We have recently implemented Solarwinds on our network (majority 3750X stacks) and they are showing up as 37xx stacks in the end of support. We are trying to get a number list of all switches that will be end of support, but the list is wrapping all the stacks into single hostnames/IP's. This makes a stack of 4 seem like it is only one upcoming switch replacement.

Does anyone know a way for the list to see stacks of switches as individual switches? Thanks.

Hi,

This is not a big problem as the software installed and has been running fine for a few days now, but I got this warning when recently updating to Network Configuration Manager 7.7

Your environment does not meet the minimum CPU requirements for the following products: Network Configuration Manager 7.7. Performance may be slower than expected. Click for more details >>

Clicking on details produces:

CPU requirements

DISCOVERED: 11/13/2017 2:05:51 PM

DESCRIPTION: Your environment does not meet the minimum CPU requirements for the following products: Network Configuration Manager 7.7. Performance may be slower than expected.

RESOLUTION: For better performance ensure that you have more than 4 CPU cores that are faster than 3000MHz.

The VM specs running NCM are:

Could I get away with upping the core count to 8 or would I still receive warnings with future updates?

Thanks.

I would like to ask how do you handle Firmware upgrades for stacked switches. I found a workaround which is now satisfying in my case. My workaround is quite simple:

As you have the problem, that you cannot upgrade multiple stacked switches with the .bin-file within this firmware upgrade process, I´ve created a pseudo .bin-file to satisfy the SolarWinds process. This pseudo .bin-file is uploaded to the (master) switch by upgrading. The real upgrading process is triggered by the "archive download-sw" command using the .tar-file. Here is a screenshot how a template could look like:

So, my question now is, do you know if there is an official solution from SolarWinds for upgrading stacked switches?

Hi,

I have got some issues when I am trying to update my switch firmware through SCP/SFTP Server which is integrated on Solarwinds Network configuration Manager.

SSH is allowed between Solarwinds Server and Cisco devices. If you faced the same problem please guide me how can we solve this issue ?

I have enabled the SCP server and created one <user > without any password.

Copied the IOS image on X:/sftproot - Solarwinds Server.

Start SFTP server on Solarwinds Server.

Execute Command on switch  :

Router1#copy scp: flash:
Address or name of remote host []? 10.x.x.x
Source username [user1]? user
Source filename []? image_filename.bin
Destination filename [image_filename.bin]?

%Error opening scp://user@10.x.x.x/image_filename.bin (Undefined error)
Router1#

Saw this came out and took a look at the documentation.

Is there a special kind/level of Cisco account/access you need for this to work?

I have a Cisco.com account that is linked to my contracts (lets me download code, etc), but when I try to run the report it says "UserID is not valid".

Hi

That let you keep your cisco hardware as config backup file.

Very like that one Juniper

Using Compliance Reporting to Verify Juniper Alternate Slice Version

Good Morning all,  just curious if anyone else has had this same issue and have been able to resolve it..

I have a config change template that will update the image on our switch stacks.  This Config Change template is setup to use the

archive download-sw  command.  We do this because we only want the .bin file loaded and all of our switch deployments are stacks.

The Script in the Change Control Template is running and the stack will eventually upgrade but I am getting a completion far too early in the 'Transfer Status' screen.  When we see the Status of the transfer is complete and we click on the link for the 'Show Script Results'  This is all that is shown....

---

archive download-sw /imageonly /leave-old-sw tftp://10.164.7.248/c2960x-universalk9-tar.152-2.E5.tar

Loading c2960x-universalk9-tar.152-2.E5.tar from 10.164.7.248 (via Vlan14): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[OK - 26900480 bytes]

Loading c2960x-universalk9-tar.152-2.E5.tar from 10.164.7.248 (via Vlan14): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

examining image...

extracting info (109 bytes)

extracting c2960x-universalk9-mz.152-2.E5/info (786 bytes)

extracting info (109 bytes)

Stacking Version Number: 1.56

System Type:             0x00000000

  Ios Image File Size:   0x0144B200

  Total Image File Size: 0x019A7A00

  Minimum Dram required: 0x08000000

  Image Suffix:          universalk9-152-2.E5

  Image Directory:       c2960x-universalk9-mz.152-2.E5

  Image Name:            c2960x-universalk9-mz.152-2.E5.bin

  Image Feature:         IP|LAYER_2|SSH|3DES|MIN_DRAM_MEG=128

  FRU Module Version:    No FRU Version Specified

Old image for switch 1: flash:/c2960x-universalk9-mz.150-2.EX5

  Old image will be left alone

Old image for switch 2: flash2:/c2960x-universalk9-mz.150-2.EX5

  Old image will be left alone

Extracting images from archive into flash...

