SNMP notify and remote SNMPv3 users
I've run into some problems trying to get SNMPv3 informs to work.
Currently I am working with this simplified (by removing views and ACLs) config:
snmp-server engineID remote XX.XX.XX.XX XXXXXXXXXXXXX
snmp-server group foobar v3 priv
snmp-server user foo foobar remote XX.XX.XX.XX auth sha XXXXXXXXXX priv aes 128 XXXXXXXXXXXX
snmp-server manager enable
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps errdisable
snmp-server host XX.XX.XX.XX informs version 3 priv foo vlancreate vlandelete port-security envmon power-ethernet config syslog mac-notification vlan-membership errdisable snmp
...not sure if the traps lines are even needed. I made sure to enter the snmp user after the remote engineid.
Anyway, problem number 1 is that with this configuration I always get no attempts to send informs:
SNMP Manager-role output packets
0 Get-request PDUs
0 Get-next PDUs
0 Get-bulk PDUs
0 Set-request PDUs
0 Inform-request PDUs
0 Timeouts
0 Drops
SNMP Manager-role input packets
0 Inform request PDUs
0 Trap PDUs
0 Response PDUs
0 Responses with errors
SNMP informs: enabled
Informs in flight 0/25 (current/max)
Logging to XX.XX.XX.XX
0 sent, 0 in-flight, 0 retries, 0 failed, 0 dropped
SNMP agent enabled
Problem number 2 is that whenever I reboot the switch, the remote user definitions disappear. This happens on two different platforms/IOS versions (3560 12.2(55)SE5 and 2960 15.0(2)SE4) otherwise I'd chalk it up to a regression. It also happens no matter how much I try to downgrade the auth/priv level -- even to v2c user definitions. Before the reboot the users are listed as stored in nonvolatile, just like all the local users.
Can anyone spot any missing components from this config? Has anyone else seen the lost snmp user entries behavior?
Yay... finally figured out a workaround for this one. If you add a local snmp user with the same name and parameters as the remote SNMP user, then everything suddenly works. A clue if you are having this problem is that when you list snmp users after adding the remote user, it does not show a Group-name for the user. After adding the local user, it shows a Group-name, informs get sent (using the remote user/engineID no less!) and the switch remembers both users after a reboot.
So the correction to the above configuration is:
snmp-server engineID remote XX.XX.XX.XX XXXXXXXXXXXXX
snmp-server group foobar v3 priv
snmp-server user foo foobar remote XX.XX.XX.XX auth sha XXXXXXXXXX priv aes 128 XXXXXXXXXXXX
snmp-server user foo foobar auth sha XXXXXXXXXXX priv aes 128 XXXXXXXXXXXXX
snmp-server manager enable
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps errdisable
snmp-server host XX.XX.XX.XX informs version 3 priv foo vlancreate vlandelete port-security envmon power-ethernet config syslog mac-notification vlan-membership errdisable snmp
Probably more people haven't noticed this problem because they configure the local user first before they realize they need to configure a remote user after consulting the docs, and do not delete the local user.
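A configuration check for the workaround described above, as an added example that is not part of the original post: it reads `snmp-server` lines and reports a remote SNMPv3 user that has no local user with the same name, group and auth/priv protocols, or that is entered before its `engineID remote` line. The address 192.0.2.10, the engine ID, the keys and the finding names are constructed for illustration, and keys are deliberately not compared.

```python
import re

ENGINE_RE = re.compile(r"^snmp-server engineID remote (?P<host>\S+) \S+")
USER_RE = re.compile(r"^snmp-server user (?P<name>\S+) (?P<group>\S+)"
                     r"(?: remote (?P<host>\S+))?(?P<rest>.*)$")
HOST_RE = re.compile(r"^snmp-server host (?P<host>\S+) informs version 3 "
                     r"(?:noauth|auth|priv) (?P<user>\S+)")


def _protocols(rest):
    """Return (auth, priv) protocol names from a user line; keys are ignored."""
    tokens = rest.split() + [None, None]   # padding so look-ahead never fails
    auth = priv = None
    if "auth" in tokens:
        auth = tokens[tokens.index("auth") + 1]
    if "priv" in tokens:
        i = tokens.index("priv")
        priv = tokens[i + 1]
        if priv == "aes":                  # "aes 128" is two tokens
            priv = f"aes {tokens[i + 2]}"
    return auth, priv


def check_inform_config(config_text):
    """Return a list of (finding, user) tuples; the finding names are hypothetical."""
    engines = set()            # hosts whose engineID remote line was already seen
    local, remote = {}, {}     # name -> entry, (name, host) -> entry
    inform_hosts, findings = [], []
    for line in config_text.splitlines():
        line = line.strip()
        if m := ENGINE_RE.match(line):
            engines.add(m["host"])
        elif m := USER_RE.match(line):
            entry = (m["group"],) + _protocols(m["rest"])
            if m["host"]:
                # The post enters the remote user only after the remote engine ID.
                if m["host"] not in engines:
                    findings.append(("remote-user-before-engineid", m["name"]))
                remote[(m["name"], m["host"])] = entry
            else:
                local[m["name"]] = entry
        elif m := HOST_RE.match(line):
            inform_hosts.append((m["host"], m["user"]))
    # The workaround: every remote user needs a local user with the same
    # name, group and auth/priv protocols.
    for (name, _host), entry in remote.items():
        if local.get(name) != entry:
            findings.append(("remote-user-without-local-twin", name))
    # An informs host must reference a user defined as remote for that host.
    for host, user in inform_hosts:
        if (user, host) not in remote:
            findings.append(("inform-host-without-remote-user", user))
    return findings


# Constructed sample in the shape of the first configuration in the post.
BROKEN = """\
snmp-server engineID remote 192.0.2.10 800000090300AABBCCDDEEFF
snmp-server group foobar v3 priv
snmp-server user foo foobar remote 192.0.2.10 auth sha AUTH-KEY priv aes 128 PRIV-KEY
snmp-server manager enable
snmp-server host 192.0.2.10 informs version 3 priv foo config snmp
"""
# Constructed sample with the local user added, as in the corrected configuration.
FIXED = BROKEN + "snmp-server user foo foobar auth sha AUTH-KEY priv aes 128 PRIV-KEY\n"

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_inform_config(cfg))
```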
Similar Messages
-
Hello,
We recently added LDAP authentication to our UCS Manager (v2.0(1s)) and the binding of roles works and users are able to login using their AD accounts. However, I was wondering if anyone knows how to assign a locale to a remotely authenticated user. The option seems greyed out on my end. There are a handful of people that only need to see their single blade and we don't want them to see the rest of our servers.
Thanks,
No they weren't part of those groups. I see where I went wrong: the mappings I made didn't include the locale, only the roles section.
However, I noticed another issue. Anyone that is in the base OU and below is allowed access to UCS Manager. Even if they are NOT a part of a UCS mapping, they get read-only access and see everything. Is there a way to deny all access unless a user is specifically a part of a group in AD that is mapped to a role in UCS Manager?
Let's say I have a blade on chassis 1 slot 6. I want a user in AD to only see and have access to that blade. Nothing else. Is that possible?
Thank you in advance for any help. -
Greetings,
I'm running a security tool DISA provides and it's reporting that on my XP box the following:
"This group has privileges associated with it that may allow anonymous access to the system."
The group is:
"Guests"
I've already disabled the Guest account, however the account isn't the same thing as the group, so how does one go about limiting anonymous privileges associated with the group?
Remove any group membership if Guest account is member of.
You can also use restricted group policy to remove group membership on multiple computers at once. -
I am trying to build a basic TCL skeleton script that reads a remote SNMP OID and displays the value on the screen.
I don't want it to be an EEM Event, I just want to run it from the (tcl)# prompt.
So I guess I'm asking if you can use cli_exec and other commands in the "namespace import ::cisco::eem::*" in a normal non-EEM script - can I do that?
This is the error I get:
OTN.159(tcl)#source flash:TCL_SNMP_Remote_Read.tcl
invalid command name "::cisco::eem::event_register_none" ^
% Invalid input detected at '^' marker.
What am I missing?
================= TCL_SNMP_Remote_Read.tcl ==============================
::cisco::eem::event_register_none
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
# Open a CLI session through the EEM CLI library
if [catch {cli_open} RESULT] {
    error $RESULT $errorInfo
} else {
    array set cli1 $RESULT
}
# Run the SNMP get and keep its output
if [catch {cli_exec $cli1(fd) "snmp get v2c 192.168.1.100 public timeout 1 oid 1.3.6.1.2.1.1.1.0"} RESULT] {
    error $RESULT $errorInfo
} else {
    set SnmpSysDesc $RESULT
}
# Close the CLI session
if [catch {cli_close $cli1(fd) $cli1(tty_id)} RESULT] {
    error $RESULT $errorInfo
}
puts $SnmpSysDesc
=========================================================================
In the sho-run config I have:
event manager directory user policy "flash:/"
event manager session cli username "cisco"
Any help to get me started would be greatly appreciated!
Tim
If you don't want an EEM policy, then don't use any of the EEM constructs. Instead, all you need is this:
set output [exec "snmp get v2c 192.168.1.100 public timeout 1 oid 1.3.6.1.2.1.1.1.0"]
puts $output
-
Routing issue for remote vpn user and spoke
Hi all,
I have configured VPN (see attached file).
Before upgrading the ASA from 8.3 to 8.4, the spokes were able to communicate with each other and remote VPN users were also able to access the spoke site.
After upgrading the ASA hub, neither spoke-to-spoke nor remote-user-to-spoke traffic can communicate.
Here is the NAT exemption configuration on the ASA hub. Only this ASA has been upgraded; nothing has been done on the other site.
object network 172.17.8.0
subnet 172.17.8.0 255.255.255.0
object network 10.100.96.0
subnet 10.100.96.0 255.255.240.0
object network VPN-SUBNET
subnet 172.20.1.0 255.255.255.0
nat (outside,outside) source static 172.17.8.0 172.17.8.0 destination static 10.100.96.0 10.100.96.0
nat (outside,outside) source static 10.100.96.0 10.100.96.0 destination static 172.17.8.0 172.17.8.0
nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 10.100.96.0 10.100.96.0
nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 172.17.8.0 172.17.8.0
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
Do you know what the problem can be?
Thanks so much for your help.
Since you are not NATing any of that traffic and it's u-turn traffic, pls remove those 4 NAT statements. They are not required at all.
Pls "clear xlate" after removing it and let us know how it goes. -
SUSPEND and NOTIFY converted as remote hold and remote retrieval
The other side says that is sending SUSPEND and NOTIFY - SS7 messages which are converted as remote hold and remote retrieval on PRA.
It says those messages are coming to my Cisco box (c5350-is-mz.123-18), but the IOS is not able to interpret them correctly.
I am not seeing these messages in any debugs... Does anyone have any idea about this?
Thanks
Robert
Attached is the debug I've got from the other side
What debugs are you getting on the access server? The remote side is trying to communicate with the access server but maybe the messages are getting dropped. The following link may help you
http://www.cisco.com/en/US/docs/routers/access/as5350/software/configuration/guide/54basic.html -
Remote Control and Remote View Problem
Hi,
I work at a High School running Netware 6.0 SP5 and Zen works 4.01 ir7.
Remote Control and Remote View works great but I noticed one problem.
We have a logo of the school that is forced down on to the desktop when a
user logs in through group policies. This logo works perfect for the
desktop wall paper and loads every time a user logs in.
When I Remote Control or Remote View a computer the user's desktop wall
paper turns from the logo being forced down through group policies to the
desktop to a blue desktop wall paper.
I would prefer the desktop wall paper staying the schools logo when I
Remote Control or Remote View because if the desktop wall paper changes to
the blue color I mentioned above when I Remote Control or Remote View the
user's computer, they will know that someone is taking over their computer
which sometimes we don't want them knowing.
We have Windows 98SE computer running Novell Client 3.4 and we have some
computers running Windows XP Professional SP1 and Windows XP Professional
SP2 both running Novell Client 4.91 SP2.
The Remote Control and Remote View problem of the desktop wall paper
changing on the users computer occurs on all operating systems mentioned
above.
Is there a solution to my above problem? When Remote Controlling and
Remote Viewing someone's computer I don't want the desktop wall paper to
change.
Thanks!
Bpilon,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
- Check all of the other support tools and options available at
http://support.novell.com.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://support.novell.com/forums)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://support.novell.com/forums/faq_general.html
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/ -
How to use the same services-config for the local and remote servers.
My flex project works fine using the below but when I upload my flash file to the server it doesn't work, all the relative paths and files are the same except the remote one is a linux server.
<?xml version="1.0" encoding="UTF-8"?>
<services-config>
<services>
<service id="amfphp-flashremoting-service"
class="flex.messaging.services.RemotingService"
messageTypes="flex.messaging.messages.RemotingMessage">
<destination id="amfphp">
<channels>
<channel ref="my-amfphp"/>
</channels>
<properties>
<source>*</source>
</properties>
</destination>
</service>
</services>
<channels>
<channel-definition id="my-amfphp" class="mx.messaging.channels.AMFChannel">
<endpoint uri="http://localhost/domainn.org/amfphp/gateway.php" class="flex.messaging.endpoints.AMFEndpoint"/>
</channel-definition>
</channels>
</services-config>
I think the problem is the line
<endpoint uri="http://localhost/domainn.org/amfphp/gateway.php" class="flex.messaging.endpoints.AMFEndpoint"/>
but I'm not sure how to use the same services-config for the local and remote servers.
paul.williams wrote:
You are confusing "served from a web-server" with "compiled on a web-server". Served from a web-server means you are downloading a file from the web-server, it does not necessarily mean that the files has been generated / compiled on the server.
The server.name and server.port tokens are replaced at runtime (ie. on the client when the swf has been downloaded and is running) not compile time (ie. while mxmlc / ant / wet-tier compiler is running). You do not need to compile on the server to take advantage of this.
Hi Paul,
In Flex, there is a feature that lets the developer put all service-config.xml file configuration information into the swf file, with
-services=path/to/services-config.xml
IF
services-config.xml
have tokens in it and user have not specified additional
-context-root
and this swf file is not served from a web-app-server (like tomcat for example) then it will not work,
Flash player has no possible way to replace token values of the service-config.xml file during runtime if that service-config.xml file has been baked into the swf file during compilation,
for example during development you can launch your swf file from your browser with the file:// protocol and still be able to access blazeDS services if
-services=path/to/services-config.xml
has been specified during compilation.
I don't know any better way to explain this, but in summary there are two places where you can tell the swf about service configuration,
1) pass the -services=path/to/services-config.xml parameter to the compiler, this way you tell the swf file up front about all that good stuff,
or 2) you put that file on the webserver (in this case, yes you should have replacement tokens in that file) and they will be replaced at runtime. -
One WLC for Headquarter and Remote Site
Hi
I have a question about the WLC remote deployment.
We have the following design at the moment:
Headquarter
- Network 192.168.49.0 /24
- WLC 4402 Version 4.2.61.0
-- 3 x LAP1252
-- Layer 3 LWAPP
-- SSID wep
-- SSID wpa
- Windows PDC with Active Directory, DHCP Server and local Data Storage
- ACS Version 3.2 for TACACS and RADIUS authentication --> External DB to Active Directory
Remote Site
- Network 192.168.50.0 /24
- 2 x LAP1252
-- SSID wep
-- SSID wpa
- Windows PDC with Active Directory, DHCP Server and local Data Storage
- ACS Version 3.2 for TACACS and RADIUS authentication --> External DB to Active Directory
Connection between Headquarter and Remote Site
- 2 Mbit ADSL
The problem is, that the wireless clients on the remote site get an ip address out of the headquarter DHCP Range 192.168.49.0 /24. The users on the remote site
most of the time only use the local data server in the remote office. With the actual design the whole traffic is switched over the 2 Mbit ADSL connection to the
WLC in the headquarter and back to the remote site. That works but it is not that performant.
The problem could be solved with HREAP, but what I think is, that it is not possible to have the same SSID at headquarter and remote site with different VLANs.
How can I achieve, that the clients on the remote site connect to the same SSID (wep or wpa), get an ip address from the remote site DHCP server (192.168.50.0)
and the traffic is switched locally.
I hope you understand what the problem is.
Thanks in advance for your help!
Yes, putting the remote AP's in HREAP mode will allow the same WLANs to be available on the AP's but the traffic would be locally switched at the AP instead of being tunneled back to the controller. After you put the AP in HREAP mode you then would configure which VLAN you want traffic for each WLAN to be dumped onto for that AP.
-
Screen sharing and remote management no longer working after some uptime
Server is without monitor.
Users need to login via screen sharing from time to time.
"Enable screen sharing and remote management" is ticked in Server.app everything is working fine (for days, weeks).
ARD reports "Screen Sharing Available", so remote management is not running how it should.
Screen Sharing.app is "Connecting…" forever.
Kickstarting ARD (http://support.apple.com/kb/HT2370) does not help.
Restart fixes it.
Is there a workaround (over ssh) or a fix?
seduc wrote:
Do you know if
fdesetup authrestart
works then too?
Off-hand, no. I don't. See this posting, or as would be typical in any case, try it? -
Screen Sharing and Remote Management
Is there a way in 10.6 to make both Screen Sharing and Remote Management run at the same time?
In the past (10.5), you could convince Mac OS to run both Screen Sharing and Remote Management to run simultaneously. I say "convince" because you could not enable them both through System Preferences. You could turn one on, then use Terminal to enable the other. This worked great for me, because I needed remote management for the machines I managed, and the users need screen sharing to work from home.
However, the work-around for 10.5 no longer seems to work for 10.6. Has any one gotten this to work yet for 10.6? Thanks!
I figured this out. First enable Remote Management via System Preferences. Then create /private/etc/ScreenSharing.launchd with 'enabled' as its contents.
-
Exchange Server 2013 and Remote Access VPN on a single server running Windows Server 2012?
Just by way of background, I have been installing and administering network servers, e-mail systems, VPN servers, and the like for many years. However, my involvement with Exchange and Windows Server has been mostly on the forensics and data recovery
level, or as a (sophisticated) user. I have never tried to deploy either from scratch before. My deployment experiences have been mostly with Linux in recent years, and with small private or personal "servers" running such cutting edge
software as Windows XP back when it was new. And even NetWare once.
When a client asked me if I could set up a server for his business, running Exchange Server (since they really want Outlook with all of its bells and whistles to work, particularly calendars) and providing VPN access for a shared file store, I figured it
could not be too difficult given that it's a small business, with only a few users, and nothing sophisticated in the way of requirements. For reasons that don't bear explaining here, he was not willing to use a vendor hosting Exchange services or cloud
storage. There is no internal network behind the server; it is intended to be a stand-alone server, hanging off a static IP address on the Internet, providing the entirely mobile work-force of about 10 people with Exchange-hosted e-mail for their computers
and phones, a secure file store, and not much else. If Exchange didn't need it, I would not need to install Active Directory, for example. We have no direct need for its services.
So I did the research and it appears, more by implication than outright assertion, that I should be able to run Windows Server 2012 with Exchange Server 2013 on a server that also hosts Remote Access (VPN only) and does nothing else. And it appears
I ought to be able to do it without virtualizing any of it. However, I have spent the last three or four days fighting one mysterious issue after another. I had Remote Access VPN working and fairly stable very quickly (although it takes a very
long time to become available after the server boots), and it has mostly remained reliable throughout although at times while installing Exchange it seems to have dropped out on me. But I've always been able to get it back after scrounging through the
logs to find out what is bothering it. I have occasionally, for a few minutes at a time, had Exchange Server willing to do everything it should do (although not always everything at the same time). At one point I even received a number of e-mails
on my BlackBerry that had been sent to my test account on the Exchange Server, and was able to send an e-mail from my BlackBerry to an outside account.
But then Exchange Server just stopped. There are messages stuck in the queues, among other issues, but the Exchange Administration Center refuses now to display anything (after I enter my Administrator password, I just get a blank screen, whether on
the server or remotely).
So, I am trying to avoid bothering all of you any more than I have to, but let me just begin with the basic question posed in the title: Can I run Exchange Server (and therefore Active Directory and all of its components) and Remote Access (VPN only) on
a single Windows Server 2012 server? And if so, do I have to run virtual machines (which will require adding more memory to the server, since I did not plan for it when I purchased it)? If it can be done, can anyone provide any pointers on what
the pitfalls are that may be causing my problems? I am happy to provide whatever additional information anyone might like to help figure it out.
Thanks!
An old thread but I ran into this issue and thought I share my solution since I ran into the same issue. Configuring VPN removes the HTTPS 443 binding on the Default Site in IIS for some strange reason; just go and edit the bindings, add HTTPS and things
should be back to normal. -
Create DB link between my local system and remote system
Hi,
I need help to create DB link between my local system Database and remote system database both the database are oracle.
Please check whether the script which I have written is correct or not. It's giving me the error "sql command not ended properly"
create public database link MERU_PROD_LOCAL_PROD
CONNECT TO SUDHIR
identified by sudhir123
using (DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS =
(COMMUNITY = tcp.world)
(PROTOCOL = TCP)
(Host = 23.23.150.144)
(Port = 1521)
(CONNECT_DATA = (SERVICE_NAME = sudhir)
I am executing this command in my local system connecting to the remote database link. Please suggest me is this method correct.
Thanks
Sudhir
Hi Hilton,
I fixed that issue. Now I am creating the DB link this way, please check whether this is proper or not
create or replace database link meru_prod_local_prod connect to portal identified by Oracle!123 using 'MERUPROD';
remote machine
User Name: portal
Password : Oracle!123
MERUPROD is the tnsora entry
It gives error as
Error starting at line 1 in command:
create or replace database link meru_prod_local_prod connect to portal identified by Oracle!123 using 'MERUPROD'
Error at Command Line:1 Column:18
Error report:
SQL Error: ORA-00922: missing or invalid option
00922. 00000 - "missing or invalid option"
*Cause:
*Action: -
Remote control and remote desktop client in sccm 2012 ?
What is the difference between remote control and remote desktop client in sccm 2012 ?
Remote Control is a built-in feature for SCCM 2012 and uses the RPC protocol. When you use this, the user can still be logged on while helping.
Remote Desktop is a built-in feature for Windows and uses the RDP protocol. When you use it, the user will be logged off.
Why you would use one over the other depends on your requirements.
Blog: www.danielclasson.com/blog |
LinkedIn:
Daniel Classon | Twitter: @danielclasson -
Hello, dear colleagues.
We are using Windows Server 2012 R2 as Remote Desktop Server. Also use Windows Server 2008 R2 with Remote Desktop Service Manager to control RDS user sessions (Send Message, Disconnect, Logoff, Query Info).
Send Message, Disconnect, Logoff options work only for users in Administrators group.
I can't configure permissions for Remote Desktop Users, specific user or AD group.
To set permissions I'm running RDS Host Configuration on Windows Server 2008 R2 and connect to Windows Server 2012 R2. Then double-click
RDP-Tcp, Security tab, add specific user account , AD group or configure
advanced permissions
for Remote Desktop Users.
But, as I said above, these options work only for users in Administrators group. How to make it work for Remote Desktop Users or specific user, AD group?
Thanks.
P.S. If move specific user from Remote Desktop Users group to Administrators group on
Windows Server 2012 R2 - it works.
Hi,
You can prevent administrators from changing the permissions for a connection by applying the
Do not allow local administrators to customize permissions Group Policy setting.
This Group Policy setting is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
Apart from that, there is one command with which you can set the permission; for that, check the related article. Additionally, check this thread for more detail.
Hope it helps!
Thanks.
Dharmesh Solanki
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]