4 Replies Latest reply on May 16, 2017 3:55 AM by matt_rees

    What needs to be preconfigured on a node to log into it via NCM?

    gheinly-phacil

      Okay, this is going to sound really entry-level but...I am, so apologies for coming in so naive.

       

      I was asked to figure out why our network engineer can't log into devices using NCM. He granted access through the firewall for SSH but trying to connect to the nodes themselves causes the system to error out every time, even with valid credentials. I tried a couple of logins myself but none of them were accepted either (including logging into Solarwinds itself via NCM). Clicking "Test" either errors out or times out but never establishes a connection.

       

      What, besides firewall permissions, do you need to have preconfigured on the endpoint in order for NCM to communicate and manage a device? I feel like we're missing something really obvious but it isn't coming together for me. Solarwinds NCM doesn't throw an error on attempt to explain what is off about the login so I don't know what the device is kicking back, if it even is.

       

      Apologies for vagueness, I'm just kind of confused. Any direction forward would be helpful right now.

        • Re: What needs to be preconfigured on a node to log into it via NCM?
          chad.every

          I'd first check if you can SSH into those devices using PuTTY on the SolarWinds server. Make sure it's working there.

           

          Then, another thing that I can think of is making sure the connection profile is using 'SSH Auto' instead of SSH1 or SSH2. This is a screenshot of editing a node and scrolling down to the very bottom. If yours doesn't show 'SSH Auto' then click 'Manage Connection Profiles' on the right, find the credential and save. Refresh the edit node page and test again. Include any screenshots of the errors that you see.

           

          [Screenshot: Edit Properties]

          • Re: What needs to be preconfigured on a node to log into it via NCM?
            superfly99

            As mentioned, first check whether or not you can just log onto the device using a Telnet/SSH program. If that doesn't work, get that working first, then NCM will work fine.

            • Re: What needs to be preconfigured on a node to log into it via NCM?
              rschroeder

              NCM will do exactly as you do--so carefully document what you do to access a device via CLI.  Then ensure NCM is set up with the exact same credentials, and that it uses exactly the same commands you do.

               

              In a Cisco switch:

               

              1. Give your switch an IP address, a subnet mask, and a default gateway
              2. Configure the switch to allow remote access via a secure protocol like SSH.  This requires:
                1. A local account on the device (or use of TACACS or RADIUS--Google how to set them up if you have a TACACS or RADIUS server and AD accounts--this is the way to go for the long run on all your systems, for all your accounts, since TACACS and AAA ensure you know what's happening on your gear, who logged in, what commands they issued, etc.  Do NOT just use a local admin account on the switches or routers--it's OK for initial setup, but require a unique password from every user who logs into your network hardware).
                  1. Create a local account with priv level 15
                  2. Give the username a secret password
                  3. The account needs to have administrative privileges (priv 15 on Cisco)
                  4. Force your device to only use SSH version 2 or better.  No version 1 allowed!
                  5. Install a host name and a domain name on your switch (it needs this to generate a certificate for SSH access)
                2. SSH requires a security certificate be generated locally on the device (crypto key gen rsa modulus xxxx--you select how big the modulus is)
                3. Set the device to have a source address for SSH, like your local network administrative interface on it.  An SVI will do, or a Loopback port is even better.  You can even configure an out of band management address, if you have that port available and attached to an appropriate network connection.
                4. Configure your switch to use SSH on the incoming TTY lines:
                  1. Line vty 0 4
                  2. Transport input ssh
                  3. password 7
                5. Set the console for login
                  1. line console 0
                  2. logging synchronous
                  3. login local
                6. Protect your configuration password:  "service password-encryption"

               

              1. Verify you can ping the switch from your PC and from NCM.  Troubleshoot this if you can't ping it--routing has to work properly, or you'll never log into it.
              2. Ensure there are no access rules denying SSH from your IP address to the switch's management address.
              3. SSH to the device manually using your administrative user account created on it.  It should work perfectly.

               

              Now set up NCM to use the same credentials, ensure there are no firewall or local access control rules denying your NCM server's address from reaching the switch's Management address, and test.

               

              If it's not working, send us screen shots of what you're trying, and also the error messages shown in NCM when it fails.  We'll get you going.
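
Added example, not part of any post in this thread: a small Python check to run on the NCM server that separates the failure modes discussed above (no route or filtered, refused, or an answer that is not SSHv2-only) by reading the SSH identification string the device sends before any login. The function names, sample banners and the `192.0.2.10` address are assumptions made for the illustration.

```python
import re
import socket

# RFC 4253 s4.2: server sends "SSH-<protoversion>-<softwareversion> [comments]\r\n".
# Protoversion 1.99 means the server speaks 2.0 but still accepts SSHv1 clients.
IDENT_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")

def classify_banner(text):
    """Return (protoversion, verdict) for the first SSH identification line."""
    for line in text.splitlines():          # servers may send other lines first
        m = IDENT_RE.match(line.strip())
        if not m:
            continue
        proto = m.group(1)
        if proto == "2.0":
            return proto, "ok: SSHv2 only"
        if proto == "1.99":
            return proto, "weak: SSHv1 fallback still enabled"
        return proto, "weak: SSHv1 only"
    return None, "no SSH identification string received"

def probe(host, port=22, timeout=5.0):
    """Open a TCP connection from this machine and classify what answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = b""
            # Read until a complete "SSH-..." line has arrived, or give up.
            while len(data) < 4096 and not re.search(rb"^SSH-.*\n", data, re.M):
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except socket.timeout:
        return None, "timed out: check routing and firewall/ACL rules"
    except ConnectionRefusedError:
        return None, "refused: nothing accepting SSH on that address/port"
    except OSError as exc:
        return None, f"network error: {exc}"
    return classify_banner(data.decode("ascii", "replace"))

if __name__ == "__main__":
    # Constructed sample banners, not captured from any real device.
    for sample in ("SSH-2.0-Cisco-1.25\r\n", "SSH-1.99-Cisco-1.25\r\n",
                   "SSH-1.5-Cisco-1.25\r\n", "login: "):
        print(repr(sample), "->", classify_banner(sample))
    # probe("192.0.2.10")  # placeholder address; run this on the NCM server
```

A banner that classifies as "ok" while NCM's Test still fails points at credentials or the connection profile rather than at the network path.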

              • Re: What needs to be preconfigured on a node to log into it via NCM?
                matt_rees

                You might need to add the Solarwinds IP address to the access-list, on the device you want to add; depending on your set up.

                 

                For example this is something similar we have to add in for Cisco devices:

                 

                access-list 3 permit 'SOLARWINDS_IP ADDRESS'