Cisco security manager deployment issue with invalid command

Running CSM 3.3.1, to manage an 800 series pre-configured router.
The router has a number of policy ACLs and class-maps configured. When the config is imported to CSM, a number of warnings are seen reporting that some of the interfaces are unprotected by ACLs, which is correct; no serious errors are reported and the device is successfully imported.
But when I look at the configuration within CSM, none of the ACLs or the class maps are shown.
Also, when I configure some feature on the router, during the deployment phase I get an error indicating that there is an invalid protocol under one of the class maps associated with an interface. The protocol in question is bittorrent. This error prevents deployment of my changes. In fact this causes my client to hang; eventually, if I close the application, Windows reports that the issue is caused by javaw.exe failing to respond.
If I take out the bittorrent protocol under the class map then all seems well.
So, I thought flexconfigs would resolve this, enabling me to import the config with the unsupported command. I created a flexconfig with the class map and the invalid protocol. When I re-imported the device, there were still a lot of configuration features that are on the router but are missing in CSM.
I'm not sure how to resolve this, the router was not configured through CSM in the first place.

Update to this: the CSM is also altering firewall configurations. If I import a configuration from an ASA running 8.0.4 code, then compare that configuration to that running on the same ASA, there are quite a few differences. Some of these are not items that CSM reports as requiring Flexconfig support, which concerns me.
This is not the first time I've seen this occur, customer is concerned about the reliability of the way this system handles configurations, and I cannot explain why it exhibits this process.
Anyone else seen this, and found a workaround?

Similar Messages

  • CSM Cisco Secure Manager - deploy a Blank configuration!

    Hi all,
    Need some help. A CSM, v.4.8, has just been installed. It adds a device and its configuration from the network, a FW ASA 8.3, correctly.
    I make a change on the local policy and as soon as I make a deploy to the device it starts doing a:
    no xxxx
    no xxxx1
    no xxxx2
    for each line of the current configuration! So it deletes all!
    I am missing a point in here. The user guide says that I have to bind a policy to the device, but I do not know how to do that easy step.
    thanks in advance for the help
    Regards
    José

    Security Manager does not currently leverage object groups for ACL objects used in VPNs. An enhancement bug has been filed under CSCsl20196 and is something we are looking to address in the upcoming Security Manager 3.2 release due late 1QCY08.

  • Cisco Security Manager IOPS for Storage (VM Deployment)

    Hi,
    I've been asked by a client about the Cisco Security Manager requirement to have 1TB of storage for events and another for archiving.
    They wish to know the IOPS requirement for this storage. Please could anyone assist with this?
    Many thanks,
    Mark

    Hi,
    I'm not sure that I can really help you, but I can verify that on my CSM 4.5 server, which is running normally, that service has a startup type of automatic and is in the "Started" state.
    You may want to check your system and application event logs to see if there are any messages that could explain why it stopped.
    Regards,
    Matt

  • FlexConfigs in Cisco Security Manager 3.2.1 SP1

    Hi,
    I have a problem with Cisco Security Manager 3.2.1 SP1 (fresh install).
    When I create a FlexConfig with any IP AUDIT commands or VPDN (for PPPoE config), every time I deploy the configurations to file the flexconfig is repeated in the configuration. The behavior is the same on PIX and ASA configurations.
    If I deploy to my devices 20 times then I'll have the same line 20 times in the configuration!
    Any way to solve that problem in CSM??
    The server is Win 2003 Standard English and there's absolutely nothing else than CSM installed on it...so??

  • Cisco Security Manager 3.2.1 Sp1 and Public Key Infrastructure

    Hi, all!
    Recently I created a configuration on a PIX (FOS 7.2.4) with Cisco Security Manager 3.2.1 Sp1 to allow it to work with certificate-based authentication of VPN connections. CSM created the necessary commands (and unfortunately many necessary commands were left unsupported too). But every time I upload a new configuration (even with untouched PKI configuration) CSM adds the following command - "crypto ca enroll CA-NAME noconfirm".
    Right now I have created a FlexConfig which just does "no crypto ca....". And it works. But is there a cleaner solution? Why do I need to enroll on every deployment?
    Wait for answers.
    With best regards
    Maxim

