Comware Based
1748280 Members
3846 Online
108761 Solutions
New Discussion юеВ

Re: TFTP for cisco switches with non-default VRF

 
SOLVED
Go to solution
Buuuka
Occasional Visitor

TFTP for cisco switches with non-default VRF

Hi,

I am trying to backup Cisco switches.

The connection is done via MGMT vrf.

The default VRF doesn't hve a route to IMC.

iMC PLAT 7.3 (E0605P06)

I'm missing "configuration center - options - vpn-instance" setting here. Cannot find it in my version.

Is there any way to change VRF for TFTP command for particular devices?

6 REPLIES 6
jguse
HPE Pro

Re: TFTP for cisco switches with non-default VRF

Hello,

The Configuration Center Options "VPN Instance" page requires that you add the devices to the list and then set the instance, but I guess in your case the Cisco device is not in the list, right?

Unsupported devices are filtered automatically, so I suspect the respective scripts for the device do not support VRF. This is a bit surprising if it's Cisco switches, as these normally support VRF out of the box.

Here is a sample from the CisocIOSGeneric adapter's backup_startup_config_tftp.tcl script:

	set cmd_vrf "copy $startupConfig tftp:"

	if { $VpnName != "" } {
	append cmd_vrf " vrf $VpnName" 
	}
	send "$cmd_vrf\r"
	

 

Can you share the SNMP SysOID of your Cisco switches to check? This is what IMC uses to determine which scripts to use.

Best regards,
Justin

Working @ HPE
Accept or Kudo
jguse
HPE Pro

Re: TFTP for cisco switches with non-default VRF

By the way, VPN Instance in general should exist on IMC E0605P06, or at least I have not seen any issues related to it missing . If that's the case, you could try re-deploying the Configuration Center. This will wipe the database and any settings related to Config Center, so make sure you have a DBMAN backup first.

Open DMA and right-click on Intelligent Configuration Center in the Deploy list. Select Undeploy, answer the prompts and wait for it to finish undeploying. This will wipe the DB for ICC. Then you can re-deploy and upgrade the ICC component back to E0605P06. This should 'repair' the ICC component and its DB by setting it back to defaults.

Best regards,
Justin

Working @ HPE
Accept or Kudo
Buuuka
Occasional Visitor

Re: TFTP for cisco switches with non-default VRF

Hi Justin,

Thank you for the promt reply.

I've found the devices. I've looked for Config center -> Option in the wrong place.

The problem still here. 

For some reason I have the following error when trying to run backup: 

%SSH-5-SSH2_SESSION: SSH2 Session request from 10.8.2.15 (tty = 1) using crypto cipher '', hmac '' Failed
.Aug 28 15:18:08.705 WST: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.8.2.15 (tty = 1) for user '' using crypto cipher '', hmac '' closed

Pings are working ok from both sides.

 

I have the very same switches with successful backup, but with default VRF configured.

jguse
HPE Pro
Solution

Re: TFTP for cisco switches with non-default VRF

Hello,

It sounds like there is an SSHv2 negotiation issue. Does the backup work when using Telnet instead of SSH?

You can test the SSH access settings on the Device Details page, on the Configure menu using SSH Settings "Test" button. Does that work for the affected device?

clipboard_image_0.png

 

You could also trace the packets with Wireshark - at least the initial SSH packets can be inspected.

Best regards,
Justin

Working @ HPE
Accept or Kudo
Buuuka
Occasional Visitor

Re: TFTP for cisco switches with non-default VRF

Hi Justin,

Thank you!

It seems the SSH settings were incorrect as well.

Although when I clicked "Test" the output was success, I reapplied our standard template and now backup is working perfectly fine.

Appreciate your support.

Problem solved.

jguse
HPE Pro

Re: TFTP for cisco switches with non-default VRF

Hello,

Welcome, glad to hear it works now. I notice you are running IMC 7.3 E0605P06 - this version is affected by a known issue where credentials from SNMP/Telnet/SSH templates were sometimes reverting to default.

You could do an upgrade to 7.3 E0703 to resolve it, but the upcoming 7.3 E0705 version should only be a few weeks away from release by now, so it may be better to wait for now, as it will fix a number of new issues discovered with E0703.

If you need to fix the template bug but don't want to go to E0703 yet, there is also a hotfix E0605H09 (not published to the website) that I could send you on an FTP via PM as well, which includes the fix for the template issue. Let me know if you'd prefer that.

IMC Downloads: https://h10145.www1.hpe.com/downloads/SoftwareReleases.aspx?ProductNumber=JG747AAE

Best regards,
Justin

Working @ HPE
Accept or Kudo