Table Of Contents
Troubleshooting Essentials
Change Audit FAQs
Configuration Management
Configuration Management FAQs
Troubleshooting Configuration Management
Contract Connection
Contract Connection FAQs
Inventory
Inventory FAQs
Troubleshooting Inventory
Software Management
Software Management FAQs
Troubleshooting Software Management
Syslog Analysis
Syslog Analysis FAQs
Troubleshooting Syslog Analysis
Data Extracting Engine
Data Extracting Engine FAQs
CiscoWorks Server
CiscoWorks Server FAQs
Essentials Process Description Table
Troubleshooting Essentials
This appendix provides information on troubleshooting Essentials applications and Essentials-related CiscoWorks Server problems.
Tip 
For the latest technical tips, suggestions for troubleshooting common issues, and frequently asked questions (FAQs) on most Essentials applications, you can go to the following URL:
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Software:Cisco_Resource_Manager_Essentials&s=Implementation_and_Configuration#Samples_and_Tips
•Change Audit FAQs
•Configuration Management
•Contract Connection
•Inventory
•Software Management
•Syslog Analysis
•Data Extracting Engine
•CiscoWorks Server
Change Audit FAQs
Q. Can I track every configuration change made to routers and switches in my network and who made them?
A. Yes, if the devices have been enabled for syslog. All changes made on a device are logged, including changes made by outside Telnet sessions.
You can enable Change Audit to listen to the syslog messages so that it can update the archive with the changed version of the configuration file and log the change. Select Resource Manager Essentials > Administration > Configuration Management > General Setup, then select the Change Probe Setup tab and enable Listen to Syslog Messages.
You can check for changes by selecting Resource Manager Essentials > Change Audit > All Changes. If the change was made by an outside Telnet session, Unknown is listed in the Connection Mode column of the report.
Configuration Management
Configuration Management FAQs
•Where can I find out what devices are supported by Configuration Management?
•If I import devices from a remote NMS, can I compare the startup vs. running configurations?
•Can I run Network Show Command sets for more than 10 devices?
•How many Network Show Commands are allowed per command set?
•Can I run all device commands using Network Show Commands?
•If I'm having problems with the Network Show Commands option, where can I check for error messages?
•I cannot unlock the device by the usual means. I need to go to CFG_ARCHIVE_LOCK. What is the procedure?
•Using RME, how do I configure Telnet credentials on a device by SNMP?
•Using RME, how do I configure SSH credentials on a device by SNMP?
Q. Where can I find out what devices are supported by Configuration Management?
A. Select Server Configuration > About the Server > Applications and Versions. Under the Applications Installed, click Configuration Archive to see a list of supported devices.
Q. If I import devices from a remote NMS, can I compare the startup vs. running configurations?
A. Yes, but first you must:
Step 1 Select Resource Manager Essentials > Administration > Inventory > Change Device Attributes.
You can select all the devices with the same passwords, or you can change the TACACS usernames and passwords.
Step 2 Update the device credentials for all the devices.
Q. Can I run Network Show Command sets for more than 10 devices?
A. Yes. You can run command sets for more than 10 devices if you:
•Schedule a job with Batch Reports. You can schedule this job either from the Network Show GUI or from the Network Show CLI.
•Run the command sets for immediate execution from the Network Show CLI. (The commands that you must use are:
cwconfig netshow -device device list -execcmdset cmdsetlist -execcmd remotecmd list).
However, if you run the Network Show command sets for immediate execution from the Network Show GUI, then you can run them only for a maximum of 10 devices.
Q. How many Network Show Commands are allowed per command set?
A. Each command set can contain a maximum of 6 commands from each device type. The supported device types are:
•IOS devices (Routers)
•Catalyst switches
•FastSwitch devices
•Content Engine
•Content Service switches
•PIX Firewall devices.
Q. Can I run all device commands using Network Show Commands?
A. No. Network Show supports only these commands:
show, ping, traceroute, help, where, ?, and version.
Q. If I'm having problems with the Network Show Commands option, where can I check for error messages?
A. You can check for messages in these locations:
•The Java console available with your browser.
•In the Process Status dialog box. Select Server Configuration > Administration > Process Management > Process Status.
Q. I cannot unlock the device by the usual means. I need to go to CFG_ARCHIVE_LOCK. What is the procedure?
A. A locked config file can only be unlocked through the application that has locked the config file.
For example, if you had checked out the config file using Config Editor, you should undo the check out of the config file using Config Editor, and not any other application. For example, if the config file has been checked out using Config Editor, then you cannot use cwconfig to unlock the file. The undo operation will fail.
Procedures to unlock the Config File and Device in different environments
•Unlocking the Config File using Config Editor
•Unlocking the Config File using cwconfig
•Unlocking the Device
Unlocking the Config File using Config Editor
To unlock the config file using Config Editor:
Step 1 From the Config Editor screen of RME, choose Tools > List Checkedout Files.
A list of checked out files is displayed.
Step 2 Select the config file to be unlocked from the list of checked out files.
Step 3 Click Undo Checkout.
The Config file is unlocked.
