Before You Begin
Unless you configure certain options and features on your server and in your network, Performance Monitor cannot operate as designed. This chapter explains what you must do, and what we recommend that you do, so that you can use all the features Performance Monitor provides.
Table 2-1 High-level Tasks
|
|
Step 1 |
Configure supported devices for access. You must configure your devices so that Performance Monitor can validate, poll, and monitor them. See Bootstrapping Devices. |
Step 2 |
Either import or add devices. Performance Monitor cannot monitor a device until it has a local record of important device attributes. See Using the Importing Devices Wizard to Import or Add Devices. |
Step 3 |
Validate devices. See Validating Devices. Note During device validation, Performance Monitor sets all validated devices to a managed state by default — meaning that polling is enabled. If you choose to move a device to an unmanaged state, you must move it back to the managed state manually before you can monitor its health or performance. To set your devices to a managed state, see Enabling or Disabling Device Monitoring, page 11-6. |
Step 4 |
Configure email settings. Your server cannot send event notifications or distribute scheduled reports through email until you configure it for that purpose. See Setting Common Services to Use Email. |
Step 5 |
Configure SNMP. See Receiving SNMP Traps. |
Step 6 |
Configure the polling time out. Performance Monitor stops polling all devices if even a single device fails to respond within the polling time out, which is 30 seconds by default. You might need to increase this value if you are polling over slow WAN links. See Configuring the Polling Time Out. |
After you complete the required high-level tasks, you can monitor your devices and perform device operations. For example, you can:
•
Organize your devices in groups. See Managing Device Groups, page 11-9.
•
View populated reports. See Chapter 10, "Using Trend Reports."
Tip
We recommend that you set a firewall filter to secure your network any time you enable an insecure protocol such as SNMP.
Bootstrapping Devices
You must set up devices so Performance Monitor can validate, poll, and monitor them, as described in the following topics:
•
Setting Up SSL Services Modules
•
Setting Up Routers
•
Setting Up Catalyst 6500 Switches
•
Setting Up ASA Appliances, PIX Devices, and Firewall Services Modules
•
Setting Up VPN 3000 Concentrators
•
Setting Up IPSec VPN Shared Port Adapters (VPN SPA)
Setting Up SSL Services Modules
The following table shows the required setup procedures for SSL services modules. For detailed documentation of Catalyst 6500 switches and SSL services modules, see Cisco.com.
Table 2-2 Setup Procedures for SSL Services Modules
|
|
Step 1 |
Generate an RSA key and enable SSH on the services module. • Confirm that an administrative user account exists on the SSL module. • Configure the enable password on the SSL module. • To generate an RSA key pair and enable SSH, use the following commands: – ssl-proxy(config) # ip ssh rsa keypair-name ssh-key – ssl-proxy(config) # crypto key generate rsa general-keys ssh-key • To verify that SSH is configured correctly, enter: ssl-proxy# show ip ssh The following message is displayed: SSH Enabled - version 1.5 |
Setting Up Routers
The following table shows the required setup procedures for supported Cisco routers. For detailed documentation of Cisco routers, see Cisco.com.
Table 2-3 Setup Procedures for Routers
|
|
Step 1 |
Enable SNMP and set up community strings. SNMP is required for validation, polling, and monitoring Enter configuration mode, then enter snmp community community_string ro, where community_string is the read-only community string that you assign.
Caution
SNMP is not a secure protocol. We recommend that you create a firewall filter to secure SNMP traffic.
|
Step 2 |
(Optional) Set the system name, contact, and location variables. In Performance Monitor, these variables will be visible in the View Device Detail window. Enter configuration mode, then use the following commands. • To set the system name, enter hostname name. • To set the system contact, enter snmp contact contact. • To set the location, enter snmp location location. |
Step 3 |
Enable SNMP traps. Enter configuration mode, then use the following commands: snmp-server host ip_address version 2c public ipsec isakmp snmp where ip_address is the actual numeric IP address of the server on which you installed Performance Monitor.
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
|
Step 4 |
Enable HTTPS. Enter configuration mode, then enter ip http secure-server. Performance Monitor can monitor Easy VPN and DMVPN sessions only if you enable HTTPS. |
Setting Up Catalyst 6500 Switches
The following table shows the required setup procedures for Catalyst 6500 switches in which IPSec VPN services modules or CSM services modules are running. For detailed documentation of Catalyst 6500 switches and IPSec VPN or CSM services modules, see Cisco.com.
