CiscoWorks LMS 4.0.1 + Catalyst 3750X - User Tracking Issue

Similar Messages

• CISCOWORKS LMS and CISCOSECURE ACS Authenticate any user with HD role

  Hi:
  We are using CiscoSecure for authentication and authorization for differente apps.
  Specifically, any user already in the ACS database is authenticated to log in CiscoWorks LMS, with HD role (this happens although none of the CiscoWorks apps have been checked for this group). 
  Why is this happening?
  We don´t want that any user (although they are only permitted the HD role) could login.
  Thanks a lot
  Julio

  Follow the ACS integration guide to ensure the group you don't want to have access to LMS have the roles set to "NONE" instead of the default HD roles.
  http://www.cisco.com/en/US/partner/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html

• LMS 4.0.1 user tracking issue

  Hi All,
  I have an interesting problem at one of my customers. They are using LMS 4.0.1, but they have a problem with user tracking with SNMPv3. They using a very simple SNMP configuration, wich is the following:
  access-list 80 permit x.x.x.x
  snmp-server group SNMPV3GROUP v3 priv write SNMPV3_VIEW access 80
  snmp-server view SNMPV3_VIEW iso included
  snmp-server view SNMPV3_VIEW mib-2 included
  snmp-server view SNMPV3_VIEW cisco included
  User name: SNMPV3USER
  Engine ID: 8000000903000014F2C38169
  storage-type: nonvolatile        active access-list: 80
  Authentication Protocol: SHA
  Privacy Protocol: AES128
  Group-name: SNMPV3GROUP
  snmp-server group SNMPV3GROUP v3 context vlan-X
  Now they have UT working well for their Ctalyst 4500 switches, and the half of the 6500s (They have 2950 switches as well, but for those UT with SNMPv3 is unsupported). So the problem is the following: they have 12 6500 switches, with the same IOS version (10 pieces of WS-C6506-E + SUP720-3B IOS: 12.2(18)SXF17 (IP Services), 2 pieces of WS-C6506 + SUP720-BASE IOS: 12.2(18)SXF17 (IP Services)). They have identical SNMP configuration on both devices. Based on the logs from LMS it seems that on the problematic switches for some reason LMS identifies the switchports as routed:
  ==============Checking for Device==============
  10.255.255.11 : INFO : The switch has been discovered by ANI Server.
  IP : 10.255.255.11
  Details :Cisco Internetwork Operating System Software
  IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF17, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2009 by cisco Systems, Inc.
  Comp
  ==============Checking for port Gi1/1==============
  Gi1/1 : ERROR : ANI Server has discovered this port as a Routed port. Please run the UTDebug command only on ports connected to end hosts.
  The config in the device as follows:
  interface GigabitEthernet1/1
  switchport
  switchport access vlan 162
  switchport mode access
  no ip address
  no snmp trap link-status
  spanning-tree portfast
  end
  TOL_6506E_GT_COR_SW1#sh mac- | i Gi1/1
  *  162  0050.5648.a765   dynamic  Yes          0   Gi1/1
  TOL_6506E_GT_COR_SW1#sh ip arp vrf ebh | i 0050.5648.a765
  Internet  10.222.224.129        122   0050.5648.a765  ARPA   Vlan162
  TOL_6506E_GT_COR_SW1#
  I didn't find any relevant bugs. Has anyone have any idea?
  Thanks in advance,
  Imre

  I'm not sure why Campus looks at that port as a routed port, but I ignore the errors in the campus ANI logs as there are too many of them even when everything works.
  I always forget the OID (google knows it), but you best try to do an SNMP walk of the mac address table on the LMS server for a vlan you are interested in. Just to see if it can get it
  In CSCOpx\bin you find a snmpwalk.exe
  I'm not immediately sure why LMS would not be able to get that info via SNMP but it does narrow down on the root cause of your problem
  Cheers,
  Michel

• LMS 4.2.2 User Tracking - IP resolving

  Hello,
  I have made a fresh install of LMS 4.2.2 and I have a problem with the user Tracking.
  My architecture :
  A pair of 4500-X running  Version 03.03.00.SG
  10 stack of 2960-S running IOS : 12.2.55.SE5
  The 4500-X are routing cores. Everything is running SNMP V3 and I have entererd the commands for each VLAN :
  snmp-server group SDIS03-GP-RW v3 priv context vlan-x write SDIS03-V-RW
  All equipments are seen correctly by LMS. My problem is the user Tracking does not show the IP Addresses, I only have the MACs. I suppose this is an issue with ARP Table of the 4500-X that are not dowloaded by LMS but I don't konw why.
  I have seen several post on the forum for similar problems but it do not seems to resolv mine.
  Thanks by advance for your ideas.
  Regards,
  Abel.