Unlocking the Config File using cwconfig
Execute the following command to unlock a config file that has been locked by the cwconfig application:
cwconfig unlock
For more details on using cwconfig, see cwconfig manpages.
For more information on cwconfig command see the Resource Manager Essentials online help (Resource Manager Essentials > Configuration Management > Using cwconfig).
Example A-1 Example Usage of cwconfig on Solaris:
server# pwd
/opt/CSCOpx/bin
server# ./cwconfig unlock -u <Username> -p <Password> -device 10.76.38.141
* Warning * The -p option is highly insecure and *not* recommended.
* Warning * See -u option for more details.
SUMMARY
Successful 10.76.38.141
Example A-2 Example Usage of cwconfig on Windows:
E:\RME>cwconfig unlock -u <Username> -p <Password> -device 10.76.38.140
* Warning * The -p option is highly insecure and *not* recommended.
* Warning * See -u option for more details.
SUMMARY
Successful 10.76.38.140
Unlocking the Device
To unlock the device:
Step 1 From the CiscoWorks desktop, select Server Configuration > Administration > Job Management.
The Job manager dialog box appears.
Step 2 In the lower panel of the dialog box, select the device that needs to be released.
Step 3 Click Free Resource.
The device will be released.
On your RME server, for more details, see the Server Configuration online help. (Select Server Configuration > Administration > Job Management > Managing Jobs and Resources.)
Q. Using RME, how do I configure Telnet credentials on a device by SNMP?
A. The procedure is to edit the config file of the device and push it back to the device using TFTP protocol.
Procedure
Step 1 Export the config file from the archive using the following command on the RME server machine:
cwconfig export -u username -p password -device device -f filename
If you have set the CWCONFIGFILE Environment variable, then we do not need to give the -u and -p parameters.
For the description, let us say the exported archive is stored as "example".
Example A-3 Running cwconfig export command
E:\Program Files\CSCOpx>cwconfig export -u username -p password -device 10.76.38.148 -f example
* Warning * The -p option is highly insecure and *not* recommended.
* Warning * See -u option for more details.
SUMMARY
Successful 10.76.38.148
E:\Program Files\CSCOpx>
Step 2 Edit the "example" file to change the passwords to what you want.
Example A-4 Edit the following lines to change the password, if you are using simple authentication mechanism.
line vty 0 4
password password
enable password password
Step 3 Save the file after editing.
Step 4 Download this config file ("example") to the device using the following command on the RME server machine.
cwconfig import -u username -p password -device device -f filename
Example A-5 Running cwconfig import command
E:\Program Files\CSCOpx>cwconfig import -u username -p password -device 10.76.38.148 -f example
* Warning * The -p option is highly insecure and *not* recommended.
* Warning * See -u option for more details.
SUMMARY
Successful 10.76.38.148
E:\Program Files\CSCOpx>
Important Points to Remember
•Using the import command merges the modified config file with the running-config file of the device.
•For more details on passwords refer to:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_command_reference_chapter09186a008010a7b8.html
•Instead of the import command, write2run command can also be used which will download only the modified lines. However, write2run command in cwconfig does not erase commands in the running-config of the device, and this is a known issue.
For example, if the running config has the following two commands:
cdp timer 125
cdp holdtime 125
And then you export the config from the archive using export command, remove these two lines from the file and use write2run to write into the running-config file. Even though the status reported is successful, the commmands are still there in the running-config of the device.
The workaround for this is to edit the file and insert "no" in front of the commands that should be removed, instead of removing it.
•For more information on cwconfig command see the Resource Manager Essentials online help (Resource Manager Essentials > Configuration Management > Using cwconfig> cwconfig Command Man Page).
Q. Using RME, how do I configure SSH credentials on a device by SNMP?
A. The procedure is to edit the config file of the device and push it back to the device using TFTP protocol.
Procedure
Step 1 Export the config file from the archive using the following command on the RME server machine:
cwconfig export -u username -p password -device device -f filename
If you have set the CWCONFIGFILE Environment variable, then we do not need to give the -u and -p parameters.
For the description, let us say the exported archive is stored as "example".
Example A-6 Running cwconfig export command
E:\Program Files\CSCOpx>cwconfig export -u username -p password -device 10.76.38.148 -f example
* Warning * The -p option is highly insecure and *not* recommended.
* Warning * See -u option for more details.
SUMMARY
Successful 10.76.38.148
E:\Program Files\CSCOpx>
Step 2 Edit the "example" file to change the passwords to what you want.
Example A-7 Adit/Edit the following lines to change the password, if you are using simple authentication mechanism.
username username password 0 password
enable password password
Step 3 Save the file after editing.
Step 4 Download this config file ("example") to the device using the following command on the RME server machine.
cwconfig import -u username -p password -device device -f filename
Example A-8 Running cwconfig import command
E:\Program Files\CSCOpx>cwconfig import -u username -p password -device 10.76.38.148 -f example
* Warning * The -p option is highly insecure and *not* recommended.
* Warning * See -u option for more details.
SUMMARY
Successful 10.76.38.148
E:\Program Files\CSCOpx>
Important Points to Remember
•Using the import command merges the modified config file with the running-config file of the device.
