Ciscoworks LMS 3.2 Compliance Mgmt

Would it be possible to create a template to do the following?
1.  check all interfaces, including Ethernet, FastEthernet, GigabitEthernet, Serial, Token, etc.
2.  if the interface is found to have "ip helper-address", it must match x.x.x.x and y.y.y.y
The reason is that I am running this search and replace script, and I need to verify afterward.
Name: ChkHelpers     SubMode: Yes      isPrerequisite: Yes
Ordered : No     Prerequisite-Commandset : none     Parent: none
  interface   [#.*#]
  +   ip   helper-address  [#10\.\d\.\d\.\d\#]
Name: ReplOldHelpers     SubMode: No      isPrerequisite: No
Ordered : No     Prerequisite-Commandset : ChkHelpers     Parent: ChkHelpers
  -   ip   helper-address   10.a.a.a
  -   ip   helper-address   10.b.b.b
  +   ip   helper-address   x.x.x.x
  +   ip   helper-address   y.y.y.y

There are a few typos here, but in general what you have is correct.
Name: ChkHelpers
IsPrereq: yes
Submode: interface [INTF]
Body:
+ ip helper-address [#10\.\d+\.\d+\.\d+#]
Name: ReplOldHelpers
Prereq: ChkHelpers
Parent: ChkHelpers
Body:
- ip   helper-address   10.a.a.a
- ip   helper-address   10.b.b.b
+ ip   helper-address   x.x.x.x
+ ip   helper-address   y.y.y.y
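
The verification the question asks for can also be done offline against archived running-configs. The following is an added example, not part of the original posts and not LMS template syntax; the addresses 192.0.2.10 and 192.0.2.20 are constructed stand-ins for x.x.x.x and y.y.y.y, and the sample config is constructed.

```python
import re

# Constructed stand-ins for the thread's x.x.x.x and y.y.y.y.
REQUIRED_HELPERS = frozenset({"192.0.2.10", "192.0.2.20"})

INTERFACE_RE = re.compile(r"^interface\s+(\S+)")
# Accepts the optional "vrf NAME" / "global" keywords before the address.
HELPER_RE = re.compile(
    r"^\s+ip\s+helper-address\s+(?:(?:vrf\s+\S+|global)\s+)?"
    r"(\d{1,3}(?:\.\d{1,3}){3})\b"
)

# Constructed sample running-config (not taken from the page).
SAMPLE_CONFIG = """\
hostname sw1
!
interface FastEthernet0/1
 ip helper-address 192.0.2.10
 ip helper-address 192.0.2.20
!
interface GigabitEthernet0/2
 ip helper-address 10.1.1.1
 ip helper-address 192.0.2.20
!
interface Serial0/0
 ip address 10.20.3.1 255.255.255.252
!
interface Vlan30
 ip helper-address 192.0.2.10
!
line vty 0 4
"""

def helpers_by_interface(config_text):
    """Map every interface (any type) to the helper addresses in its block."""
    helpers, current = {}, None
    for line in config_text.splitlines():
        intf = INTERFACE_RE.match(line)
        if intf:
            current = intf.group(1)
            helpers[current] = []
        elif not line.startswith(" "):
            current = None  # any unindented line ("!" included) ends the submode
        elif current:
            helper = HELPER_RE.match(line)
            if helper:
                helpers[current].append(helper.group(1))
    return helpers

def audit(config_text, required=REQUIRED_HELPERS):
    """Return non-compliant interfaces; interfaces with no helper are skipped."""
    findings = {}
    for name, found in helpers_by_interface(config_text).items():
        if not found:
            continue
        unexpected = sorted(set(found) - required)
        missing = sorted(required - set(found))
        if unexpected or missing:
            findings[name] = {"unexpected": unexpected, "missing": missing}
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_CONFIG).items():
        print(name, problem)
```

An empty result from `audit()` means every interface that carries a helper has exactly the two required addresses.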

Similar Messages

  • Ciscoworks LMS 3.2 - Compliance mgmt negation problem

    Hi,
    Strange problem, that I am sure is being caused by me.
    Basically trying to run an advanced Compliance mgmt job, looking for a set of pre-requisites (this is working) and then removing all non compliance SNMP community strings from a sample device.
    I use two lines for this removal
    - snmp-server community [#!testR[OW]mon#] [#.*#] [#.*#]
    - snmp-server community [#!SNMP#] [#.*#] [#.*#]
    From what I see, this should remove all snmp-server communities from a device other than "testROmon", "testRWmon" and "SNMP". Obvious caveat is that they would all need to have two words after this (in this case, these are ro or rw and an ACL).
    When I run this it seems to try and remove twice as many snmp community strings as there actually are on the device config? So I guess the core questions are: -
    1) Does the above look sound and would it do what I think
    2) Does the Compliance management engine parse the entire config independently for each line of the above and hence explain why I am getting more removals than I would expect or is there a problem somewhere?
    Any help on this appreciated as it's driving me nuts

    Thanks Joseph,
    So if I also wanted to remove all SNMP traps bar: -
    snmp-server host 10.10.10.x (where x is any ip in the last octet)
    From a device, would I use
    - [#snmp-server host (!#10\.10\.10\..*#).#]
    Or doesn't this make sense?

  • Ciscoworks LMS 3.2 compliance mgmt negation problem 2

    Sorry one more question,
    If I also wanted to remove all SNMP traps bar: -
    snmp-server host 10.10.10.x (where x is any ip in the last octet)
    From a device, would I use
    - [#snmp-server host (!#10\.10\.10\..*#).#]
    Any help appreciated

    Thanks Joseph,
    But if the line is say: -
    snmp-server host 10.10.10.1 testROmon
    Would I not need the .*# for the extra word? I guess this would only be needed if I were also searching for variations in this word?

  • Ciscoworks LMS 4.0 – Fault Device Details Issue

    We currently use Ciscoworks LMS 4.0 but when I go into Monitor > Fault Settings > Setup > Fault Device Details
    I get the following message (see attached document with screenshot) and being an LMS newbie am unsure what to do, as I have tried to search for this file but no luck.
    So thanks in advance for any advice.

    Check if the fault management rediscovery page shows device as discovered and known or does it have any errors?
    Are you able to generate any fault management reports and view other pages?
    Just try to reboot the server/restart daemon to see if it goes away.
    Else it is mostly a corrupt FM DB, which would need to be re-initialized.
    Fault Mgmt reinitialize is a very simple task, which doesn't remove a lot of data, except past 31 days of FM history and custom notifications, if configured.
    Thanks
    Vinod
    **Rating Encourages contributors, and its really free. **

  • Using Ciscoworks to update netmask on mgmt interface for multiple switches

    Is it possible to use Ciscoworks LMS 3.2 to update the netmask for a management interface on multiple switches? For example, say I have a 3750 access switch management network, 172.28.185.0/27 (default gateway 172.28.185.1) that we're resizing to a /26. Is there a simple way to update just the netmask for the management interface on those devices using Netconfig?
    -David

    Unfortunately not.  You could use Netconfig or even baseline compliance for this, but since you need to know each interface's IP, that means you'd have to create parameterized templates.  Therefore, you would have to create a template "answer" file for each device in this subnet which had their IP address for the interface in question.
    Baseline compliance might be a little easier with a template like:
    Commandlet : CheckIP
    IsPrereq : Yes
    Submode : interface [#.*Ethernet.*#]
    + ip address [#172\.28\.185\.\d+#] 255.255.255.224
    Commandlet : ReplaceIP
    Parent : CheckIP
    + ip address [IP] 255.255.255.192
    You would still need to provide a value for [IP] for each device when performing a deployment.

  • Ciscoworks LMS RME / ASA Firewall configuration pre-shared key savings

    Does anybody know the concept about saving pre-shared keys by Ciscoworks LMS/RME?
    Is there a way to get the unencrypted values from Ciscoworks LMS /RME for an ASA Firewall ?
    ASA config. saved with RME
    pre-shared-key *
    ASA config. saved to TFTP from ASA
    pre-shared-key 1ZdmaKVwEkQ66nD37d9kA9fj9z75

    If you enable "shadow directory" (RME - Admin - Config Mgmt - Archive Mgmt - Archive Settings), you can find the raw configs in locations such as /var/adm/CSCOpx/files/rme/dcma/shadow/Security_and_VPN/PRIMARY on Solaris, or its Windows equivalent, after one requisite cycle of Periodic Polling and/or Periodic Collection. That's the same config one'd get saving to TFTP manually.
    However, I don't recall how to unscramble the "asterisks" in the RME GUI, if at all possible.

  • CiscoWorks LMS 4.1

    Hi,
    Currently we have CiscoWorks LMS 2.6 and are looking to buy or, if possible, upgrade to the latest version, CiscoWorks LMS 4.1.
    I need confirmation: is LMS 4.1 a bundle, i.e. including RME, Common Services, CiscoView, Device Fault Manager, Campus Manager, etc.?
    Naidu.

    An upgrade from LMS 2.x to LMS 4.1 is possible. With LMS 2.6 there was no device count restriction but the next major release (LMS 3.0) introduced licensing based on device count. So you have to determine which device count you need. Available licenses are for example:
        LMS41-300-UP-K9         Upgrade LMS 2.x 3.x to 4.1 Base DVD for 300 devices
        LMS41-1.5K-UP-K9         Upgrade LMS 2.x 3.x to 4.1 Base DVD for 1500 devices
    LMS 4.1 is a bundle and, under the cover, still contains CS, CiscoView, RME, CM, DFM and meanwhile also IPM (Internetwork Performance Monitor) and HUM (Health and Utilization Monitor). With LMS 4.x they cannot be installed as standalone applications as it was with LMS 2.x/3.x. Also the GUI has undergone a complete re-write (and thus re-organization); see the link to the data sheets below.
    There will be some changes with LMS because it will be merged together with "Cisco Prime Network Control System" into "Cisco Prime Infrastructure".
    Thus the latest release of LMS (LMS 4.2) is available in the "Cisco Prime Infrastructure" Bundle which contains both these products:
          Cisco Prime Network Control System 1.1        (Mgmt for Wireless Products)
          Cisco Prime LAN Management Solution 4.2       (Mgmt for Network devices)
    Data sheets for LMS 4.2 and LMS 4.1 are available here:
        http://www.cisco.com/en/US/customer/products/ps11200/products_data_sheets_list.html
    Ordering and licensing guide for "Cisco Prime Infrastructure" is here:
        http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps12239/ordering_guide_c07-697784_ps11686_Products_Data_Sheet.html

  • Compliance Mgmt

    Hi,
    I need Compliance mgmt help.
    I want to run a command against 2500 switches that make all Fast Ethernet ports implement as speed auto & duplex auto, except Gig port and trunk ports. Any help appreciated.
    THANKS
    I am using;
    LMS:3.2
    RME: 4.3
    CM:5.2.1

    Since you have RME 4.3, you might also consider using a Netconfig port-based job.  To do this, go to RME > Config Mgmt > Netconfig > Netconfig Jobs and create a new port-based job.  Define a custom group with the ruleset:
    Port.PortName StartsWith "Fa" AND
    Port.CM.AccessStatus = "Configured"
    Then select the Adhoc task, and enter the IOS commands:
    speed auto
    duplex auto
    Deploy that to all of the required switches and that will accomplish what you want.  Note: this requires that all switches are managed by Campus Manager.

  • How do you install RSAC 4.3.2 when upgrading to ciscoworks LMS 3.2.1?

    We have ciscoworks LMS 3.2 which we have recently updated to ciscoworks 3.2.1 using the ciscoworks 3.2 Service Pack 1 patch file.  In the "Readme for CiscoWorks LAN Management Solution 3.2 Service Pack 1" document, it says that you have to install the Remote Syslog Collector 4.3.2 separately.  It says the file (setup.exe) is located at disk1/RSAC.  However, ciscoworks 3.2 Service Pack 1 only appears to be a patch file and when we ran the patch file on our Remote Syslog Collector server, the version remained at 4.3.0.  When I looked at the server where RME is installed (version 4.3.2), it says that Syslog Analyzer is 4.3.2 and Syslog Collector is version 4.3.0.  The patch file doesn't look like it has the installation files for RSAC 4.3.2 and there doesn't seem to be a directory that was created on the RME server to install the updated RSAC from, so how do you upgrade from RSAC 4.3.0 to RSAC 4.3.2?

    I opened up a TAC case, worked with TAC, and was able to update RSAC to version 4.3.2.  The procedure is:
    1. Download the ciscoworks LMS 3.2.1 patch file to the remote syslog server.
    2. Create a temporary directory on the remote syslog server (ex. c:\test)
    3. Go into the directory with the extracted LMS 3.2.1 patch file and type the command:
    Ciscoworks_LMS_3.2.1.exe /extract_all:c:\test
    4.  Go into the c:\test directory and find the RSAC folder.  In the RSAC folder is a setup file.  Run setup and install RSAC 4.3.2 over RSAC 4.3.0 (if you uninstall RSAC 4.3.0, you will get a message saying that RSAC 4.3.0 must be installed before installing RSAC 4.3.2)
    5. Check the installation by going to Common Services->Software Center->Software Update on the remote syslog server.  The version should be RSAC 4.3.2.

  • User tracking not finding any hosts in Ciscoworks LMS 3.1

    L.S.
    Our test-configuration is as follows:
    Application versions:
    Ciscoworks LMS 3.1
    Ciscoworks Common Services 3.2.0
    Campus Manager 5.1.4
    We have 31 managed devices in Campus Manager (data has been collected on all),
    Edit: All of them show up green in the topology window.
    The devices are: 2 6509 cores (running IOS s72033_rp-IPSERVICESK9_WAN-M version 12.2(18)SXF8), 1 ASA firewall (running ASA-OS version 8.0.5) and 29 switches (2960 and 3560 models both running IOS version 12.2(52)SE). The switches are connected as follows:
    User tracking jobs are running normally, but aren't finding any end-hosts or IP phones at all (I suspect around 250-500 hosts+ on these switches)
    We are running SNMP v3 on the switches and have added the following configuration items to all the switches:
    snmp-server group readonly v3 auth context vlan-1
    <repeat for all present snmp-contexts as shown in show snmp context output>
    snmp-server group readonly v3 auth context vlan-83
    Debugging is enabled in CM->Admin->Debugging Options->User Tracking Server
    This is the UT.log file of the last major acquisition:
    messages will remian logged to file: D:\PROGRA~1\CSCOpx\log\ut.log
    2010/01/13 14:00:01 main MESSAGE ProcessInitializer: Properties will be read from D:\PROGRA~1\CSCOpx\campus\etc\cwsi\ut.properties
    I= 0value *.*.*.*
    I= 1value 6
    I= 2value 1
    2010/01/13 14:00:01 main MESSAGE DBConnection: Created new Database connection [hashCode = 10969598]
    PartialOrderNode tree dump: time base = VMPSMajor
    <root>
        VMPSMajor: <root>
        VMPSMajor:     VMPSMajor.GetXMLData
        VMPSMajor:         VMPSMajor.PingSweep
        VMPSMajor:         VMPSMajor.PopulateFromDCR
        VMPSMajor:             VMPSMajor.GetPortStatus
        VMPSMajor:                 VMPSMajor.GetBridgeTable
        VMPSMajor:             VMPSMajor.Sweep
        VMPSMajor:                 VMPSMajor.GetIpXlateTable
        VMPSMajor:                 VMPSMajor.GetIpv6XlateTable
        VMPSMajor:                     VMPSMajor.GenerateTable6
        VMPSMajor:                         VMPSMajor.GenerateTable
    SMFunction evaluation order: time base = VMPSMajor
      VMPSMajor.GetXMLData  Major
      VMPSMajor.PingSweep  Minor
      VMPSMajor.PopulateFromDCR  Major
      VMPSMajor.GetPortStatus  Minor
      VMPSMajor.Sweep  Major
      VMPSMajor.GetBridgeTable  Minor
      VMPSMajor.GetIpXlateTable  Minor
      VMPSMajor.GetIpv6XlateTable  Minor
      VMPSMajor.GenerateTable6  Major
      VMPSMajor.GenerateTable  Major
    Time base VMPSMajor has 5 major nodes and 3 minor traversals.
    log4j:ERROR No appenders could be found for category (CTM.common).
    log4j:ERROR Please initialize the log4j system properly.
    In classlist loader
    In classlist loader processing sub classes
    updation done
    In classlist loader completed
    2010/01/13 14:00:03 main MESSAGE DBConnection: Created new Database connection [hashCode = 12524859]
    Calling default
    Subnet to SubnetData Map Size :73
    2010/01/13 14:01:31 DBConnecton-Reaper MESSAGE DBConnection: Closed Database connection [hashCode = 12524859]
    2010/01/13 14:01:31 DBConnecton-Reaper MESSAGE DBConnection: Closed Database connection [hashCode = 10969598]
    2010/01/13 14:04:50 main MESSAGE DCRDevWrapper: Closing DCRProxy
    I'm slowly getting to a dead end here. What am I missing?

    Well, our problem was resolved finally through a weird coincidence after having a websession with a Cisco TAC engineer (TAC case SR 613376661)
    We changed the
    snmp-server group readonly v3 auth context vlan-xxxx
    commands in the switches to:
    snmp-server group writeonly v3 auth context vlan-xxxx
    that is: use the writestring in the snmp-server groups instead of the read string.
    After we changed that, all of the User Tracking mysteriously started working.
    As far as I know, the writestring should not be needed, but apparently it is....
    Is there any explanation for this?

  • CiscoWorks LMS 2.6

    Dear All
    We are running CiscoWorks LMS 2.6
    I have scheduled a backup in Common Services > Server > Admin > Backup
    My question is, what does this backup actually do?
    Does it just backup the CW configuration?
    Or does it include data such as devices configuration archive, reports, jobs, device inventory etc
    If it does not, anyone have a suggestion of how this can be achieved?
    I am looking into DR scenario - i.e. how we can restore net devices if the device AND CW server is destroyed.
    Thanks
    Phil

    Phil;
      You may want to move this thread to the Network Infrastructure>Network Management community; they focus on LMS there.
    Scott

  • Custom device prompt in Ciscoworks LMS

    Hello,
    In emerging network infrastructure of our client we decided to use some custom prompts at device VTY (SSH and Telnet). Console users are network authenticated by means of ACS, and in case ACS is not reachable, we decided to use login prompts as follows:
    Username(local):
    Password(local):
    In this local mode, when CiscoWorks LMS (3.1) tries to collect configuration of switches, VLAN configuration exactly, we got such error messages in LMS interface:
    TELNET: Failed to establish TELNET  connection to 10.52.0.1 - Cause: Authentication failed on device 3 times. VLAN  Config fetch is not supported using TFTP. Command failed VLAN Config fetch is  not supported using RCP.
    Of course, we have checked the possibility to go from LMS host to these devices by SSH and Telnet, credentials are correct, only login prompts are as described earlier.
    I conclude, we need to tell LMS to accept our custom prompts. Is there any possibility and how to achieve this?

    If you're sure the failure is due to the custom prompt, yes, you can simply follow the steps in the following document to let LMS know about that:
    http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_tech_note09186a00801442c9.shtml

  • Ciscoworks 3.2 RME Compliance Management w/ 802.1x Port Configs

    I am currently trying to use LMS 3.2 Compliance management to verify and alter our access port configurations for 802.1x. Below is our current configuration:
    switchport access vlan XX
    switchport mode access
    authentication control-direction in
    authentication event fail retry 0 action authorize vlan XXX
    authentication event no-response action authorize vlan XXX
    authentication port-control auto
    authentication periodic
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 10
    dot1x max-req 1
    dot1x max-reauth-req 1
    storm-control broadcast level 75.00
    spanning-tree portfast
    spanning-tree bpduguard enable
    I require the configurations to be changed to:
    switchport access vlan XX
    switchport mode access
    authentication event fail action authorize vlan XXX
    authentication event no-response action authorize vlan XXX
    authentication port-control auto
    authentication periodic
    dot1x pae authenticator
    dot1x timeout tx-period 8
    storm-control broadcast level 10.00
    storm-control multicast level 10.00
    spanning-tree portfast
    spanning-tree bpduguard enable
    Additionally, I require LMS to verify that the port is indeed an access port with 802.1x already applied to it before adjusting the configurations. I have tried pushing this compliance check out with a prerequisite of having "switchport mode access" applied to it, and then having the next command set state:
    Submode: interface [#Ethernet*/*/*#]
    - dot1x max-req 1
    - dot1x max-reauth-req 1
    + no dot1x max-req 1
    + no dot1x max-reauth-req 1
    This was a simple test on a single device to see if I could remove the limits on authentication and requests entered. The job states successful and there are no devices that are non-compliant, however no changes to the device configurations have been made. I seek assistance in command syntax or if there is another way to push this out, as I have about 1k network devices to go through and make these changes.

    The following template should do what you want:
    Name: Global     SubMode: No      isPrerequisite: No
    Ordered : No     Prerequisite-Commandset : none     Parent: none
    Name: Switchport     SubMode: Yes      isPrerequisite: Yes
    Ordered : No     Prerequisite-Commandset : none     Parent: none
      interface   [#FastEthernet.*#]
    +[#switchport mode access#]
    Name: 802fix     SubMode: No      isPrerequisite: No
    Ordered : No     Prerequisite-Commandset : Switchport     Parent: Switchport
    -dot1x max-req 1
    -dot1x max-reauth-req 1
    Note that I have changed to [#FastEthernet.*#] to be applied on
    FastEthernet interfaces.

  • CiscoWorks LMS 4.0 does not show the devices

    Hello.
    I have CiscoWorks LMS 4.0, and all of a sudden it stopped showing me the devices it had recognized. I tried everything and nothing worked; finally I uninstalled and reinstalled it and it is the same: it recognizes the devices but does not show them to me.
    Who can guide me in finding out what problem I am experiencing?
    Thanks.
    Jose Luis Diaz Ortega
    Systems Engineer.
    Network Administrator.

    Thanks.
    Yes, before it showed me all the devices in the inventory and likewise in the monitor option, but when I tried to make a change in the configuration section it did not list the devices. Since I had this problem, what I did was install the applications again; I ran discovery and it recognizes the devices, but now it shows me nothing in inventory or in the monitor option.
    I have always worked with version LMS 4.
    inventory option
    monitor option
    The following image shows the devices that resulted from the discovery that was run; this means it finds them but does not show me information in the inventory and monitor options.
    Jose Luis Diaz Ortega
    Systems Engineer.
    Network Administrator.

  • CiscoWorks LMS 4.0 Time Zone Problem

    Hi,
    CiscoWorks LMS 4.0 timezone is VET. I know that LMS time is synchronized with system time. However, system time is correct but LMS's time is wrong.
    -I restarted LMS CW Daemon Manager
    -I re-installed LMS
    My problem still exists.
    What should I do to synchronize the time?
    Thank you for your help.

    My setup files were corrupted. I tried new setup and LMS successfully installed.
