CSM Deployment

Similar Messages

• Adding GSS on top of existing CSM deployment

  Hi there,
  I have an existing CSM deployment that is performing L4 load-balancing for a number of serverfarms. Each farm is presented as it's own VIP, so no VIP has multiple farms on different ports.
  I'm trying to add a GSS in front of this and I'd like to be able to have the GSS read load information from the CSM.  To accomplish this I've enabled CAPP on my CSM, and created a shared Keepalive that points to one of the internal addresses for the CSM (not a VIP address).  I've assigned this shared keepalive to two Answers, providing the VIP address of the service, and performing KAL-AP keepalives by Tag value.  In my vserver I've added the 'domain <TAG>' and entered in the matching Tag on the KAL-AP KeepAlive section of the Answer setup screen.
  With these steps completed, when I look at the Answer status under Monitoring > Answers > Answer Status,  the GSS always sees it as 'Offline (Load:255)'.  I've verified that the CAPP communication is successful by watching the stats on both the GSS Answer Keepalive stats page, and by the output of 'show mod csm x capp'.  It seems like the communication is working just fine.  Any ideas why the GSS isn't marking my Answers available?
  I'm using GSS 3.2.0.0.15 and CSM 4.3(5).
  Thanks in advance!
  Brandon

  Hi Chris,
  Thanks for the reply.  I ended up opening a TAC case to troubleshoot, and found I was running into the following bug:
  CSCsi70659 CSM sends vserver load of 255 for KAL-AP by tag
  Symptom:
  When CAPP UDP is enabled on the CSM, the CSM will return a load of 255 for vservers that are being probed by a KAL-AP keepalive.
  Workaround:
  Perform a 'no inservice' followed by an 'inservice' on the vserver.
  I executed the workaround and now my GSS is correctly pulling load information from the CSM.
  Thanks,
  Brandon

• CSM Deployment to a 2811 Failure

  Hi,
  I manage 213 2811s with CSM and there is one site that fails everytime I go to deploy changes to it. It fails with, "Failed to parse response from device. Cause: Upload configuration failed since the CT response from device XXXX is malformed. JDOM exception while parsing XML input stream."
  I have tried reimporting the policies but I get the same error on deployment. Any ideas?

  I tried to look it up in the Bug Toolkit and it says it is only available to Cisco employees. The router in question is running c2800nm-advsecurityk9-mz.124-15.T1.bin with 12.4(13r)T ROM. What version fixes it?

• CSM 3.3.1 - deployment bug? after installing SP1&SP2

  Hi all,
  I've recently installed CSM 3.3.1 with SP1 and SP2 and I've encountered quite serious (for me) problem. Has  anyone met strange situations after installing service packs?
  When I discover new device (i.e. router with 15.1 ios version) and make changes in ZBF policy, CSM deploys new configuration and everything seems to be fine. I must stress that only seems.
  When for example I want to make only small changes to that device (by adding new username ans password) I make "preview configuration" and I see that CSM deletes part of ZBF policy - 10 of 12 zone-pair. For example for some reasons manager makes "no service-policy ...." in zone-pair. When I do another "preview configuration" (after adding another username) it deletes those empty zone-pairs. I thoung maybe naming doesn't suit it and I need to recreate all policy through CSM - nooooo. It did not help. Still it tried to delete some of policy.
  Even when I created all ZBF policies from CSM Ive got situation when in one preview config it removes security-policy from zone-pair and after deployment in second preview it adds these security-policies to previous zone-pair. Its happaning in a  loop.
  Or another strange behaviour is when I add new username it does sth like this:
  In "preview configuration" there is
  policy-map type inspect CSM_ZBF_POLICY_MAP_1
  no class class-default
  class class-default
      drop
  while in GUI in CSM there is action inspect defined.
  I've looked through bugtool, but with no success, so need any help.
  regards

  hi,
  thx for interest,
  I didn't open the TAC case casue I didn't have much time for it, however the issue is resolved. It occured that SP2 to CSM was problematic. Right now I've got 3.3.1 version with SP1 and everything works just fine. To make sure that it was it, I installed then SP2 and the problem started again.
  I don't have configuration saved but actually there wasn't much of it. It was a fresh system and only 1 or 2 devices ware added so I suppose it should be easy to restore the situation.
  if you got any new info please let me know
  regards
  Przemek

• Cannot connect with CSM client

  One of our clients has a problem with their CSM deployment, they recently upgraded their CSM version which is deployed on a vmware environment, the services are listed as running and the webservice is available on port 1714 - when he tries to access it with the CSM client he gets the error.
  The client cannot connect to the authentication service."
  * Please cofnirm whether the security manager server is running
  I cant find any troubleshooting information for this specific issue - has anyone got any experience of this issue or what could be causing it.
  Regards
  Joel

  I'm having the exact same problem. My work around is to run C:\Program Files (x86)\cscopx\setup\support\resetcasuser.exe, select option 1 and reboot the CSM box.
  TAC said the issue was a GPO preventing the casuser for running batch, but we just modified the GPO yesterday and still have trouble.
  Strange thing is twe did not have this issue when the backup job was failing.

• CSM 3.3.1 SP1 is deleting the FW rules.

  Hi,
  I have many FWs  managed by CSM 3.3.1 SP1. Number of rules on each firewall ranges from hundreds up-to more than 30 thousands of lines as summation for all active ACLs on the FW. After start using CSM to manage these Firewalls, recently we noticed that some ACL lines or static translations are disappear from the FW although they are existing on the CSM topology (ACL list in CSM). We are suspecting few possible causes and one of them having CSM ignoring some lines during deploying the rules to the remote site. Links speeds are ranging from 256k up to 2M on some sites that we are facing problem with.
  We need feedback on the following:
  -          Is this behavior related to bug.
  -          Is there any limitations or recommendations on the links speed between CSM server and the remote firewalls.
  -          Is there any possibility that CSM omit some rules or configuration while transferring these changes to the remote firewall, or possibility of having some of these configurations not transferred successfully to the FW due to link performance issues, etc,… in this context, kindly explain the methods or techniques that CSM use to ensure reliability of the configuration and detection capabilities of any errors during the transfer.
  Regards,
  Muhannad

  Hi PK,
  Many thanks for the response.
  I will be checking the deployment transcripts that include these responses but what i am experiencing here is that some rules of the PIX are deleted once i am running the CSM deployment job, the only thing that has been verified that these firewalls are located in another countries which mean that they are located in very large geographical distances from the CSM.
  I am not sure if this due and limitations of the latency or the BW, also i am not sure about if the logs and debugs can guide me to something useful!
  Regards,
  Muhannad

• IPS Signature Update - CSM v3.3 SP1

  Hi,
  I am getting the following error message when deploying IPS signature updates to some of my sensors via the CSM deployment tool:
  "Failed to generate edit config delta  for host component. Detail: Error while processing the host component with DNS,access-list or http-proxy"
  The signature update actually deploys, but I am wondering what is causing this message.  I get this with some 4240, 4255 and IDSM-II blades, but not with others and I can't see any config variances.
  Does anyone have any ideas what is causing this message?  The access ACLs are the same for each sensor.
  Many thanks

  Hi Liam,
  As you mentioned you are using a shared policy, and the access ACLs for all sensors are the same, I assume that you may be using an "Allowed Hosts" shared policy.
  In that case, how did you create that policy ?
  Did you create the policy from the policy view page, or did you right click on the "Allowed Hosts" setting of a device in device view and select "share policy" ?
  If you did the first, you may be running into a known issue. You can read more about this on the bug toolkit:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg02063
  This is the workaround that should work for you in case you are indeed running into this issue:
  1. Rediscover or newly add any one IPS device running 7.x version
  2. Create entries for "Allowed Hosts" according to requirements.
  3. Right click on "Allowed Hosts", select "Share Policy..." and specify a name for shared policy.
  4. Assign this "Allowed Hosts" shared policy to one or more devices.
  5. Deployment should now be successful for "Allowed Hosts".

• CSM 3.3.1 - Reports for all FW and Rulset optimization

  Hi
  Any way to generate a report over all my firewalls to see how many rulesets are defined on each firewall ?
  Did anybody ever use the combine and anylaze Function to optimize the rulesets ?
  sincerely
  Alfred

  Hi PK,
  Many thanks for the response.
  I will be checking the deployment transcripts that include these responses but what i am experiencing here is that some rules of the PIX are deleted once i am running the CSM deployment job, the only thing that has been verified that these firewalls are located in another countries which mean that they are located in very large geographical distances from the CSM.
  I am not sure if this due and limitations of the latency or the BW, also i am not sure about if the logs and debugs can guide me to something useful!
  Regards,
  Muhannad

• Cisco CSM - Has anyone deployed it in their environment for IDS/IPS devices

  We are an MSP and are evaluating Cisco CSM to manage about 50 IDS/IPS devices. Each of these devices has their own customer signature policy.
  Does anyone use it in their production environments? Do you find it useful?
  Regarding policy management for devices that already have a signature policy, I know you can discover the policy, what we want to do is take the current discovered policy, modify it if we need to and then re-deploy it to the device. I'm finding that this is all read only once the policy is discovered.
  Is there a way to modify the signature, for example, adding a logging parameter and then re-deploy?
  Just curious if others had similar experiences with CSM.
  Thanks!

  haxworthy,
  I currently use CSM to manager a variety of IPS devices (IOS IPS, 42xx Sensors, 65xx-series blades). The policies vary on some devices. CSM works wonderfully. CSM discoveries the various policies on the device on an individual basis. Policies can then be edited on a per-sensor basis or on a group level. Has worked wonderful in our environment. A nice upgrade from the old IPSMC. Let me know if you have any other questions.
  -Mike
  http://cs-mars.blogspot.com

• CSM disconnects VPN sessions upon config deployment.