•For more details on passwords refer to:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_command_reference_chapter09186a008010a7b8.html
•Instead of the import command, write2run command can also be used which will download only the modified lines. However, write2run command in cwconfig does not erase commands in the running-config of the device, and this is a known issue.
For example, if the running config has the following two commands:
cdp timer 125
cdp holdtime 125
And then you export the config from the archive using export command, remove these two lines from the file and use write2run to write into the running-config file. Even though the status reported is successful, the commmands are still there in the running-config of the device.
The workaround for this is to edit the file and insert "no" in front of the commands that should be removed, instead of removing it.
•For more information on cwconfig command see the Resource Manager Essentials online help (Resource Manager Essentials > Configuration Management > Using cwconfig> cwconfig Command Man Page).
Troubleshooting Configuration Management
Use Table A-1 to help troubleshoot the Configuration Management application.
Table A-1 Configuration Management Troubleshooting
Symptom
|
Probable Cause
|
Possible Solution
|
The archive cannot retrieve the configuration module for Catalyst devices.
|
Incorrect password given when adding or importing the device.
|
Enter the correct Telnet and enable passwords for the Catalyst devices in the Essentials database. The configuration archive uses Telnet to gather module configurations for Catalyst devices.
|
The archive cannot retrieve the running configuration for a device.
|
Incorrect read and write community strings given when adding or importing the device.
|
Enter the correct read and write community strings in the Essentials database.
You can also change the order of the protocols used to retrieve the configuration. (The configuration archive downloads configurations from devices using three different transport protocols in order: TFTP, Telnet, and rcp.)
|
The archive cannot retrieve the startup configuration for a device.
|
Incorrect password given when adding or importing the device.
|
Enter the correct Telnet and enable passwords for the device in the Essentials database.
If the device is configured for TACACS authentication, add the TACACS username and password (not the Telnet password) in the Essentials database when you import the device.
If the device is configured for local user authentication, add the local username and password in the Essentials database.
|
DNS hostname mismatch.The hostname is unknown to DNS.
|
The device does not have the DNS server set up to resolve the hostname.
|
Make sure the DNS server can recognize the device hostname, or specify the IP address instead of the hostname.
|
SNMP timeout prevents TFTP from retrieving the running configuration for a device.
|
SNMP did not allow enough time for the operation.
|
Increase the SNMP timeout values.
|
Network Show Commands execute command set error message:
Sorry, no output for this command. Internal error.
|
The device is unreachable.
|
Enable the device.
|
The device attributes have been changed.
|
Update the device attributes in the Inventory database by selecting Resource Manager
Essentials > Administration > Inventory > Change Device Attributes.
|
Network Show Commands message:
%Incomplete command.
|
Incomplete show command specified.
|
Instead of entering an abbreviated command, such as show ip, provide the complete command, for example show ip route.
|
Network Show Commands error message:
The command you entered is not a valid command.
|
Used an invalid show command.
|
Enter a valid show command.
|
Network Show Commands error message:
Failed to run show commands.
|
The wrong command has been entered for the device. For example, a switch command has been entered for a router.
|
Make sure you enter a command that is valid for the device.
|
Network Show Commands mail error message:
SMTP not configured properly.
|
The SMTP server is not running on the mailer machine.
|
Make sure the SMTP server is running on the host.
|
Contract Connection
Contract Connection FAQs
•What are the different types of serial numbers used in Contract Connection?
•What do I do if the serial numbers are out of sync?
•Why is the Electronic Serial Number field blank?
Q. What are the different types of serial numbers used in Contract Connection?
A. There are three types; two on the device and one in the inventory database:
•Shipment Serial Number, which is embedded on the chassis hardware.
•Electronic Serial Number, which you set using CLI when you introduce the device to the network.
•Managed Serial Number, which is the serial number reflected in the inventory database.
Q. What do I do if the serial numbers are out of sync?
A. For Contract Connection to work properly, start with the Shipment Serial Number, because that is the serial number known to Cisco, and do the following:
Step 1 Using the CLI, as described in the device configuration guide, make sure that the Electronic Serial Number matches the Shipment Serial Number.
Step 2 Change the Managed Serial Number to match the other two using Resource Manager Essentials > Inventory > Administration > Change Device Attributes.
Q. Why is the Electronic Serial Number field blank?
A. It is blank because it was not set in the device software when the device was introduced to the network. Update the number using the CLI, as described in the device configuration guide.
Inventory populates the Managed Serial Number using SNMP to get the MIB serial number information from the Electronic Serial Number setting. If the Managed Serial Number field is blank, the inventory collector could not collect the information for one of these reasons:
•The Electronic Serial Number field is not set. You can set this field by using the CLI as described in the device configuration guide, and update the inventory database by selecting Resource Manager Essentials > Inventory> Administration > Change Device Attributes.
•The device does not support MIBs for serial numbers. Select Resource Manager Essentials > Inventory > Administration > Change Device Attributes to enter the information in inventory.
Inventory
Inventory FAQs
•Where can I find out what devices are supported by Inventory?
