DX NetOps

Hi,

I have discovered some devices (model SwCat45xx) which have been put into the NCM family "Cisco IOS - SSH Capable of type NCM_IOS_Post_12_2_Family"

When I try a capture, the first capture is OK but after that all the captures always fail.

And I get this popup error

SPCC-OCC-10747 : Error capturing configuration for host:

SPC-OCC-11549 : Capture failed

And there is also this event :

Configuration Manager - Capture failed for host running configuration file from device xxxxxxxx of type SwCat45xx on landscape spectrosrv01 initiated by user yyyyy. Specific error: java.io.IOException: SSHSCP.readString, error: Privilege denied.

The first capture gives this event :

Configuration Manager - Capture succeeded for host running configuration file from device xxxxxxx of type SwCat45xx on landscape spectrosrv01 initiated by user yyyyy.

What could be wrong?

Patrick

Hi Patrick,

Could you select the "Cisco IOS - SSH Capable" node on the Explorer tab and select Information tab on Contents panel  and look at Device Configuration Transfer Settings -> Default Communication Mode?

Could you also check Communication Mode on device model level under its Information tab -> Network Configuration Manager -> Local Communication Configuration subview?

If you are using SNMP/TFTP Communication Mode please make sure you have set WRITE SNMP Community String on the device model and TFTP server has been running on SpectroSERVER machine and configure under Configuration Manager -> Information tab -> TFTP Configuration subview.

If you are using SSH/SCP and having problem, could you try the following command using the same specified user on bash shell (outside of Spectrum application) on the SpectroSERVER machine.

scp <user>@<router s IP>:running-config .

e.g.

scp spectrum@10.10.10.10:running-config .

Note: please notice the dot character at the end of the command line is required.

The command will prompt you to key in user’s password and you will get the configuration from the router provided the user has been configured with privilege 15 and SSHv2 and SCP has been configured properly.

If running this works, then NCM should work too using SSH/SCP Communication Model. If no, then it may be network or router’s configuration issue.

Hi,

Thanks for your help

I have tried the scp command

> scp spectrum@www.***.yyy.zzz:running-config .

The authenticity of host 'www.***.yyy.zzz (www.***.yyy.zzz)' can't be established.

RSA key fingerprint is bd:09:............

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ''www.***.yyy.zzz' (RSA) to the list of known hosts.

Password:

running-config 100% 76KB 75.9KB/s 00:00

Connection to 'www.***.yyy.zzz closed by remote host.

So I don't understand why this doesn't work with NCM.

In what directory can I find this copied file on the Spectroserver?

Patrick

Hi Patrick,

Do you get running-config file created under the directory you have run the scp command? If so, run 'cat running-config' and see the contents of the file if it is containing the router running configuration. The "Connection to 'www.***.yyy.zzz closed by remote host." message is not happening in our environment. As Matt has said this could be user's Privilege issue.

If you have the running-config file and it contains the router configuration completely then theoretically NCM should work using the same SSH/SCP communication mode. If not, can we check NCM configuration to make sure SSH/SCP communication mode being used? If everything is right but NCM is still not working please try to increase the device model DCM Timeout parameter and redo the NCM capture.   

Hey Patrick,

Can you confirm you are using a user that has Privilege 15 rights to the device?

This error generally happens when the user being used does not have proper permissions to the device.

Thanks!

Matt

Hi,

Thank you for your help.

I have been working with my network friends and they have found what was going wrong.

We had to put this command line missing in the Cisco devices config :

     aaa authorization exec default group tacacs+

Now it works. Thank you.

Regards

Patrick

We too are having this issue. The privileges are correct and we have a similar line to what Patrick-P mentioned. SCP from CMD works as expected, but spectrum is still having issues collecting configs from certain devices. There does not seem to be a pattern and is completely random when it occurs. Any other suggestions?

aaa authorization exec default group tacacs-servers if-authenticated

Hi,

we had  an issue with some IOS-XE devices and NCM using SNMP/TFTP.

Because of a bug (?) these devices send the response to the write request after finishing the file transfer.

This may result in timeouts and an error message.

Our workaround was setting the DCM timeout to 10.000.

Regards, Frank

Hi,

@Frank, thank you! We have the same problem IOS-XE and some 4500 dervices with SNMP/TFTP!

Best regards

Christian

Frank, did you end up determining that this is a bug? We are experiencing this as well on some IOS-XE devices. 

Thanks,

Michael

Michael, I didn't speak with Cisco Support yet. So, I can't tell you, is it a bug or a feature. The fact is, some devices send the response to the write request after finishing the file transfer and this may cause time outs.  I've captured the communication.