Table 2-4 Setup Procedures for Catalyst 6500 Switches
|
|
Step 1 |
Enable SNMP and set up community strings. SNMP is required for polling and monitoring. Enter configuration mode, then enter snmp community community_string ro, where community_string is the read-only community string that you assign.
Caution
SNMP is not a secure protocol. We recommend that you create a firewall filter to secure SNMP traffic.
|
Step 2 |
(Optional) Set the system name, contact, and location variables. In Performance Monitor, these variables will be visible in the View Device Detail window. Enter configuration mode, then use the following commands. • To set the system name, enter hostname name. • To set the system contact, enter snmp contact contact. • To set the location, enter snmp location location. |
Step 3 |
Enable SNMP traps for CSM services modules. Enter configuration mode, then use the following commands.
snmp-server enable traps slb real.
snmp-server enable traps snmp.
snmp-server host ip_address traps version 2 public casa slb snmp,
where ip_address is the actual numeric IP address of the server on which you installed Performance Monitor. |
Step 4 |
Enable SNMP traps for IPSec VPN services modules. Enter configuration mode, then use the following commands:
snmp-server host ip_address version 2c community_string ipsec isakmp snmp
where ip_address is the actual numeric IP address of the server on which you installed Performance Monitor, and where community_string is the read-only community string you assigned.
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
|
Setting Up ASA Appliances, PIX Devices, and Firewall Services Modules
The following table shows the required setup procedures for ASA appliances and PIX firewalls, and for Catalyst 6500 switches in which firewall services modules are running. For detailed documentation of these devices and technologies, see Cisco.com.
Table 2-5 Setup Procedures for Firewalls
|
|
Step 1 |
Specify the Performance Monitor server as the SNMP host for firewall appliances, devices, and modules. Enter this command at the firewall command line: snmp-server host inside ip_address, where ip_address is the actual numeric IP address of the server on which you installed Performance Monitor.
Caution
SNMP is not a secure protocol. We recommend that you create a firewall filter to secure SNMP traffic.
|
Step 2 |
Specify the Performance Monitor server as the HTTP host for polling. Enter this command at the firewall command line: http ip_address netmask if_name, where: • ip_address is the numeric IP address of the server on which you installed Performance Monitor. • netmask is the 32-bit address mask used in IP to indicate the bits of the IP address that are being used for the subnet address. • if_name is the name of the interface—for example, inside. You can use netmask to specify an entire subnet as the HTTP host. For example, to specify 171.69.74.0 as the HTTP host, you would enter: http: 171.69.74.0 255.255.255.0 inside |
Step 3 |
Enable HTTPS polling. Enter this command at the firewall command line: http server enable. Note Although you use the http server enable command, the device enables its secure HTTPS server. |
Step 4 |
Configure Syslog. Messages are sent to all configured server hosts. We recommend that you log errors in production environments only. To disable Syslog logging from the firewall command line, enter this command: no logging on. • To enable Syslog logging from the firewall command line, enter logging on. • To set the clock on the firewall, enter clock set hh:mm:ss { day month | month day} year. • To enable timestamps in Syslog messages, enter logging timestamp. • To set the logging level, enter logging trap level, where level is the least significant severity level that concerns you; for example, enter logging trap error to log all messages with severity levels between error (level 3) and emergency (level 0). (Syslog messages have the following severity levels. 0: Emergency; 1: Alert; 2: Critical; 3: Error; 4: Warning; 5: Notification; 6: Informational; 7: Debugging.)
Note Firewall performance might become degraded if you set the logging level too low, because a low setting triggers many messages. We recommend that you use the error severity level.
• To set the Syslog server host as the server on which you installed Performance Monitor, enter logging host if_name ip_address, where if_name is the name of the interface (for example, dmz) and ip_address is the numeric IP address of the server on which you installed Performance Monitor, (for example, logging host dmz 10.1.20.111). You can configure more than one server host for Syslog. |
Setting Up VPN 3000 Concentrators
The following table shows the required setup procedures for VPN 3000 Concentrators.
