Support

Table Of Contents

Troubleshooting Campus Manager

Topology Services

Frequently Asked Questions

Does VTP need to be enabled?

If there are multiple VTP servers in a VTP domain, which VTP server receives VLAN configuration changes?

Can VLANs in different VTP domains have the same name?

Can you move ports from a transparent switch into a VLAN in the parent VTP domain?

Will Topology Services display VLAN information for a switch that is in VTP transparent mode?

How can I tell what switch in a switch cloud is connected to a router in the LAN edge network view?

Why is there is no information about the LE Config Server in the summary of an ATM-VLAN?

Troubleshooting Suggestions

User Tracking

Frequently Asked Questions

How does the User Tracking's discovery process differ from that of the ANI Server?

How does the ANI Server's user and host acquisition process work?

Why isn't User Tracking performing ping sweeps on some subnets?

Why are outdated entries showing up in my User Tracking table?

How long does User Tracking maintain data?

Does User Tracking discover users and hosts connected to non-CDP discovered/managed devices?

How does User Tracking log errors?

Troubleshooting Suggestions

Path Analysis

Frequently Asked Questions

What are the most common operator errors?

What do the status bar and alert box messages mean?

What do the different kinds of lines and icons represent in Map View?

Can I have more than one Path Analysis window open and working at one time?

What are valid source and destination end-points?

Does Layer 2 path analysis support tracing virtual connections inside ATM clouds?

How can I resolve Web browser security issues?

Why do I have a Layer 2 path with some Layer 2 devices missing?

How can I troubleshoot a failed Layer 3 path trace?

If a previously-discovered end-user station becomes unreachable, how do I determine which switch port it is connected to?

Why does an end-user station that is known to User Tracking show as an unmanaged device in Path Analysis?

Troubleshooting Suggestions

Troubleshooting Campus Manager

---

This appendix provides information about troubleshooting Campus Manager applications. Each application section provides FAQs and a troubleshooting table. Information about these applications is listed in this appendix:

•Topology Services

•User Tracking

•Path Analysis

Topology Services

Use the information in the following topics to help you troubleshoot Topology Services:

•Frequently Asked Questions

•Troubleshooting Suggestions

Frequently Asked Questions

Use the information in these sections to answer some of your common questions:

•Does VTP need to be enabled?

•If there are multiple VTP servers in a VTP domain, which VTP server receives VLAN configuration changes?

•Can VLANs in different VTP domains have the same name?

•Can you move ports from a transparent switch into a VLAN in the parent VTP domain?

•Will Topology Services display VLAN information for a switch that is in VTP transparent mode?

•How can I tell what switch in a switch cloud is connected to a router in the LAN edge network view?

•Why is there is no information about the LE Config Server in the summary of an ATM-VLAN?

Does VTP need to be enabled?

Topology Services requires Virtual Trunk Protocol (VTP) to be enabled in order to create VLANs. For most predictable results, Cisco recommends having at least one switch configured as a VTP server and the remaining switches configured as VTP clients.

If there are multiple VTP servers in a VTP domain, which VTP server receives VLAN configuration changes?

If the two VTP servers are in the same domain and are connected by VTP trunks, it does not matter which switch the changes are made on. VTP ensures that the information on all VTP servers and clients in a single VTP domain are coordinated and share the same configuration.

If the servers are in different VTP domains, then they do not share VLAN states, and they are both known to Topology Services. You must select the VTP domain in which you want to make the VLAN changes, and the corresponding VTP servers will reflect those changes.

If there are two servers with the same VTP domain that are not connected by trunks the configurations managed by the two servers may diverge. This configuration is not supported by Topology Services, and it creates a discrepancy.

Can VLANs in different VTP domains have the same name?

You can have VLANs with the same name provided that other characteristics, such as VLAN index and SAID value are also identical. Discrepancies occur when there are identically named VLANs with other attributes that are different (such as index, and so on). If the two VLANs share identical definitions, no discrepancy is detected.