--------------

At this point only the 'update' folder exist on the switch the extract process can take as long as 20 minutes or longer depending on the size of the stack.  I would expect that NCM would wait until the extract process is complete and then update the Transfer Status page with complete and have the text that is echoed back to the screen during the extract process in the script results link.  Has anyone else notices this or do I have my script setup with the wrong procedure?  My script portion is below.

-----------------------------------------

script UpgradeIOS (

                         NCM.Nodes @ContextNode,

                         string @IOS_FILENAME )

{

//lets generate the CLI command that will upgrade the switch from the info gathered.

string @CommandLine = 'archive download-sw /imageonly /leave-old-sw tftp://${StorageAddress}/' + @IOS_FILENAME

//Make sure there are no spaces in filename

if (@IOS_FILENAME contains ' ')

{}

else

// Make sure the switch doesn't already have the correct OS Version

if ( @ContextNode.OSVersion StartsWith '15.2(2)' )

{}

else

{

  foreach ( @node in @ContextNode )

  {

      if (@node.OSImage StartsWith 'C2960X-')

       {

        CLI

         {

          @CommandLine

     }

    }

   }

  }

}

When SSHing to devices, do you prefer Credentials-based authentication or Certificate-based authentication?

Does your network needs to be compliant with any of the official standards, internal standards only, or none?

While upgrading a cisco device using the Firmware Upgrade in NCM the files uploads and begins to verify when the process fails. Below is the following information.

Destination filename [c3560c405ex-universalk9-mz.152-2.E6.bin]?

Accessing tftp://192.168.8.12/c3560c405ex-universalk9-mz.152-2.E6.bin...

Loading c3560c405ex-universalk9-mz.152-2.E6.bin from 192.168.8.12 (via Vlan199): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[OK - 20617216 bytes]

20617216 bytes copied in 410.696 secs (50201 bytes/sec)

dir flash: ${SuccessRegEx:c3560c405ex-universalk9-mz.152-2.E6.bin}

Directory of flash:/

    2  -rwx        1716  Mar 29 2011 20:28:41 -05:00  vlan.dat

    3  -rwx    20617216  Nov 14 2017 08:47:59 -06:00  c3560c405ex-universalk9-mz.152-2.E6.bin

    4  -rwx        5144  Nov 14 2017 08:45:38 -06:00  multiple-fs

    7  -rwx       11604  Nov 14 2017 08:45:37 -06:00  config.text

    5  -rwx        2292  Nov 14 2017 08:45:38 -06:00  private-config.text

    6  -rwx    21568478  Aug 21 2014 11:16:41 -05:00  c3560c405ex-universalk9-mz.152-1.E3.bin

57931776 bytes total (15380480 bytes free)

Verifying uploaded image...

ERROR Connection Refused by 10.244.16.31

Any Ideas of why this is happening?

The connection can obviously establish, and only fails once it gets to the verification stage.

Message was edited by: Andrew Clark

Hello all,

     We recently brought on the NCM module and ran into an issue. Our Firewall team and our Network Device team are separate and do not overlap on authority. I have our devices automatically associate with a group based on what they are (aka, an ASA goes to firewall while a Catalyst goes to network device). My problem comes in separating out who gets what. I have 2 approves for network and 2 for firewall changes, how can I say if this device is a firewall only bob or sue can get the email and approve, but if a network device Jack or Jill gets the email and can approve? Any help on this would be greatly appreciated.

It seems I'm missing something in configuring Real-Time Change Detection and Notification with NCM 7.7.  I'd like to see the user name associated with the changes made, but I'm not:

Where do I adjust NCM 7.7 to show the user name associated with the changes detected?

