CS1000 Rel 6.0 MGC issue (SEC0027 account locked up)

[ktse1210]

Hi there,
I am setting up and going to upgrade a Rel 3.0 system to a Rel 6.0. The system is made up of 2x standalone CPPM CS (VxWorks and HA system), 2x CPPM SS (Linux-based) and 5x MGCs (VxWorks)

I am able to get Primary Security Server setup. Got UCM up and running. Deployed the EM+SS+NRS. I managed to get the CPPM CS to join the security domain. I did earlier successfully get the first 3x MGCs (out of the 5x MGCs as stated above) to join the security domain too. Why 3x as you might ask? Well, as I am staging this in my office lab, I do not have enough cabinets to go around.

Anyway, somehow I made a booboo and deleted off the 3x MGCs off the UCM Element's list. Now, I am trying to re-add them in by going into the MGCs' OAM prompt and guess what?

The UCM (centralized authentication) login and password does not work. I tried with the default login and password (of a non-centralized authentication) and it failed too.
So, I tried using "resetPWD" at the OAM prompt with the MGC.
After that, it did let me use the new PWD2 or PDT2 login and password BUT it does not give me the prompts and just got stuck there.
When I rebooted the MGCs, I can see the SEC0027 error message appearing "Failed to load the account database, all system accounts are locked out."

I have looked up the Nortel website and tried the below and still failed. (It worked for the CPPM CS but NOT the MGCs):




Solution Detail


Unable to login into vxWorks devices

--------------------------------------------------------------------------------

Problem Description
The customer cannot login to vxWorks Devices, such as the Call Server CS), Media Gateway Controller (MGC), or Media Card 32 Secure (MC32S). Devices registered with the sec domain should use the login/password created in Unified Communications Manager
(UCM). Devices not registered with the sec domain should use login/password previously used for that database (admin1/admin2).

Cause of Problem
The device is unregistered from the security domain and accounts have been locked out.
Problem Resolution
If access if not successful using the login/password created in UCM or the previous admin1/admin2, the following command can be used to recover.

Note: A technician must be on site with the installation media.

pdt> resetCAUTH

Follow the prompts which include inserting the installation media for the CS. This disables the centralized authentication and enables the user to login using the admin1/admin2 that was previously configured for that database. The device should then be ready for sec domain registration.
Affected Products
Enterprise VoIP Core CS 1000E 6.00D
Enterprise VoIP Core CS 1000E 6.00H
Enterprise VoIP Core CS 1000E 6.00L
Enterprise VoIP Core CS 1000E 6.0B
Enterprise VoIP Core CS 1000M Chassis/Cabinet 6.00D
Enterprise VoIP Core CS 1000M Chassis/Cabinet 6.00H
Enterprise VoIP Core CS 1000M Chassis/Cabinet 6.00L
Enterprise VoIP Core CS 1000M Chassis/Cabinet 6.0B
Enterprise VoIP Core CS 1000M Half Group 6.00H
Enterprise VoIP Core CS 1000M Multi Group 6.00D
Enterprise VoIP Core CS 1000M Multi Group 6.00H
Enterprise VoIP Core CS 1000M Multi Group 6.00L
Enterprise VoIP Core CS 1000M Multi Group 6.0B
Enterprise VoIP Core CS 1000M Single Group 6.00D
Enterprise VoIP Core CS 1000M Single Group 6.00H
Enterprise VoIP Core CS 1000M Single Group 6.00L
Enterprise VoIP Core CS 1000M Single Group 6.0B



Is there anyone who knows how I can totally clear the MGCs so that I can re-configure them again please? Getting desperate now.

Regards,
Kelvin

 

[dasan64]

Hi Kelvin

use CLI and type ctrl+ldb

then


1: mgcIPClear
2: diskFormat
3: reboot -1

MGC Card should be set to factory default.

regards

Andreas

 

[dasan64]

sorry,

before ctrl+ldb you have to login to MGC

 

[ktse1210]

Hi Andreas,
I have tried logging into the MGC and it failed, hence this problem I am addressing now.

I tried using the UCM login/pwd, it does not work. I guess it is because it is not registered to the security domain anymore. So, I tried using the default login/pwd from the CS on the MGC, it failed too.

So, I tried to do a "resetPWD" on the MGC on both PWD2 and PDT2 level, then I tried logging into both LDB (Ctrl + LDB) and even OAM (Ctrl + OAM), it did accept the login/pwd BUT I just get no prompts response back like this ---> OAM> or LDB>. Seems like it just got stuck and I tried typing I get no response back.