•What main methods do I have for performing data collection?
•How often should I run Schedule Collection?
•What does the Inventory Poller do?
•How do I know when a schedule collection was last performed and how long it took?
•How can I see the most recent changes?
•Why is the Device Serial Number field blank in inventory?
•How can I make sure a device's serial number is correct, and fix it, if it is wrong?
•Why am I receiving an error message, Write Community = INCORRECT although I have entered the correct Write Community String? This was done using the Inventory tasks, Add Devices or Change Device Attributes.
Q. Where can I find out what devices are supported by Inventory?
A. Select Server Configuration > About the server > Applications and Versions. Under Applications Installed, click Inventory Manager to see a list of the supported devices.
Q. What main methods do I have for performing data collection?
A. You have the Schedule Collection option (Resource Manager Essentials > Administration > Inventory) or the Update Inventory option (Resource Manager Essentials > Administration > Inventory).
Schedule Collection is the heavyweight collection method. It collects on all managed devices at a scheduled time and updates the database.
Update Inventory collects information only on the devices you specify, and it collects the information right away. Update Inventory uses the same collection mechanism as Schedule Collection.
Q. How often should I run Schedule Collection?
A. You should run the Schedule Collection option at least once a week. If your system has more than 100 devices, you might not want to run Schedule Collection that often because it could place too heavy a load on your network. To detect changes in managed devices with the least impact on your network, use the Inventory Poller option.
Q. What does the Inventory Poller do?
A. The Inventory Poller uses a "lightweight" mechanism to determine whether database information is out-of-date. Although the Inventory Poller itself does not perform an actual collection, it determines whether any device information is out-of-date. If information is outdated, the Inventory Poller initiates a full collection on the pertinent devices.
Q. How do I know when a schedule collection was last performed and how long it took?
A. The Scan History option (Resource Manager Essentials > Inventory > Scan History) will give you this information.
Q. How can I see the most recent changes?
A. To view inventory changes made in the last 24 hours, use the Inventory Change Report option (Resource Manager Essentials > 24-Hours Reports).
To view changes made since the last scheduled collection, use the Change Audit application.
Q. Why is the Device Serial Number field blank in inventory?
A. The field is blank because inventory could not obtain the information from the device. This is due to one of these reasons:
•The serial number was not set in the device software when the device was introduced to the network. This should have been done using CLI, as described in the device configuration guide.
The device does not support MIBs for serial numbers.
•In either case you can set the serial number in the inventory database by selecting Resource Manager Essentials > Administration > Inventory > Change Device Attributes, and setting the field to the serial number printed on the device chassis.
Q. How can I make sure a device's serial number is correct, and fix it, if it is wrong?
A. The serial number in inventory should always match the number printed on the chassis. If the serial number does not match the number on the chassis, change it using Resource Manager Essentials > Administration > Inventory > Change Device Attributes.
Q. Why am I receiving an error message, Write Community = INCORRECT although I have entered the correct Write Community String? This was done using the Inventory tasks, Add Devices or Change Device Attributes.
A. Check if you have dropped the system group from the view (read-view and write-view). The system group must be available for read and write operation. In MIB-II, the system group is available as the default.
Troubleshooting Inventory
Use Table A-2 to troubleshoot the Inventory application.
Table A-2 Inventory Troubleshooting Table
Symptom
|
Probable Cause
|
Possible Solution
|
Device import from local database fails. (Solaris only.)
|
The user casuser is not a member of the CiscoWorks groups.
|
Add group membership before starting Essentials.
|
The name resolution is incorrect.
|
Correct the name resolution. If that is not possible, then apply remote import rules; add .rhosts to the casuser home directory.
|
Device import from remote NMS fails.
|
Essentials and the remote NMS reside in different DNS domains.
|
Set up Essentials and the remote NMS stations in the same DNS domains.
|
The device serial numbers or the router chassis numbers differ from those on outside labels.
|
Hardware reports get data from the user-defined optional serial number field when the device or router is added to Essentials (or through Change Device Attributes), not from the SNMP variable chassis serial number. The user-defined serial number takes precedence over the outside label number.
|
No action is required. However, you might want to change the serial number so that it matches the outside label number by selecting Resource Manager Essentials > Inventory > Change Device Attributes.
|
The device stays in a pending state.
|
The database is corrupt.
|
See these troubleshooting FAQs:
•How do I re-initialize the Essentials database on a Solaris system, if the Essentials database is corrupted and the database restore operation has failed?
•How do I re-initialize the Essentials database on a Windows system, if the Essentials database is corrupted and the database restore operation has failed?
|
The DIServer is not running.
|
Check the process status. If the DIServer is not running, restart it.
|
A broadcast address has been imported and is being used for an SNMP write.
|
Suspend the device. Run the address validation tool on the device by selecting Server Configuration > Diagnostics > Connectivity Tools > Validate Device Addresses to ensure that a broadcast address or network address is not being used.
|
Devices are not importing.
|
The access list is applied to the SNMP-server community configurations.
|
Add the permissions to the access lists on all routers.
|
There has been an SNMP timeout.
|
Increase the SNMP slow timeout and slow retry values.
|
Reverse DNS lookup failed.
|
Add a device entry to the localhost file.
|
The device name is not configured in the DNS or localhost file.
|
Add a device entry to DNS or localhost file.
|
Cannot add a device to the database.
|
The HPOV/SNMP has an old version of wsnmp.dll files.
|
Remove or rename HP OpenView version of the wsnmp.dll files.
|
Software Management
Software Management FAQs
•Can an option be provided during Software Management installation to update the /etc/inetd.conf file?