For detailed documentation on VPN 3000 Concentrators, see Cisco.com. For detailed documentation on the VPN 3000 Concentrator Series Manager application, see VPN 3000 Series Concentrator Reference Volume I: Configuration and VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring.
Table 2-6 Setup Procedures for VPN 3000 Concentrators
|
|
Step 1 |
Enable HTTPS for the VPN 3000 Concentrator Series Manager (4.01 and earlier releases). Although the VPN 3000 Concentrator Series Manager supports both HTTP and HTTPS connections, as a best practice, we recommend that you use HTTPS. An HTTPS connection requires an SSL certificate. 1. Open a browser from a PC or workstation in the same private network as the VPN concentrator. 2. In the browser Address or Location field, enter https://address, where address is the IP address of the private interface on the concentrator (for example, https://10.10.147.2), then press Enter. 3. If you do not see the VPN 3000 Concentrator Series Manager login prompt in your browser, telnet to the concentrator (or access it directly). From the CLI menu, select Configuration > System > Management Protocols > HTTP / HTTPS. Select Enable HTTPS. Save and apply your changes. |
Step 2 |
Enable HTTPS for the VPN 3000 Concentrator Series Manager (4.1 and later releases). You can enable HTTPS on the concentrator in either of two ways—using your browser or the concentrator CLI. Note that an HTTPS connection requires an SSL certificate. • To enable HTTPS through your browser, log in to the VPN 3000 Concentrator Series Manager through a standard HTTP session, then select Configuration > Tunneling and Security > SSL > HTTPS. Select the Enable check box and click Apply. • To enable HTTPS through the CLI, telnet to the concentrator (or access it directly) and, from the CLI menu, select Configuration > Tunneling and Security > SSL > HTTPS > Enable/Disable HTTPS. Then select Enable HTTPS and save your changes. |
Step 3 |
Enable HTTPS management sessions for the VPN 3000 Concentrator Series Manager (4.1 and later releases). 1. Open a browser from a PC or workstation in the same private network as the VPN concentrator. 2. In the browser Address or Location field, enter https://address/admin, where address is the IP address of the concentrator, then press Enter. 3. When you see the VPN 3000 Concentrator Series Manager login prompt, enter the administrative username and the case-sensitive password (which displays as a series of asterisks), then click Login. 4. Select Configuration > Interfaces, then click the name of an interface. 5. The interface that you select should be the one whose IP address you plan to enter in the Importing Devices wizard. See Using the Importing Devices Wizard to Import or Add Devices. 6. Click the WebVPN tab, then select the Allow Management HTTPS Sessions check box. 7. Click Apply. |
Step 4 |
Enable SNMP. 1. Login to the VPN 3000 Concentrator Series Manager, as described elsewhere in this table. 2. (Optional) If no community string is configured, select Configuration > System > Management Protocols > SNMP Communities, then click Add. 3. Enter a community string, click Add, then click Save Needed. 4. Select Configuration > System > Management Protocols > SNMP. 5. Select the Enable check box, then click Apply.
Caution
SNMP is not a secure protocol. We recommend that you create a firewall filter to secure SNMP traffic.
|
Step 5 |
Enable the XML interface. You must enable the XML interface for at least one VPN concentrator in every remote access VPN cluster. It is not necessary to enable the XML interface on any concentrator that is not part of a cluster. 1. Login to the VPN 3000 Concentrator Series Manager (as described elsewhere in this table), then select Configuration > System > Management Protocols > XML. 2. Select the Enable check box, then click Apply. |
Step 6 |
Configure linkup and linkdown traps. 1. Login to the VPN 3000 Concentrator Series Manager (as described elsewhere in this table), select Configuration > System > Events > Classes, then click Add. 2. From the Class Name list, select IP. 3. From the Severity to Trap list, select 1-3, then click Add. 4. Select Configuration > System > Events > Trap Destinations, then click Add. 5. In the Destination field, enter the IP address of the server on which you installed Performance Monitor. 6. From the SNMP Version list, select SNMPv2, then click Add. |
Step 7 |
Configure Syslog. The User Session Report feature under the Reports tab can operate only if you enable Syslog on your VPN concentrators. 1. Login to the VPN 3000 Concentrator Series Manager (as described elsewhere in this table), select Configuration > System > Events > Classes, then click Add. 2. Select AUTH from the Class Name list, then select the Enable check box. 3. From the Severity to Syslog list, select 1-5, then click Add twice. 4. Select IKE from the Class Name list, then select the Enable check box. 5. From the Severity to Syslog list, select 1-5, then click Add. 6. Click Save Needed, then click OK. 7. Select Configuration > System > Events > Syslog Servers, then click Add. 8. In the Syslog Server field, enter the IP address of the server on which you installed Performance Monitor, then click Add. 9. (Optional) To improve performance in the Performance Monitor application itself if it is the only application to which the concentrator will send Syslog messages, select Configuration > System > Events > General, select None from the Severity to Syslog list, then click Apply. 10. Select the Enable check box, then click Apply. |
Setting Up IPSec VPN Shared Port Adapters (VPN SPA)
The following table shows the required setup procedure for VPN SPA.