It is usually best to use the default names that Topology Services creates for each VLAN.

Can you move ports from a transparent switch into a VLAN in the parent VTP domain?

Yes, but you must first create the VLAN (with identical attributes) on the transparent switch. To create a VLAN that exists on both the VTP server and all the transparent switches in a VTP domain, you can select the Create VLAN on all Transparent Switches check box when creating the VLAN.

Will Topology Services display VLAN information for a switch that is in VTP transparent mode?

Topology Services will attempt to correlate information from VTP transparent switches with the VTP server in the same domain. It will check the ISL index, VLAN name, and VLAN type for each VLAN, if the VLANs are identical, then they will be displayed

How can I tell what switch in a switch cloud is connected to a router in the LAN edge network view?

The Aggregate Link Attributes option is available when you right-click on a link in the LAN Edge network view. The Aggregate Link Attributes window shows the list of links between a switch cloud and a router. This cannot be indicated in the map itself because individual links are not shown, there can be more than one link between a router and the devices in a switch cloud.

Why is there is no information about the LE Config Server in the summary of an ATM-VLAN?

LE Config Servers do not belong to a specific ATM-VLAN. Different LANE components could be going to different LE Config Servers (based on neighboring LS1010 registry info) to join the same ATM-VLAN.

Troubleshooting Suggestions

Use the information in the Troubleshooting Topology Services table to troubleshoot the Topology Services application.

Table A-1 Troubleshooting Topology Services

Symptom	Probable Cause	Possible Solution
Links that appeared correctly earlier, now show as dashed lines.	If you move a port, ANI cannot determine if a link has been removed or the link is down by looking at the CDP cache. It marks the link notInNetwork instead of removing it.	If you have changed the port for this link, and the link should no longer appear, delete the link. At the next discovery, it should no longer appear.
After initial discovery, not all of the devices are discovered, and many devices are unreachable.	If devices are not discovered by Topology Services, it is likely that community strings are not entered correctly in the ANI Server.	Check the community strings on the devices and in the ANI Server Admin application. Then verify that the devices appear in the network view.
Topology Services will not launch, when attempts are made to launch Topology Services an error message states that Topology Services is already running.	If you close the windows that appear when the application is starting up, and then try to relaunch the application, you will receive this error.	Wait for a reasonable amount of time, and then attempt to launch the application. Do not close the message windows that appear when the application is launching.

User Tracking

Use the information in the following topics to help you troubleshoot User Tracking:

•Frequently Asked Questions

•Troubleshooting Suggestions

Frequently Asked Questions

Use the information in these sections to answer some of your common questions:

•How does the User Tracking's discovery process differ from that of the ANI Server?

•How does the ANI Server's user and host acquisition process work?

•Why isn't User Tracking performing ping sweeps on some subnets?

•Why are outdated entries showing up in my User Tracking table?

•How long does User Tracking maintain data?

•Does User Tracking discover users and hosts connected to non-CDP discovered/managed devices?

•How does User Tracking log errors?

How does the User Tracking's discovery process differ from that of the ANI Server?

User Tracking is an ANI client application. ANI provides several types of global discoveries, including:

•Device and physical topology discovery, resulting in baseline network information such as device identity, module and port information, and physical topology. This type of discovery is required for logical, user, and path discovery.

•User discovery, resulting in information about users and hosts on the network.

The ANI Server stores this information in the ANI database. User Tracking discovers the host and user information in the ANI database, correlates this information, and displays it in the User Tracking table.

How does the ANI Server's user and host acquisition process work?

Before collecting user and host information, ANI first must complete a global discovery. During global discovery, ANI generates a device list to determine which switches and routers it should look at to obtain Media Access Control (MAC) and Internet Protocol (IP) address information.