•How does Software Management handle proxy environments?
•Does Software Management support proxy with user authentication environments?
•When a Software Management job is scheduled, how is the baseline determined? When I distribute a job, is an automatic backup performed?
•Can I set up a periodic download of Software Management images from Cisco.com?
•Is browser timeout something I should consider when downloading?
•Do bug reports work for both Cisco IOS and switches? How is the filtering done? Does Software Management document how much we can filter at a granular level?
•What are crypto images?
•When does Software Management use the RCP protocol to transfer images?
•Are there DNS dependencies for RCP to work properly for a device?
•Why does Software Management sometimes leave behind image files in the tftpboot directory after an upgrade?
•How much temporary space is required during image distribution?
•What is the maximum recommended number of devices per upgrade job?
•What is the default SNMP timeout used by Software Management? Can I configure it?
•At what time will the images directory get created during the process of obtaining images from a device? Does this happen during the initial step?
•Which Cisco IOS devices support bootldr images?
•Should I use special images with SWIM for 2900XL/3500XL devices?
•How can I speed up Image Recommendation?
•When a job is rejected, can it be edited or should I resubmit?
•Can different group members edit jobs? What are the restrictions?
•What is the role of the registry files in RME?
•How do I upgrade Network Analysis Module (NAM) using Software Image Management (SWIM)?
•The image imported from Cisco.com (CCO) or from the device, is staged into a temporary staging area. However, the status of the import job is Pending for Import. Why is this so?
•Is the SNMP read-write community string needed for Software Management to work?
Q. Can an option be provided during Software Management installation to update the /etc/inetd.conf file?
A. No. The Software Management installation automatically adds an entry in the /etc/inetd.conf file to start the in.tftpd process.
Note This process may not work in all environments. After installing, the administrator must ensure that the system is setup correctly to run the TFTP/RCP server.
Q. How does Software Management handle proxy environments?
A. Software management uses http protocol to communicate with Cisco.com for downloading images and their attributes. If you use http proxy for Internet connectivity, configure proxy URL information by selecting Resource Manager Essentials > Administration > System Configuration.
Q. Does Software Management support proxy with user authentication environments?
A. No.
Q. When a Software Management job is scheduled, how is the baseline determined? When I distribute a job, is an automatic backup performed?
A. There are two operations that import images from the network to the software library:
•Baseline tasks
•Synchronization
The baseline task (Resource Manager Essentials >
Software Management > Add Image to Library > Network) should be done only once as a part of the initial setup. This imports the images running on the network to your library.
To keep the library synchronized with any new images and changes caused by upgrades from sources other than Software Management, schedule a synchronization job to run periodically at appropriate intervals.
When this synchronization job runs, it looks for differences between the library and the network and allows any new images to be imported. During job distribution, Software Management backs up the current running image only if the option to backup current running image or TFTP fallback was selected when the job was created.
Q. Can I set up a periodic download of Software Management images from Cisco.com?
A. No. However, you can schedule a one-time import from Cisco.com to occur at a later time. Software Management does not allow you to automatically import images from Cisco.com to the library based upon your preferences.
Q. Is browser timeout something I should consider when downloading?
A. The image import operation from Cisco.com and other devices can be done on a scheduled basis. Since this process runs as a background task on the server, the browser is not involved. However, when an immediate import operation is done, it is performed as a foreground task, and the browser can still timeout.
Q. Do bug reports work for both Cisco IOS and switches? How is the filtering done? Does Software Management document how much we can filter at a granular level?
A. Yes, bug reports are supported for both the Cisco IOS software and Catalyst switches. The filtering is done only on the basis of the software version and the platform. This means that a Cisco 2503 running IOS 11.3(2) will produce the same report as a Cisco 2511 access server running IOS 11.3(2).
In Software Management, the features and protocols enabled on the device are not taken into account. This can result in a large number of bugs being reported against a device, not all of which may be applicable to your environment. You must manually review the bugs to find those which may be important to you.
Q. What are crypto images?
A. Crypto images are software images that use 56-bit Data Encryption Standard (DES) (or higher) encryption, and are subjected to export regulations. You must be a registered Cisco.com user, and be eligible and authorized to download such images.
Q. When does Software Management use the RCP protocol to transfer images?
A. If you select the remote copy protocol (RCP) preference under Resource Manager Essentials > Administration > Software Management > Edit Preferences, Software Management uses the RCP protocol to transfer images (upload and download) to Cisco IOS software devices that support CISCO-FLASH-MIB.
Cisco Catalyst 5000 switches and Cisco 700 Series devices do not support RCP. Cisco IOS devices that do not support RCP include Cisco 7000 Series (RP-based 7000 only) and MC3810. All other Cisco IOS devices support the RCP protocol. Software Management always uses the TFTP protocol for config file updates on Cisco IOS devices.
Q. Are there DNS dependencies for RCP to work properly for a device?
A. Yes. If there are multiple IP addresses configured on the device, all IP addresses on the device must be configured using Domain Name System (DNS). Examples of devices with multiple IP addresses are those having many interfaces, with each interface configured with its own IP address, or a device that interfaces configured with primary and secondary IP addresses.
Configure the DNS so all IP addresses are resolved to the same host name. The host name in the DNS should match the hostname in the RME Inventory.
Q. Why does Software Management sometimes leave behind image files in the tftpboot directory after an upgrade?
A. Software Management removes the image files from the tftpboot directory after the upgrade unless the tftp fallback job option is set. If the tftp fallback option is set, Software Management uploads the image from the device and leaves it in the tftpboot directory for fallback.
Software Management also modifies the boot system commands on the device to add a fallback command to boot from the original image on the Essentials TFTP server if the upgraded image does not boot.
Q. How much temporary space is required during image distribution?
A. The amount of free space that is required depends upon the image file size and the number of devices that are being upgraded simultaneously. If the tftp fallback option is set, additional free disk space is required to keep the current image in the tftpboot directory. Disk space is used both in the tftpboot and temp directories.
Q. What is the maximum recommended number of devices per upgrade job?
A. Each job upgrades devices sequentially. The duration of the upgrade varies depending on the network bandwidth and the type of devices being upgraded. The recommended maximum number of devices per job is 12.
Q. What is the default SNMP timeout used by Software Management? Can I configure it?
A. Software Management makes three attempts to connect to the device using SNMP. The first retry timeout interval of 10 seconds is not configurable. Subsequent retry timeout intervals are configurable and are based on the value in the slow timeout variable. To verify the timeout value, select Resource Manager Essentials > Administration > System Configuration.
If the initial attempt to connect to the device fails, Software Management waits three minutes before it attempts to connect again. The three minute wait enables routing protocol or spanning tree convergence to occur, which could have been initiated because another device was rebooted during the software upgrade.
The number of retries is not configurable. The underlying Software Management stack also tries three times to connect to the device. All the secondary addresses configured in DNS for the device are tried during each attempt.
Q. At what time will the images directory get created during the process of obtaining images from a device? Does this happen during the initial step?
A. The software images directory gets created at the time of importing an image to the library; however, this should be transparent to you.
Q. Which Cisco IOS devices support bootldr images?
A. The following Cisco IOS device families support bootldr images:
•Cisco 4500, 4700
•Cisco 7500, RSP-based 7000
•Cisco 7200
•Access Servers 5200, 5300, 5800
•Route Switch Module (RSM) on Catalyst 5000
Q. Should I use special images with SWIM for 2900XL/3500XL devices?
A. 2900XL/3500XL devices consist of the following images:
•Regular Cisco IOS Software Image.
•A TAR format HTML image that contains files for Visual Switch Manager.
•A TAR format image that contains both the above mentioned images.
Software Management uses the TAR format image as well as the Cisco IOS image. These images are posted on Cisco.com. When Add Image to Library from CCO/Slam Dunk is used, only these images are displayed.
The location for the 2900XL and 3500XL images on Cisco.com is as follows:
Cisco.com > Technical Support > Software Center > Cisco IOS Software.
Q. How can I speed up Image Recommendation?
A. If you include Cisco.com for Image Recommendation, try to limit the images by filtering (Resource Manager Essentials > Administration > Software Management >Edit Preferences).
Q. When a job is rejected, can it be edited or should I resubmit?
A. No. You cannot edit or retry the rejected job. You should schedule a new job.
Q. Can different group members edit jobs? What are the restrictions?
A. The only job attribute that can be edited is the schedule time for non maker-checker jobs. Any user who has the netadmin role defined can edit jobs or create new jobs; however, in the maker-checker model, the jobs can only be approved by users who are in the approver list specified during the creation of the job.
Q. What is the role of the registry files in RME?
A. Software Management manipulates the Windows registry to automatically manage remote authentication during the rcp transfers on Windows. The following registry parameters are important for rcp service on Windows:
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crmrsh\
Parameters\DEBUG
Dictates the amount of debug information written in the Windows event log.
(Default = 0, Maximum = 0xff)
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crmrsh\
Parameters\rhosts
Contains the list of authenticated hosts that can run remote commands on this machine. This list is automatically managed by Software Management.
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crmrsh\
Parameters\rusers
Contains the list of authenticated remote users that can run remote commands on this machine. This list is automatically managed by Software Management.
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crmrsh\
Parameters\NoRuserCheck
If set to 1, the remote user authentication is skipped or, in other words, any remote user from authenticated hosts can run commands on this machine. (Default = 0)
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crmrsh\
Parameters\NoRhostCheck
If set to 1, the remote host authentication is skipped or, in other words, commands can be run on this machine from any remote machine.