Table 2-7 Setup Procedure for VPN SPA
|
|
Step 1 |
Enable HTTPS. Enter ip http secure server. |
Using the Importing Devices Wizard to Import or Add Devices
Performance Monitor requires information about your devices in order to communicate with them. Use the Importing Devices wizard to import devices or to manually enter the IP addresses, hostnames, and read-only community strings for supported devices in your network. Importing is a mechanism by which you transfer a descriptive list of device attributes (and sometimes device group membership lists) from an outside inventory to Performance Monitor.
Options in the Importing Devices wizard enable you to import device attributes from a comma-separated value (CSV) file or from the Device Credentials Repository (DCR) on a Common Services-based server, or you can add device attributes manually. For general information about using wizards, see Using Wizards, page 3-10.
You cannot add, import, or validate:
•
Any usupported device type. For a list of supported devices, see Supported Devices and Software Versions for Cisco Security Manager.
•
Any device when the MCP process has stopped. See MCP Process Maintenance, page 3-16.
•
Any device that uses a dynamic IP address or lacks configured SNMP values.
•
A VPN 3000 Series concentrator, unless you specify the correct SNMP and XML credentials, HTTPS is enabled, and the VPN 3000 Concentrator Series Manager is running.
Before You Begin
Make sure that you have the correct privileges to import or add devices. See Understanding User Permissions, page 3-2.
Procedure
Step 1
Select Devices > Importing Devices, then click Import.
Step 2
Select one of the following methods to add devices, then click Next.
•
From CSV File, to use a comma-separated values file that contains the devices.
You can import device attributes from a comma-separated value file in CSV 2.0 format only. To display a valid CSV example, click See sample CSV file in the next step. Note that Performance Monitor cannot import and validate SSL services module attributes from a CSV file.
Before you can import devices from a CSV file, you must find or generate a CSV file of device attributes information and upload it to the server on which you installed Performance Monitor. Many element management systems enable you to export device inventory information. See your EMS software documentation to learn how to export inventory information in a CSV file. Performance Monitor has no default upload directory or configuration directory.
•
Manually Add New Devices, to enter specific device information directly.
•
From Device Credentials Repository, to import devices from the Common Services Device Credentials Repository (DCR). You must already have populated the DCR on this or another server to import the devices. Also, the DCR server must be configured as a master server. To learn how to configure a master DCR server, see the Common Services online help.
Step 3
If you selected From CSV File, complete the following procedure; otherwise, continue with the next step.
a.
Enter the complete local (on your server) pathname of the CSV file to upload, then click Next.
For example, you might enter c:\temp\devicelist.csv. You can include or exclude any combination of devices you find in the CSV file.
b.
Select the check boxes for one or more devices to mark device attributes for import. To select all of the devices, select the check box in the column heading row.
c.
To save your selections, click Next.
d.
To review a list of the devices whose attributes you selected, click Next.
Step 4
If you selected Manually Add New Devices, complete the following procedure; otherwise, continue with the next step.
a.
From the Device Type list, select the relevant device type.
When you add multiple devices simultaneously, they must all be of the same device type. Otherwise, Performance Monitor queries during polling are inappropriate and polling results are unreliable. You must complete this step each time you manually add a different kind of device.
b.
To specify the IP addresses or DNS names of the devices you plan to add, enter one or more IP addresses or DNS names in the Device Names/IP Addresses text box. Separate multiple address entries with a space or a comma.
c.