With these device lists in place, the User Tracking service module of ANI performs the following steps:

Process	Description
Performs ping sweeps	Pings every IP address on all known subnets, as long as you have ping sweeps enabled (the default). This updates the switch and router tables before User Tracking reads those tables, ensuring that User Tracking displays the most recent information about users and hosts.
Obtains MAC addresses from switches	Reads the bridge forwarding table from switches. The bridge forwarding table provides the MAC addresses of end stations, and maps these MAC addresses to the switch port where each work station resides.
Obtains IP and MAC addresses from routers	Reads the ARP table in routers to obtain the IP and corresponding MAC addresses.
Obtains host names	Performs a Domain Name System (DNS) look-up to obtain the host name for every IP address.
Obtains user names	Attempts to locate the users currently logged-in to the hosts and tries to obtain their user name or login ID.
Records discovered information	Records the discovered information in the ANI database.

Refer to the ANI online help for further information about ANI Server discovery.

Why isn't User Tracking performing ping sweeps on some subnets?

The criterion for whether or not User Tracking performs ping sweeps on a subnet is the number of hosts in the subnet.

•If a subnet has 256 or fewer hosts, User Tracking performs ping sweeps on that subnet.

•If a subnet has more than 256 hosts, User Tracking does not perform ping sweeps on that subnet.

If ping sweeps are not performed, User Tracking still obtains information from the router and switch mapping tables during a discovery. See the section on Enabling Ping Sweeps for more information.

Why are outdated entries showing up in my User Tracking table?

Outdated entries result when:

•A user or host is assigned to new VLAN/port/VTP domain.

•There has been a power failure.

•A workstation has been turned off, or removed from the network.

User Tracking does not automatically delete outdated end-user host entries. To delete these entries:

•Manually delete them.

Schedule User Tracking to remove them at specified time intervals.

How long does User Tracking maintain data?

Indefinitely, until you delete the information.

Does User Tracking discover users and hosts connected to non-CDP discovered/managed devices?

User Tracking discovers all users and hosts in the network from the list of devices known to ANI. Refer to the Getting Started with the CiscoWorks2000 Server for more information about ANI discovery.

How does User Tracking log errors?

User Tracking uses the ANI Server error log. Refer to the Getting Started with the CiscoWorks2000 Server for more information about ANI discovery.

Troubleshooting Suggestions

Use the information in Table A-2 to troubleshoot the User Tracking application.

Table A-2 Troubleshooting User Tracking

Symptom	Probable Cause	Possible Solution
User Tracking cannot discover any users or hosts.	There may be no information in the ANI database. You must have valid ANI seed device(s) and run ANI discovery prior to running a User Tracking discovery.	See the ANI online help for further information.
User Tracking cannot discover some users or hosts.	The ANI Server might not have discovered one or more devices to which users and hosts are connected.	Check the CiscoWorks2000 topology for the missing devices, make sure that CDP and SNMP are enabled on the devices, rediscover these devices, and verify that they appear on the topology map.
User Tracking table is missing hostname, IP address, and subnet information for some hosts.	User Tracking is not finding the most recent network information. Network changes are not currently reflected in ARP information (routers) or bridge tables (switches).	Enable ping sweeps when User Tracking performs discovery. Ping sweeps are enabled by default.
You made changes to the network and then ran User Tracking discovery, but the changes are not showing in the User Tracking display.	A complete ANI discovery has not finished since you added your changes.	User Tracking discovery is not a full network discovery; it discovers only the user and host data in your network. Changes that you make to your network might not appear after a User Tracking discovery. Try running a complete ANI discovery.

Path Analysis

Use the information in the following topics to help you troubleshoot Path Analysis:

•Frequently Asked Questions

•Troubleshooting Suggestions

Frequently Asked Questions

Use the information in these sections to answer some of your common questions:

•What are the most common operator errors?

•What do the status bar and alert box messages mean?

•What do the different kinds of lines and icons represent in Map View?

•Can I have more than one Path Analysis window open and working at one time?

•What are valid source and destination end-points?