  I found a reference on the LMS Supported Devices Table:
  The following features are not supported:
  VRF Lite, LANE Management, User Tracking, VLAN Management
  Configuration Deploy Protocols: HTTPs
  Configuration Fetch Protocols: HTTPs
  I wonder if it's due to this fact (mentioned in the 4500-X IOS XE Release Notes):
  The following features are not supported on a Catalyst 4500-X Series switches:
  •CISCO-IETF-IP-FORWARD-MIB
  •CISCO-IETF-IP-MIB

• User tracking not finding any hosts in Ciscoworks LMS 3.1

  L.S.
  Our test-configuration is as follows:
  Application versions:
  Ciscoworks LMS 3.1
  Ciscoworks Common Services 3.2.0
  Campus Manager 5.1.4
  We have 31 managed devices in Campus Manager (data has been collected on all),
  Edit: All of them show up green in the topology window.
  The device are: 2 6509 cores (running IOS s72033_rp-IPSERVICESK9_WAN-M version 12.2(18)SXF8), 1 ASA firewall (running ASA-OS version 8.0.5) and 29 switches (2960 and 3560 models both running ios version 12.2(52)SE). The switches are connected as follows:
  User tracking jobs are running normally, but aren't finding any end-hosts or IP phones at all (I suspect around 250-500 hosts+ on these switches)
  We are running SNMP v3 on the switches and have added the following configuration items to all the switches:
  snmp-server group readonly v3 auth context vlan-1
  <repeat for all present snmp-contexts as shown in show snmp context output>
  snmp-server group readonly v3 auth context vlan-83
  Debugging is enabled in CM->Admin->Debugging Options->User Tracking Server
  This is the UT.log file of the last major acquisition:
  messages will remian logged to file: D:\PROGRA~1\CSCOpx\log\ut.log
  2010/01/13 14:00:01 main MESSAGE ProcessInitializer: Properties will be read from D:\PROGRA~1\CSCOpx\campus\etc\cwsi\ut.properties
  I= 0value *.*.*.*
  I= 1value 6
  I= 2value 1
  2010/01/13 14:00:01 main MESSAGE DBConnection: Created new Database connection [hashCode = 10969598]
  PartialOrderNode tree dump: time base = VMPSMajor
  <root>
      VMPSMajor: <root>
      VMPSMajor:     VMPSMajor.GetXMLData
      VMPSMajor:         VMPSMajor.PingSweep
      VMPSMajor:         VMPSMajor.PopulateFromDCR
      VMPSMajor:             VMPSMajor.GetPortStatus
      VMPSMajor:                 VMPSMajor.GetBridgeTable
      VMPSMajor:             VMPSMajor.Sweep
      VMPSMajor:                 VMPSMajor.GetIpXlateTable
      VMPSMajor:                 VMPSMajor.GetIpv6XlateTable
      VMPSMajor:                     VMPSMajor.GenerateTable6
      VMPSMajor:                         VMPSMajor.GenerateTable
  SMFunction evaluation order: time base = VMPSMajor
    VMPSMajor.GetXMLData  Major
    VMPSMajor.PingSweep  Minor
    VMPSMajor.PopulateFromDCR  Major
    VMPSMajor.GetPortStatus  Minor
    VMPSMajor.Sweep  Major
    VMPSMajor.GetBridgeTable  Minor
    VMPSMajor.GetIpXlateTable  Minor
    VMPSMajor.GetIpv6XlateTable  Minor
    VMPSMajor.GenerateTable6  Major
    VMPSMajor.GenerateTable  Major
  Time base VMPSMajor has 5 major nodes and 3 minor traversals.
  log4j:ERROR No appenders could be found for category (CTM.common).
  log4j:ERROR Please initialize the log4j system properly.
  In classlist loader
  In classlist loader processing sub classes
  updation done
  In classlist loader completed
  2010/01/13 14:00:03 main MESSAGE DBConnection: Created new Database connection [hashCode = 12524859]
  Calling default
  Subnet to SubnetData Map Size :73
  2010/01/13 14:01:31 DBConnecton-Reaper MESSAGE DBConnection: Closed Database connection [hashCode = 12524859]
  2010/01/13 14:01:31 DBConnecton-Reaper MESSAGE DBConnection: Closed Database connection [hashCode = 10969598]
  2010/01/13 14:04:50 main MESSAGE DCRDevWrapper: Closing DCRProxy
  I'm slowly getting to a dead end here. What am I missing?

