
FW 16.01.0006 and PCM C 03.20.1741 = SNMP V2 Problem

JoeDassin
Frequent Visitor


Hi everybody,

We decided to update all our switches; here is a little list of the "newer" ones:

2530 : YB 15.18.0007 > 16.01.0006

2620 : RA 15.18.0007 > 16.01.0006

2920 : WB 15.18.0007 > 16.01.0006

For the older ones (2610, 2510...), the updates aren't the same (not Aruba rebranding) and there are no problems.

We have some switches dedicated to tests. To manage our switches we use ProCurve Manager Plus V3 C.03.20.1741; it's old, but I don't have the control to change it for now and the licenses are OK up to 2024 or something like that. Plus it has worked well until now.

To manage switches we use SNMPv2 with passwords and manager use.

The problem with the 16.XX updates is that the Aruba re-branding FW must have changed something in SNMP, because we can't use the "Write SNMP access", so we can't use the scan function in PCM, for example. When we do "Test communication parameters from PCM" it says the SNMP Write access is Restricted. It worked with the older firmware 15.18. We verified the configuration and nothing changed: the names of the communities are OK, the "rules" are OK. On the CLI it seems OK too. When we revert back to 15.18, SNMP works again.

We reflashed but nothing changed; moreover, it happens with every switch/model with 16.01.0006.

We searched in the docs but didn't find anything about an incompatibility between PCM and the newer firmwares. I know PCM is old (and SNMPv2) but we can't change it for the moment.

Does someone have an idea of what changed and if there is a solution?

Also, there is a "bug" only for the 2530 FW 16.01.0006: when we try to set a "rate-limit icmp", with every option the result is "Commit failed", so nothing changes. (The only difference with the other switches in our tests was that our 2530 didn't have a "rate-limit icmp" configuration before the new firmware, whereas our 2620 and 2920 did have a config with rate-limit icmp before flashing.)

EDIT: Since my message, my coworker found that there is a new version 16.01.0007. The release notes don't seem to have fixes for our problem, but we are going to test it. Also, we tried to look at the PCM logs when we tested the "scan" function, but in all the files/folders of PCM (in agent and in server) we couldn't find the right file with the results (we based our searches on the time of the last modification). Does someone know if there is a log file for this?

EDIT 2: The firmware 15.18.0011, which is also new, seems to work well, so I think it's about a feature of the new functionalities of the Aruba re-branding 16.01 firmwares.

Thank you for your attention, and sorry for my language mistakes.

Have a good day.

6 REPLIES
TerjeAFK
Respected Contributor

Re: FW 16.01.0006 and PCM C 03.20.1741 = SNMP V2 Problem

PCM has been end-of-life for a couple of years, and I have also noticed a few things that have stopped working. For me (PCM version 4 and firmware 16.01.0006) scan works for 2530 switches, but not for 2920. We also cannot download the new software list from HP in PCM. Time to move to another management system (IMC or Airwave).

 

JoeDassin
Frequent Visitor

Re: FW 16.01.0006 and PCM C 03.20.1741 = SNMP V2 Problem

Hi and thanks for your answer.

We made some tests, and we now have an SSH problem with 15.18.0011 on the 2530 and 2920.

In "Test communication parameters", it says that the SSH credentials of operator and manager are incorrect. But they are correct. The problem is the same as in my first post, but for SSH in this firmware. The older FW was OK too.

Is there any solution? It works with PuTTY but it's not very practical!

In some logs of procurve client in AccessMgr... .txt (something like that) I can see "VT is not supported on "IP ADDRESS".

EDIT, in another file:

DM_DevMgr...txt VTConnector: Failed to negotiate a transport component [diffie-hellman-group-exchange-sha1][ [diffie-hellman-group14-sha1][unkown cause]

It seems that in 15.18.0011 something modified the cipher or something?

Thanks.

parnassus
Honored Contributor

Re: FW 16.01.0006 and PCM C 03.20.1741 = SNMP V2 Problem

What about trying WB.16.01.0007 (firmware release posted June 9th)? Edit: oops... I read that you already know that; there are no particular fixes for your supposed issue.

It looks like your SSH client is trying to negotiate the SSH session with the SSH Server (the updated Switch) and both can't agree on a common criterion for the key exchange algorithm (your SSH Client seems to be able to choose only diffie-hellman-group-exchange-sha1 while the SSH Server seems able to choose diffie-hellman-group14-sha1 only, which differs from diffie-hellman-group-exchange-sha1 of the Client)... so no agreement is reached for the SSH session.

The WB.16.01.0006 reports correctly a cipher mismatch because the CR_0000189525 states:

"CR_0000189525 Added audit log message to the system logging for the following events:

  • termination of a secure session
  • failure to negotiate the cipher suite due to cipher mismatch for SSL and SSH sessions"

Maybe you can try to force your SSH Client to use the supported cipher with (as example):

# ssh -o KexAlgorithms=diffie-hellman-group14-sha1 ip-address-of-the-switch

and see what happens.

JoeDassin
Frequent Visitor

Re: FW 16.01.0006 and PCM C 03.20.1741 = SNMP V2 Problem

Hi and thank you for your answer!

Very interesting, I didn't know that the second parameter of the DM....txt ( [][*][] ) log could be the cipher used by the switch, I thought it was a second test with another cipher!

But I'm not sure the ProCurve Manager console client is able to change its cipher, since we searched everywhere in the menus.

We tested the connection with PuTTY and the SSH connection works, but anyway we are continuing the tests with PCM :)

We went back to 15.18.0007 and everything works on this FW; we are also testing a lot of configurations.

Another question (yes, there are many, sorry!): is it normal that the SSH connection to the login prompt is a bit long (between 7-12s)? It happens only with our ProCurves; Alcatel login prompts are immediate too. Maybe it is a negotiation thing too?

Thanks again and have a good day !

 

parnassus
Honored Contributor

Re: FW 16.01.0006 and PCM C 03.20.1741 = SNMP V2 Problem

"Very interesting, I didn't know that the second parameter of the DM....txt ( [][*][] ) log could be the cipher used by the switch, I thought it was a second test with another cipher!"

I think this would be interesting to read and, very likely, related to the issue you're experiencing.

"But I'm not sure the ProCurve Manager console client is able to change its cipher, since we searched everywhere in the menus.

We tested the connection with PuTTY and the SSH connection works, but anyway we are continuing the tests with PCM :)

We went back to 15.18.0007 and everything works on this FW; we are also testing a lot of configurations."

I've no direct experience with HP ProCurve Client Manager (PCM) V3 or V4 to be of any help...I suppose you're using the HP PCM V3 and it looks a little bit old (End of 2013), isn't it?

"Another question (yes, there are many, sorry!): is it normal that the SSH connection to the login prompt is a bit long (between 7-12s)? It happens only with our ProCurves; Alcatel login prompts are immediate too. Maybe it is a negotiation thing too?"


Generally speaking, if you're referring to a generic SSH Client like PuTTY or ssh (on GNU/Linux or other similar platform), I think a time window of 7-12 seconds represents a lot of time!

I've a little HPE 1920-8G which provides the SSH Login prompt (asking for Password) in less than 1,5 seconds (I don't use Switch FQDN when invoking the SSH session, just the Switch IP Address...and I'm within the same Subnet so no routing between the SSH Client and the Switch...that's just to give you an order of idea).

If you do a ssh -vv ip-address-of-the-switch you will be able to see SSH Client/Server negotiations.
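The key-exchange mismatch discussed in this thread can be read straight out of `ssh -vv` output. The following is an added example, not part of any poster's reply: the debug excerpt is constructed, its line format is assumed to match recent OpenSSH clients, and the selection rule is the simplified one from RFC 4253 section 7.1.

```shell
# Constructed `ssh -vv` excerpt (not captured from a real switch); the
# algorithm names are the two quoted in the PCM log line in this thread.
sample_log() {
cat <<'EOF'
debug2: local client KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa
EOF
}

# Read `ssh -vv` output on stdin; print "client <list>" and "server <list>".
kex_lists() {
  awk '
    /local client KEXINIT proposal/ { side = "client" }
    /peer server KEXINIT proposal/  { side = "server" }
    /KEX algorithms: / && side != "" {
      sub(/^.*KEX algorithms: /, "")
      print side, $0
      side = ""
    }'
}

# Simplified RFC 4253 section 7.1 rule: the first algorithm in the client's
# list that the server also offers wins. Prints it, or returns 1 if none.
negotiate_kex() {
  old_ifs=$IFS; IFS=,
  for c in $1; do
    for s in $2; do
      if [ "$c" = "$s" ]; then IFS=$old_ifs; echo "$c"; return 0; fi
    done
  done
  IFS=$old_ifs
  return 1
}

# Real use (assumed invocation): ssh -vv ip-address-of-the-switch 2>&1 | diagnose
diagnose() {
  lists=$(kex_lists)
  client=$(printf '%s\n' "$lists" | awk '$1 == "client" { print $2 }')
  server=$(printf '%s\n' "$lists" | awk '$1 == "server" { print $2 }')
  if kex=$(negotiate_kex "$client" "$server"); then
    echo "negotiated KEX: $kex"
  else
    echo "no common KEX (client: $client; server: $server)"; return 1
  fi
}

sample_log | diagnose || true
```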

JoeDassin
Frequent Visitor

Re: FW 16.01.0006 and PCM C 03.20.1741 = SNMP V2 Problem

Hi and thanks for your answers!

Yes, your link is very interesting for my research, thank you for finding it!

Yes, PCM is getting old, but for the moment it's the only solution in my company; some coworkers are working to get a newer one but I don't have any power there...

I will try your command to see if I can see something.

Thanks and sorry for my language mistakes.