•Does Layer 2 path analysis support tracing virtual connections inside ATM clouds?

•How can I resolve Web browser security issues?

•Why do I have a Layer 2 path with some Layer 2 devices missing?

•How can I troubleshoot a failed Layer 3 path trace?

•If a previously-discovered end-user station becomes unreachable, how do I determine which switch port it is connected to?

What are the most common operator errors?

These are two of the more common errors:

•Incomplete subnet to VLAN/ELAN mapping information. See the "Subnet to VLAN/ELAN Mapping" section in "Tracking Packet Flow Using Path Analysis" for information about providing subnet mappings for VLANs.

•Invalid community strings (SNMP passwords) for managed devices. See the Getting Started with the CiscoWorks2000 Server guide for information about setting community strings for managed devices.

What do the status bar and alert box messages mean?

The following are informational status messages:

•"Trace Completed" means that the trace succeeded.

•"Trace Stopped" means that you intervened to stop the trace prematurely.

•"Trace Running" means that the trace is still in progress and has not encountered any problems.

All other status bar or alert box messages indicate that an error has occurred. See Table A-3 for definitions to the status bar messages and for definitions to the alert box messages.

Table A-3 Status Bar Messages 

Message	Probable Cause	Severity	Possible Solution
`From' field contains bad source endpoint	Invalid string entered for path trace destination.	Low	Confirm From field is a valid IP address or DNS name.
`To' field contains bad source endpoint	Invalid string entered for path trace source.	Low	Confirm To field is a valid IP address or DNS name.
Source and Destination Endpoints are on same device	Not possible to trace path between two IP addresses on one device.	Low	Make sure the To and From entries are not for the same device.
Trace Running	Trace has not yet completed.	N/A	—
Trace Aborted	Error or anomalous situation prevented successful path trace.	Variable	—
Trace Timed Out	Trace attempt exceeded the timeout value (default 4 minutes). Path traces can take up to several minutes to complete.	Variable	Select Edit > Options... and increase the default trace timeout value.
Trace Stopped	User stopped trace.	N/A	—
Trace Completed	Trace completed successfully.	N/A	—
Could not determine first hop	No known hops. The information to determine the first hop is incomplete or inconsistent.	High	1. Make sure the source is within the managed domain and is accessible through SNMP. 2. Verify all community strings. Refer to Getting Started with the CiscoWorks2000 Server. 3. Make sure any end-stations are not multihomed (containing multiple network adapter cards). Path Analysis does not support this configuration.
Could not complete trace	One or more layer 3 hops were determined, but path trace did not reach the destination. Typical causes are: •Trace is being attempted across a firewall. •Access list issues. •Router is configured to block source-routed IP packets.	Variable	1. Choose another destination that is on the same side of the firewall as the source. 2. Verify the access lists on the routers between the source and destination devices, and correct any problems. 3. Check the router configuration on all routers between the source and destination. Make sure none of these routers have source-routed IP packets blocked. (Router configuration should not contain the no ip  source-route statement.)

Table A-4 Alert Box Messages

Message	Definition	Severity	Possible Solution
Could not reach source	No IP connectivity between Path Analysis server and source.	High	Run a path trace between the CiscoWorks2000 server and the source to analyze IP connectivity.
Could not complete trace	One or more Layer 3 hops determined, but trace did not reach destination. Typically results from firewall rules, access lists, or blocked source-routed packets.	Variable	1. Choose a destination on the same side of the firewall as the source. 2. Verify access lists along the path and correct any problems. 3. Confirm that no routers along the path block source-routed IP packets.
Could not determine first hop	No known hops. Information to determine first hop is incomplete or inconsistent.	High	1. Confirm source is in managed domain and SNMP-accessible. 2. Verify community strings. 3. Confirm end-user stations are not multi-homed (containing multiple NICs). Path Analysis does not support this configuration.

What do the different kinds of lines and icons represent in Map View?

