Hello everyone,
Most of customers backup their configuration using eSight, but in some cases this is failing. I'll explain here how to troubleshoot this issue and share with you a possible solution.
Fault sympton: when you try to backup the configuration to eSight you notice the below error message on the S12704:
Aug 7 2017 15:29:44+02:00 DST HHS-WLC7001 %SNMP/4/SNMP_MIB_SET_FAILED(s)[8]:MIB node set failure. (UserName=eSight, SourceIP=x.x.4.222, Version=v3, RequestId=1722247848, ErrorStatus=12, ErrorIndex=3, hwCfgOperateType.20647=6, hwCfgOperateProtocol.20647=3, hwCfgOperateFileName.20647=[63.6f.6e.66.69.67.66.69.6c.65.2f.53.31.32.37.30.34.2f.31.34.35.2e.35.32.2e.33.32.2e.31.30.2f.32.30.31.37.30.38.30.37.31.35.32.39.34.34.53.2e.63.66.67 (hex)], hwCfgOperateServerAddress.20647=10.211.4.222, hwCfgOperateUserName.20647=[61.64.6d.69.6e (hex)], hwCfgOperateUserPassword.20647=******, hwCfgOperateServerPort.20647=31922, hwCfgOperateRowStatus.20647=4, VPN=VPN-CDI)
Version information:
-eSight V300R006C00SPC505
-s12700 v200r010sph003
Configuration script:
#
interface Vlanif32
description VPN-CDI Management Interface
ip binding vpn-instance VPN-CDI
ip address x.x.32.10 255.255.254.0
#
snmp-agent
snmp-agent acl 2001
snmp-agent local-engineid 3134352E35322
snmp-agent sys-info contact name
snmp-agent sys-info location name-WLC
snmp-agent sys-info version v3
snmp-agent group v3 km privacy write-view iso-view notify-view iso-view
snmp-agent group v3 admin privacy read-view iso-view write-view iso-view notify-view iso-view
snmp-agent group v3 cacti privacy notify-view iso-view
snmp-agent target-host trap address udp-domain x.x.4.222 vpn-instance VPN-CDI params securityname cipher %^%#/8#8S8%1rTNSbZBV
snmp-agent target-host trap address udp-domain x.x.4.222 params securityname eSight v3 privacy
snmp-agent mib-view included iso-view iso
snmp-agent usm-user v3 eSight
snmp-agent usm-user v3 eSight group admin
snmp-agent usm-user v3 eSight authentication-mode sha cipher %^%#OO%}%$*Za*M&8)I&4\E1"\=
snmp-agent usm-user v3 eSight privacy-mode aes128 cipher %^%#p865#-Yc)Kp5['*'5i[C;fBx;\WqU7=
snmp-agent trap source Vlanif32
snmp-agent extend error-code enable
snmp-agent trap enable
#
sftp server enable
stelnet server enable
ssh authentication-type default password
ssh user tenict
ssh user tenict authentication-type password
ssh user tenict service-type all
ssh client first-time enable
sftp client-source -a x.x.32.10
ssh server cipher aes256_cbc aes128_cbc
ssh server hmac sha2_256 sha1
ssh server key-exchange dh_group14_sha1
ssh client cipher aes256_ctr
ssh client hmac sha2_256
ssh client key-exchange dh_group14_sha1
#
Alarm Information:The MIB object was set failed. ErrorStatus 12: Indicates an inconsistent Value.Error index indicates the index of a variable that fails to be set.
Aug 7 2017 15:29:44+02:00 DST HHS-WLC7001 %SNMP/4/SNMP_MIB_SET_FAILED(s)[8]:MIB node set failure. (UserName=eSight, SourceIP=x.x.4.222, Version=v3, RequestId=1722247848, ErrorStatus=12, ErrorIndex=3, hwCfgOperateType.20647=6, hwCfgOperateProtocol.20647=3, hwCfgOperateFileName.20647=[63.6f.6e.66.69.67.66.69.6c.65.2f.53.31.32.37.30.34.2f.31.34.35.2e.35.32.2e.33.32.2e.31.30.2f.32.30.31.37.30.38.30.37.31.35.32.39.34.34.53.2e.63.66.67 (hex)], hwCfgOperateServerAddress.20647=10.211.4.222, hwCfgOperateUserName.20647=[61.64.6d.69.6e (hex)], hwCfgOperateUserPassword.20647=******, hwCfgOperateServerPort.20647=31922, hwCfgOperateRowStatus.20647=4, VPN=VPN-CDI)
Handling Process:
1) First of all you need to check the output of the below debug to confirm the alarm received on the switch:
On switch:
<HUAWEI> terminal debugging
<HUAWEI> terminal monitor
<HUAWEI>debugging snmp
Test and collect the information!
<HUAWEI> undo terminal debugging
<HUAWEI> undo terminal monitor
2) Confirmed if the 'ssh client first-time enable' was applied on the Switch.
3)To backup the configuration of the S12700 device in eSight , and check the backup result. Check whether it backup success.
Configuration - Configuration File Management - Config Files
4) Confirm if the Write, Read, Notify communities are configured on the switch.
5)Confirm that the ping is working and that the backup is working through FTP. Both are working properly. Only SFTP didn't work.
6) Confirm if there is any firewall between eSight and Switch that could block the SFTP port (31922). You can test with the command: 'telnet vpn-instance VPN-CDI x.x.4.222 31922' and the connection was succesful.
7) Debug the connection between eSight and Switch :
debugging tcp packet src-port 22 dest-ip x.x.32.10
debugging tcp packet src-ip x.x.32.10 dest-port 22
debugging ssh server all all
After debugging the tcp and ssh packets we generated the below information:
Aug 17 2017 15:11:34.948.4+02:00 DST HHS-WLC7001 SSH/7/KEX_MATCH:No matching cipher found (client=aes256-ctr, server=aes128-ctr,aes128-cbc,3des-cbc)!
The client(switch) used aes256-ctr and the server(eSight) used aes128-ctr, aes128-cbc and 3des-cbc. The algorithms of the client and server didn’t match.
From switch configuration, you can see it clearly:
ssh client cipher aes256_ctr
ssh client hmac sha2_256
ssh client key-exchange dh_group14_sha1
For eSight, default algorithms is aes128-ctr. You can see your configuration on eSight.
Solution:
