TACACS appliances. We were using TACACS on one appliance and are now using it on another appliance...
Same configuration, just different user accounts...
Then I wouldn't attribute the problem to the bug unless one could manually duplicate the symptom of getting the extraneous "username: " prompt upon trying to enter enable mode. It could be another cause entirely.
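To check a saved manual session for the symptom described above (a "Username: " prompt arriving right after `enable`), the transcript can be classified by what the device sent next. This is an added example, not part of the thread or of LMS; the prompt formats and the host name `switch1` are assumptions, and the transcripts are constructed.

```python
import re

# Assumed IOS-style prompt formats; adjust to the prompts your devices show.
USER_PROMPT = re.compile(r"^\S+>\s*(.*)$")       # "switch1>enable"
PRIV_PROMPT = re.compile(r"^\S+#")                # "switch1#"
USERNAME_PROMPT = re.compile(r"^\s*username:", re.IGNORECASE)
PASSWORD_PROMPT = re.compile(r"^\s*password:", re.IGNORECASE)

def classify_enable(transcript: str) -> str:
    """Report what the device sent immediately after the 'enable' command."""
    lines = [ln for ln in transcript.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        m = USER_PROMPT.match(line)
        if not (m and m.group(1).strip().lower() in ("en", "enable")):
            continue
        if i + 1 >= len(lines):
            return "no-response"              # session ended or timed out
        reply = lines[i + 1]
        if USERNAME_PROMPT.match(reply):
            return "username-prompt"          # the extraneous prompt
        if PASSWORD_PROMPT.match(reply):
            return "password-prompt"          # ordinary enable exchange
        if PRIV_PROMPT.match(reply):
            return "privileged-prompt"        # enable needed no password
        return "unexpected: " + reply.strip()
    # 'enable' was never typed at a '>' prompt
    if any(PRIV_PROMPT.match(ln) for ln in lines):
        return "logged-in-privileged"         # login landed directly at '#'
    return "enable-not-sent"

# Constructed transcripts (host "switch1" is hypothetical).
NORMAL = "switch1>enable\nPassword: \nswitch1#\n"
EXTRA_USERNAME = "switch1>enable\nUsername: \n"
DIRECT_PRIV = "switch1#show privilege\nCurrent privilege level is 15\n"

if __name__ == "__main__":
    for name, text in [("normal", NORMAL), ("extra", EXTRA_USERNAME),
                       ("direct", DIRECT_PRIV)]:
        print(name, "->", classify_enable(text))
```

A result of `logged-in-privileged` means the account reached `#` at login, so no `enable` exchange took place in that session.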
And I am not being prompted when I merely SSH into the devices... so, probably not the bug you reference causing it...
I am perplexed...
Anybody have any other thoughts?
I've removed a device, added back in, restarted all the services for LMS, reinventoried the device, I have validated and revalidated the credentials and nothing seems to point to the problem.
Is there a log that would give some indication of what is happening between LMS and the device... Nothing apparent is in the switch log.
Hmm... but, now that we are talking about it,
the credentials are present for the initial SSH login process...
It's not really saying the password is incorrect, it's saying the Enable Username is missing.
Has anyone found a solution to this issue? I am experiencing the same thing.
Even my credential check is telling me it fails for "Enable username credential missing."