The different kinds of lines and shapes in Map View are visual clues, and each has a specific meaning. See the Path Analysis online help for detailed information about interpreting these lines and shapes.

Can I have more than one Path Analysis window open and working at one time?

Yes. Path Analysis supports multiple, concurrent path traces from a single computer.

What are valid source and destination end-points?

There are strict selection criteria for Path Analysis end-points. See the "Valid Trace End Points" section in "Tracking Packet Flow Using Path Analysis," for more details.

Does Layer 2 path analysis support tracing virtual connections inside ATM clouds?

Yes, but only for LANE (LAN emulation).

How can I resolve Web browser security issues?

If you encounter security errors from Microsoft Internet Explorer 5 while launching or running Path Analysis, you might consider making your CiscoWorks2000 server a trusted host. To do this:

1. In Internet Explorer, select Tools > Internet Options....

2. Select the Security tab.

3. Select the Trusted sites icon.

4. Click the Sites... button.

5. Enter the IP address of your CiscoWorks2000 server in the "Add this Web site to the zone" field.

6. Click Add.

7. Click OK.

8. The CiscoWorks2000 server is now listed among your trusted sites.

Why do I have a Layer 2 path with some Layer 2 devices missing?

Two common reasons a Layer 2 path exists with some Layer 2 devices missing are:

•On a Layer 2 path, only CDP devices that are known to Topology Services are shown. Hubs or non-Cisco devices are not shown.

•If there has not been a successful VC trace, the Layer 2 path only includes the LANE devices on the edges of the ATM cloud, not ATM switches inside the ATM cloud.

How can I troubleshoot a failed Layer 3 path trace?

Do the following:

•Determine the meaning of the status bar message. See Table A-3.

•Ping the source and/or destination.

•Perform a traceroute on the source and/or destination device.

If a previously-discovered end-user station becomes unreachable, how do I determine which switch port it is connected to?

View the User Tracking entries for the unreachable end-user station.

Alternatively, you can run a path trace from anywhere else on the network to this end-user station. The last hop appears in Map view as a dotted line (best guess).

Why does an end-user station that is known to User Tracking show as an unmanaged device in Path Analysis?

Path Analysis only uses User Tracking entries that have been discovered in the last 48 hours. If you want to use this end-user station as a source or destination for a path trace, you must perform a User and Node Acquisition in User Tracking or run Discover All in Path Analysis.

Troubleshooting Suggestions

Use the information in Table A-5 to troubleshoot the Path Analysis application.

