Resetting ARN Site Manager "Community" 2

[brownmcse]

I have inherited an ARN router running rel/13.20/ with a missing Manager password, which I have since reset. The "Community" for the Site Manager was also "lost", so what I am looking for is the procedure for resetting the community from the TI. Can this be done?

 

[netmanrick]

Yes,with Site Manager or the TI interface,or you can Telnet to the box and do it.

Rick Harris
SC Dept of Public Safety-DMV
Network Operations

 

[brownmcse]

Thanks for the quick reply. I do NOT have access to the router through Site Manager because I do not have the correct "Community". So to other part of my question since the "Community" reset can be done from the TI what are the specific commands to reset or change a lost "Community" for the Site Manager? This is a production router so I cannot experiment until I get something to work. TIA

 

[Brat]

Hi, brownmcse

Do you have other Nortel Networks AN,ARN, ASN or BLN router it is quite simple:

1. Take flash card out of you booted and working ARN unit
2. Boot second router with known manager passwd /community string
3. Put your ARN card to working AN,ASN,BLN unit
4. Download config file using TFTP from flash card you just have installed in new router
5. if you have config file on your workstation you can find community string using standard text editor

On nortel BayRS routers community string is written in config file using plain text, so you can read it quickly.

Second method:
follow steps 1,2,3,4 as in first example

4. Using SiteManager tool open local config file
5. Change all desired options including community string
6. Upload it to your ARN flash card which should be installed in working AN, ASN, BLN router
7. Put card back to your ARN router
8. Reboot ARN, and you have an accessible router

Hope it helps

Brat

 

[brownmcse]

Thanks for all of your advice and the procedures…One major malfunction…, I do NOT have access to another Bay router.

You said the “Community” is written in plain text in the config…………I have access to the config through the TI is there a way to see read the files off the flashcard?
Gordon

 

[crazynoodle]

Try this at the TI to see what the community name is

get wfSnmpCommEntry.*.1

and again

get wfSnmpCommEntry.*.2

Good luck

~CN~

 

[brownmcse]

Thank you crazynoodle that worked as far as pulling the community however I still cannot gain access to the router and that I am quickly losing my patience over.... What I need to do is remove one route, remove a circuit and test, and then save the config file to the flash. I've tried starting BCC and I receive the error [1:TN]$ bcc
** Error ** Unable to load bcc command from file system.
Loadable Module: bcc.exe. Do you have a minute offline to talk or any other very helpful suggestions? Again TY for the above get command that worked.

 

[Brat]

Hi, brownmcse

Probably you don't have bcc.exe compiled in system kernel, or you don't have enough memory installed. BCC works only with 16MB and more.

Brat

 

[Jynxx]

Brownmsce, what do you mean that you can't get access to the router? You have the community string from the direct MIB get, and you have the Manager password...that's all you need. You can telnet to it and you can use Site Manager when you know both.

In terms of your BCC being unable to load, try loading bcc 4 or 5 times if it keeps failing. I know it sounds stupid, but i have that happen occassionally. It will fail to load, but if you try again, 9 times out of 10, it will work. I have also had it where I needed to reboot the router before I could get into BCC. It DOES have to ususally do with lack of memory. Generally, a carved image file will and turning off unneeded processes will due the trick, but not always. Sometimes you just need more memory.

If you do the following fromt he TI

Clearlog
bcc (then if it fails, due the following)
log -fftwid

That will show you the reason WHY it failed. If it doesn't say anything about memory, and after a reboot, BCC still doesn't work, call Nortel support.

However, noticing that you are trying to go into BCC to make settings...if you are not really familiar with Bay routers, you will get frustrated rather quickly. While it is like Cisco IOS in some ways, it's a bit more archaic. Your best bet, now that you know the community string, is to use Site Manager to change it.

 

[crazynoodle]

I can't remember the exact SNMP MIB but I am betting that someone set it to a specific IP address for Management - meaning that you will either have to remove this entry or at the very least find out what it is and configure your PC to use it. I dont have access to a Bay/Nortel router at the moment but at the TI type an "l" (list) -there will be a lot of information but find the mibs that start with

wfSNMP********** and copy and paste them into a post - once I see I might remember what MIB is and we can probably delete the entry.

Good Luck.

 

[brownmcse]

Crazynoodle, here are the mibs that started with wfSNMP.

wfSnmp = 1.3.6.1.4.1.18.3.5.3.5.1
wfSnmpCommEntry = 1.3.6.1.4.1.18.3.5.3.5.2.1
wfSnmpMgrEntry = 1.3.6.1.4.1.18.3.5.3.5.3.1
wfSnmpTrapEntityEntry = 1.3.6.1.4.1.18.3.5.3.5.5.1
wfSnmpTrapEventEntry = 1.3.6.1.4.1.18.3.5.3.5.6.1
wfSnmpViewEntry = 1.3.6.1.4.1.18.3.5.3.5.7.1


Thanks you have been a great help.