This document is Cisco centric.  I haven't had the opportunity to try this with other devices like Brocade, Extreme or HP

The ‘Firmware Upgrade’ menu choice is not an option that we can use.  When we perform an IOS upgrade very rarely will we upgrade a standalone switch or even use the ‘copy’ command.  Unfortunately, this is how the ‘Firmware Upgrade’ menu choice in Orion works.  When we are upgrading our IOS switches they are always in stacks of 2 or more and we are usually  interested in upgrading just the .bin file and our goto command is the ‘archive download-sw’ command.  The 'archive download-sw' command uses the .tar file and the file respository for the ‘Firmware Upgrade’ menu choice will not recognize a .tar file.  Additionally when you use the ‘Copy’ command and the task is to upgrade a stack of switches you need to ‘Copy’ the .bin file to each switch in the stack individually, however,  when you use the ‘archive download-sw’ command the .bin file will be extracted to all switches in the stack as well as the boot variable updated for the entire stack with one command.

The NCM Config Change Template script at the end is our work-around  for the limitations of the ‘Firware Upgrade’ Menu choice.  So far I have only tested this with Cisco IOS stacks that are the 2960S and the 2960X and roughly around 51 switch stacks have been upgraded...

There is one other NCM limitation that you will need to keep in mind if you use a script like this to upgrade IOS devices in your environment.  That second limitation is NCM will disconnect from the switch if there is no response after a short period of time.  Anyone who has done an image upgrade on a switch stack before knows that this procedure can take some time. Lots of time, it’s 20 or 30 minutes, or possibly longer depending on the size of the stack.  When this happens, you will  receive a completed successfully message in the NCM  ‘Transfer Status Screen’ however the upgrade is far from over as you can see in the scripts result window once you open it up.

A example of the script results window when NCM disconnects before end of upgrade is below.

The work around is to max out the settings under the CLI.  (The CLI settings can be found in All Settings -> Product Specific Settings -> CLI).  I need to mention here that these settings ARE NOT recommended by SolarWinds and could potentially lead to other problems if left this way.  Once the upgrade is complete these settings need to be restored to their original values. I have pasted a screen shot of the CLI settings below:…

Now when the script below is run NCM will not disconnect early and the results are displayed more accurately in the ‘Transfer Status’ Page.  A screen shot of the transfer status is pasted below when using the CLI settings above:…

With the screen shots above its easy to see what is missed when NCM disconnects too early.  When NCM disconnects early the follow up commands are not executed.  This includes the 'write mem' command at the end of the script.  If jthe write mem command isn't executed then a reload of the switch could result in a failed upgrade of the stack.

I used this procedure on few dozen switch stacks and all have completed successfully.  Remember I need to stress that the CLI settings I have shown above ARE NOT recommended by SolarWinds and need to be reset when the upgrades are done or are not being performed to avoid other problems.  For me this is not a big deal we just open the CLI settings make the adjustments and start the upgrade process.  When all nodes are complete we simply set the settings back again.   So far the largest group of nodes I have selected for an upgrade was 15 and the largest stack size in that group was 4. Total time to run through 2 groups of 15 was just about 7.5 hours.  If I upgrade one switch stack with 3 switches it usually takes 55 minutes.

My choices for the IOS upgrade script...

Script for IOS upgrade…..

script UpgradeIOS (

                         NCM.Nodes @ContextNode,

                         string @IOS_FILENAME )

{

//lets generate the CLI command that will upgrade the switch from the info gathered.

string @CommandLine = 'archive download-sw /imageonly /leave-old-sw tftp://${StorageAddress}/' + @IOS_FILENAME

string @Enter = '${CRLF}'

//Make sure there are no spaces in filename

if (@IOS_FILENAME contains ' ')

{}

else

// Make sure the switch doesn't already have the correct OS Version

if ( @ContextNode.OSVersion StartsWith '15.2(2)E5' )

{}

else

{

  foreach ( @node in @ContextNode )

  {

      if (@node.OSImage StartsWith 'C2960X-')

       {

        CLI

         {

          @CommandLine

         }

        CLI

         {

          @Enter

          @Enter

          Show boot

          @Enter

          @Enter

         }

        CLI

         {

          dir

          @Enter

          @Enter

         }

        CLI

         {

          wr me

          @Enter

         }

       }

  }

}

}

As joepoutre commented on Cisco STIGs:

Some say he is the one true font of knowledge for all search engines,

and that electrons are actually shaped like his head.