Click Next.
You can specify SNMP information and Telnet login credentials (if applicable) for devices you add, but validation and polling for a device take more time to complete if the number of SNMP retries or the SNMP timeout period is greater than the default.
d.
Enter the read community string in the Read Community text box.
The read community string is a password that allows read-only access to the specified devices. A single entry in the Read Community text box can apply to multiple devices, provided all of the read community strings are identical on all devices. The default entry on most devices and in Performance Monitor is public. If the community strings on your devices differ from the default, you must specify the correct community strings before validation can begin and before you can configure the devices.
e.
Select a value from the SNMP Timeout list.
This is the number of seconds Performance Monitor waits for a response from the device before it asks again for a response. The minimum is 1 second and the maximum is 60 seconds. The default is 3 seconds.
f.
Select a value from the SNMP Retries list.
This is the number of attempts Performance Monitor makes to communicate with the device before declaring that the device has timed out. The default is 1.
g.
Do one of the following:
•
If you are using the local username database on the device or an external AAA server, such as TACACS, enter the administrative username in the Username field. As you enter the username, the labels of the fields beneath it are changed to User Password, and Confirm User Password respectively. Enter the administrative password in the User Password field, then in the Confirm User Password field.
Note
The User Password and Confirm User Password fields toggle between the Enable Password and Confirm Enable Password fields, depending on whether you are using local database or an external AAA server, or enable password authentication.
•
If you are using enable password authentication, leave the username blank, enter the enable password in the Enable Password text box, and then confirm it in the Confirm Enable Password field.
The enable password activates the privileged enable mode on a device when you access the device through a remote Telnet connection. Certain privileged operations can take place only when a device is running in enable mode.
h.
Enter the HTTPS port number that the device uses for secure communication with Performance Monitor. The default port 443 is displayed in this field if you do not modify it.
The security appliance can support both SSL VPN connections and HTTPS connections for Performance Monitor sessions simultaneously on the same interface. Both HTTPS and SSL VPN use port 443 by default. Therefore, to enable both HTTPS and SSL VPN on the same interface, you must specify a different port number for either HTTPS or WebVPN. An alternative is to configure SSL VPN and HTTPS on different interfaces.
i.
To save your selections and move to the next step, click Next.
Performance Monitor lists the devices whose attributes you added, so you can review your entries before validation occurs.
Step 5
If you selected From Device Credentials Repository, complete the following procedure; otherwise, continue with the next step.
a.
Enter the following required information:
•
Host—The IP address or hostname of the DCR server. If you populated the DCR inventory on the same server as Performance Monitor, you can use the loopback IP address 127.0.0.1.
•
Port—The port number on which the DCR server receives HTTPS requests. The port by default is 443.
•
Username—The username of any user with authority to export and import devices.
•
Password—The password associated with the username.
b.
Click Next.
c.
Select the check boxes for one or more devices to mark device attributes for import. To select all of the devices, select the check box in the column heading row.
d.
To save your selections and review a list of the devices whose attributes you selected, click Next.
Performance Monitor lists the devices so you can review your entries before validation occurs.
Step 6
To complete the process, click Finish. A one-time validation job starts immediately after you add or import devices. To learn about validation, see Validating Devices.
Tip
If you imported device attributes from a CSV file, delete that file now to prevent unauthorized use of the confidential information that it contains. The unencrypted file contains important device credentials information. Its availability puts the security of your network at risk.
Validating Devices
When you validate a device of any kind, you confirm that it exists and is reachable, has the required features and interfaces enabled, has the correct credentials, uses a static (non-dynamic) IP address, and has configured SNMP values. Device validation also confirms that a VPN 3000 Series concentrator uses the correct XML credentials, has enabled HTTPS, and has enabled the VPN 3000 Concentrator Series Manager.
During device validation, Performance Monitor sets all validated devices to a managed state by default — meaning that polling is enabled. If you choose to move a device to an unmanaged state, you must revalidate it before you can monitor its health or performance.
By default, device validation occurs automatically once every day, at midnight. It occurs also at other times and intervals that you specify. You can perform an immediate, one-time validation at any time.
Performance Monitor cannot validate:
•
Any usupported device type. For a list of supported devices, see Supported Devices and Software Versions for Cisco Security Manager.
