MASTER YOUR CASTLE with your new build or reno project
Enter competition

Data Center Expert | Alarm "Device status may be inaccurate due to attempt to transfer DDF failed"

FA177004

30/04/2019

Issue:
   StruxureWare Data Center Expert message "Device status may be inaccurate due to attempt to transfer DDF failed"

Product Line:
   StruxureWare Data Center Expert (DCE)
   APC Networked Devices

Environment:
   StruxureWare Data Center Expert (all versions)
APC Network Management Card (NMC)

Cause:
   Data Center Expert uses device definition files (DDFs) to understand what information to poll from a discovered device.  During the discovery of APC devices and after a firmware update of an APC NMC, Data Center Expert will attempt to download a DDF file (ddf.zip) from the device using either FTP or SCP (SSH).  If the server is unable to perform this transfer, you will see a message stating "Device status may be inaccurate due to attempt to transfer DDF failed".

Resolution:

Device Definition File Transfer Process
   1) A condition occurs that causes Data Center Expert to reach out to the device to pull down the DDF.
   2) Data Center Expert attempts to connect to the device using passive FTP/SCP using credentials and ports defined within: DCE Desktop Client > Device menu > SNMP Device Communication Settings > Device File Transfer Settings.
   3) A connection to the device is established and then an ephemeral port connection is established in it's place.
       NOTE: Ephemeral ports are ports that range from 1024 to 65535.  A connection is established over an ephemeral port to allow multiple FTP/SCP sessions to occur at the same time.
   4) The ddf.zip file from the device is transferred from the NMC to DCE.

Checking APC NMC log files to determine possible cause
   1) Log into the Data Center Expert Desktop Client using administrator credentials.
   2) Within the monitoring perspective, right-click on the device and select Request Device Scan.
       NOTE: This step is to ensure that the DCE connection attempt is logged recently in the NMC Event Log.
   3) Log into the web interface of the APC NMC using administrator credentials.
   4) Logs Menu > Events > Log.
   5) There are three different possible options:

Detected an unauthorized user attempting to access the FTP/SCP interface from DCE_IP_Address.
   DCE attempted to log into the device using credentials that are not defined within the NMC as administrator.  Follow the steps below for verifying DCE Device File Transfer Settings.

No entries for FTP/SCP access
   
DCE was unable to make a connection to the NMC over FTP/SCP.  This is due to one of the following:
   - FTP/SCP may not be enabled on the device or ports may be incorrect, see section Enabling FTP/SCP on APC NMC.
   - Specified FTP/SCP ports are blocked on the network, see section Network Firewall or ACL.

FTP/SCP user 'username' logged in from IP_Address / FTP/SCP user 'username' logged out from DCE_IP_Address
   DCE was able to make a successful connection to the device over the specified FTP/SCP port, but was not able to establish a passive FTP/SCP connection to the device.  For additional information on passive connections over ephemeral ports, see section Network Firewall or ACL.

Enabling FTP/SCP on APC NMC
NOTE: Only FTP or SCP need to be enabled for Data Center Expert to retrieve the essentials alerts device definition file.

After FTP/SCP settings are verified, correct the credentials listed within Data Center Expert.  For instructions see section DCE Device File Transfer Settings.

FTP NMC firmware version 6.X
   1) Log into the web interface of the APC NMC using administrator credentials.
   2) Configuration Menu > Network > FTP Server.
   3) Ensure that the Enable checkbox is checked.  Also take note of the port number, by default it is 21.

SCP NMC firmware version 6.X
   1) Log into the web interface of the APC NMC using administrator credentials.
   2) Configuration Menu > Network > Console > Access.
   3) Ensure that the Enable checkbox is checked for SSH.  Also take note of the port number, by default it is 22.

FTP NMC firmware version 3.X-5.X
   1) Log into the web interface of the APC NMC using administrator credentials.
   2) Administration Tab > Network Sub-tab > FTP Server.
   3) Ensure that the Enable checkbox is checked.  Also take note of the port number, by default it is 21.

SCP NMC firmware version 3.X-5.X
   1) Log into the web interface of the APC NMC using administrator credentials.
   2) Administration Tab > Network Sub-tab > Console > Access.
   3) Enable an option for SSH.  Also take note of the port number, by default it is 22.

DCE Device File Transfer Settings
   NOTE: It is recommended that as few entries as possible apply to any one single device within the device file transfer settings.

   1) Log into the Data Center Expert desktop client using administrator credentials.
   2) Device menu > SNMP Device Communication Settings > Device File Transfer Settings.
   3) Ensure that there is an entry created in this screen that applies to the device with the settings from the APC NMC.  Note that credentials provided must be the NMC Administrator account credentials.
       NOTE: Wildcards and dashes can be used to specify ranges, for example: *.*.*.* (all devices), 10.10.*.*, 10.10.17.1-20, 10.10.10-17.*
       NOTE: If all of your devices use the same username/password, you will only need one entry within the Device File Transfer Settings screen.  If every device uses a unique set of administrator credentials, an entry will need to exist for each device within the Device File transfer settings screen.

Network Firewall or ACL (Access Control Lists)
   If FTP/SCP is fully blocked on the network between DCE and the NMC there will be no events within the NMC Event Logs.  This is because the connection request never gets to the NMC across the network.  You must work with your local network administrator to unblock the required ports and allow passive connections over ephemeral ports as well.

   If there are successful login/logout messages from DCE within the NMC Event Logs, the connection over the specified FTP/SCP ports is not blocked on the network.  Once a connection is established between DCE and the NMC an ephemeral port connection is then established in place of the main connection.  If ephemeral ports are blocked on the network, the connection will not be able to be established and then the main FTP/SCP session is closed.  Ephemeral ports are any port numbers from 1024 to 65535.  You must work with your network administrator to allow connections utilizing ephemeral ports.  There is no way to disable the use of ephemeral ports.
 
Additional Information & Troubleshooting:

My company is unable to allow FTP/SCP access between DCE and the devices
- FTP is insecure and blocked on most internal networks.  If FTP is not avaialble for use on your network, try utilizing SCP.
- There is currently no way to disable the alarm or manually import the essential alerts DDF file from the device into DCE.

Rack ATS AP44XX DDF transfer issue still occurs after troubleshooting steps listed above
- It has been seen in the AP44XX series Rack ATS firmware (ats4g 6.4.7 or 6.5.0) that this message may occur due to a firmware related issue. If you have this version of firmware and see this error, please upgrade to the most recent firmware (AOS 6.5.0 with an ats4g 6.5.1). This firmware is available for download on the APC web site as well as in the newest StruxureWare DCE firmware catalog.