Release Notes for CiscoWorks Network Compliance Manager, 1.3
December, 2007
These release notes include important information regarding CiscoWorks Network Compliance Manager (NCM), Release 1.3. CiscoWorks NCM tracks and regulates configuration and software changes throughout a multivendor network infrastructure. It provides visibility into network changes and can track compliance with a broad variety of regulatory, IT, corporate governance, and technology requirements. CiscoWorks NCM helps IT staff identify and correct trends that could lead to problems such as network instability and service interruption.
CiscoWorks NCM integrates with CiscoWorks: it is initially launchable from the CiscoWorks home page and interoperates with other CiscoWorks applications, such as the LMS bundle, through the CommonServices Device Credential Repository (DCR).
Note All documentation, including this document and any or all of the parts of the CiscoWorks NCM documentation set, might be upgraded over time. Therefore, we recommend you access the CiscoWorks NCM documentation set using the Cisco.com URL: http://www.cisco.com/en/US/products/ps6923/tsd_products_support_series_home.html
The Docs tab visible from within CiscoWorks NCM might not include links to the latest documents.
Contents
This release note contains the following sections:
• Caveats
• Accessing the CiscoWorks NCM Documentation Set
• Obtaining Documentation, Obtaining Support, and Security Guidelines
Features in This Release
CiscoWorks NCM Release 1.3 contains a number of new features and enhancements.
Automated Software Image Management
The Automated Software Image Manager uses custom integration with Cisco.com to dynamically download device software images into CiscoWorks NCM for deployment. CiscoWorks NCM uses the following steps:
•CiscoWorks NCM queries Cisco.com for the OS versions that are available for the device.
•CiscoWorks NCM presents image choices within the UI.
•You select an image.
•CiscoWorks NCM downloads the software image and automatically populates the requirements for the software image, such as hardware and memory.
CiscoWorks NCM can analyze the Cisco devices, including hardware components and feature sets, and present you with the specific software images that Cisco recommends for the device, as well as all other valid options.
The Automated Software Image Manager feature requires a valid Cisco.com credential.
End of Sale/End of Life Report Tool
The End of Sale/End of Life Report tool retrieves information about the impacted devices and modules in your network, and then generates an End of Sale/End of Life Report that lists the devices that have reached their End of Sale or End of Life date. You can tell at a glance the status of a device: End of Sale information appears in yellow and End of Life information appears in red.
The End of Sale information for a device refers to announcements made in Cisco.com regarding the ending of sales of a device or hardware.
The End of Life information refers to announcements made in Cisco.com regarding the ending of service and support of a device or hardware.
The End of Sale/End of Life Report feature requires a valid Cisco.com credential.
Software Image Synchronization
Software image synchronization ensures that you always have a backup of the OS images running in your network. You can ensure you always have a backup copy of the last "known good" software image. Archiving software images into CiscoWorks NCM from the network is completely automated. In the event you need to Request Material Authorization (RMA) an existing network device, you can use CiscoWorks NCM to deploy the original software image and its configuration files.
Interface Provisioning & Management
CiscoWorks NCM interface management capabilities enable you to search for interfaces on devices that match specific criteria. For example, you can now search and identify all interfaces on a device that are configured as "down." You can also select the specific interfaces and push a change directly to them without requiring any scripting.
Masked Variable Support for Advanced Command Scripts
With CiscoWorks NCM, you can now create sensitive information variables for input within advanced command scripts. The value of the variable is not displayed in the Session Log or when you enter the value. This protects sensitive information, such as passwords, when using command scripts.
Policy Manager and Compliance Enhancements
Until now, CiscoWorks NCM has automated policy compliance on an "as-configured" basis. However, devices can be configured in ways that the installed network interface cards do not support or they could be configured one way, but physically wired another. CiscoWorks NCM adds the ability to automate compliance on an "as-running" basis, as well as the traditional "as-configured" basis. "As-running" policy compliance ensures that not only is the network configured properly, but that it is running as expected.
CiscoWorks NCM introduces the diagnostic policy rule to ensure "as-running" compliance. This capability can be used in conjunction with configuration policy rules to achieve comprehensive network compliance. The ability to set policy on the "as-running" state is useful in validating that configuration changes have not negatively impacted device operations.
Software Policy Compliance
In CiscoWorks NCM 1.3, Software Compliance is moved under the umbrella of the Policy Manager. You can now create more flexible, powerful software compliance rules to ensure network compliance. The former Software Compliance feature, where you could set software levels to be Gold, Silver, and so on, is now referred to as Software Levels.
Conditional Logic In Policy Rules
Validating device configuration settings is typically dependent on a number of factors, such as what OS version is running on a device. In CiscoWorks NCM 1.3, you can now use conditional logic to set up policy rules. If, Then, and Else conditional clauses are fully supported. You no longer have to use regular expressions or PERL scripts. You can easily create conditional clauses.
Usability Improvements for Policy Rule Creation
CiscoWorks NCM 1.3 reduces the need for regular expressions when building policy rules. The use of regular expressions is now optional. You can now specify that the lines in a rule must be unique in a given defined section. For example, specific SNMP community strings should be present, but no other SNMP community strings should be defined. There can be no other lines present within this block.
You can also leverage CiscoWorks NCM data model elements within rules, including standard and extended device custom data fields. For example, you can create a single rule that validates that all devices have their hostname formatted to company standards or validates the contents of a custom data field.
Searching Enhancements
You can now search extended device custom data fields in both the Search for Devices and Advanced Search pages. In addition, you can now search for devices using a specific Device Password Rule.
Search for Policies and Search for Compliance
CiscoWorks NCM 1.3 introduces two new search capabilities: Search for Policies and Search for Compliance. Search for Policies enables you to search for existing policies based on name, creation date, CVE number, and more. The Search for Compliance gives you granular searching ability on the compliant state of devices in the network. This enables you to easily create searches and reports that provide information such as:
•Which devices are out of compliance with this specific policy?
•Which devices are out of compliance with this specific rule?
•What policies is this device currently violating?
All standard searching capabilities are included with these new search features, including grouping resulting devices, running tasks against selected devices to remediate, and so on.
Reporting Enhancements
Administrators can now configure CiscoWorks NCM to generate commonly accessible Summary reports. This is only necessary in environments where View Partitions are enabled and Summary reports need to be accessed by multiple users within one group. CiscoWorks NCM 1.3 also includes a new dashboard report that shows the number of devices in and out of compliance.
Device and Configuration Management Enhancements
CiscoWorks NCM 1.3 includes many enhancements to the device and configuration management features, including:
•Device Groups on the Device Groups page are now expandable and collapsible. The page will retain the expanded/collapsed state for each user.
•The ability to configure how many Device Password Rules CiscoWorks NCM attempts for each device before failing.
•The ability to dynamically group devices based on which Device Password Rule they are currently using.
•The ability to view which Device Password Rule a device is using on the device home page.
•The ability to save a device configuration to a text file with one click.
New Protocol Support - IPv6 and SNMPv3
CiscoWorks NCM 1.3 has added the IPv6 and SNMPv3 protocols to meet the needs of government, large enterprise, and security conscious customers. With IPv6 support, CiscoWorks NCM is able to manage devices in either a pure IPv6 or dual stack IPv4/IPv6 network. With SNMPv3, CiscoWorks NCM can securely communicate with devices via SNMP.
Horizontal Scalability Architecture
CiscoWorks NCM 1.3 has been expanded to provide a new horizontal scalability option as a deployment architecture. In a scenario where you need to increase CiscoWorks NCM application server performance, you can add additional application servers to distribute the load across servers, horizontally. This setting assumes there is no limiting factor in the database.
Enhanced Satellite Mesh Architecture
The Satellite architecture enables you to manage devices that are traditionally difficult to reach due to overlapping IP addressed networks and/or heavily NAT'd environments. CiscoWorks NCM 1.3 has extended the architecture to provide the following new capabilities:
•Software image caching to save time and bandwidth on device OS updates
•Real-time change detection via syslog
•Device management via FTP, TFTP, and SCP
Enhanced Multimaster Mesh Capabilities
CiscoWorks NCM 1.3 contains the following enhancements to the Multimaster Distributed System capabilities:
•Per core maximum concurrent task setting. Each core can now be configured with a max concurrent task setting applicable to that core only. For example, if Core A and B are connected by Multimaster, Core A can have a max concurrent task setting of 200 whereas Core B can have a max concurrent task of 50.
•Continuous real-time change detection via syslog in the event of core failure. You can now configure devices to send syslog messages to multiple cores in a Multimaster mesh without worrying that multiple cores will snapshot the device. CiscoWorks NCM will only snapshot the device once. The benefit of this enhancement is that if one core goes down, you do not need to update the configurations on all devices to issue syslogs to the (temporary) managing core.
Performance Enhancements
CiscoWorks NCM 1.3 includes numerous performance enhancements. You should notice these performance enhancements when:
•Running group tasks, especially group Snapshot tasks
•Performing batch edit operations across hundreds of devices
•Overall task throughput
API and CLI Enhancements
To make Web services integration easier, CiscoWorks NCM 1.3 now includes a WSDL file as a part of its SOAP API. CiscoWorks NCM 1.3 includes the following new API/CLI capabilities:
•Ability to enable and disable user accounts
•Ability to add, edit, and delete Device Password Rules
•Ability to list and show ACLs for a given ACL ID, handle or device ID
•Ability to list and show policies
•Ability to show compliant state for a given device ID
•Ability to list device compliance state with a given policy
•Compliant state is now an output field in the list device and show device commands (API only)
•Ability to turn off pre and post snapshots when a command script is run
Installation Enhancements
You can now install CiscoWorks NCM updates and CiscoWorks NCM Driver packs using a CLI installer on Linux and Unix systems. X Windows is no longer required for CiscoWorks NCM installs on Linux or Unix.
System Requirements
This section includes the following:
Protocols and Ports
CiscoWorks NCM communicates with devices using a combination of the following protocols and ports as described in Table 1. If you use a given protocol, CiscoWorks NCM requires access to the corresponding port. Specifically, if CiscoWorks NCM communicates with devices protected by firewalls, these ports need to be opened.
Linux Server Requirements
The following tables provide the recommended requirements when installing CiscoWorks NCM on a Linux platform. Keep in mind that the application server and the database server can be configured together or separately depending on the size of the network.
Note You must stop other network management applications, Web servers, databases, and Syslog/TFTP servers running on the same system before installing CiscoWorks NCM. Applications include anti-virus (during Setup only) and WWW Publishing Server applications.
Note When installing CiscoWorks NCM on a Linux platform, Nmap 3.81 is required for Nmap scanning when running the Detect Network Devices task.
Summary Reports
Summary reports are generated in the Microsoft Excel XLS format. Excel does not run on Linux. You can either run the Summary reports from a Windows client computer connected to your CiscoWorks NCM server or you can use one of the following products that run on Linux and can open Excel files:
•Open Office (www.openoffice.org)
•GNUmeric (www.gnumeric.org)
•Star Office (wwws.sun.com/software/star/staroffice)
Solaris Server Requirements
The following tables provide the recommended requirements when installing CiscoWorks NCM on a Solaris platform. Keep in mind that the application server and the database server can be configured together or separately depending on the size of the network.
Note On the Solaris platform, ensure that all standard utilities such as whoami are installed under /usr/ucb.
Note You must stop other network management applications, Web servers, databases, and Syslog/TFTP servers running on the same system before installing CiscoWorks NCM. Applications include anti-virus (during Setup only) and WWW Publishing Server applications.
Note When installing CiscoWorks NCM on a Solaris platform, Nmap 3.81 is required for Nmap scanning when running the Detect Network Devices task.
Summary Reports
Summary reports are generated in the Microsoft Excel XLS format. Excel does not run on Solaris. You can either run the Summary reports from a Windows client computer connected to your CiscoWorks NCM server or you can use one of the following products that run on Linux and can open Excel files:
•Open Office (www.openoffice.org)
•GNUmeric (www.gnumeric.org)
•Star Office (wwws.sun.com/software/star/staroffice)
Windows Server Requirements
The following tables provide the recommended requirements when installing CiscoWorks NCM on a Windows platform. Keep in mind that the application server and the database server can be configured together or separately depending on the size of the network.
Note You must stop other network management applications, Web servers, databases, and Syslog/TFTP servers running on the same system before installing CiscoWorks NCM. Applications include anti-virus (during Setup only) and WWW Publishing Server applications.
CiscoWorks NCM and LMS Co-residency Requirements
The following are the recommended requirements when you are enabling co-residency of CiscoWorks NCM and CiscoWorks LAN Management Solution (LMS):
•Operating System on the Application Server: Microsoft Windows 2003
•Server Hardware: At least a Xeon (or a Dual Core) Processor with 8 GB of RAM.
For detailed information on CiscoWorks NCM and LMS co-residency, refer to the Usage Notes for CiscoWorks Network Compliance Manager and LMS Co-residency.
Resolved Problems
Table 11 lists the problems that were resolved in CiscoWorks Network Compliance Manager, Release 1.3.
Caveats
Please read the following regarding usability issues before using CiscoWorks NCM 1.3.
Browser Certificate Information
When upgrading to CiscoWorks NCM 1.3, ensure you close any browsers, as the upgrade will generate a new browser certificate. If you do not restart your browser connection to the CiscoWorks NCM server after an upgrade, you will receive a message indicating that the browser certificate has an invalid signature.
Device Tasks Ignore User-defined enforce_save Device Variable
Device tasks that modify a device's configuration, such as the Deploy Password or Deploy Configuration tasks, ignore the setting for the enforce_save device access setting. As a result, the current configuration is always saved to startup (via a mechanism such as write memory).
Workaround: The DeviceInteraction/EnforceConfigurationSave/ConfiguringModels configuration option in appserver.rcx can be set to false. This has the effect of disabling the save from running to startup configuration for all device tasks that reconfigure the device.
CiscoWorks NCM Core Gateways
You cannot configure redundant CiscoWorks NCM Core Gateways in the same CiscoWorks NCM Realm as a single CiscoWorks NCM Core.
Workaround: Edit the adjustable_options.rcx file and add the other CiscoWorks NCM Core Gateways' IP address(es):
<array name="rpc/allowed_ips">
<value>10.255.54.10</value>
</array>
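A check that can be run after making this edit, as an added example rather than Cisco code: it reads the rpc/allowed_ips array and compares it with the gateway addresses you expect. The <options> root element, the second and third sample values, and the expected-gateway list are assumptions made for the example, and each value is assumed to be a single host address as in the fragment above.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from the workaround, wrapped in a
# hypothetical <options> root so that it parses as a document. The second
# and third values are made up for the demonstration.
SAMPLE_RCX = """<options>
  <array name="rpc/allowed_ips">
    <value>10.255.54.10</value>
    <value>10.255.54.11</value>
    <value>10.255.54.0/24</value>
  </array>
</options>"""


def read_allowed_ips(xml_text):
    """Return the raw <value> strings found under rpc/allowed_ips."""
    root = ET.fromstring(xml_text)
    values = []
    for array in root.iter("array"):
        if array.get("name") == "rpc/allowed_ips":
            values += [(v.text or "").strip() for v in array.findall("value")]
    return values


def audit_allowed_ips(xml_text, expected_gateways):
    """Compare the allow list with the gateways that should be in it.

    Returns addresses that are missing, addresses that are present but
    not expected, and entries that are not a single host address.
    """
    expected = {ipaddress.ip_address(g) for g in expected_gateways}
    seen, invalid = set(), []
    for raw in read_allowed_ips(xml_text):
        try:
            seen.add(ipaddress.ip_address(raw))
        except ValueError:
            invalid.append(raw)  # e.g. a network range or a typo
    return {
        "missing": sorted(str(a) for a in expected - seen),
        "unexpected": sorted(str(a) for a in seen - expected),
        "invalid": invalid,
    }


if __name__ == "__main__":
    # Hypothetical list of the Core Gateways that should be allowed.
    print(audit_allowed_ips(SAMPLE_RCX, ["10.255.54.10", "10.255.54.12"]))
```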
Selecting Rlogin with FTP
When editing a device's connection information, if you select Rlogin for the connection method and FTP for the transfer protocol, Rlogin does not remain selected.
Workaround: Select Rlogin and Telnet for the transfer protocol. As a result, Rlogin remains selected.
Imported Policies with "does not contain" Rules are Displayed Inaccurately
When importing a policy with a rule that includes a "does not contain" condition, it is displayed as "contains" in the CiscoWorks NCM UI. When the rule is processed, it is correctly processed as "does not contain". However, it is displayed incorrectly in the CiscoWorks NCM UI.
Workaround: Edit the rule, change "contains" to "does not contain", and save the rule.
Configuration Management: Configuration Policy Verification
The Short Circuit In Rule Evaluation setting on the Administrative Settings > Configuration Mgmt page, under the Configuration Policy Verification, controls whether the short circuit preference should be allowed in logic evaluations. For example, if condition A is evaluated as false in expression A and B, condition B is not evaluated. If condition A is evaluated as true in expression A OR B, condition B is not evaluated.
The Short Circuit evaluation for OR conditions, such as A OR B, returns a wrong evaluation result. Do not use the Short Circuit setting when using OR conditions.
CLI Help Information is Inaccurate for the Import Command's Append Option
The import CLI command includes an append option that controls whether CiscoWorks NCM appends or overwrites the log file specified by the log option. The CLI Help incorrectly documents the append option. The append option does not affect the data that is imported. Only the log file generated by the import process is affected.
Downloading Software Images from Cisco.com
You can download software images from Cisco.com for devices that are not currently in your CiscoWorks NCM system. However, to be able to successfully deploy the software image, you may need to modify the driver and/or model information.
Workaround:
1. From the Devices menu, select Device Tools and click Software Images. The Software Images page opens.
2. In the Action column, click Edit for the software image you want to modify. The Edit Software Image page opens.
3. In the Image Set Requirements field, modify the driver and/or model information to be compatible with the device in CiscoWorks NCM.
4. Click Save Software.
Pagination does not work on the Event Notification and Response Rules page
If there are more than 25 Event Rules, CiscoWorks NCM paginates the list of Event Rules, but only displays the first page.
Workaround: Set "Display results in groups of" to All in the lower right-hand corner of the Event Notification and Response Rules page. As a result, pagination is turned off and all Event Rules are displayed.
CiscoWorks NCM Upgrade does not Restore CiscoWorks NCM Multimaster Distributed System Settings
During the CiscoWorks NCM upgrade process, the distributed.rcx file is not restored. This file is used for the CiscoWorks NCM Multimaster Distributed System. As a result, you must manually restore the distributed.rcx file after upgrading CiscoWorks NCM.
Workaround: Copy the distributed.rcx file from the ReplicationScriptToolBundle of the upgraded version of CiscoWorks NCM to the CiscoWorks NCM server at <NCM_HOME>/jre.
Multimaster Distributed System: Importing Devices
If you import two devices with identical IP addresses into two separate CiscoWorks NCM Cores at approximately the same time, there is currently no way to detect the possibility of a duplicated device.
Workaround: Manually run the Deduplication task after importing devices if you have imported two devices with identical IP addresses into two separate CiscoWorks NCM Cores at approximately the same time. The duplicated devices will be set to Inactive. (Refer to Chapter 7, Scheduling Tasks, in the CiscoWorks NCM 1.3 User's Guide for information on running the Deduplication task.)
Multimaster Distributed System on SQL Server
If you see a conflict for which the reason_text field does not reference a constraint name, it is possible that CiscoWorks NCM automatically resolved the conflict. However, you might have to manually resolve the conflict. In the former case, simply delete the conflict. In the latter case, make the appropriate corrections and then delete the conflict. The following is an example of a reason_text field from a conflict that does not reference a constraint name:
reason_text A row insert at 'red-dalmssql102.ds2880db2' could not be
propagated to 'RED-DALMSSQL101.ds2880db1'. This failure can be caused by a
constraint violation. The merge process was unable to synchronize the row.
"All changes made by myself in the last 48 hours" Report Shows Zero Changes
When running the "All changes made by myself in the last 48 hours" report, the report shows zero changes, despite the fact that there are changes shown when viewing the report on the CiscoWorks NCM server.
Workaround: Create a new "All changes made by myself in the last 48 hours" report using the same search criteria as the report on the CiscoWorks NCM server.
1. Click Reports > Search For > Configurations. The Search For Configuration page opens.
2. In the Date field, select Since from the left-hand drop-down menu. Then, select 48 hours ago from the right-hand drop-down menu.
3. Enter your username in the Changed By field.
4. Scroll down to the Search Scope field and select the radio button for the Search all configurations option.
5. Click Search. The Configuration Search Results page opens.
6. Enter a report name in the Save search as a user report named: field.
7. Click Save.
Use of the Dollar Sign ($) in Perl Code
If you convert a Telnet/SSH Proxy session that contains a dollar sign ($) to Perl (such as a script that puts a $ in the banner), CiscoWorks NCM does not properly escape the dollar sign ($) in the generated Perl code.
Workaround: Edit the script and put a backslash (\) in front of the dollar sign ($).
ACLs with the Same Name but Different Case in CiscoWorks NCM are not Recommended
CiscoWorks NCM supports case-sensitivity in ACL names. As a result, you can have two ACLs with the same name, but different case. If you delete one of those ACLs, however, all ACLs with the same name are deleted, regardless of the case. Cisco does not recommend multiple ACLs with the same name, but differing case in CiscoWorks NCM.
Detect Network Devices Task
The CiscoWorks NCM system prevents you from inadvertently running more than one Detect Network Devices task concurrently. Although the Detect Network Devices task generates only a minimal level of traffic, CiscoWorks NCM provides this protection to help minimize additional traffic when running duplicate or additional Detect Network Devices tasks simultaneously. If a second or third Detect Network Devices task is scheduled while an earlier Detect Network Devices task is running, CiscoWorks NCM will place the new task(s) in the Waiting state. The task(s) will run individually after the first Detect Network Devices task has completed.
Batch Editing Parent Device Groups or Device Groups with No Devices Results in Invalid Error Message
When you batch edit parent device groups or device groups/partitions that have no devices, an invalid error message is displayed: You do not have Modify Device Permission for any of the devices you selected.
Workaround: To batch edit all devices in a parent device group, do a batch edit against each child group in the parent device group.
Diagramming
CiscoWorks NCM applies an absolute value for the text height attribute for interface and port labels shown in Visio diagrams. When the Visio VDX file is loaded, Visio assigns an incorrect formula to the text height attribute. As a result, when you have more than two lines of annotated text (i.e. a label) for an interface or port and you attempt to copy and paste, the label of the new interface or port is displayed improperly and could hide the interface or port icon.
Workaround: Click the Text Tool option on the Visio tool bar and move the label so as to expose the interface or port icon.
Command Line Interface: connect Command
The connect command in the CiscoWorks NCM Proxy now accepts a device ID. This is needed because device IP Addresses are no longer required to be unique. If you pass an invalid device ID via the connect command, (i.e., something that is not a number), the CiscoWorks NCM Proxy session is abruptly terminated.
Workaround: Reconnect to the CiscoWorks NCM Proxy and enter a valid device ID.
Passing Your CiscoWorks NCM Password to Advanced Scripts
When using advanced scripts, $tc_user_password$ does not work.
Workaround: Use $Password$ instead of $tc_user_password$. Note that $Password$ can only be used in the Parameters part of the advanced script, so you'll need to add code to your script to get the password from the command line arguments when the script runs.
Multimaster Distributed System External Authentication
When using external authentication in a Multimaster Distributed System environment, the External Authentication Type, for example TACACS+ or Active Directory, is global (i.e., shared between all CiscoWorks NCM Cores). Specific authentication server information is CiscoWorks NCM Core specific.
Workaround: Set the External Authentication Type to None on the Administrative Settings > User Authentication page. Configure each CiscoWorks NCM Core individually with authentication server information or Active Directory setup. After all CiscoWorks NCM Cores have been configured, set the External Authentication Type on any CiscoWorks NCM Core. The External Authentication Type setting is replicated to all CiscoWorks NCM Cores.
Multimaster Distributed System Performance
When running a Distributed System, if you are deleting many objects simultaneously, the system may take a while to push transactions for large delete operations.
Duplicate IP Addresses with Multiple Sites
If your system is configured with multiple Sites in different Realms, you could see duplicate IP addresses if you select the Multiple Devices/Groups option on a New Task page when browsing the Inventory Group using the Device Selector.
Workaround: Using the Device Selector, browse to devices using the specific Site Group.
Unresponsive Script Warning Message in Mozilla Firefox 1.5
When uploading a software image (New/Edit Software Image Set page) or any CiscoWorks NCM page that requires file uploading, if you are using Mozilla Firefox 1.5 and the file size is relatively large, you could see a warning message during uploading that indicates a script may be busy or has stopped responding.
Workaround: Click Continue. If you want to avoid this warning message in the future:
1. Enter about:config in Firefox's address bar.
2. Scroll down to the DOM.* section.
3. Locate the value for dom.max_script_run_time.
4. Edit the default value 5 to something higher, for example 20.
Juniper Devices with SCP Enabled do not Capture Running Configurations
If your Juniper device has SCP enabled, the copied configuration may not be the one running on the device.
Workaround: Always use CiscoWorks NCM to manage configuration changes or save the configuration on the Juniper device.
RADIUS External Authentication
When setting up a user to authenticate using RADIUS, if the RADIUS server does not respond, CiscoWorks NCM still authenticates the user against the CiscoWorks NCM local password, even if you instruct CiscoWorks NCM not to fail-over on external authentication.
Scripts: Output Results in HTML Format
When executing an advanced script or a Run External Application task, any text that the advanced script or external application writes to stdout is stored in CiscoWorks NCM as the task result. Typically, this output is treated and displayed as plaintext. As a result, before CiscoWorks NCM displays the task results, it will escape any characters that would affect the HTML rendering, for example converting < to &lt;.
However, you may want to create an advanced script that outputs its results in HTML format. In this case, none of the output characters would be escaped, so the results displayed would include any applicable HTML formatting. To indicate to CiscoWorks NCM that your script outputs HTML results, the first item that your script writes to stdout must be <html>. If your script output begins with anything other than <html>, the script results will be treated as plaintext.
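An added example (not from the release notes or from Cisco) of a script that opts into HTML output: because output that begins with <html> is displayed unescaped, the script escapes every device-derived value itself. It is written in Python for illustration; the sample rows are constructed, and displayed_as() only models the display rule described above.

```python
import html
import sys

# Constructed sample data: interface descriptions as they might be read
# back from a device. The second and third values contain characters that
# would change the rendering if they reached the browser unescaped.
SAMPLE_ROWS = [
    ("Gi0/1", "uplink to core"),
    ("Gi0/2", "<script>alert(1)</script>"),
    ("Gi0/3", 'lab "A" & "B"'),
]


def build_report(rows):
    """Return an HTML report whose first characters are <html>.

    Every device-derived value is escaped here, because output that
    starts with <html> is displayed without further escaping.
    """
    lines = [
        "<html>",
        "<body>",
        "<table>",
        "<tr><th>Interface</th><th>Description</th></tr>",
    ]
    for name, descr in rows:
        lines.append(
            "<tr><td>%s</td><td>%s</td></tr>"
            % (html.escape(name), html.escape(descr))
        )
    lines += ["</table>", "</body>", "</html>"]
    return "\n".join(lines)


def displayed_as(stdout_text):
    """Model of the display rule described above (not NCM code).

    Output beginning with <html> is shown as written; anything else is
    treated as plaintext and escaped before display.
    """
    if stdout_text.startswith("<html>"):
        return stdout_text
    return html.escape(stdout_text)


if __name__ == "__main__":
    # The report must be the first thing written to stdout.
    sys.stdout.write(build_report(SAMPLE_ROWS))
```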
Nmap Scanning
Careful consideration should be taken when identifying the network range you are going to scan. Some network topologies can result in very long scans. In addition, it is recommended that you do not scan Internet addresses. If you think your Nmap scan will take more than a few minutes, you can use several Nmap options, for example --max_scan_delay <milliseconds>, setting <milliseconds> to a value between 1 and 1000. Nmap will throttle up to 1000ms max as packets are dropped.
Keep in mind that Nmap settings can be changed using the Administrative Settings option under Admin on the menu bar, and selecting the Device Access option. Please refer to the Nmap documentation at www.insecure.org for detailed Nmap information.
Cisco Catalyst Switches
Cisco has recently reported an issue with their Catalyst switches running CatOS 8.3(3). Cisco has found that these devices could crash when you connect to them via SSHv2 (for example from an SSH client, such as SecureCRT or Putty). By default, CiscoWorks NCM uses SSHv2 as the primary access method to network devices. Therefore, there is a substantial risk that a Catalyst switch running 8.3(3) could be reset when managed by CiscoWorks NCM.
Workaround: Upgrade your Cisco Catalyst to CatOS 8.3(4). If this is not possible, edit your Catalyst devices running 8.3(3) in CiscoWorks NCM to use only SSHv1 or Telnet for device access.
SecurID Software Token Software, Version 3.0.5
If the CiscoWorks NCM server is installed with the 3.0.5 SecurID token software, turn off copy protection when exporting SecurID software token keys on the RSA server. Otherwise, CiscoWorks NCM reports an error when accessing SecurID software tokens. A patched version of the SecurID software is available at RSA's website http://www.rsasecurity.com.
SecurID Device Access
If you are using SSH to access devices, SSH connectivity will not work if a software token is in Next Token mode. Be sure to reset your software tokens to Normal mode before attempting SSH connectivity to devices.
Canceling or Deleting Tasks
Some CiscoWorks NCM tasks spawn external processes to run Perl or Expect scripts, or to run user-provided executables or shell scripts. Under certain circumstances, CiscoWorks NCM may not be able to kill these external processes when the spawning task is canceled or deleted. This could include scripts that spawn sub-processes or processes that are coded to catch kill signals.
Workaround: Manually stop the external process on the CiscoWorks NCM server.
Deploy to Startup Config and Reboot not Supported via SNMP
CiscoWorks NCM can deploy a configuration file to the startup configuration and reboot the device via command line only. If the device is configured for SNMP access only (see the CiscoWorks NCM 1.3 Device Driver Reference), deploy startup and reboot will fail.
Software Center: Deploying Software
When deploying software to a device, it is possible for the configuration file currently on the device to no longer be acceptable to the device. This is more likely during an OS downgrade. (OS upgrades are usually handled via upwards compatibility.) It is always a good idea to test the functionality of a given OS version before deploying it on a production network. When downgrading OS versions, the device configuration file may need to be manually updated. It is very important to make this change before rebooting the device, otherwise the device could attempt to use the invalid configuration file and become unresponsive.
For the Aironet 1100, if you deploy software with the Reboot option, the Aironet 1100 might not restart correctly. In fact, the Aironet 1100 might be left inaccessible and the Deploy Software task could continue running for up to an hour. This can also occur when manually deploying software.
Workaround: Turn the device off and back on to restore connectivity. Alternatively, you can avoid the problem by turning the radio off before deploying software.
CiscoWorks NCM does not support BayRS software downgrades from 15.x to 14.x. Although the software update will function, the device configuration file after the reboot is not valid for the new software image. The device will need to be rebooted, and the configuration file saved with the new code via a console connection.
Workaround: You can pre-deploy a valid configuration file for a software update. The configuration file should be built by SiteManager for the particular version of code you are deploying.
Software Center: Downgrading Nortel OS and Rebooting Could Leave Device Inaccessible
When you deploy an earlier version of an OS to a Nortel device, you could experience unexpected results, including the device becoming inaccessible. This occurs because commands and configuration methods might have changed, and these might not work correctly for the earlier OS when downgrading.
Be sure to review the configuration file before downgrading and possibly test the procedure in a lab before migrating the change to your production network. You should also configure out-of-band access via a console port before downgrading a device OS.
Software Center: Cisco IOS Devices
Software Center does not support 11.x drivers for Cisco IOS 11.x. Although it is possible to downgrade a Cisco device from 12.x to 11.x, it is not possible to upgrade from 11.x to 12.x. In addition, if you try to perform a software upgrade, the existing image on the device can be deleted, and the software update task will fail. Consequently, there is no way to upload an image to the device.
Workaround: Use a TFTP server to manually recover the lost image to the device.
Batch Insert ACL Line Option
When using the Batch Insert ACL Line option (Devices > New Device Task > Batch Insert ACL Line), the Task Options section on the New Task - Run Command Script page does not contain script content. While the Command Script to Run field correctly displays Cisco IOS Insert (or Remove) Line into (or from) ACL by handle, it does not present the script or script variables for execution until you select a device or device group that the script supports.
Software Center: Reboot Option
The Software Center reboot option is not supported when a BayRS device is configured to receive its configuration file from the network. The BayRS device returns an error message when CiscoWorks NCM attempts to reload the device.
[1:TN]$ boot - 1:config
Configuration source is network - override allowed only when source is local.
Workaround: Configure the BayRS device to use the locally stored configuration file.
Software Center: Cisco IOS 2500
There is a problem with the Cisco IOS 2500 that can affect the CiscoWorks NCM Software Update Center. With a Cisco IOS 2500, running Version 12.3(3) (distributed as c2500-i-l.123-3.bin), some file systems are inconsistently reported. The Software Update Center is not able to retrieve a list of files on devices running this software version. Additionally, the Software Update Center cannot deploy software to the Cisco IOS 2500 running Version 12.3(3) because the Software Update Center cannot query the device for the available locations (dir ? does not return flash: and copy tftp ? does not list flash:).
Workaround: Although the Software Update Center cannot execute a software upgrade to the Cisco IOS 2500 running Version 12.3(3) by specifying a single device (the missing flash: slot information prohibits it), you can perform a software upgrade by creating a device group that contains only the Cisco IOS 2500, and then execute a software upgrade to that group.
Tasks: A Task Scheduled for the 31st Might Run on the 1st
If you schedule a monthly recurring task for the 31st of every month and that task runs during a month that contains fewer than 31 days, CiscoWorks NCM will run the task on the 1st, 2nd, or 3rd day of the next month, depending on how many days fewer than 31 the previous month contains. For example, if you schedule a task in February (with 28 days) for the 30th, the task will actually run on March 2nd. If you want to run the task on the last day of the month, you must set the date correctly.
Inventory: Data from Device Overwrites Manually Entered Values
Certain data on the Device Details page (and other pages) is auto-populated. If you manually change the data, CiscoWorks NCM overwrites the values when the next snapshot occurs. The device-specific values are listed in the CiscoWorks NCM Device Driver Reference per device.
The automatically populated data includes:
• Domain Name
• Host Name
• Model
• Serial Number
• Location
• Vendor
Tasks: Running External Application Tasks Presents a Possible Security Risk
All Run External Application tasks run the application with root (UNIX) or system (Windows) privileges. This is a potential security risk that should be acknowledged by the System Administrator before using the Run External Application feature. Contact Technical Support to learn how to run CiscoWorks NCM without root/system privileges.
Console Server: SSH Access Is Not Supported
CiscoWorks NCM does not support console server access via SSH. If you use a console server to access a device, you must use Telnet connectivity. In other words, on the New Device page/Edit Device page, if Use to access device is checked in the Console Server Information section, you should make sure that the Telnet option in the Connection Information section is also checked.
Extreme Devices: Configuration Comments can Cause Misconfiguration
On Extreme devices, adding inline comments between multi-line commands, such as user account commands or set banner commands, can cause serious problems if the resulting configuration is deployed.
Workaround: Do not add inline comments between multi-line commands. Add comments on the line above the start of a command.
Diagnostics: When to Run ICMP Tests
Use ICMP tests only to verify connectivity occasionally or after a change. They are not a replacement for monitoring software. You should schedule ICMP tests no more than once per 10 minutes.
Scripts: Cannot Save Template or Command Scripts with a Period in the Name
Command Scripts, Templates, and Custom Diagnostics cannot have a period in the name. Use underscores or dashes in place of a period.
Scripts: Cannot Save Command Scripts with Quote Marks in the Name
Do not use quote marks when naming command scripts. If you do, you will not be able to select and run the command script.
Reports: Checkpointing can Cause Reports to be Inflated
The Make Snapshot a Checkpoint option on the Snapshot Task page (Task > New Task > Take Snapshot) stores the configuration file regardless of whether it changed. However, even if there is no change, the snapshot still appears as a configuration change on the Home page, Summary reports, Configuration Change search results, and so on. As a result, the number of configuration changes includes the check-pointed configurations, and therefore these counts may not be accurate.
Syslog Messages
Certain Syslog messages (compliant with the Syslog RFC) sent from devices could have the same sender IP address as the IP address in the Syslog messages. In this case, CiscoWorks NCM does not process the Syslog messages or schedule events. As a result, change detection will not work as expected on these devices.
Banner Handling Strings Require Device-specific Passwords
If you enter banner handling strings in the Banner skip regex option (Devices > Inventory > Edit > Show Device Access Settings (device-specific settings) > Setting) and those strings include common prompt strings, such as password or username, you cannot apply network-wide Password Rules to the device. If you do, the banner handling fails without generating any errors, and the device does not work with CiscoWorks NCM device drivers. Tasks such as Snapshot and Driver Discovery do not work.
Workaround: Always use device-specific passwords on the Edit Device page.
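Because this failure is silent, it helps to check an inventory for the conflicting combination before tasks start failing. The following is an added example, not part of CiscoWorks NCM; the record fields (host, banner_skip_regex, uses_password_rules) and the sample devices are constructed, and it assumes that Python's re syntax approximates the regex syntax used for the Banner skip regex setting.

```python
"""Flag devices whose banner-skip regex overlaps login prompts while Password Rules apply."""
import re

# Prompt strings the release note names, in a few typical spellings (constructed).
COMMON_PROMPTS = ["Username:", "username: ", "Password:", "password: ", "Enter password:"]


def prompts_matched(banner_regex, prompts=COMMON_PROMPTS):
    """Return the prompts that banner_regex would also match.

    Raises ValueError when the expression does not compile.
    """
    try:
        pattern = re.compile(banner_regex)
    except re.error as exc:
        raise ValueError("invalid banner regex %r: %s" % (banner_regex, exc))
    return [prompt for prompt in prompts if pattern.search(prompt)]


def audit(devices):
    """Return (host, status, detail) findings for device records.

    "conflict": the banner regex matches a login prompt and the device relies
    on network-wide Password Rules, the combination described above.
    "invalid-regex": the expression could not be compiled for checking.
    """
    findings = []
    for dev in devices:
        regex = dev.get("banner_skip_regex") or ""
        if not regex:
            continue
        try:
            hits = prompts_matched(regex)
        except ValueError as exc:
            findings.append((dev["host"], "invalid-regex", str(exc)))
            continue
        if hits and dev.get("uses_password_rules"):
            findings.append((dev["host"], "conflict", hits))
    return findings


# Constructed sample inventory (hypothetical field names).
SAMPLE_DEVICES = [
    {"host": "edge-rtr-01", "banner_skip_regex": r"[Pp]assword", "uses_password_rules": True},
    {"host": "lab-sw-02", "banner_skip_regex": r"username", "uses_password_rules": False},
    {"host": "core-sw-03", "banner_skip_regex": r"Press RETURN to continue", "uses_password_rules": True},
    {"host": "dist-sw-04", "banner_skip_regex": r"Authorized (use", "uses_password_rules": True},
]

if __name__ == "__main__":
    for host, status, detail in audit(SAMPLE_DEVICES):
        print("%s: %s: %s" % (host, status, detail))
```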
Sending Reports to External Email Addresses
Even though you may have properly configured CiscoWorks NCM to contact your SMTP server, for network security reasons your SMTP server might have been configured to reject messages from the CiscoWorks NCM server address. In this case, you would see the following error message, and any CiscoWorks NCM messages would not be delivered.
Error occurred when sending email. Please check the email address and/or your SMTP server settings.
If this occurs, you will need to configure the SMTP server to enable the CiscoWorks NCM server to relay email messages through it.
NetScreen Devices
NetScreen devices could time out during the discovery process. This does not occur on all platforms, however.
Workaround: Edit the NetScreen device information and set the standard_timeout device variable to five seconds. This will enable the NetScreen device to be discovered via the Command Line Interface (CLI).
When monitoring NetScreen devices, for CiscoWorks NCM to detect that the device's interfaces are administratively down, the interface must be configured as down using the set interface untrust ident-reset command.
Search for Policies Page
When searching for policies on the Search For Policies page, do not select the Device Group checkbox. This search criterion is currently unavailable.
Scripts: Command Scripts and Templates for Cisco Aironet VxWorks Devices
CiscoWorks NCM supports command scripts and templates for Cisco Aironet wireless access points running VxWorks software (for example OS versions 11.23T & 12.01T1). Because scripts and templates are deployed differently to Cisco Aironet devices, CiscoWorks NCM uses TFTP to deploy a file containing the script to the device. Some OS versions on Cisco Aironet devices accept only a limited size file via TFTP. In these cases, any excess commands are ignored and will not be run on the device. However, the script will still report successful execution. Devices exhibiting this behavior will accept no more than approximately 130 lines of text and ignore the rest without reporting an error.
Workaround: Use scripts smaller than 100 lines, or use multiple scripts to deploy larger sets of configuration commands to the device. If possible, upgrade the device to a newer version of code, ideally a version of IOS (12.2).
BayRS Device Can Lose Ability to Provide Snapshot
Occasionally, the BayRS device can enter a state in which it cannot provide a snapshot. Snapshot tasks fail with the following error message:
File retrieval error
Workaround: Rebooting the BayRS device restores the normal state on the device.
OS Analysis Task
When using CiscoWorks NCM in an environment with overlapping IP addresses, the OS Analysis task is not supported for devices behind remote Realm gateways. OS Analysis tasks run on devices in the locally reachable network. This could result in an image recommendation being incorrect for devices behind the gateway. Keep in mind that CiscoWorks NCM will report OS recommendations for a device in the default Realm instead of a remote Realm if they share an IP address.
Email Report Task
When scheduling an Email Report task, if you select a report other than Summary Reports in the Reports to run field, the task is reported as failed. However, the report is successfully emailed to the recipient. Please disregard the error message.
Recent Changes Report
When using the CiscoWorks NCM proxy agent to make a change to a device, after the change has been detected by a Take Snapshot task, the View Session link is absent from the Action column in the Recent Changes report on the Home page.
Known Limitations and Problems
This section contains information about the limitations and problems known to exist in the CiscoWorks NCM 1.3 product.
CSCse09644—The cwncm_import script does not parse the hostname as present in the CSV file.
Description: When exporting some devices from DCR into the CSV file using dcr_export.sh or from Device Management UI of LMS, the cwncm_import script does not parse the hostname (present) in the CSV file; instead, it substitutes the IP Address as the hostname for all these imported devices.
Workaround: You can manually change the Hostname by looking up the corresponding name in the CSV file. This issue will be fixed in a future release.
CSCse11820—Installation hangs if you provide incorrect Database credentials.
Description: Oracle is installed successfully and you proceed with CiscoWorks NCM installation. If you provide any incorrect database credentials (port number, DB name, or password) while configuring the CiscoWorks NCM Database, then CiscoWorks NCM hangs while trying to connect to the database.
Workaround: Stop the installation using the Windows task manager. Restart the installation and enter the correct credentials.
CSCse16848—Duplicate entries are seen in the software updates report.
Description: When adding more than one image set from Devices > Device tools > Software Images, the weekly report incorrectly reports two successful updates when this is not the case.
Workaround: There is no known workaround for this issue.
CSCsh28136—Installer fails to copy licenses from a directory whose name has spaces.
Workaround: Make sure that the directory and directory path where the license files are being copied do not have spaces in their names. If you must use directory and directory path names containing spaces, make sure to quote the entire path.
CSCsk09371—Exception while getting software upgrade recommendation.
Description: From Inventory, select a Cat6503 device. Navigate View > Device Details > Software Upgrade Recommendation. The following error message is displayed:
SWIM1027: Error while fetching inventory information. Module details unavailable for this device.
Workaround: There is no known workaround at this time.
CSCsk95754—SNMPv3 Engine Id check is not needed.
Description: For a device which has SNMP-v3 configured, from Inventory, select the device. Navigate View > Device Details > Software Upgrade Recommendation. Select any image to launch the details. The following warning message is displayed in the details:
SWIM1094: SNMP-V3 parameters is incorrect or not available for the device. Check whether the SNMP-V3 password, SNMP-V3 algorithm, and SNMP-V3 engine ID is configured for the device.
Workaround: Ignore the message if the SNMP-V3 password and SNMP-V3 Algorithm are configured correctly.
CSCsl33419—Snapshots for large number of devices fail and CiscoWorks NCM crashes.
Description: On occasion, collecting snapshots for a large number of devices fails and results in CiscoWorks NCM crashing. This is due to too many files being open.
Workaround: Increase the number of file descriptors and enable the Perl Server.
CSCsl38283—Snapshot fails if banners are present on the device on the Linux platform.
Workaround: Removing the banner on the device should solve the problem.
CSCsl39839—Detect Network Devices will not detect devices with SNMPv3 configuration.
Description: Devices configured with SNMPv3 parameters will not be discovered when you perform the Detect Network Devices task.
Workaround: Configure SNMPv2 parameters on devices to discover them using the Detect Network Devices task.
Accessing the CiscoWorks NCM Documentation Set
You can access the entire CiscoWorks Network Compliance Manager documentation set from the following Cisco.com URL:
http://www.cisco.com/en/US/products/ps6923/tsd_products_support_series_home.html
From here you can navigate to any documentation for CiscoWorks NCM 1.3 you will need.
Tip To cut and paste a two-line URL into the address field of your browser, you must cut and paste each line separately to get the entire URL without a break.
Note All documentation, including this document and any or all of the parts of the CiscoWorks NCM documentation set, might be upgraded over time. Therefore, we recommend you access the CiscoWorks NCM documentation set using the Cisco.com URL: http://www.cisco.com/en/US/products/ps6923/tsd_products_support_series_home.html
Note The Docs tab visible from within Network Compliance Manager might not include links to the latest documents.
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
Posted: Mon Dec 3 10:40:17 PST 2007