•
Any device when the MCP process has stopped. See MCP Process Maintenance, page 3-16.
•
Any device that uses a dynamic IP address or lacks configured SNMP values.
•
A VPN 3000 Series concentrator, unless you specify the correct SNMP and XML credentials, HTTPS is enabled, and the VPN 3000 Concentrator Series Manager is running.
The following topics explain how to schedule device validations, review the results of completed validation tasks, and run unscheduled validations.
•
Scheduling Device Validations
•
Viewing Historical Validation Tasks
Scheduling Device Validations
You can specify that device validation tasks occur at times of your choosing and recur at intervals of your choosing, or you can run an immediate, one-time validation.
Before You Begin
Make sure that you have the correct privileges to use this option. See Understanding User Permissions, page 3-2.
Procedure
Step 1
Select Devices > Importing Devices.
Step 2
In the Device Validation Tasks page, click Revalidate, then select options from the lists in the Start Time area.
Tip
The Start Time lists signify these values in this order from left to right: Month, calendar date, year, hour, and minute.
Step 3
(Optional) To repeat validation at a specific interval:
a.
Select the Repeat check box.
b.
Enter a numeral in the Every text box.
c.
Select an interval type (for example, hours) from the list.
Step 4
Do one of the following:
•
To save and implement your changes, click Apply.
•
To discard your changes, close the Schedule Validation Task page, and return to the Device Validation Tasks page, click Cancel.
Tip
To run an unscheduled validation once, immediately, click Run Now.
Viewing Historical Validation Tasks
You can display the results of past device validations.
Before You Begin
Make sure that you have the correct privileges to use this option. See Understanding User Permissions, page 3-2.
Procedure
Step 1
Select Devices > Importing Devices.
Performance Monitor lists the 15 most recent validation tasks and describes their status.
Step 2
Click a radio button in the Device Validation Tasks list, then click Details.
The Validation Task Details window displays the historical validation results.
Step 3
Do one of the following:
•
To update the Validation Task Details window if you believe that its displayed values are out-of-date, click Refresh.
•
To close the Validation Task Details window, click OK.
Validation Status
Historical task status messages are as follows.
|
|
Success: The task was completed in t sec. |
Variables are as follows: • t — Count of the number of seconds that the specified validation required. • x — Count of the number of devices that Performance Monitor was unable to validate. This count excludes devices for which validation was partially successful. • y — Count of the number of devices that Performance Monitor tried to validate. A partially successful validation is one in which Performance Monitor is unable to gather cluster information for one or more devices. This happens when XML credentials are entered incorrectly in Performance Monitor or when the XML interface is disabled on a device. |
Failed: x of y devices were not imported. The task was completed in t sec. |
Partial Success: Some of the VPN 3000 Series Concentrator clusters failed to be validated. The task was completed in t sec. |
Validation Details
There is only one kind of task detail message for a successful validation:
The device DNS name | IP address was imported successfully.
That message applies to any and every successful validation, regardless of service type or device type.
Historical validation task detail messages for validation failure vary by service type. Validation failure messages are as follows. (Generic messages might apply to the types of services and devices named in this table, or to other supported devices and services, such as IPSec VPN services modules or load-balancing services provided by CSM services modules.)
|
|
(Generic) |
The device DNS name | IP address could not be imported because the SNMP request timed out. |
The device DNS name | IP address could not be imported because the object identifier is not supported. |
The device DNS name | IP address could not be imported. Either HTTPS was not enabled or the credentials are not correct. |
The device DNS name | IP address could not be imported. The device name could not be resolved into an IP address.
Tip
Verify that the device has a static IP address. Performance Monitor does not support dynamic IP addressing.