    Hello,
    I'm having the same problem for one of our customers, but flexconfig didn't work!
    Can you please be more specific about what exactly you did? Flex config doesn't remove the generated command; it's adding the no crypto ca enroll 'trustpoint name' after the generated crypto ca enroll 'trustpoint name'.
    I've also been looking for related bugs but didn't find any!
    Regards

  • Cisco Security Manager, need global search, i.e. filters are not good at all

    Does anybody know how to work effectively with security manager and filtering?
    It is extremely time consuming and frustrating to work with Cisco Security Manager in regards to search for entries or filter. I have not been able to find some kind of global search, is there?
    How do other people cope with this?

    It appears to have been a temporary issue as the backup is running fine again now... closing the thread.

  • Failed to setup Velocity Engine ... in Cisco Security Manager

    Anyone having problems trying to validate syntax in a FlexConfig in Cisco Security Manager?
    CSM version 4.4.0 SP2
    Java 1.6.0_14-b08
    I have heard that there are issues with earlier versions of Java.
    I have also heard that this problem was fixed in CSM
    Any ideas anyone?
    Adrian

    I believe this is where you need to run CSM Configuration Manager as Administrator.  I had that issue, and I think the note about this is in the Install Guide.
    HTH
    Paul

  • Install Cisco Security Manager 4.7 on Hyper-V

    Hello,
    Our customer wants to install Cisco Security Manager on a Virtual Machine virtualized with Hyper-V. The documentation only mentions installing the software on a Virtual Machine on VMware systems.
    Can we install without problems, and will the installation be supported by TAC if we need to open a support case?
    Best Regards,
    David

    While it should work (since CSM is basically an application running on a Windows server), it is not a system that meets the requirements of the Installation Guide.
    So... if the TAC found an issue related to that setup when you needed their help, they'd be within their rights to say your installation is unsupported.

  • Installing Cisco Security Manager

    I would like to uninstall and reinstall my Cisco Security Manager 3.0 since 3.1 has been taken off the market for the time being.
    Is there a step by step process that I would have to take to install this with standard install, Service packs and patches?
    In a nutshell, I would like to do a complete reinstall and be fully operational when completed.
    Thanks

    Cisco Security Manager (Security Manager) enables you to configure, deploy, and manage services and policies on Cisco security devices. With Security Manager, you can provision VPN and firewall services across multiple, different device types, including IOS routers, firewall devices (PIX and ASA), Catalyst 6500/7600 devices, and Catalyst security services modules (VPN, FWSM, and so on). On some device types, you can also provision platform-specific settings such as QoS, SNMP, and routing, even though these settings are not necessarily security settings.

  • JEE WebSphere Management Pack: Issue with 8.5.5 Discovery

    Is WebSphere Application Server 8.5.5 supported as a discoverable JEE Application Server within System Center Operations Manager 2012 R2? We have tried just about everything at this point....
    Currently Running JEE IBM WebSphere 8 Application Server MP version 7.3.2135.0
    Agent Running as Proxy
    RunAs account created and bound to server
    BeanSpy deployed and functioning via query.
    Universal Discovery used with no success. (NewJ2EEAppServer.ps1 does not accept version 8 of WebSphere).
    Any help would be appreciated

    Hi Deem13,
    Please look at these posts:
    http://blogs.technet.com/b/random_happy_dev_thoughts/archive/2012/05/21/manually-discovering-jee-application-servers-with-scom-2012.aspx
    http://social.technet.microsoft.com/Forums/systemcenter/en-US/d15bc060-a071-4063-bf5d-c4ec9f0d8cbb/jee-websphere-management-pack-issue-with-discovery?forum=operationsmanagermgmtpacks
    http://blogs.inframon.com/post/2012/04/27/WebSphere-monitoring-with-the-JEE-Application-Performance-Monitoring-management-packs.aspx
    Natalya

  • Unable to Install Cisco Security Manager

    Hi,
    I'm facing an issue when trying to install Cisco Security Manager on my Windows Server 2008.
    I have attached the print screen of my server version and error message.
    The error message mentioned that it was due to an unsupported OS or terminal service.
    But I checked, and it shows that my Windows Server was the recommended version and no terminal service has been enabled.