When you said type in those commands like mgcIPClear, diskFormat, etc...Can I type that in when I am at the Username Prompt for Ctrl + LDB
OR
those commands only work when I have logged in successfully to the LDB (e.g. typing in mgcIPClear when I see LDB> ) Like I stated before, I can't get to it as when I login to the MGC, I just get stuck without any LDB prompt response.

Erm....hope my explanation above is a little clear.



Regards,
Kelvin

 

[one234]

Hi,

Is the MGC registered to the CS? If so, did you try to register/add it to the security domain using LD 117?


Marc D.

If Bill Gates had a nickel for every time Windows crashed... Oh wait, he does...

 

[ktse1210]

Hi Marc,
Yes, it is registered to the CS. I already did the LD 117, "register ucmsecurity system", I can see the CS successfully registering and it appears on the UCM's Element list. However, I still do not see the list of MGC's registering.

From the Element Manager, I can get to the MGCs using Virtual Terminal, however...the login/pwd does not work.

Regards,
Kelvin

 

[ktse1210]

BOINK! Anyone here? Anyone can help??

 

[odave]

Hi ktse1210,

In LD 22 can you PRT PSWV and post it here? I'm looking for what revisions of loadware you have on your system.

d

 

[ktse1210]

Hi D,
Sure thing. Here's the LD 22 PSWV printout:

REQ prt
TYPE pswv
PSWV VERSION: PSWV 100+
LCRI:
VERSION NUMBER: AA02
XNET:
VERSION NUMBER: AC23
XPEC:
VERSION NUMBER: AC43
FNET:
VERSION NUMBER: AA07
FPEC:
VERSION NUMBER: AA08
MSDL:
VERSION NUMBER: AJ73
SDI:
VERSION NUMBER: AH51
DCH:
VERSION NUMBER: AA72
AML:
VERSION NUMBER: AK81
BRIL:
VERSION NUMBER: AK83
BRIT:
VERSION NUMBER: AK82
MISP:
VERSION NUMBER: AJ71
BRSC:
VERSION NUMBER: AJ71
BBRI:
VERSION NUMBER: AH54
PRIE:
VERSION NUMBER: AA87
BRIE:
VERSION NUMBER: AK89
ISIG:
VERSION NUMBER: AA33
SWE1:
VERSION NUMBER: BA53
UKG1:
VERSION NUMBER: BA51
AUS1:
VERSION NUMBER: BA49
DEN1:
VERSION NUMBER: BA48
FIN1:
VERSION NUMBER: BA49
GER1:
VERSION NUMBER: BA54
ITA1:
VERSION NUMBER: AA54
NOR1:
VERSION NUMBER: BA49
POR1:
VERSION NUMBER: BA49
DUT1:
VERSION NUMBER: BA50
EIR1:
VERSION NUMBER: BA49
SWI1:
VERSION NUMBER: BA53
BEL1:
VERSION NUMBER: BA49
SPA1:
VERSION NUMBER: BA51
NET1:
VERSION NUMBER: BA48
FRA1:
VERSION NUMBER: BA52
CIS1:
VERSION NUMBER: BA48
ETSI:
VERSION NUMBER: BA48
E403:
VERSION NUMBER: BA07
N403:
VERSION NUMBER: BA05
JTTC:
VERSION NUMBER: AC08
TCNZ:
VERSION NUMBER: AA13
AUBR:
VERSION NUMBER: AA14
AUPR:
VERSION NUMBER: AA04
HKBR:
VERSION NUMBER: AA06
HKPR:
VERSION NUMBER: AA08
SING:
VERSION NUMBER: AA15
THAI:
VERSION NUMBER: AA07
NI02:
VERSION NUMBER: AA26
T1IS:
VERSION NUMBER: AA10
T1ES:
VERSION NUMBER: AA09
ESGF:
VERSION NUMBER: AC30
ISGF:
VERSION NUMBER: AC31
ESGFTI:
VERSION NUMBER: AC29
ISGFTI:
VERSION NUMBER: AC31
INDO:
VERSION NUMBER: AA06
JAPN:
VERSION NUMBER: AA16
MSIA:
VERSION NUMBER: AA04
CHNA:
VERSION NUMBER: AA04
INDI:
VERSION NUMBER: AA03
PHLP:
VERSION NUMBER: AA02
TAIW:
VERSION NUMBER: AA03
EAUS:
VERSION NUMBER: AA02
EGF4:
VERSION NUMBER: AC14
DCH3:
VERSION NUMBER: AA10
PUP3:
VERSION NUMBER: AA14
T1E1:
VERSION NUMBER: AA19
DITI:
VERSION NUMBER: AA40
CLKC:
VERSION NUMBER: AA19
3902:
VERSION NUMBER: AA84
3903:
VERSION NUMBER: AA90
3904:
VERSION NUMBER: AA93
3905:
VERSION NUMBER: AA93
MGC, MGX and MGS:
CSP VERSION: MGCC AM08+
MSP VERSION: MGCM AB01+
APP VERSION: MGCA AA07+
FPGA VERSION: MGCF AA16+
BOOT VERSION: MGCB AL60+
DSP1 VERSION: DSP1 AB01+
DSP2 VERSION: DSP2 AB01+


