Backup switch configuration with eSight failed

Publication Date:  2016-10-30 Views:  293 Downloads:  0
Issue Description

Customer has several switches running, and a few  are able to backup the configuration through Esight but most of them are failing. Software version:

eSight V300R005C00SPC303

Software switch: VRP5.16 V200R008C00SPC500 - stack of 3 S5700-28X-PWR-LI-AC

Alarm Information

The error that eSight returns is this one:

Handling Process

1. Since there are switches for which backup configuration it's working I decide to compare their configuration. SNMP and SSH configuration is identical.

snmp-agent local-engineid 800007DB0330D17E72A0D5
snmp-agent community write cipher %^%#.`i{*@VNS+n~y5Yut$9W-M3b*k)ON8nL;=H0&jF#<"=PVJ8d#:8FyV)SS_c)]GZnDI-_T%SRzn~8\2i6%^%#
snmp-agent community read cipher %^%#~D`3*c~*(#\ZgmG;ts%5vGku;7Yx8/C"W""xf"$N[N264j@egY0</8I.2Yq%|'D{!WSsO3^5cf0r>*|C%^%# mib-view iso-view
snmp-agent sys-info contact xxxxx
snmp-agent sys-info location xxxxx
snmp-agent sys-info version v2c
undo snmp-agent sys-info version v3
snmp-agent target-host trap address udp-domain params securityname cipher %^%#z;%PR!3kX-L,;w=~P:ISN!\Q<pTg$XCoumD1m]YW%^%#
snmp-agent target-host trap address udp-domain   params securityname cipher %^%#MRQ~0sLb\S%8^mXlG)yCf}T83Y/>X&oDj/TmjNL-%^%# v2c
snmp-agent mib-view included iso-view iso
snmp-agent inform timeout 5
snmp-agent inform resend-times 6
snmp-agent inform pending 7
snmp-agent trap enable
ssh server compatible-ssh1x enable
stelnet server enable
ssh authentication-type default password
ssh user xxxxx
ssh user xxxxx authentication-type password
ssh user xxxxx service-type stelnet
ssh client first-time enable

2. Next troubleshooting step was to change the transfer protocol, TFTP, SFTP and FTP return the same error message. This tell us that SNMP protocol should be checked further.

We decide to perform a debugging:

<R5_U28_S5700_ACC>debugging snmp-agent process 
<R5_U28_S5700_ACC>debugging snmp-agent header
<R5_U28_S5700_ACC>debugging snmp-agent event
<R5_U28_S5700_ACC>debugging snmp-agent packet
<R5_U28_S5700_ACC> t d
<R5_U28_S5700_ACC> t m

Start the backup task. Log the screen to collect the output.

To close debug:
<R5_U28_S5700_ACC>u t d                                                        
Info: Current terminal debugging is off.                                       
<R5_U28_S5700_ACC>undo deb al                                                  
Info: All possible debugging has been turned off.

3. From debugging we were unable to see any SNMP SET request packets reaching the switch to trigger the SNMP backup. So we decide to do a packet capture on eSight side.

Root Cause

The packet capture showed SNMP SET packets been generated by eSight. We can have a look.

but the community parameter is empty. This means SNMP write parameter was not configured on eSight, was set to blank. Write permission was not configured properly therefore switch didn't process the SNMP SET packets coming from eSight because the community string was not matching on both sides.

The solution is to set the same write community string on eSight and switch.

For this type of case, check the community string, and see if there is any NAT between network element that requires to be backup and eSight server.