DX NetOps

Expand all | Collapse all

"Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

Jump to Best Answer
  • 1.  "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Posted 03-07-2019 03:57 AM

    Hi everyone,

     

    This is a possible bug. I'm running Spectrum 10.2.3 on Windows 2012 Servers. 

     

    For some reason, models which were "Cisco IOS SSH Capable" for years are spontaneously moving to the "Cisco IOS" device family. What's weirder is that the IOS versions and system description are supported as "Cisco IOS SSH Capable" (have K9 in description, and the IOS version is modern).  This occurs for different Cisco models, both routers and switches.

     

    I've tried rediscovering these devices, but they stay in the Cisco IOS device family. I've also tried deleting these devices, waiting a couple of minutes, and then rediscovering them. Same deal.

     

    Any ideas why this is? 

     

    Creating a custom device family which captures all Cisco switches/routers doesn't seem to help since anything which is identified by an out-of-the-box device family can't be collected to a custom device family, and this wouldn't be an ideal workaround to begin with.

     

    Thanks.



  • 2.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"
    Best Answer

    Broadcom Employee
    Posted 03-07-2019 06:08 AM

    Hi Lilah,

     

    To place a device into the Cisco IOS - SSH Capable family, the following conditions must be met:

    • The device descriptor must indicate a firmware version of 12.2 (18) or greater.
    • The feature set must contain letters "K9" indicating the device has the necessary encryption functionality that is needed for SCP.
    • SSH access for the device must be unblocked at the time of discovery.

    Note: If SSH access to the device is blocked (for example, with a firewall) at the time of discovery, put the device in the Cisco IOS device family. 

    For example, a device with the following description is placed in the Cisco IOS - SSH Capable family:
    Cisco IOS Software, 7200 Software (C7200-JK9S-M), Version 12.3(14)T6, RELEASE SOFTWARE (fc2)Technical

    Support: http://www.cisco.com/techsupportCopyright (c) 1986-2006 by Cisco Systems, Inc.Compiled Thu 05-Jan-06 05:36 by dchih 

    A device with the following description is placed in the Cisco IOS family and is not capable of obtaining configurations using SSH/SCP:

    Cisco Internetwork Operating System SoftwareIOS (tm) C2600 Software (C2600-J1S3-M), Version 12.3(17a), RELEASE SOFTWARE (fc2)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2005 by cisco Systems, Inc.Compiled Mon 12-Dec-05 1 

     

    Thanks,

    Slivio



  • 3.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Posted 03-07-2019 07:54 AM

    Hi Silvio,

     

    1) These devices were already discovered correctly as "SSH Capable" and dynamically moved to "Cisco IOS", even though they met all demands for "SSH Capable".

    2) As mentioned, they are modern versions of switches/routers with K9 in their software version. No firewall is blocking the relevant traffic.



  • 4.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Broadcom Employee
    Posted 03-07-2019 08:08 AM

    Hi Lilah,

     

    Are you able to establish a SSH (Secure Shell) connection through the OneClick Console to those problematic devices?

     

    Thanks,

    Silvio



  • 5.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Posted 03-07-2019 09:37 AM

    Hi,

     

    Yes, they are accessible to SSH via Oneclick Console and from permitted workstations. SSHv2 is enabled on the devices. 



  • 6.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Broadcom Employee
    Posted 03-07-2019 03:00 PM

    Has the firmware version on these devices been upgraded? It appears Cisco may not be using K9 in the SysDesc any longer. Which could cause the device to fall out of the SSH Capable device family.

     

    Best regards,

    Bill



  • 7.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Posted 03-08-2019 12:50 PM

    The firmware and software hasn't been updated in a long time for most of these devices. Many of these devices have been in the network for several years, and only the past few weeks we're seeing this automatic migration of devices to Cisco IOS.



  • 8.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Posted 03-08-2019 01:03 PM

    Hi Doron,

     

    In this case something changed on that device to not meet the requirements for the SSH family.

    You can open a ticket with support so we can take a closer look at it.

     

    Thanks,
    Matt



  • 9.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Posted 03-08-2019 05:32 PM

    Hundreds of devices, without any change to software version or configuration in the past couple of weeks, gradually decide to migrate to a different device family? Whilst other devices of the same software version and device type do not?

     

    I've opened a ticket. I'm wondering if there is a way to debug the device family classification procedure so that I can see at what point it's decided that the devices do not qualify for SSH Capable. Any idea how I can see this in a log? 



  • 10.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Posted 03-07-2019 03:30 PM

    As Bill mentions here, Broadcom has identified that the issue is that Cisco is now bundling the K9 feature set within the IOS and its no longer an add on.

    This removes "K9” from the System Description.

     

    Spectrum currently looks for K9 in the sysDescr attribute on the device to note that it supports it.

     

    This will be fixed in 10.3.2 which is due out the first half of 2019.

     

    Meanwhile, there is a feature in 10.3.1 we are calling "NCM Self Certification” that should help in the meantime for these devices.

     

    https://docops.ca.com/ca-spectrum/10-3-1/en/managing-network/network-configuration-manager/network-configuration-manager-self-certification

     

    Pretty cool feature actually!

    You can execute device commands.

     

    So in Cisco case, you would have the "show running-config” in the list.

    These families are SSH only and cannot be configured to use TFTP or SNMP.

     

    Hope that helps for now!  10.3.2 will resolve these particular devices from Cisco though.



  • 11.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Posted 03-10-2019 08:26 AM

    Hi everyone,

     

    The issue was resolved, the ncmservice.exe was disrupted by a security application. After being fixed, device family evaluation worked as expected.

     

    Thanks for your efforts!