(Default = 0)
Q. How do I upgrade Network Analysis Module (NAM) using Software Image Management (SWIM)?
A. To upgrade NAM using using Software Image Management (SWIM):
•Ensure that the passwords for NAM's application and maintenance modes are the same.
This is because SWIM takes the password information from Inventory. However, Inventory requires the application mode password to manage the device, and SWIM requires the maintenance mode password to upgrade the device. Therefore, the passwords for NAM's application and maintenance modes should be the same.
•For a NAM card present in a Catalyst 6000 device running CatOS , ensure that you set auto logout to a value that is high enough to allow the copying of the new image.
This is because a NAM image is usually very large (nearly 65 MB), and it may take between 1 to 2 hours to copy this image during SWIM upgrade. We recommend that you set the auto logout to 0 to ensure that there is no auto logout while the image is being copied.
To set the auto logout value, use the CLI command, set logout 0.
For a NAM card present in a Catalyst 6000 device running IOS, ensure that you set exec timeout to a value that is high enough to allow the copying of the new image. We recommend that you set the exec timeout value to 0 (exec-timeout 0 0) on all the vty lines.
•Ensure that the htdocs directory under CSCOpx has enough space to stage the NAM image.
During the NAM upgrade, SWIM first copies the NAM image from the NMSROOT/CSCOpx/files/sw_images directory, to the NMSROOT/CSCOpx/htdocs/swimtemp directory and then copies the NAM image to the NAM card, using HTTP.
•Ensure that NAM is added with the correct Local User (root) and its password.
•Ensure that NAM is added with the correct SNMP read/write community strings.
•Ensure that the switch, which contains NAM, is added with the correct attributes.
Q. The image imported from Cisco.com (CCO) or from the device, is staged into a temporary staging area. However, the status of the import job is Pending for Import. Why is this so?
A. This is because information about some of the image requirements such as minRAM, minFlash, minBootRom etc., cannot be obtained from the image headers imported from Cisco.com (CCO) or from the device.
Therefore, you must enter this information before the check-in of these images into the Software Management library. To do this, click on the URL in the Import Job Results page.
Q. Is the SNMP read-write community string needed for Software Management to work?
A. 1900, 2820, VPN, 700, PIX, NAM devices do not need SNMP read-write commmunity strings for Software Management upgrades.
However, devices such as 2900XL, 3500XL, 2950, 3550, 2500,1600, 800, need SNMP read-write strings, for config update even though the Software Management upgrade is through Telnet.
For all other devices, read-write commmunity strings are mandatory for Software Management upgrade.
Troubleshooting Software Management
Use Table A-3 to troubleshoot the Software Management application.
Table A-3 Software Management Troubleshooting Table
Symptom
|
Probable Cause
|
Possible Solution
|
The approver cannot change the scheduled time for the Distribute Images job using Software Management.
|
Job Approval is enforced on the Distribute Images jobs.
|
Create a new job and submit it for approval.
When the Distribute Images job requires approval, Software Management does not allow you to change the scheduled time for the job from the Browse Jobs screen.
|
Cannot undo an upgrade on Microcom firmware and Catalyst devices.
|
Undoing a software upgrade is not supported on the devices.
|
Check the Supported Device Matrix in online help for the supported devices and software releases.
|
Distribute Images and Image Import jobs fail on a device.
|
Defective software is running on the device.
|
Go to Cisco.com and examine the software image. If it is deferred, contact your TAC representative.
If the software image is not deferred:
1. Select Resource Manager Essentials > Administration > Software Management > Edit Preferences.
2. Select Enable Debugging.
3. Rerun the job and then use the Mail or Copy Log File option to extract Software Management debugging information.
4. Send the information and a complete description of the problem to your TAC representative.
|
A job is in a pending state after the scheduled time.
|
The Essentials server is not functioning correctly, has been powered off, or has been rebooted before the scheduled time.
|
Software Management moves the job to an error state 1 hour after the scheduled time. Do not change the job while it is pending; the system will take care of it.
If necessary, create another job.
|
A job is running, but the Job Details report shows no progress.
|
The Essentials server is not functioning correctly, has been powered off, or was rebooted while the job was running, causing the job to stop.
|
Software Management moves the job to an error state 1 hour after the scheduled time. Do not change the job while it is pending; the system will take care of it.
If necessary, create another job.
|
While modem or CIP microcode images are being added to the Software Management library, the image type is displayed as Unknown. Software Management cannot retrieve attributes from images.
|
Images for the 3640 digital modems are not imported in an AS5300 format file.
|
Download a supported version of the software or firmware from http://www.cisco.com.
Check the Supported Device Matrix in online help for the supported devices and software releases.
|
The Microcode firmware image is not combined firmware/DSP code.
|
The CIP Microcode version is older than 22.0
|
Cannot schedule Distribute Images and Image Add jobs.
|
The at service is not running or is configured incorrectly.
|
If Essentials is running on a Windows system, select Start > Programs > Administrative Tools > Services and check that the service is running. If it is not, start it manually.