REQ




I have installed the most current loadware onto the MGCs already. Any thoughts?

Regards,
Kelvin

 

[ktse1210]

Hi Guys,
I finally managed to get the MGC to do a respin on the Gold Image and I did a diskformat on the CF card.
I rebooted the MGC and when it came back up, it found the Call Server and it began updating it's loadware.
Once that is completed, the MGC rebooted and it came back up registering to the Call Server. However, the error message SEC0027 error message is still present.
So, I still can't use any login/pwd to get access through.

I am really tempted to blow away the Call Server, the re-install the hardware and migrate the database again from Rel 3.0 to this Rel 6.0.

 

[teekow]

I just got done with the class for UCM and this sounds like a scenario that the instructor talked about. Try recreating the Secure FTP Token within UCM to see if that does it. Also, there is a command in LD 117 related to this somehow. It is ENL TRANSFERS SECURE. It almost sounds like you added the MGCs in question after your call server was already added.

One more note I have is for adding an MGC card manually use joinSecDomain command from MGC command line.

Maybe this will help.......

Good Luck
Rob

 

[ktse1210]

Thanks Rob. Wow...famous scenario that has just happened now.
Anyway, I can try to recreate the Secure FTP Token in UCM.
Once I've done that, should I reboot each of the 5x MGCs?

As the MGCs are registered to the Call Server but I know they are still hanging in limbo and not registered with the UCM as when I do a "stat ucmsecurity system", I can't see the MGC Elements registered.

For LD117, "enl transfers secure", when do you think I should be issuing this command?

Yes, my Call Server was added in first then 3x MGCs which was successful initially, until I deleted the 3x MGCs out. Now I can't even get any of the 5x MGCs to register to the UCM due to that fregging (SEC0027) system accounts are locked out.

Yea, I won't be able to use the joinSecDomain command until the system account is unlocked so that I can get access to the MGC's OAM prompt.

 

[odave]

You're MGC loadware is up to date. Did you solve this issue? I've seen it in the past were rebuilding the signalling servers rectified the problem.

 

[ktse1210]

I've managed to resolved the issue. The vendor's engineers were also in a wonder over this. I managed to find out what was causing the MGCs's accounts to get locked out.
It was actually due to the fregging loadware. Not all the 7x loadware is supposed to be uploaded to the CS. Out of the 7x there was only 3x that can be used for Rel 6.0.
Once I found that out, I yanked the rest out from the CS and rebooted the MGCs. The MGCs then one by one re-registered to the CS and re-sync'ed it's loadware with the CS. Once that's done.....lo and behold, I can finally login to both the MGC's OAM and LDB prompt.
Somehow, the vendor then produced a bulletin for Rel 6.0 that shows you want loadware is recommended. Sigh.

Anyway, it's all good now. I can dare say I managed to build up the new Rel 6.0 system now.

 

[odave]

Good call. I double checked on ESPL and found this in the loadware liner notes:

Description
Applicable H/W Platforms:
CS1000E MGC IPMG
Applicable S/W Platforms:
CS1000 Release 5.0/5.5 <---------- IMPORTANT!!!
Patches Dependencies: None

Product Dependencies: None
Size: 1692 KB
System Impact:
A reboot of MGC will be performed after the loadware is installed.
Does patch application force reboot: Yes
Other impacts: None
Limitations: No known limitations
Patch Removable: Yes
Description:
Mindspeed loadware for DSP low density daughter board.
Superseded Patches:
Supersedes loadware DSP2AA12.LD