Table A-5 Troubleshooting Path Analysis 

Symptom	Probable Cause	Possible Solution
Path Analysis client does not launch.	Path Analysis could take up to several minutes to launch because there are many JAR files that must be loaded and processed from the server. There is a problem with the server.	1. Make sure you allow enough time for Path Analysis to load and process the JAR files from the server. You might want to use Internet Explorer, because typically, it performs this operation faster than other browsers. 2. Make sure you have specified the correct URL. 3. Make sure the server is up and running. 4. Select CiscoWorks2000 Server > Administration > Process Management > Process Status to confirm that all required services on the server are up and running. If any required services are not running, start them. Refer to the Getting Started with CiscoWorks2000 Server guide. 5. Reboot the server.
Path Analysis client launches, but error message displays.	Server processes are not running normally.	Select CiscoWorks2000 Server > Administration > Process Management > Process Status to confirm that the ANI server, ANI DB engine, Gatekeeper, EDS-TR, and EDS services are running on the server. If any processes are not running, start them.
Start a path trace and get "undefined seed" error message.	Seed device was not specified in ANI.	Select CiscoWorks2000 Server > Setup > ANI Server Admin > Discovery Settings to define a seed device.
Start a path trace and get "Initial discovery in progress" error.	After the ANI server process has begun network discovery, it takes several minutes (or hours depending on the size of the network) to complete the discovery. When ANI discovery concludes, then user and host acquisition begins. No path trace is possible until both of these processes are complete.	Wait until ANI discovery, User Tracking ping sweeps, and user and host acquisition have completed before starting a path trace. You can monitor the progress of the discovery process in Path Analysis, which gives an indication of all three processes.
Intermittent or recurring Path Analysis performance lag.	You have a misconfigured or non-functional DNS server. Your network is congested. One or more of your devices is too busy to respond to SNMP queries.	Confirm that your DNS servers are operational and properly configured.
Path is discovered, but does not seem to function as shown.	An ACL (access control list) is allowing traffic from your CiscoWorks2000 server to the destination end-point, but is blocking traffic between your source and destination end-points.	None.
No Layer 2 path for a given layer 3 hop.	Layer 2 analysis is possible only when both ends of the Layer 3 hop are managed Cisco devices known to Topology Services or end-user stations known to User Tracking. A question mark icon on either end of the Layer 3 hop indicates that these prerequisites have not been met. Refer to Path Analysis Concepts for more information about prerequisites for performing Layer 2 path analysis.	1. Enable CDP for all Cisco devices. 2. In Topology Services, verify that all devices on this subnet are discovered and SNMP-accessible. If they are not, then verify their community strings and run ANI Discovery again. 3. Verify that end-user stations are listed by User Tracking. If they are not, then run user and node acquisition again, preferably with ping sweeps enabled. 4. If there are VLANs or ELANs associated with this subnet, verify that the subnet mappings are correct for each Layer 3 hop and confirm that Topology Services has complete and accurate VLAN/ELAN information for all interfaces.
Not all Layer 2 devices in the physical path are shown.	Path Analysis displays only those Layer 2 Cisco devices known to Topology Services and end-user stations known to User Tracking. It does not include intervening hubs or non-Cisco or non-CDP devices.	No action required.
No Layer 2 shortcutting (multilayer switching) is shown on the Map view.	Layer 2 shortcuts are supported on Catalyst 5000 switches (including the RSM module). Shortcut information only appears if you have specified the correct write community string. The Catalyst 5000 creates shortcuts on the first few packets in a flow, but they can be aged out. It is possible that a shortcut might not be present when you run a path trace. You can create a shortcut by having the source generate a few packets towards the destination before running a path trace.	If you do not see shortcut information on a Catalyst 5000 device, it might be because a shortcut does not exist or you do not have the correct write community string specified. Select CiscoWorks2000 > Setup > ANI Server Admin > SNMP Settings to confirm that you have the correct write community string specified. (The write community string is used to query the MLS MIB; not to configure the device.)
A LANE segment appears in the Layer 2 trace, and shows connectivity between two LANE clients on either side of an ATM cloud, but does not show the intervening ATM switches.	There was no data-direct virtual channel between the two LANE clients during the trace. There are unsuppored software revisions on ATM switches and LANE cards in the ATM cloud.	See the Cisco documentation available on CCO. Select Cisco Product Documentation > Network Management > CiscoWorks2000 > Campus Manager/CWSI Campus > Supported Devices.
Path Analysis did not find a complete Layer 3 path between the source and the destination devices.	There could be many possible causes.	Check the status bar for messages and check for alert box messages. See Table A-3 and Table A-4.
Table view does not contain the full set of information on Layer 3 interfaces.	Path Analysis collects this information about Cisco devices that are SNMP-reachable and on non-Cisco routers as long as they are SNMP-reachable and are within a subnet that is known to be within the organizational domain. The organizational domain comprises the subnets listed in the Subnet to VLAN/ELAN mapping table.	1. Check the community strings and correct them if necessary. 2. Select Topology Services > View > Display View and confirm Cisco devices are SNMP-accessible (green icon). 3. Check the Subnet to VLAN/ELAN mapping table and make sure that the subnet of the device is listed. Refer to the "VLAN/ELAN Subnet Mapping Table and Layer 2 Tracing" section.