Ciscoworks help

[Pantlegz]

working on my final project and I can't get cisco works to pick up any devices, does anyone have experience with it? so far I've verified that cdp is on and working, both cisco works and the routers are using snmp version 2c, the community strings are the same on both ends. I have set the snmp host address on the routers, sending both traps and informs and they're all using udp port 162. The server running ciscoworks is able to ping all the routers.

I'm honestly 100% lost here, both me and my instructor have been working on it and we're not having any luck. any ideas?

trying to get it to talk to 2811's for now, if it matters.

 

[spidey07]

Make sure there is no firewall in the way. Look at the snmp counters on the routers/switches to see if it's receiving the SNMP GETs. Other than that the most common is mismatched community strings, or possibly an access list specified on the router for snmp to restrict it to certain hosts. For example snmp-server community mycomm string RW 120, that says only accept SNMP from ACL 120.

Most times with ciscoworks you can add a seed device and run discovery from there. Also double check all device credentials, you can run a report to see what devices aren't able to be fully managed and what credentials are wrong.

 

[spidey07]

Make sure there is no firewall in the way. Look at the snmp counters on the routers/switches to see if it's receiving the SNMP GETs. Other than that the most common is mismatched community strings, or possibly an access list specified on the router for snmp to restrict it to certain hosts. For example snmp-server community mycomm string RW 120, that says only accept SNMP from ACL 120.

Most times with ciscoworks you can add a seed device and run discovery from there. Also double check all device credentials, you can run a report to see what devices aren't able to be fully managed and what credentials are wrong.

 

[Pantlegz]

thanks for the response spidey, I'll check it out after lunch. I know the credentials/community strings are ok on both sides, but how do I check the snmp counters on the routers? I tried to 'debug snmp packets' and didn't get anything. There are no ALC's on any of the routers yet, they're very basic want to get everything working then I'll throw the ACL's up.

 

[spidey07]

Show snmp will give you the counters. Debugging would be even better, just remember to be careful with it - like don't do any debugging where you would expect a ton of messages.

Debug and other messages by default won't be sent to terminal lines (vty - your telnet). Turn on terminal monitoring to see any debugs with command "term mon"

 

[Pantlegz]

Chassis: FTX1031A53R
0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    0 Get-next PDUs
    0 Set-request PDUs
    0 Input queue packet drops (Maximum queue size 1000)
30 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    0 No such name errors
    0 Bad values errors
    0 General errors
    0 Response PDUs
    19 Trap PDUs

SNMP logging: enabled
    Logging to 192.168.2.10.162, 0/10, 19 sent, 0 dropped.

SNMP Manager-role output packets
    0 Get-request PDUs
    0 Get-next PDUs
    0 Get-bulk PDUs
    0 Set-request PDUs
    11 Inform-request PDUs
    4 Timeouts
    0 Drops
SNMP Manager-role input packets
    0 Inform request PDUs
    0 Trap PDUs
    7 Response PDUs
    0 Responses with errors

SNMP informs: enabled
    Informs in flight 0/25 (current/max)
    Logging to 192.168.2.10.162
        8 sent, 0 in-flight, 3 retries, 1 failed, 0 dropped

I'm also going to throw my running config up there, just to make sure there isn't something simple I missed...

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

hostname KC

boot-start-marker
boot-end-marker

enable secret 5 $1$r1mF$J5cSZ4Zok3aCJ/OIecEXv1

aaa new-model

aaa authentication login default group radius local none

aaa session-id common

resource policy

memory-size iomem 15
ip subnet-zero

ip cef

ip rcmd remote-host admin 192.168.2.10 admin enable
ip rcmd remote-host admin 192.168.2.10 brad enable

voice-card 0
 no dspfarm

username KC password 7 140713181F13253920
username brad privilege 15 secret 5 $1$lI29$BDSRh14jHXQFICNDPgbdp1

interface FastEthernet0/0
 ip address 192.168.4.2 255.255.255.0
 duplex auto
 speed auto

interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto

interface Serial0/2/0
 ip address 192.168.6.1 255.255.255.252

interface Serial0/2/1
 ip address 192.168.7.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname PHO
 ppp chap password 7 140713181F13253920

router ospf 50
 log-adjacency-changes
 network 192.168.3.0 0.0.0.255 area 0
 network 192.168.6.0 0.0.0.3 area 0
 network 192.168.7.0 0.0.0.3 area 0
 default-information originate

ip classless
ip route 0.0.0.0 0.0.0.0 192.168.4.1

ip http server
no ip http secure-server

snmp-server community public RO
snmp-server community topsecret RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps gatekeeper
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps flash insertion removal
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps wlan-wep
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bstun
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps dial
snmp-server enable traps dlsw
snmp-server enable traps dsp card-status
snmp-server enable traps dsp oper-state
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmobile
snmp-server enable traps ipmulticast
snmp-server enable traps mpls ldp
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls vpn
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server enable traps stun
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps vsimaster
snmp-server enable traps vtp
snmp-server enable traps director server-up server-down
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ccme
snmp-server enable traps srst
snmp-server enable traps voice
snmp-server enable traps dnis
snmp-server host 192.168.2.10 inform version 2c public
snmp-server host 192.168.2.10 version 2c public

radius-server host 192.168.3.2 auth-port 1812 acct-port 1813 key 7 122E0C19200A080D3F38

control-plane

gatekeeper
 shutdown

line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password 7 1454110A1F172F392B2460

scheduler allocate 20000 1000
ntp clock-period 17179986
ntp master 4
ntp server 199.240.130.1

end

there is my show snmp, looks rather slim for running for a few hours but I'm not sure what I'm looking for, or show much.

I didn't even think about debug messages not being sent over vty but still not getting anything there... I'll give it a while since it looks like only 8 snmp packets have been sent in the last few hours..

 

[Pantlegz]

so, if I manually enter the devices it works, or seems to work. I just had to manually enter the user names/passwords as well as the ip and both community stings. Seems like for 6k+ they would have a product that would at least discover their own devices...

 

[ciscoman]

so, if I manually enter the devices it works, or seems to work. I just had to manually enter the user names/passwords as well as the ip and both community stings. Seems like for 6k+ they would have a product that would at least discover their own devices...

Common Services will perform a discovery. You HAVE to put in seed devices for an auto discovery to work. Seed devices tell CiscoWorks where to start looking for devices. You'll need to tell it what all of the default SNMP and telnet/ssh credentials are so CiscoWorks can access the devices once it finds them. CiscoWorks uses CDP to see what a devices neighbors are, and then tries to access those devices via SNMP and/or telnet/SSH. For that to work, you'll need all of your devices to be configured the same. Also, the discovery works best in a LAN situation. If you've got a bunch of WAN links, then you'll likely have to have a seed from every remote location. The discovery doesn't work well over WANs.

CiscoWorks requires lots of hands-on massaging to get it to work well and to use all of the functionality. I don't think ANYONE has EVER called CiscoWorks easy.

 

[RadiclDreamer]

Just a side note, its not a good idea to use password 7 passwords. They are easily cracked since they use reversable encryption. I see this is a test lab so pointing out your passsword is #casserol3 shouldnt be an issue 😉