Generic troubleshooting of SecureShore connectivity issues with an X-series device:
1. Verify in the XOS configuration that web-server is enabled and that the management-server address is set to the SecureShore NMS server IP address:
CBS# show web-server
Web Server Enabled (true/false) : t
CBS# show management-server
Management Server IP
2. Verify the CPM access-lists. To allow communication between the SecureShore NMS server and the managed device, the following TCP ports must be open:
TCP 18085 from the SecureShore server to the managed device
TCP 443 from the SecureShore server to the managed device
TCP 8443 from the managed device to the SecureShore server
You can use show access-list and show running-config to verify that the access-lists assigned to the CPM management interfaces allow this communication.
3. Verify that the expected processes are listening on ports 18085 and 5443 (cnmsd and java):
tcp 0 0 0.0.0.0:5443 0.0.0.0:* LISTEN 14493/java
tcp 0 0 0.0.0.0:18085 0.0.0.0:* LISTEN 11241/cnmsd
4. Verify that incoming HTTPS traffic to the CPM IP addresses is redirected to port 5443 by iptables, for example:
REDIRECT tcp -- 0.0.0.0/0 192.168.135.60 tcp dpt:443 redir ports 5443
REDIRECT tcp -- 0.0.0.0/0 192.168.135.61 tcp dpt:443 redir ports 5443
5. If all of the above is correct, make sure there is no routing issue (such as a missing route to the SecureShore host). Run tcpdump on the CPM interface eth2 to observe packets between the CPM and the SecureShore server, for example:
# tcpdump -ni eth2 host 192.168.200.100
The capture should show bidirectional traffic on the TCP ports listed above. The initial connection from SecureShore arrives on port 18085. You can also use ping to verify basic network connectivity.
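The checks in steps 3 and 4 can be scripted over saved output, so that a port held by an unexpected process or a missing redirect is flagged rather than overlooked. This is an added example, not part of the original article or the product; the function names are hypothetical, the sample text is constructed from the lines shown above, and it assumes the same column layout.

```shell
# Added example: check saved output from steps 3 and 4 offline.
# Sample text below is constructed from the output lines on this page.

LISTEN_SAMPLE='tcp 0 0 0.0.0.0:5443 0.0.0.0:* LISTEN 14493/java
tcp 0 0 0.0.0.0:18085 0.0.0.0:* LISTEN 11241/cnmsd'

NAT_SAMPLE='REDIRECT tcp -- 0.0.0.0/0 192.168.135.60 tcp dpt:443 redir ports 5443
REDIRECT tcp -- 0.0.0.0/0 192.168.135.61 tcp dpt:443 redir ports 5443'

# listener_owner PORT: read listener lines on stdin and print the program
# name that owns the LISTEN socket on PORT (empty if nothing listens).
listener_owner() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, addr, ":")      # port is the last ":" field
            split($7, owner, "/")         # column 7 is PID/program
            if (addr[n] == port) { print owner[2]; exit }
        }'
}

# has_redirect IP: succeed if the NAT listing on stdin redirects
# TCP 443 addressed to IP to local port 5443.
has_redirect() {
    awk -v ip="$1" '
        $1 == "REDIRECT" && $2 == "tcp" && $5 == ip &&
        $7 == "dpt:443" && $8 == "redir" && $NF == "5443" { ok = 1 }
        END { exit !ok }'
}

# check_cpm LISTEN_TEXT NAT_TEXT IP...: print one line per finding and
# return non-zero if an expected listener or redirect is missing.
check_cpm() {
    net=$1 nat=$2 rc=0
    shift 2
    for pair in 18085:cnmsd 5443:java; do
        port=${pair%%:*} want=${pair##*:}
        got=$(printf '%s\n' "$net" | listener_owner "$port")
        if [ "$got" = "$want" ]; then echo "ok   $port owned by $want"
        else echo "FAIL $port owner '${got}' (expected $want)"; rc=1; fi
    done
    for ip in "$@"; do
        if printf '%s\n' "$nat" | has_redirect "$ip"
        then echo "ok   443 -> 5443 redirect for $ip"
        else echo "FAIL no 443 -> 5443 redirect for $ip"; rc=1; fi
    done
    return $rc
}

check_cpm "$LISTEN_SAMPLE" "$NAT_SAMPLE" 192.168.135.60 192.168.135.61
```

A FAIL line for port 5443 or 18085 that names a different program means something other than the expected service holds the management port and should be investigated before continuing.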