  Well, our problem was resolved finally through a weird coincendence after having a websession with a Cisco TAC engineer (TAC case SR 613376661)
  We changed the
  snmp-server group readonly v3 auth context vlan-xxxx
  commands in the switches to:
  snmp-server group writeonly v3 auth context vlan-xxxx
  that is: use the writestring in the snmp-server groups instead of the read string.
  After we changed that, all of the User Tracking mysteriously started working.
  As far as I know, the writestring should not be needed, but apparently it is....
  Is there any explanation for this?

• CiscoWorks LMS 4.0.1, user tracking acquisition problem on 3750 stack.

  Hello.
  We are using Catalyst 3750 switch stacks with software 12.2(44)SE. We have two stacks, only one with IP routing enabled.
  When we try to run an Acquisition Action on this, from Admin> Collection Settings> User Tracking, the system replies with an error "Failed to start acquisition: Device unreachable. Please enter a valid device".
  Device Center reports "success" on all collector status.
  Acquisition starts successfully when we try with the other stack.
  With LMS 4.1 demo, users acquisition runs successfully.
  Any suggestions is appreciated.
  Thanks.
  Regards.
  Andrea

  Hello Andrea,
  just wanted to let you know that I have fixed that for our system. I reinitated the UT Database with the following command:
  /opt/CSCOpx/bin/perl /opt/CSCOpx/campus/bin/reinitdb.pl -restore -ut -all
  It's important to call perl with the full path, otherwise it will completely fail.
  Hope this will help you.
  Greetings

• CiscoWorks LMS 4.0.1, user tracking acquisition problem.

  Hello.
  We are using Catalyst 3750 with 12.2(44)SE. We have two stack configured, one with IP routing enabled.
  When we try to run an Acquisition Action on IP routing enabled stack, from Admin> Collection Settings> User Tracking, the system replies with an error "Failed to start acquisition: Device unreachable. Please enter a valid device".
  Acquisition starts successfully when we try with the other stack.
  We are going to investigate!
  Any suggestions is appreciated.
  Thanks.
  Regards.
  Andrea

  You aren't using SNMP v3 perchance are you? If you are, you need to use contexts. Reference this thread.
  Have you tried initiating a full data collection and been successful? Reference this thread.
  If neither of these suggestions works, the latter thread linked above has some more detailed troubleshooting suggestions.
  Hope this helps.

• LMS 4.0.1 and User tracking with SNMP v3

  Hi! (again )
  I've another problem with our new LMS 4.0.1.
  We manage our devices with SNMP v3 but the user tracking don't want to work flawlessly.
  I've attached an example from our SNMP configuration. Basicly it's the same in our devices.
  1st the problem was that no matter what I did the User tracking didn't want to find any host. I left it and worked on something else. After 2 weeks suddenly appeard couple of thousand end host.
  As earlier (LMS 2.6 or 3.2 with snmp v2) it is the same that LMS cannot differentiate normal end host and IP Phones although we have several thousand from both. But this is only one problem.
  The other is that there are switches with the same IOS and SNMP configuration and from one I get the UT data and from another one I didn't get anything. Only from some 4506 (aprox. 12-15) and 6506 (2) works and we have 20+ 4506 and 10+ 6506. Not to mention the other switches (couple of houndred 2960 and 3750).
  I'll be grateful if somebody could advice what to do.
  Thanks
  Gabor

