Troubleshooting SecureShore connectivity issues


Article ID: 167960

Products

XOS

Issue/Introduction

How to troubleshoot connectivity issues between SecureShore and X-series. The SecureShore NMS server cannot re-connect to a replaced CPM module on an X-series chassis. The diagnostic reports the following error message:

Unable to discover device 'NAME': java.rmi.RemoteException: The device has rejected a management request made by this server. 
Please verify that the device has been configured to allow management by this server.


Tcpdump shows a short communication on TCP port 18085 between the CPM and SecureShore that is closed by the CPM.

Cause

Generic troubleshooting of SecureShore connectivity issues with an X-series device:

1. Verify in the XOS configuration that web-server is enabled and that the management-server address is set to the IP address of the SecureShore NMS server:

CBS# show web-server
Web Server Enabled (true/false) : t
(1 row)
 
CBS# show management-server
Management Server IP
192.168.200.100
(1 row)

 
2. Verify the CPM access-lists. To allow communication between the SecureShore NMS server and the managed device, the following TCP ports must be open:
  • TCP 18085 from the SecureShore server to the managed device
  • TCP 443 from the SecureShore server to the managed device
  • TCP 8443 from the managed device to the SecureShore server
You can use show access-list and show running-config to verify that the access-lists assigned to the CPM management interfaces allow this communication.


3. Verify that the expected processes (cnmsd and java) listen on ports 18085 and 5443.

[[email protected] admin]# netstat -tnap | egrep "5443|18085"
tcp        0      0 0.0.0.0:5443            0.0.0.0:*               LISTEN      14493/java
tcp        0      0 0.0.0.0:18085           0.0.0.0:*               LISTEN      11241/cnmsd


4. Verify that incoming HTTPS traffic to CPM IP addresses is redirected to port 5443 by iptables, for example:

[[email protected] admin]# iptables -t nat -L -n | grep 443
REDIRECT   tcp  --  0.0.0.0/0            192.168.135.60     tcp dpt:443 redir ports 5443
REDIRECT   tcp  --  0.0.0.0/0            192.168.135.61     tcp dpt:443 redir ports 5443


5. If all of the above is correct, make sure there is no routing issue (such as a missing route to the SecureShore host). Run tcpdump on the CPM interface eth2 to observe packets between the CPM and the SecureShore server, for example:

[[email protected] admin]# tcpdump -ni eth2 host 192.168.200.100

It should display bidirectional communication on the above TCP ports. The initial connection from SecureShore arrives on port 18085. You can also use ping to verify basic network connectivity.


Resolution

This specific case was caused by a missing configuration file, /crossbeam/etc/nms.cf. This file should exist and contain the IP address of the SecureShore NMS server configured in the XOS CLI. The file likely wasn't properly created during the import of the XOS configuration on the replaced CPM. The file can be restored by refreshing the management-server statement in the XOS CLI:

CBS# configure no management-server 192.168.200.100
CBS# configure management-server 192.168.200.100
CBS# copy running-config startup-config


The content of the file can be verified in the Unix command line:

CBS# unix su
[[email protected] admin]# cat /crossbeam/etc/nms.cf
server 192.168.200.100

To activate the change, the cnmsd process needs to be restarted:

[[email protected] admin]# service cnmsd restart
Stopping cnmsd daemon:                                     [  OK  ]
Starting cnmsd daemon:                                     [  OK  ]

The connection from the SecureShore NMS server should re-establish automatically.
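
The checks from steps 3 and 4 and the nms.cf verification above can be scripted over captured command output. The following is an added example, not part of the original article or the product; the function names are hypothetical, the sample input is constructed from the outputs shown above, and the nms.cf check assumes only the single "server <IP>" line the article shows.

```shell
#!/bin/sh
# Added example: checks run over captured command output, so it works offline.
# Function names are hypothetical; ports and IPs are those in the article.

# Step 3: cnmsd must listen on 18085 and java on 5443 (netstat -tnap output).
check_listeners() {
    printf '%s\n' "$1" | awk '
        $6 == "LISTEN" {
            n = split($4, a, ":"); split($7, p, "/")
            if (a[n] == "18085" && p[2] == "cnmsd") c = 1
            if (a[n] == "5443"  && p[2] == "java")  j = 1
        }
        END { exit (c && j) ? 0 : 1 }'
}

# Step 4: HTTPS to the given CPM address must be redirected to port 5443
# (iptables -t nat -L -n output).
check_redirect() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == "REDIRECT" && $5 == ip && $7 == "dpt:443" && $NF == "5443" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Resolution: nms.cf must name the configured management server.
# An empty first argument models the missing file from this case.
check_nms_cf() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == "server" && $2 == ip { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Constructed sample input, copied from the outputs shown in the article.
NETSTAT='tcp        0      0 0.0.0.0:5443            0.0.0.0:*               LISTEN      14493/java
tcp        0      0 0.0.0.0:18085           0.0.0.0:*               LISTEN      11241/cnmsd'
NAT='REDIRECT   tcp  --  0.0.0.0/0            192.168.135.60     tcp dpt:443 redir ports 5443'
NMS_IP=192.168.200.100

check_listeners "$NETSTAT"              && echo "listeners: ok" || echo "listeners: FAIL"
check_redirect "$NAT" 192.168.135.60    && echo "redirect: ok"  || echo "redirect: FAIL"
check_nms_cf "server $NMS_IP" "$NMS_IP" && echo "nms.cf: ok"    || echo "nms.cf: FAIL"
check_nms_cf "" "$NMS_IP"               && echo "nms.cf: ok"    || echo "nms.cf: FAIL (missing file)"
```

On a CPM, pass the live output instead of the samples, for example "$(netstat -tnap)" and "$(cat /crossbeam/etc/nms.cf 2>/dev/null)".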

Workaround

N/A