 

[crazynoodle]

try this at the TI

g wfSnmpMgrEntry.*.1 if that doesnt work

try l -i wfSnmpMgrEntry <enter> (thats a l for List and -i for instances)

(this should list all instances of the SnmpMgrEntry - which in this case would be the IP address I am suspecting is set)

Post the output here when you can.

Good Luck.

 

[brownmcse]

[1:TN]$ g wfSnmpMgrEntry.*.1
get: The following number of objects do not exist or are not accessible: 11

[1:TN]$ l -i wfSnmpMgrEntry
inst_ids = 1.192.168.1.88
1.20x.xxx.xxx.163
1.20x.xxx.xxx.164

[1:TN]$
According to the last person to work on the ARN those numbers appear to be old numbers from a previous company. The number I use for TI is in the 20x.xxx.xxx.1xx range and access via TI is no problem. I just finished installing the SM on another NT machine and no luck.

 

[crazynoodle]

So you are able to telnet to the ARN using the 20x.xxx.xxx.1xx subnet - if this is true - I would say make sure you are 20x.xxx.xxx.163 or .164 because now you know the community name and now you know what addresses were allowed to manage the box via SNMP.

also I didnt know I couldnt put my email address here

 

[GTomte]

Hello!

First of all, try:
$ show snmp comm

SNMP's Valid Management Community Types:

Community Community
Name Access
--------------- -------------
public Read/Write

SNMP's Managers and their Respective Communities:

Manager Manager Trap Trap Community Community Circuitless
Address Name Port Type Name Access Trap
--------------- ------------ ----- -------- ----------- ---------- -----------
0.0.0.0 162 Generic public Read/Write Disabled


This gives you the name of all communities, and which Managers (IP addresses) that are allowed to access the router. It also says which access you have to the router (read only or read/write)

To change any of this parameters with the TI mib:
$ g wfSnmpCommEntry.3.*
wfSnmpCommEntry.wfSnmpCommName.1 = &quot;public&quot;

This says that the &quot;public&quot; community is with index &quot;1&quot;. To view the name with TI mib:
$ g wfSnmpCommEntry.3.*
wfSnmpCommEntry.wfSnmpCommName.1 = &quot;public&quot;

To change the name with TI mib:
$ s wfSnmpCommEntry.3.1 &quot;testing&quot;
$ commit

$ g wfSnmpCommEntry.3.*
wfSnmpCommEntry.wfSnmpCommName.1 = &quot;testing&quot;

To change the access level from read only to read/write:
$ s wfSnmpCommEntry.4.1 2 (The 4 is for &quot;wfSnmpCommAccess&quot;, the 1 is the index number for the communityname you are working with and the 2 is for changing the accesslevel to read/write.

$ commit

To add a manager, or change it, you can do this first:
$ g wfSnmpMgrEntry.1.*
wfSnmpMgrEntry.wfSnmpMgrDelete.1.0.0.0.0 = 1

This shows you all Managers that are configured. The 1 is the indexnumber for the community you are working with. If the Manager is something different from 0.0.0.0, you should do it like this:
$ s wfSnmpMgrEntry.1.x.0.0.0.0 1 (x is the indexnumber for the community)

$ commit

To create a new community with read/write, for all managers:

$ s wfSnmpCommEntry.3.10 &quot;jumbo&quot; (Sets the community name)

$ s wfSnmpCommEntry.4.10 2 (Sets the community to read/write)

$ s wfSnmpMgrEntry.1.10.0.0.0.0 1 (Adds manager 0.0.0.0 to the community, which means that all managers are allowed to access the router)

$ commit

$ show snmp comm


SNMP's Valid Management Community Types:

Community Community
Name Access
--------------- -------------
jumbo Read/Write

SNMP's Managers and their Respective Communities:

Manager Manager Trap Trap Community Community Circuitless
Address Name Port Type Name Access Trap
--------------- ------------ ----- -------- ----------- ---------- -----------
0.0.0.0 162 Generic jumbo Read/Write Disabled


Try this! Good luck!

If you need help with the static route via TI mib, just tell me, then:
$ g wfIpStaticRouteEntry.1.*
wfIpStaticRouteEntry.wfIpSrCreate.0.0.0.0.0.0.0.0.1 = 1

And so on.....

Regards
G. Tomte
Working with:
- Nortel Networks, Routers, switches
- Alteon
- CacheFlow
- Blue Coat

 

[brownmcse]

First, I want to say Thanks to the group for all of the responses. Several were extremely helpful and got me on the correct path to eventually resolving the ARN access issues completely.

I apologize for the late update; family health issues have taken a front seat for a while.

Again, Thanks to all.
Gordon