  Understanding Debugger Utility
  The utility displays a report on the reasons why User Tracking failed to discover end hosts on specific ports.
  In many cases, User Tracking may not perform as expected. This may be  because of problems in other LMS applications. For instance LMS Server  may have devices that are not discovered or inadequate VLAN discovery in  Topology Services.
  You can run the utility to troubleshoot problems, or provide the report  and log generated by the utility when you contact TAC for help in  diagnosing problems.
  The debugger utility uses the data collected by LMS Server and reports the reasons for the missing ports in User Tracking.
  This tool also has an SNMP component embedded which runs an SNMP query  for the table as a part of verification for SNMP failure. For example,  SNMP bugs in Catalyst operating system because of which User Tracking  may fail to discover devices.
  This generates an Action Report that you can use to analyze the data.
  The Debugger Utility:
  1. Checks the switch ports in a sequential order.
  2. Reports violation of basic rules for each of the missing ports such as link ports and trunk ports.
  3. Checks for SNMP retrieval of data, if the ports pass the validity check.
  4. Generates an Action Report suggesting possible remedial actions to retrieve the valid missing ports.
  Using Debugger Utility
  The Debugger Utility is available at $NMSROOT/campus/bin/ (where $NMSROOT is the directory where you have installed CiscoWorks).
  To run the Debugger Utility, run the command:
  utdebug -switch switch-ip -port port1[,port2 ...] [-export filename]
  where,
  switch is the switch to which the end hosts are connected.
  ports are the ports on the switch which have missing end hosts User Tracking.
  -export filename specifies  that the debug messages be stored in the file specified. If this option  is not used, the messages are displayed on the console.
  For example,
  utdebug -switch 10.29.6.12 -port 5/12
  utdebug -switch 10.29.100.10 -port Fa0/10
  utdebug -switch 10.29.6.14 -port Gi6
  Pretty sure you will find this and perhaps more in the build in help of LMS
  Cheers,
  Michel

• Adding Device support/definitions in Ciscoworks LMS 3.2

  Hi All
  I am having some issues adding updated definitions for Cisco C3750X-48PS switches.
  We have ciscoworks LMS 3.2 and I need to update the definition/device support for these switches. We are conducting a network refresh and are having some issues with ciscoworks polling these devices correctly.
  I have looked through the various user guides and searched on google with not much luck as to how to actually do this, the links I have found breifly go into it, but not indepth, and the cisco links I have found, of course have redirects to new pages which bear to resemblance to what is in the original document.  Is there a clear guide out there on how to update the switch definiton in ciscoworks? So I can i can try and do this correctly?
  I am new in my current role and I want to ensure I am doing this correctly. Apologies if this has been asked before.
  thanks                 

  First thing to check is the supported device table for LSM3.2. According to it, the 3750X-48P-S is supported pretty much across the board by the LMS tools.
  So you then need to just make sure you update the RME, CM, DFM and CiscoView device packages to integrate the updates into your server. While you can manually download and install the various packages, this task is more easily accomplished via the application GUI itself.
  In LMS 3.2, updates can be done via the Common Services Software Center. The User Guide (here) tells how to use that area in great details. I usually just select "everything" for updating so as to be fully updated for whatever gets installed (as opposed to trying to pick and choose the minimal set of packages).

• Custom device prompt in Ciscoworks LMS

  Hello,
  In emerging network infrastructure of our client we decided to use some custom promps at device VTY (SSH and Telnet). Console users are network authenticated by means of ACS, and in case ACS is not reachable, we decided to use login prompts as follows:
  Username(local):
  Password(local):
  In this local mode, when CiscoWorks LMS (3.1) tries to collect configuration of switches, VLAN configuration exactly, we got such error messages in LMS interface:
  TELNET: Failed to establish TELNET  connection to 10.52.0.1 - Cause: Authentication failed on device 3 times. VLAN  Config fetch is not supported using TFTP. Command failed VLAN Config fetch is  not supported using RCP.
  Of course, we have checked the possibility to got from LMS host to these devices by SSH and Telnet, credentials are correct, only login prompts are as described earlier.
  I conclude, we need to tell LMS to accept our custom prompts. Is there any possibility and how to achieve this?

  If you're sure the failure is due to the custom prompt, yes, you can simply follow the steps in the following document to let LMS know about that:
  http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_tech_note09186a00801442c9.shtml

• LMS 4.0.1 stops collecting users and hosts.

  Hello.
  We are using CiscoWorks LMS 4.0.1.
  Acquisition info reports last acquisition end time 19 July and Campus data collection running.
  Number of host entries is 68 but we have two thousands PCs.
  When we try to perform an acquisition action with scope all hosts and users, we receive this message
  Failed to start acquisition: Construction of XML data required for UT is in  progress.Please try after some time.
  Any ideas?
  Thanks.
  Andrea

  Using SNMP v2....

