DX NetOps


"Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

  • 1.  "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Posted Mar 07, 2019 03:57 AM

    Hi everyone,

     

    This is a possible bug. I'm running Spectrum 10.2.3 on Windows 2012 Servers. 

     

    For some reason, models which were "Cisco IOS SSH Capable" for years are spontaneously moving to the "Cisco IOS" device family. What's weirder is that the IOS versions and system description are supported as "Cisco IOS SSH Capable" (have K9 in description, and the IOS version is modern).  This occurs for different Cisco models, both routers and switches.

     

    I've tried rediscovering these devices, but they stay in the Cisco IOS device family. I've also tried deleting these devices, waiting a couple of minutes, and then rediscovering them. Same deal.

     

    Any ideas why this is? 

     

    Creating a custom device family which captures all Cisco switches/routers doesn't seem to help since anything which is identified by an out-of-the-box device family can't be collected to a custom device family, and this wouldn't be an ideal workaround to begin with.

     

    Thanks.



  • 2.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"
    Best Answer

    Broadcom Employee
    Posted Mar 07, 2019 06:08 AM

    Hi Lilah,

     

    To place a device into the Cisco IOS - SSH Capable family, the following conditions must be met:

    • The device descriptor must indicate a firmware version of 12.2 (18) or greater.
    • The feature set must contain letters "K9" indicating the device has the necessary encryption functionality that is needed for SCP.
    • SSH access for the device must be unblocked at the time of discovery.

    Note: If SSH access to the device is blocked (for example, with a firewall) at the time of discovery, put the device in the Cisco IOS device family. 

    For example, a device with the following description is placed in the Cisco IOS - SSH Capable family:
    Cisco IOS Software, 7200 Software (C7200-JK9S-M), Version 12.3(14)T6, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Thu 05-Jan-06 05:36 by dchih

    A device with the following description is placed in the Cisco IOS family and is not capable of obtaining configurations using SSH/SCP:

    Cisco Internetwork Operating System Software
    IOS (tm) C2600 Software (C2600-J1S3-M), Version 12.3(17a), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2005 by cisco Systems, Inc.
    Compiled Mon 12-Dec-05 1

     

    Thanks,

    Silvio



  • 3.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Posted Mar 07, 2019 07:54 AM

    Hi Silvio,

     

    1) These devices were already discovered correctly as "SSH Capable" and dynamically moved to "Cisco IOS", even though they met all demands for "SSH Capable".

    2) As mentioned, they are modern versions of switches/routers with K9 in their software version. No firewall is blocking the relevant traffic.



  • 4.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Broadcom Employee
    Posted Mar 07, 2019 08:08 AM

    Hi Lilah,

     

    Are you able to establish an SSH (Secure Shell) connection through the OneClick Console to those problematic devices?

     

    Thanks,

    Silvio



  • 5.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Posted Mar 07, 2019 09:37 AM

    Hi,

     

    Yes, they are accessible to SSH via OneClick Console and from permitted workstations. SSHv2 is enabled on the devices.



  • 6.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Broadcom Employee
    Posted Mar 07, 2019 03:00 PM

    Has the firmware version on these devices been upgraded? It appears Cisco may not be using K9 in the SysDesc any longer, which could cause the device to fall out of the SSH Capable device family.

     

    Best regards,

    Bill



  • 7.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Posted Mar 08, 2019 12:50 PM

    The firmware and software haven't been updated in a long time for most of these devices. Many of these devices have been in the network for several years, and only in the past few weeks have we been seeing this automatic migration of devices to Cisco IOS.



  • 8.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Posted Mar 08, 2019 01:03 PM

    Hi Doron,

     

    In this case something changed on that device to not meet the requirements for the SSH family.

    You can open a ticket with support so we can take a closer look at it.

     

    Thanks,
    Matt



  • 9.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Posted Mar 08, 2019 05:32 PM

    Hundreds of devices, without any change to software version or configuration in the past couple of weeks, gradually decide to migrate to a different device family? Whilst other devices of the same software version and device type do not?

     

    I've opened a ticket. I'm wondering if there is a way to debug the device family classification procedure so that I can see at what point it's decided that the devices do not qualify for SSH Capable. Any idea how I can see this in a log? 



  • 10.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Posted Mar 07, 2019 03:30 PM

    As Bill mentions here, Broadcom has identified that the issue is that Cisco is now bundling the K9 feature set within the IOS and it's no longer an add-on.

    This removes "K9" from the System Description.

     

    Spectrum currently looks for K9 in the sysDescr attribute on the device to note that it supports it.

     

    This will be fixed in 10.3.2 which is due out the first half of 2019.

     

    Meanwhile, there is a feature in 10.3.1 we are calling "NCM Self Certification" that should help in the meantime for these devices.

     

    https://docops.ca.com/ca-spectrum/10-3-1/en/managing-network/network-configuration-manager/network-configuration-manager-self-certification

     

    Pretty cool feature actually!

    You can execute device commands.

     

    So in the Cisco case, you would have the "show running-config" in the list.

    These families are SSH only and cannot be configured to use TFTP or SNMP.

     

    Hope that helps for now!  10.3.2 will resolve these particular devices from Cisco though.
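
The three conditions listed in reply 2, and the missing-K9 case described in replies 6 and 10, modelled as an added Python example that reports which condition a given sysDescr fails. This is not Spectrum's classification code: the `classify` function, the regular expressions and the third sample string are assumptions constructed for illustration.

```python
import re

MIN_VERSION = (12, 2, 18)  # "12.2 (18) or greater", as stated in reply 2

# Image name in parentheses, e.g. (C7200-JK9S-M): platform-featureset-format
IMAGE_RE = re.compile(r"\(([A-Za-z0-9_]+)-([A-Za-z0-9_]+)-([A-Za-z0-9]+)\)")
# Matches 12.3(14)T6 and 12.3(17a); also accepts dotted forms such as 16.9.4
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)(?:\((\d+)|\.(\d+))")


def classify(sys_descr, ssh_reachable):
    """Return (family, failed_conditions) for one sysDescr string."""
    failed = []

    m = VERSION_RE.search(sys_descr)
    if m is None:
        failed.append("version not found in sysDescr")
    else:
        version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or m.group(4)))
        if version < MIN_VERSION:
            failed.append("version %d.%d(%d) is below 12.2(18)" % version)

    m = IMAGE_RE.search(sys_descr)
    feature_set = m.group(2) if m else ""
    if "K9" not in feature_set.upper():
        failed.append("feature set %r does not contain K9" % feature_set)

    if not ssh_reachable:
        failed.append("SSH was not reachable at discovery time")

    family = "Cisco IOS" if failed else "Cisco IOS - SSH Capable"
    return family, failed


# The first two strings are quoted in reply 2; the third is constructed (no K9).
SAMPLES = {
    "reply2_k9": "Cisco IOS Software, 7200 Software (C7200-JK9S-M), Version 12.3(14)T6, RELEASE SOFTWARE (fc2)",
    "reply2_no_k9": "IOS (tm) C2600 Software (C2600-J1S3-M), Version 12.3(17a), RELEASE SOFTWARE (fc2)",
    "constructed": "Cisco IOS Software, EXAMPLE Software (EXAMPLE-UNIVERSAL-M), Version 15.2(4)E7, RELEASE SOFTWARE (fc1)",
}

if __name__ == "__main__":
    for name, descr in SAMPLES.items():
        print(name, classify(descr, ssh_reachable=True))
```

Running it against sysDescr values exported from affected and unaffected devices shows whether the string itself explains a family change or whether the cause lies elsewhere.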



  • 11.  Re: "Cisco IOS SSH Capable" devices migrating automatically to "Cisco IOS"

    Posted Mar 10, 2019 08:26 AM

    Hi everyone,

     

    The issue was resolved: the ncmservice.exe was disrupted by a security application. After being fixed, device family evaluation worked as expected.

     

    Thanks for your efforts!