Channel: THWACK: All Content - Network Configuration Manager
Viewing all 6057 articles

Problems with firmware repository (unable to connect to polling engine)


We have been having one heck of a time trying to get the firmware repository set up for NCM.  We have one polling engine that is throwing an "unable to connect to polling engine" error every time we try to set this up.  We opened a ticket with SolarWinds but they ultimately stated that this storage location has to be accessible from ALL polling engines (and then closed their support ticket).  This is a bad design.  At any rate, this particular engine being referenced is one related to PCI compliance so our first thought was that something on the network side was preventing access, but that's simply not the case.  We can physically access the file server (storage location) from the polling engine itself; it's only when we use the web console to set the storage location that NCM thinks it can't.  Does the primary polling engine reach out to the APEs to verify access?  If so, there may be something between the primary engine and this APE that is being referenced...

 

Has anyone else seen this before?  I'm open to any ideas or suggestions anyone may have.


Using AD credentials passthrough for connection profiles


Hi all,

 

Is it possible to use the logged-in AD credentials a user has to get on SolarWinds as a connection profile, without manually entering the username and password each time a different user logs in? In other words, can it pass through the credentials from the AD login to a connection profile, or in place of connection profiles?

 

Thanks

Delay for Config Change Template


Is there a way to set a delay between commands that are sent using an NCM Config Change Template?  I am having an issue with NX-OS devices that prompt for "yes"s or file names, etc., and it doesn't get the right command at the right time.  A 5 second delay between commands would fix my issue, but I don't know how to add one.  I see that it can be added to a command in the Device template, but I don't see how I can reference a command in a Config Change Template from the device template.  I am currently running NCM 7.0.2.  I need to use Config Change templates and not "execute script".  Does anyone know a way to do this?

Security issues


Dear, I have a query: my Orion server tells me that I have these security problems. Could someone who has had these problems tell me how to solve them, a little more specifically?

 

 

Non-Secure Session Cookies Identified

The website software running on this server appears to be setting session cookies without the Secure flag set over HTTPS connections. This means the session identifier information in these cookies would be transmitted even over unencrypted HTTP connections, which might make them susceptible to interception and tampering.

Contact the vendor of this web application and request the Secure flag be set on session cookies transmitted over HTTPS.

SSL Certificate is Self-Signed

This SSL certificate appears to be issued by a private Certificate Authority (CA). Users will likely receive a security warning if their client software (e.g., web browser) does not trust the issuer of the certificate.

If this certificate is associated with a service accessible to the general public, you may want to consider acquiring a certificate from a well-known CA. Please note the port associated with this finding. This finding may NOT be originating from port 443, which is what most online testing tools check by default.

jQuery Core rquickExpr variable with Cross-Site Scripting Vulnerability

jQuery is vulnerable to Cross-site Scripting (XSS) attacks because the Query() function does not differentiate selectors from HTML in a reliable way. In vulnerable versions, jQuery determines if the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility to build a malicious payload.

This finding indicates that either the root domain url, sub-domain url, or an imported/sourced version of jQuery is below jQuery version 1.9.0. All three scenarios allow an attacker to execute cross site scripting attacks on the root domain.

For details about which pages jQuery has been detected on, as well as detected jQuery script source paths, please refer to the evidence presented in the jQuery Script Detection finding (vulncode 30005875).

Upgrade jQuery to version 1.9.0 or higher. This includes versions of jQuery used on the root domain, subdomain, or imported/sourced libraries.


jQuery Cross-Domain Asynchronous JavaScript and Extensible Markup Language Request Cross-site Scripting Vulnerability

jQuery is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Asynchronous JavaScript and Extensible Markup Language (AJAX) Request is performed without the dataType option, causing text/javascript responses to be executed.

This finding indicates that either the root domain url, sub-domain url, or an imported/sourced version of jQuery is below jQuery version 3.0. All three scenarios allow an attacker to execute cross site scripting attacks on the root domain.

For details about which pages jQuery has been detected on, as well as detected jQuery script source paths, please refer to the evidence presented in the jQuery Script Detection finding (vulncode 30005875).

Upgrade jQuery to version 3.0.0 or higher. This includes versions of jQuery used on the root domain, subdomain, or imported/sourced libraries.


 

 

How does one modify NCM's Firmware Upgrade Operation so it recognizes there is enough free space to proceed?


I'm trying to use NCM's Firmware Upgrade Operation to upgrade multiple Cisco ASAs.

 

Each device has sufficient free space to accept the incoming .bin file, but NCM doesn't correctly recognize this.  It requires me to manually override the upgrade process every time before I can proceed.

 

Here's a screenshot of where the process breaks down, where I have to manually override every device's upgrade:

 

The first highlighted area shows there's 56,928,256 bytes available to receive incoming files.

 

The second highlighted area shows that the incoming file requires 30,763,008 bytes.  NPM doesn't recognize this, and incorrectly pops up the error in the third highlighted area:  "Not enough free space".

 

So the process fails on every node, and I must manually override the process every time.

 

I referenced the manual here: Perform a firmware upgrade operation

 

It shows the highlighted area that appears to suggest that the upgrade will only fail IF there is not enough free space.

 

Why doesn't NCM recognize there's enough free space?

 

How can I reconfigure it to make the right calculation to accurately determine the amount of free space versus the required free space?

NCM's Firmware Upgrade takes seven hours to time out when transferring IOS to a node fails. What can I do to reduce that seven hours?


If NCM Firmware Upgrade's file transfer from NCM to the network node times out (using tftp), it takes NCM seven hours to decide the job has failed.

 

What can I do to NCM to shorten that time-out / failure discovery and get NCM to stop the job and let me troubleshoot it?

IOS-XR Support for NCM


I am curious if anyone has managed to get NCM to successfully backup/restore both the regular and admin configurations for IOS-XR devices.  If you have, what does your Device Template look like, as I'm trying to figure it out.  I wasn't able to locate a pre-made template for this flavor of Cisco OS, so I'm currently creating a new one.  My apologies if I missed a post about this somewhere, however I was not able to locate a related post for this.

 

The specific devices that I'm looking to backup are Cisco ASR 9906 and 9910 models, but this request should be applicable to any device that runs IOS-XR, not just the 9900 series.

 

Thanks for helping out!

Cisco NCS6008: Configuration failing when entering 'admin' mode


Hello, I have an issue trying to develop the device template for Cisco NCS6K. There are two configurations in the router which need to be backed up. These are IOS-XR and the Admin configuration. I know from the ISE that the commands being entered are:

 

terminal length 0

admin

 

It stops at 'admin'; it appears it does not like the change in prompt. Setting the prompt to # in the advanced features does not help. Any ideas?

 

Device template

I have tried both of these versions; I am testing with the 'Admin Startup'.

Version 1

    <Command Name="Startup" Value="show running formal" />
    <Command Name="Running" Value="show running" />
    <Command Name="EnterAdminMode" Value="admin"/>
    <Command Name="ExitAdminMode" Value="exit"/>
    <Command Name="Admin Startup" Value="${EnterAdminMode}${CRLF}${Running}${CRLF}${ExitAdminMode}${CRLF}" />
    <Command Name="Admin Running" Value="${EnterAdminMode}${CRLF}${Running}${CRLF}${ExitAdminMode}${CRLF}" />

 

Version 2

    <Command Name="Startup" Value="show running formal" />
    <Command Name="Running" Value="show running" />
    <Command Name="EnterAdminMode" Value="admin"/>
    <Command Name="ExitAdminMode" Value="exit"/>
    <Command Name="Admin Startup" Value="admin${CRLF}show running${CRLF}$exit${CRLF}" />
    <Command Name="Admin Running" Value="${EnterAdminMode}${CRLF}${Running}${CRLF}${ExitAdminMode}${CRLF}" />

 

 

Log of how to download NCS6K administration configuration

 

 

ISE Username:xxxxxxxxxx

Password:

 

 

RP/0/RP0/CPU0:hkth-core02#terminal length 0
Wed Jul 25 00:44:45.848 UTC
RP/0/RP0/CPU0:hkth-core02#admin
Wed Jul 25 00:44:50.430 UTC

c637614 connected from 127.0.0.1 using console on xr-vm
sysadmin-vm:0_RP0# show running-config
Wed Jul  25 00:45:03.135 UTC
fpd auto-upgrade disable


NCM - backup F5 devices (UCS) - file saved in two places


Hi all,

 

NCM 7.6.

 

I am attempting to use NCM to back-up configuration of our F5 devices, specifically the *.UCS backups, and have followed the instructions at

 

Back up the F5 UCS file in NCM 7.5 and other binary files such as .tgz and .tar - SolarWinds Worldwide, LLC. Help and Su…

 

The running config (SCF – single configuration text file) and startup config (UCS file) are being backed up successfully to <network share>\<devicename>\<date>\<device name>-Running.Config and <network share>\<device name>\<date>\<device name>-Startup.Config respectively.

 

This corresponds with the settings at Settings> All Settings > NCM Settings> Config Archive Folder Locations:

 

Enter a path for the archive directory on this main or additional polling engine NCM server: configured with <network share>

Specify a template that should be used for naming config files: configured with ${NodeGroup}\${Caption}\${Date}\${Caption}-${ConfigType}.Config.

 

However, I am also getting a copy of the UCS file (i.e. a file identical to <devicename>-Startup.Config referenced above) at the root of the network share, named <apparently random string>.config (note lower case 'c' in config), for example 93cf1641-7bc3-4fa0-acf2-6b5e421e9a13.config.

 

The same network share specified under Config Archive Folder Locations is also configured in the Binary Config Storage Settings under Settings> All Settings> NCM Settings.

 

The F5 device template I’m using is as follows:

<Configuration-Management Device="F5 Big IP VPR-C2400" SystemOID="1.3.6.1.4.1.3375.2.1.3.4.48">
    <Commands>
        <Command Name="RESET" Value=""/>
        <Command Name="Reboot" Value=""/>
        <Command Name="EnterConfigMode" Value=""/>
        <Command Name="ExitConfigMode" Value=""/>
        <Command Name="Startup" Value="ucs" IsBinary="true"/>
        <Command Name="Running" Value="config file"/>
        <Command Name="DownloadConfig" Value="tmsh -q show running-config"/>
        <Command Name="UploadConfig" Value=""/>
        <Command Name="DownloadConfigIndirect" Value=""/>
        <Command Name="UploadConfigIndirect" Value=""/>
        <Command Name="DownloadConfigIndirectSCP" Value="tmsh save /sys ${ConfigType} /var/local/NCM.ucs${CRLF}${TransferProtocol} /var/local/NCM.ucs ${SCPServerUserName}@${SCPStorageAddress}:${StorageFilename}${CRLF}yes${CRLF}${SCPServerPassword}"/>
        <Command Name="UploadConfigIndirectSCP" Value="${TransferProtocol} ${SCPServerUserName}@${SCPStorageAddress}:${StorageFilename} /var/local/NCM.ucs${CRLF}${SCPServerPassword}${CRLF}tmsh load /sys ${ConfigType} /var/local/NCM.ucs"/>
        <Command Name="EraseConfig" Value=""/>
        <Command Name="SaveConfig" Value=""/>
        <Command Name="Version" Value="tmsh show /sys version"/>
        <Command Name="Disconnect" Value=""/>
    </Commands>
</Configuration-Management>

 

The F5 node has the following connection profile:

 

Global Connection Profile: <No Profile>  
Login Credentials:  Device
Username:   admin
Password:   ••••••••••••
Enable Level:   <No Enable Login>
Enable Password:  •••••••••••••••••••••••
Execute Scripts Using:  SSH2
Request Configs Using:  SSH2
Transfer Configs Using:  SCP
Telnet Port:   ${GlobalTelnetPort}
SSH Port:   ${GlobalSSHPort}



  I would like to not have the <apparently random string>.config file generated (as it is not obvious which of our multiple F5 devices it comes from, and it is a duplicate anyway and so uses up disk space unnecessarily) but I can’t find what part of the NCM configuration is causing it to be generated and copied to that location.

 

Any thoughts/advice much appreciated.

 

Stuart

Policy Rule Creation - Blocks


Hi all,

 

I've been trying to create a policy rule that would look for the presence of the following statements (Cisco Devices):

 

line aux 0
     access-class 22 in
line vty 0 4
     access-class 22 in

 

The problem is that it's not recognizing access-class 22 in as a string that should exist in each block; it reports no violation as long as it finds it at least once in the config file, and I'm not sure what I did wrong. I tried playing with the parentheses but that didn't help. I tried multiple things, including the string matching that I'm showing in the attached image. I'd really appreciate your input!

NCM jumphost


Is there a way to have NCM use a jumphost server for SSH and telnet access to devices to download and upload configs?

We use HPNA (HP Network Automation) with a bastion host configuration to do it today but want to move to NCM to replace HPNA.

RVRBD-STLHD-CXv8 - SNMP and SSH.xml

RVRBD-STLHD-CXv8 - User Access.xml

Regex expressions for string matching

Hello,

 

I'm new to regex and SolarWinds. I'm trying to come up with a policy rule that checks GigabitEthernet0/2 - 0/45 for the command "switchport mode trunk" and alerts me if it finds it on any of those specified ports.

 

I have been unable to get anything to work. The best I've gotten is

 

interface GigabitEthernet0\/([2-9]$|[1-3][0-9]$|4[0-5])\n\s*\S+\s\S+\s\S+\s\S+\n\s*switchport mode trunk

 

This finds the interface line for the specified ports, skips the next line, and then checks the switchport mode line for trunk vs access. 

 

interface GigabitEthernet0/44
switchport access vlan 20
switchport mode access
switchport voice vlan 40
spanning-tree portfast edge
spanning-tree bpduguard enable

 

SolarWinds searches the config (I made sure the downloaded config was current first) and says this:

Below is a screenshot of my rule in SolarWinds:

 

 

 

Any help would be appreciated.

 

Thanks,

Drew
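
Both the "Policy Rule Creation - Blocks" question and the regex question above come down to testing each configuration block on its own instead of matching across the whole file. The following is an added example, not part of either post and not NCM's policy engine: stand-alone Python run over a downloaded config, generalized to every `line` block. The sample config and all function names are constructed for illustration.

```python
import re

# Constructed sample config (not from any poster's device); IOS indents sub-commands.
SAMPLE = """\
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/7
 switchport access vlan 20
 switchport mode access
interface GigabitEthernet0/44
 description uplink
 switchport mode trunk
interface GigabitEthernet0/46
 switchport mode trunk
line aux 0
 access-class 22 in
line vty 0 4
 access-class 22 in
line vty 5 15
 transport input ssh
"""

def blocks(config):
    """Split a config into (header, [sub-commands]) pairs using indentation."""
    out = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue  # skip blank lines and '!' separators
        if raw[0].isspace() and out:
            out[-1][1].append(raw.strip())  # indented: belongs to current block
        else:
            out.append((raw.strip(), []))   # unindented: starts a new block
    return out

def lines_missing_acl(config, acl="access-class 22 in"):
    """Headers of 'line ...' blocks that do not carry the ACL themselves."""
    return [h for h, body in blocks(config)
            if h.startswith("line ") and acl not in body]

PORT = re.compile(r"interface GigabitEthernet0/(\d+)$")

def trunk_ports(config, low=2, high=45):
    """Ports in low..high whose own block contains 'switchport mode trunk'."""
    hits = []
    for h, body in blocks(config):
        m = PORT.match(h)
        if m and low <= int(m.group(1)) <= high and "switchport mode trunk" in body:
            hits.append(h)
    return hits

if __name__ == "__main__":
    print("line blocks without ACL:", lines_missing_acl(SAMPLE))
    print("trunk ports in range:", trunk_ports(SAMPLE))
```

Comparing the port number as an integer avoids the alternation needed to express 2 to 45 in a regex, and membership in the block body does not depend on how many lines sit between the interface header and the switchport command.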

Are you compliant?


Does your network need to be compliant with any of the official standards, internal standards only, or none?


Overall Running vs. Startup Config Conflicts


I've tried to understand those NCM main page graphs like "Overall Running vs. Startup Config Conflicts" and "Overall Configuration Changes Snapshot". What does the state "unknown" mean? I have nearly 100% of devices as unknown; as a matter of fact, they have always been like that! Not very useful information... I don't understand what the meaning of the possible state "unknown" is. Configs either have the conflict or they don't have it, simple! Yeah, I understand that if the system doesn't see the situation for some reason, it puts it as unknown. But if all my backup scripts are working fine, and everything else in NCM seems to be OK, why are these reports showing unknown? What should I change to make it show the real situation?

How do you SSH to your devices?


When SSHing to devices, do you prefer Credentials-based authentication or Certificate-based authentication?

Who is the Network Stig?


As joepoutre commented on Cisco STIGs:

 

Some say he is the one true font of knowledge for all search engines,

and that electrons are actually shaped like his head.

 

All we know is, he's not the Stig but the Stig's uber-geek cousin, Network Stig.

 

But who can he (or she?) be?

Firmware Upgrades for stacked Cisco switches


I would like to ask how do you handle Firmware upgrades for stacked switches. I found a workaround which is now satisfying in my case. My workaround is quite simple:

As you have the problem that you cannot upgrade multiple stacked switches with the .bin-file within this firmware upgrade process, I've created a pseudo .bin-file to satisfy the SolarWinds process. This pseudo .bin-file is uploaded to the (master) switch by upgrading. The real upgrading process is triggered by the "archive download-sw" command using the .tar-file. Here is a screenshot of how a template could look:

 

 

 

 

So, my question now is, do you know if there is an official solution from SolarWinds for upgrading stacked switches?

NCM - Generate Backup


Hello Everybody,

 

I would like to know: is it possible to generate backups hourly in the NCM module? I did not find the option.

 

Thanks for your help.