    Hi Vincent,
    Please understand that Windows Server 2008 R2 Enterprise Server is not the same as Windows Server 2008 Enterprise Server. I had faced the same problem earlier. The R2 version is supported only from CSM 4.1 onwards.
    Regards,
    Chetan

  • Cisco Security Manager Local RBAC Authentication Radius assign user role

    Is it possible to use Cisco Security Manager with local RBAC, authenticate the user to Radius and retrieve its role from Radius? Getting the authentication to work isn't the problem, but is it also possible to return the role the user has (i.e. Super Admin) via Radius, without having to create all the users one-by-one in the local CSM database with the correct role?
    Can I use a certain Cisco-AV-Pair attribute to return the user role via Radius?

    I just got asked to look at the same situation by one of our security people.
    We have exactly the same problem but it reports a username of "*****" and we are running CSM 4.7 (upgraded last week)

  • Cisco Security Manager (CSM) License Problem

    Hi All,
    We have CSM V3.2 with Professional license edition and support for 50 devices. It's installed properly in the Cisco Security Manager client, as appears in the attachment, but the problem is in the server administration - license management, which doesn't include any records for the license (see attachment).
    I tried to upload the .lic file by clicking the Update button in server administration but an error message appeared stating that the license file is corrupted, although it's installed properly in the CSM client!!!
    Could you please advise what's the problem and what should I do?
    Thanks in Advance!

    Sorry but Cisco seems to have removed that product bulletin from cisco.com.
    Your reseller can use Cisco Commerce Workspace (CCW) to order the correct part number for your CSM installation. There is a unique number for each licensing level and/or upgrade.
    For instance, for a 10-device standard license, the support would be part number CON-SAS-CSMST10K.
    For the 100-device Pro license, the support would be CON-SAS-CSMPR4K9.
    The reseller needs to adjust the support term (12-60 months) to suit when ordering.

  • Import Network host objects to Cisco Security Manager

    Is it possible to import complete lists of Network Hosts objects to Cisco Security Manager?
    Exporting the hosts already defined in the ASAs is easy, but how to import them into CSM??
    Thanks

    No hostnames discovered go to the Policy Object Manager (nor to the Access rules), only group-names (there's a bug in ASAs related to single host names too). The way CSM handles single hosts is by previously creating them, so when we later discover devices, the single host names set in the discovered device are not considered, only their IP addresses; then you can see that in the discovered access rules CSM shows the hostnames as the ones previously defined in the Policy Object Manager. If you don't define those hostnames before the device discovery, you will only see IP addresses, no hostnames, no matter whether they are set in your firewalls.
    Imagine discovering a couple of FWSM modules with 500 access rules, and you only get to see the IP addresses of the 2,500 hosts on your network. And you have all those hosts already defined in your FWSM firewalls; when you log in via ASDM you view your hard-created rules with hostnames, and when you log in to CSM you only view IP addresses. The clients get very disappointed with CSM after that, and discard it. The bigger the network, the faster they reject CSM.
    The only way to add hosts in the Policy Object Manager is 1 by 1. But as this may have happened to more than one company, and considering how easy it is to code a feature like that, I assume that it's possible to import a complete list of single hosts to CSM.
    Is that really possible? It should be.
    Thanks for the replies so far.

  • Catalyst 3750x and 4510R and Cisco Security Manager

    Hi,
    I just downloaded and installed a trial (evaluation) version of Cisco Security Manager 4.3. In the supported devices list I saw Cisco Catalyst 3750 and 4510R, but when I try to add them I get, for the 3750:
    Invalid device: Device is a switch and cannot be mapped to a Generic Router model.
    Please verify the selected device type, OS version and device configuration
    For the 4510R:
    Invalid device: Version 03.03.00.SG (N/A) is not supported for the device type of Cisco Catalyst 4510R Switch. Please verify the selected device type, OS version and device configuration
    We need to make a purchase decision but for it we need to import all of our devices and perform some tests.
    Thanks in advance for your replies!
    BR, Vasily.

    I figured this out on my own -- change Compatibility mode of the installer to be Windows 8 (which is same OS version as Windows 2012) and it installs just fine.