|
The device DNS name | IP address could not be imported. The chassis does not contain any supported services modules. Note Performance Monitor cannot validate a Catalyst 6500 switch unless the switch contains at least one supported services module. |
SSL |
The device DNS name | IP address could not be imported. Either the version of SSL is not supported or the IP address is not for an SSL module. |
The device DNS name | IP address could not be imported because the SSL module credentials are unknown. |
The device DNS name | IP address could not be imported because Performance Monitor could not communicate with the SSL module. |
The device DNS name | IP address could not be imported because the SSL login credentials are not correct. |
Firewalls |
The device DNS name | IP address could not be imported. Either the firewall HTTPS interface was not enabled or the credentials are not correct. |
The device DNS name | IP address could not be imported. The device must be imported using the Admin context IP address or DNS name. |
Routers |
The device DNS name | IP address could not be imported because this router does not support the IPSec MIB. |
RAS VPN |
The device DNS name | IP address import was partially successful. To monitor the cluster clustername, you must import the device IP address. |
The device DNS name | IP address import was partially successful. To monitor the cluster, you must enable the XML interface or enter the correct login credentials. Note You might then see this message: An error occurred when the Router MC group was being created. |
The device DNS name | IP address could not be imported. Performance Monitor cannot establish an HTTPS connection with the VPN 3000 Concentrator Series Manager. Please verify that HTTPS is enabled. |
The device DNS name | IP address could not be imported. Performance Monitor cannot validate the device credentials against the VPN 3000 Concentrator Series Manager. Please verify that you entered the correct device credentials. |
The device DNS name | IP address could not be imported. Performance Monitor cannot establish an HTTPS connection with the VPN 3000 Concentrator Series Manager: HTTP < HTTPCode > - < HTTPResponse >. Please verify that Management HTTPS sessions are allowed. |
Adaptive Security Appliances |
Some of the ASA Series clusters failed to be validated. Note This message cannot be displayed unless you use ASA clustering. |
Performance Monitor displays these additional RAS VPN validation details if at least one device has been validated or if at least one cluster was not validated: • x devices were imported successfully. • Some of the VPN 3000 Series Concentrator clusters failed to be validated. You must enable the XML interface for at least one VPN concentrator in every remote access VPN cluster. See Bootstrapping Devices. • y devices failed to be imported. To monitor these devices, you must import them again. |
Setting Common Services to Use Email
You must configure Common Services to use an email server before Performance Monitor can send notifications of events or distribute scheduled reports through email.
Before You Begin
To complete this procedure, your user role must be either System Administrator or Network Administrator. See Understanding User Permissions, page 3-2.
Procedure
Step 1
From the https://<server_name>/cwhp/cwhp.applications.do page on the server where you installed Performance Monitor, select Common Services > Server > Admin.
A new browser window opens to the Admin page in Common Services.
Step 2
In the TOC, click System Preferences, then do the following:
a.
In the SMTP Server field, enter localhost, or specify the IP address or fully qualified DNS name of a different mail server to use, such as: mailserver.example.com.
b.
In the CiscoWorks Email ID field, enter the fully qualified email return address, such as: admin@example.com.
Step 3
Click Apply.
Receiving SNMP Traps
Note
For a list of the SNMP traps that Performance Monitor can process, see Working with Notifications, page 12-1.
If any other application on your server receives SNMP traps through UDP port 162, your installed copy of Performance Monitor will not receive any SNMP traps or display any information about events that are based on SNMP traps. In such cases, you must configure the conflicting application to forward its traps to another port and you must configure Performance Monitor to listen for traps on a different port.
Procedure
Step 1
To open a DOS prompt window, select Start > Run, enter cmd, then click OK.
Step 2
Enter the following at the command line: $NMSROOT\bin\perl.exe $NMSROOT\mcp\bin\modifyTrapReceiverPort.pl port
where port is the identifying number of the UDP port at which Performance Monitor should receive its SNMP traps, and $NMSROOT is the directory in which you installed Performance Monitor, for example, C:\Program Files\CSCOpx.
Step 3
Press Enter.
Configuring the Polling Time Out
Performance Monitor stops polling all devices that are enabled for monitoring even if one device takes more than 30 seconds to return results. When Performance Monitor tries to retrieve the output of show commands from devices using HTTPS, retrieval of a single show command on a device might take more than 30 seconds, causing stoppage of polling. This problem might occur if Performance Monitor polls the device over a very slow WAN link.
The polling time out period for CLI commands is set by default to 30 seconds in the device.properties file available in the NMSROOT\mcp\conf\devices directory, where NMSROOT is the directory in which you installed Performance Monitor. If polling a device takes a long time, change the time out value by modifying the following line in the device.properties file:
Polling.CLIQuery.Timeout=timeout_value
where timeout_value is the polling time out period in seconds.