All we know is, he's not the Stig but the Stig's uber-geek cousin, Network Stig.

But who can he (or she?) be?

Hello, we are trying to eliminate our network devices' violations little by little and we're running into an issue with one category. For disable reverse telnet, we are entering the command line under the console and aux ports "transport input none", but many or the violations are not being removed. We've updated our policy reports and still the majority of the disable reverse telnet violations are there.

Is there another way to refresh the policy reporting, or maybe we're missing another Cisco command for this violation...?

Thank you for any help and assistance that you can provide!

Wayne

We currently use NCM for realtime configuration change detection with our ASA firewalls. We use this to compare configs and show the changes for audit and change control purposes. We are now in the process of replacing ASAs with Firepower Next Gen firewalls. Is there anything in the works for configuration management with these new models?

Thanks Jeff

Can somebody please tell me how to find the schedules for the Configuration Backups on NCM.

I have added some new nodes and they're not downloading configs automatically when they've changed. i can force a manual download, which works okay, but I was running a schedule to compare all node configs at midnight and midday.

This seems to be running for the original nodes, but isn't running for new nodes.

My system was upgraded a few months back and I can't now find where the configuration is to check this

Many thanks

Neil

After seeing multiple Cisco switches (2960S, 2960XR, 3850, and 6509-VSS) devices showing up as "Undefined" in NPM's Hardware Health Overview, I opened a Support Case with Solarwinds.  I'm not used to seeing ANY nodes "Undefined", and I rely on this view as a quick check to see that all power supplies & fans, etc. are in good working order.

The Solarwinds engineer remoted into one of my APE's and ran the local MIB walk tool against a switch that is "Undefined".  The local MIB walk tool bypasses the SW Orion SQL database info, and it was unable to MIB walk multiple newly-Undefined Hardware switches on my network.  This had worked properly pre-IPAM / UDT installation / NPM 12.2 upgrade.

He decided the problem wasn't with NPM, but was with the switches.

So I opened a TAC case with Cisco for a 6509 that was showing up as "Undefined" in NPM.  Their analysis showed no problems with the switch.

So I updated SW Support, and it's in there hands now.  I initially thought this might be associated with too many snmp queries and my new UDT or new IPAM, but having disabled both of those, the issue remains.

SW Support has escalated this, and I'm moving away from IPAM or UDT as a possible cause.

If you see nodes that were previously showing "Up" in the NPM Hardware Health Overview, and are now showing "Undefined", I'd be interesting in learning about your environment and its changes immediately prior to the nodes going "Undefined".

Message was edited by: Richard Schroeder

Heloo,

on NCM v7.4, I see that NCM cisco inventory reports do not show serial numbers of Nexus devices, as well as ASA & Wireless Controller devices !!   Did Solarwinds resolved this issue yet ?

The documentation for both the "TFTP Server Settings" and "SCP Server Settings" web pages (found by going to Settings > NCM Settings in your Orion Web Console, provided you own NCM of course) is quite sparse.  It isn't clear what we are configuring exactly.

When I go to the SCP Server Settings page (seen in the screenshot below) it lists all of my polling engines and has a Username and Password field for each one, along with a place to put a SCP Server IP and the Config Transfer Directory.  I don't understand why there are separate entries for each polling engine.  What do the polling engines have to do with setting up the SCP Server Settings?  Is it intended that we setup a SCP server on each polling engine?  If so, why?  That sounds like a pain in the **** as well as completely unnecessary. 

What we've done is setup a SCP server on our NTA Database server.  So our SCP server doesn't live on any of our polling engines. 

Since we are just using one SCP server, how should I setup the screen below?  Do I just put in the same Username/Password combo along with the same SCP Server address and Directory under each polling engine's section on here?  If so, that is what I tried, however I don't know what to put in the config transfer directory box.  If I put anything other than "/" in it, it won't validate, even though I can successfully transfer stuff to/from the directory via SCP and I've validated that the Windows permissions to that folder allow Everyone to access it (for now while I'm testing it.  I'll tighten that up once I get it working).  The Root directory on our SCP server is "E:\SFTP_Root".  If I put that in on the TFTP Server Settings page, that works, but if I put it in here, it doesn't.  Only "/" works.  I'm so confused why this doesn't work and it just isn't clear what I'm supposed to do...