If Essentials is running on a Solaris system, make sure the /usr/bin/at command is present. Also make sure that the at.deny file in the /usr/lib/cron directory does not contain the casuser username.
|
Essentials cannot upload images from a device.
|
Essentials needs read-write SNMP access to the device.
|
Configure the read-write SNMP string on the device.
|
The Mail or Copy Log File function does not mail log files.
|
The e-mail address is incorrect.
|
Enter the correct e-mail address in the Mail or Copy Log File options.
|
Software Management does not recognize the Mica/Microcom/CIP cards on an AS5x00 or 7x00 device.
|
The devices are running an unsupported version of IOS system software.
|
Check the Supported Device Matrix in online help for supported devices and software releases.
|
Rcp is not being used to transfer software images between the Essentials server and devices.
|
The device does not support rcp protocol. (Only Cisco IOS devices support rcp.)
or
Rcp is not properly configured on the Essentials server.
|
1. Make sure your device is IOS-based.
2. Make sure that rcp is defined as the preferred protocol.
3. Select Resource Manager Essentials > Administration Inventory > System Configuration to make sure that an rcp username is configured.
|
If Essentials is running on a Windows system:
1. Verify that the CRMrsh service is running correctly using Start > Programs > Administrative Tools > Services.
2. If the service is stopped, start it manually.
3. Launch the Event Viewer from the Administrative Tools group to make sure that the service has started properly.
|
If Essentials is running on a Solaris system, make sure that the home directory for the rcp user account has an .rhosts file in it and that the user casuser has write privileges.
|
The options to Browse Bugs by Device and Locate Devices by Bugs result in the internal error:
Can't resolve address for proxy.
|
The proxy or DNS configuration is incorrect.
|
1. Make sure the proxy URL is set up correctly. Select Resource Manager Essentials > Administration > Inventory > System Configuration.
2. If you configure a hostname for the proxy URL, check for the DNS configuration on the Essentials server.
3. Make sure that you are not required to enter a login each time you access the system. Multiple logins are not supported.
If none of the previous steps correct the error:
1. Run your Internet browser on the server where Essentials is installed.
2. Configure the proxy in the browser.
3. Check to see if you can access www.cisco.com.
4. Call TAC and tell them the actions you have taken to troubleshoot the error and the results.
|
The Schedule Synchronization Job report is not mailed.
|
Incorrect e-mail address.
|
Correct the e-mail address in the Schedule Synchronization Job option.
|
The SMTP server is not configured.
|
Configure the SMTP server by selecting Resource Manager Essentials > Administration > Inventory > System Configuration.
|
Unable to download IOS (error 4151).
|
The /var/tmp file has insufficient space to accommodate the IOS image.
|
Increase the /var/tmp space.
|
The CCO Upgrade Analysis screen and the Recommend Image Upgrade screen time out.
|
The connection to Cisco.com from the Essentials server is slow.
|
Configure Cisco.com filters or select fewer numbers of devices and then retry the operation.
If these actions do not work, follow the instructions specified for the symptom: The Browse Bugs by Device and Locate Devices by Bugs options result in the internal error: Can't resolve address for proxy.
|
The Cisco.com server is down.
|
The Cisco.com filters are not configured correctly.
|
The upgrade failed.
|
Software Management does not allow an upgrade from version 4.0 software to version 4.2 X.25 software on the Cisco 700 series.
|
Upgrade the device to version 4.1 (any feature set), and then upgrade to version 4.2 X.25 software image.
|
Syslog Analysis
Syslog Analysis FAQs
Why am I not getting syslog messages for my devices?
Why does the syslog window appear to lock up when daily syslog messages are being retrieved?
Where does Essentials keep syslog messages?
Where can I get the description of the error messages?
Q. Why am I not getting syslog messages for my devices?
A. You might not be getting syslog messages for one of the following reasons:
•The device is not managed by Essentials.
•The syslog parameters are not enabled correctly on the device.
•Too many messages are being received by the syslog program. On Windows systems, logging for the PIX firewall has a tendency to lock the syslog function due to the massive number of messages from the firewall.
•Filters might be applied to incoming syslog messages. By default, Link Up/Down, PIX, Severity 7, and IOS Firewall Audit Trail messages are filtered out.
Q. Why does the syslog window appear to lock up when daily syslog messages are being retrieved?
A. The query program used by syslog generates large (1.5 MB and greater) HTML pages in table format, and some HTML programs have problems viewing pages this large. It might take a little longer to display large syslog reports.
Q. Where does Essentials keep syslog messages?
A. For the location of the log file that contains syslog information, check the Message Source field in the Change Storage Options dialog box. (To invoke the Change Storage Options dialog box select Resource Manager Essentials > Administration > syslog Analysis > Change Storage Options.) Essentials uses only the syslog file for local7 to get information for the network devices.
Q. Where can I get the description of the error messages?
A. To get the description of the error messages follow either of these procedures:
Procedure 1
Step 1 Select Resource Manager Essentials > Syslog Analysis > Standard Reports.
Step 2 Select the views and devices of the report you want then click Next.
The Select Dates and Report Type dialog box appears.
Step 3 Select the report type and the dates for the report.
Step 4