  CSM version 4.3 SP1
  Hi,
  I've noticed that while deploying configuration to our ASA5520 devices active VPN sessions are being disconnected.
  Has anyone noticed the same ?
  I've not found anything related in Cisco Forum.
  I also have not found anything related at Cisco BugToolkit.
  Thanks for help.
  Krzysztof

  and from asa device perspective (debug log):
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  Dec 28 13:43:51 [IKEv1]Group = ******, Username = ****, IP = ****, Session is being torn down. Reason: Administrator Reset
  and lots more

• Csm error message when doing deploy to device

                     hi
  i have csm 4.3 and i did deploy to file and it was a success , when i am doing deploy to device i am getting an error saying:
  an error response from the device prevented succeful completion of this operation. the device provided the following description: crypto map CSM_outside_map 1 match address CSM_IPSEC_ACL_24:unable to locate access-list CSM_IPSEC_ACL_24
  when i am doing preview their is no problem
  what this message meen?

  Hello,
  Am using remote object services.
  USing component (ColdFusion as destination).

• CSM Cisco Secure Manager - deploy a Blank configuration!

  Hi all,
  need some help. Its just installed a CSM, v.4.8. It adds a device and its configuration from the network, a FW ASA 8.3 correctly.
  i make a change on the local policy and as soon i make a deploy to device it start doing a:
  no xxxx
  no xxxx1
  no xxxx2
  for each line of the current configuration! so it deletes all!
  I am missing a point in here. User guide says that i have to bind a policy to the device but that easy step i do not know how to do it.
  thanks in advance for the help
  Regards
  José

  Security Manager does not currently leverage object groups for ACL objects used in VPNs. An enhancement bug has been filed under CSCsl20196 and is something we are looking to address in the upcoming Security Manager 3.2 release due late 1QCY08.

• CSM 4.2 sp1 and strange deploy and monitoring behaviour

  Hi, recently I have upgrade a CSM installation to 4.2 sp1 release on 2008 R2 VM server with 8 GB RAM.
  I've noted the followings:
  1- if I try to deploy policy on many device, the deploy manager stops on updating devices and never switch to downloading phase.
  2- I see https connection to devices with login "" on CS-MARS caming from CSM, even if nothing is configured on CSM performance monitor. All devices credentials are correct.
  Any suggest ?
  thanks

  Hi, I have no error if I deploy 4 devices, but if I try to deploy 10 or more devices I received the following error for each device:
  Status:
  Failed: uploading divice ...
  Message:
  System error
  Description:
  Device provisioning failed
  Java heap space
  Action:
  Please retry the operation. If the prblem persists, ....
  I restart the server and 4 by 4 I'm able to deploy every device.
  thanks

• CSM 4.2 deployment never completes

  Hi all,
  Just wonder if anyone had similar issue but I have a problem where deployment never completes:
  We have fresh install of csm 4.2 sp1
  Device that we deploy to is 5585 active/passive pair with 8.4.2
  Deployment transcript shows that CLI is success and write mem is performed
  On next step and that is Cisco Secure Desktop Configuration it hangs forever on:
  ! COMMENT: Using : https://x.x.x.x/admin/flash/sdesktop/data.xml
  ! COMMENT:  Trying to connect using enable password ******
  Deployment never completes but configuration is delivered to the ASA.
  Thanks....

  I ran across the same issue and drove me crazy.
  The problem was with the use of the object "any". The configuration parser is having trouble with it. You basically have to create an object for the subnet 0.0.0.0/0 and use that instead. The bug has been fix but is in the pending release state.
  Cisco Bug: CSCtu01132

• CSM 3.2 SP 1: Deployment Schedules

  I am using CSM in non-Workflow mode. Is it possible to create and edit deployment jobs? So far I have tried without success: the job status is Active - the comment is 'Non Work Flow mode auto resume schedule for update'. The job runs, I get a 'Last Run' and 'Next Run' entry but the changes are NOT deployed.
  Thanks, Manola

  Non Workflow mode the default mode of operation. When using non Workflow mode, there is no need to create activities and jobs. When you log in, Security Manager automatically creates an activity for you. This activity is transparent to the user and does not need to be managed in any way. In addition, when you save and deploy configuration changes, Security Manager automatically creates a job for you as well. Like activities, jobs are transparent and do not need to be managed.