• CiscoWorks LMS 4.0.1 - some questions

  Hello community,
  I would like to ask some questions about CiscoWorks LMS 4.0.1.
  We are using for a few days, and I can't set some request in the system. I hope someone could help me to customize the CW as I would like to use it.
  - We have some Catalyst 6500s, and between them there are Etherchannels. CiscoWorks sends us email because HighUtilization, and it relies on a Gi interface. I read that CW doesn't support etherchannels, is this true.
  - I would like to receive email notifications about errdisabled state, etc. I know this is dome by RME, not DFM. The CiscoWorks server acts as Syslog server, too, and it collects the syslogs. I see in the Syslog summary, that the device sends to CW the syslog, but I can't receive email. I did an automated actions, (Monitor-Syslog-Automated actions), I defined the parameters (Facility: *, Sub-facility: *, Severity: 2, Mnemonic: PSECURE_VIOLATION, Description: *), but CW doesn't send me an email.
  - I would like to customize interface threshould parameters per device. We have some router with Tunnel utilization 90%, but it's okay because we have a 10Mbit line for the external site. But when our distribution switch ethernet utilization would be 90%, it would be critical. Where can I set these parameters per device/interface?
  Thank you for your help in advance.
  Ferenc KURIS

  If you go to  Monitoring > Fault Settings > setup > fault device details
  Select the device click view and click the device to open the detailed device view.
  There you may see the tu interface under interfaces and set it to managed.
  Cheers,
  Michel

• CiscoWorks LMS 4.0.1 - Could not generate the report

  Hello,
  I am running CiscoWorks LMS 4.0.1 since 6 months and I wanted to generate today a report about the interface utilization on 2 Cisco switches (Catalyst 3750G). The corresponding job is created, it runs and then i get "succeeded with info" in the "Run Status" column. When I want to click then on the "View Report" link, I get the following error: "Could not generate the report. Either data is not available for the specified duration or the report job failed."
  I tried the same procedure with 2 other switches but I have got the same result.
  Does anybody has an idea of how I can fix this issue?
  Thanks a lot in advanced.
  Best regards,
  Marc Hoffmann

  Hi Marc,
  I have this problem too. I rebooted my Windows but no solved. You known the service name responsible for this error? You have any other sugestion?
  Thank you !!!

• Ciscoworks LMS 4.0 DFM Custom Traps

  Hello,
  We want to use Ciscoworks LMS 4.0 for Access Control List Monitoring. i.e. if we end the ACLs with "log" entry, we may send  the ACL deny logs to the Ciscoworks as Syslog or Snmp Trap format.
  With "debug snmp packets" command we may observe the packets are sent to the LMS, but the traps don't show up as alarms. Is it possible to observe any trap entry with LMS DFM Fault Manager by customizing the module, because we think the engine of the DFM analyzes the traps and shows some of the traps, not all of the traps are observable.
  The command output is as below:
  Thanks in Advance,
  Best Regards,
  Mar  2 10:28:30.028: SNMP: Queuing packet to 10.10.10.1
  .Mar  2 10:28:30.028: SNMP: V1 Trap, ent ciscoSyslogMIB.2, addr 10.10.20.1, gen  trap 6, spectrap 1
  clogHistoryEntry.2.742 = SEC
  clogHistoryEntry.3.742 = 7
  clogHistoryEntry.4.742 = IPACCESSLOGDP
  clogHistoryEntry.5.742 = list 191 denied icmp   10.10.10.1 -> 10.10.20.1 (0/0),   10 packets
  clogHistoryEntry.6.742 = 69082382

  DFM consumes the traps and decides based on its built-in code-book what to do - rise one of the predefined Events or just silently ignore it. The best DFM can do is forward the trap as-is to another trap receiver.
  Perhaps the LMS Syslog-Server can do what you want and lauch automated actions (like scripts or e-mail) based on certain criteria.
  But you should take care of the underlying syslog file and keep its size under control with logrot.pl utility.
  The online help of LMS should give you more details on the syslog capabilities or this link to the LMS 4.0 Administration Guide:
  http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.0/user/guide/admin/useNotif.html#wp1075603

• CiscoWorks User Tracking Utility

                     Does Cisco have any plans to incorporate the CiscoWorks User Tracking Utility into LMS Prime 4.2 or any newer version of LMS? This tool is very useful in identifing where a computer or device is located on a switch. I know SolarWinds just came out with their own version of the User Tracking utility, and I am wondering if Cisco is going to continue on with theirs.

  I'm pretty sure the user tracking functionailty will be ported to NCS, the final Prime Infrastructure. We will see next year in version 2 what it looks like.
  When that happens a client for on your PC will soon be developed as well.
  I'm just wondering how cisco is establishing what features are to be ported into the final Prime Infrastructure.
  I mean, their marketing people are probably the best in the industry, and know exactly what they can sell out there.
  But I don't think they have a clue what is esential to manage a larger, bussines critical network, and what is nice to have.
  Cheers,
  Michel