Orphan Device in CSM

I have an orphan device in CSM 3.2 that is associated with a predefined policy object, specifically the TACACS+ object. How can I break this association? I have tried adding a new device with the same display name but get an error that the device does not exist in ACS. I added the device in ACS but still get the same error. I then tried cloning a device and giving it the same display name but get an error that the device already exists in CSM.
Any help on how to clear this orphan device would be greatly appreciated.

Hi,
You might want to follow these steps
1- if not in workflow mode, switch to workflow mode
Tools -> Admin -> Workflow
2- open the activity manager
3- make sure that ALL the activities are either discarded or approved
4- disable workflow mode
5- try to delete the device
Hope this helps :-/
Stefano

Similar Messages

  • Adding a cisco pix device to CSM 3.3

    I've been trying to add a Cisco PIX 6.3 to a new CSM 3.3 server and it complains that my credentials are bogus. I can log in to the PIX's PDM using the same credentials, so I'm stumped. Is there a way that I can get a better idea of what is happening under the hood? I tried a debug and the server is clearly hitting the PIX and it is responding, but no go.
    I figured it out: the CSM was set to use the user's login credentials instead of the device credentials.

    Try disabling Java in Internet Options. This issue could be related to the Java version also.

  • Task completed -- Adding device to CSM

    Hi Everyone,
    I was able to add the ASA to CSM 4.3 by add device from network.
    The ASA is in production.
    After the https connection was successful it asked me to create a ticket for that step.
    I created the ticket. I need to know why this ticket creation is necessary.
    Also, after that I started to discover the device and it added the device with warnings.
    And below is a tab that shows
    generate report
    I need to know: should I click on generate report?
    The last small window I have is task completed.
    It says for security contexts to appear in device selector you must submit the current activity.
    Do you want to submit the current activity now.
    It has the option yes or no.
    Should I click on yes?
    I need to know: if I do all the steps above, will it cause any config change on the ASA?
    Thanks

    Ticketing is used primarily in multi-user environments to allow different users to keep track of one another's work. It can also optionally interface with an external ticket system like Remedy or Service Now.
    For instance, if one user has started work on an ASA configuration and plans to implement it at a later time, the ticket will show subsequent users that the configuration is, in effect, "checked out".
    For single user or very small shops, ticketing (and workflow) is not commonly required.

  • Can't add MARS device to CSM

    I'm trying to add a MARS to a fresh install of CSM 3.2.0 through the CSM client.
    I constantly get the message:
    Connection with CS-MARS failed.
    Incorrect username or password.
    Make sure the CS-MARS username and password are valid.
    I'm sure that the credentials are OK.
    I even created a new user in MARS dedicated to CSM.
    The strange thing is that MARS doesn't have any logs of these login failures.
    Here's a screenshot of the error:
    https://dl.getdropbox.com/u/67172/Invalid_credentials_full.PNG

    Hi
    Please check the following. From the screenshot I understand that you are trying to add the MARS using a Global account.
    1) Make sure that you are able to log in to the GC or LC using this account.
    2) If you are trying to add the LC to CSM using the GC account, make sure the user account is replicated to the LC.
    3) If you are trying to add a CS-MARS using a user account which is integrated with AAA, then check for Global Controller Considerations with External AAA Servers under
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/authen.html

  • Finding Orphaned User Device Profiles for EM

    Hi Everyone
    I want to clean up CUCM and get rid of orphaned device profiles and I wanted to know: is there a function in CUCM that will allow me to do this, or some sort of CLI command that I can use to get the excess profiles out of the system? Thanks in advance for the help and have a great day and I look forward to the answer.
    Eric

    I've been waiting for someone to post the command that I would use from the CLI so I googled it and I did find a site called UC Guerrilla and they talked about it but they didn't show what commands to use.

  • CSM client device config

    Hi,
    On CSM Client > Device > Access rules is showing the old config and not showing the active running config, whereas Tools > Preview Configuration shows me the running config.
    How do I make the CSM client show the running config?
    Thanks.

    Raj;
      When managing devices with CSM, it is expected that all configuration changes made to the device are made via CSM.  Any changes made via PuTTY will not be reflected within CSM without first re-discovering the device's policies.
      The screenshot does not indicate a specific error, only that policy objects already present in CSM were re-used with this device.  For the yellow triangle items, you will need to highlight each item and reference the matching description pane.  But from the overall status, the discovery was completed successfully with three warnings.
    Thanks,
    Scott

  • Cisco CSM - Has anyone deployed it in their environment for IDS/IPS devices

    We are an MSP and are evaluating Cisco CSM to manage about 50 IDS/IPS devices. Each of these devices has their own customer signature policy.
    Does anyone use it in their production environments? Do you find it useful?
    Regarding policy management for devices that already have a signature policy, I know you can discover the policy, what we want to do is take the current discovered policy, modify it if we need to and then re-deploy it to the device. I'm finding that this is all read only once the policy is discovered.
    Is there a way to modify the signature, for example, adding a logging parameter and then re-deploy?
    Just curious if others had similar experiences with CSM.
    Thanks!

    haxworthy,
    I currently use CSM to manage a variety of IPS devices (IOS IPS, 42xx Sensors, 65xx-series blades). The policies vary on some devices. CSM works wonderfully. CSM discovers the various policies on the device on an individual basis. Policies can then be edited on a per-sensor basis or on a group level. It has worked wonderfully in our environment. A nice upgrade from the old IPSMC. Let me know if you have any other questions.
    -Mike
    http://cs-mars.blogspot.com

  • CSM 4.1 Authorization error when trying to add a new device

    Hi, I just finished installing a new CSM 4.1 and I set it up to use the local Windows user accounts for its administration. So when I log in to the CSM I use the same username/password as the one used to log in to the underlying Windows OS.
    When I am trying to add a new device in CSM I get an error saying that I do not have enough rights to do that. Any idea why this happens?
    Thanks,
    Costin

    You seem a little grumpy. Yes, it has occurred to me that no one knows the solution. And no, I have not called tech support yet as I have been distracted lately and spending an hour on the phone troubleshooting is an hour I could be studying. It's much easier to "bump" this thread and hope someone with a suggestion will chime in.
    Anyway, please don't just tell me to delete something without giving me an idea of what I'm deleting. I have a feeling that this login.keychain deletion will cause me to lose the information already stored. Is this the truth?

  • Adding Pix device public interface through Proxy server into CSM Fails

    Hi
    I am trying to add a device into CSM. The device is only reachable through a proxy server. If I try to add the device, the connectivity test fails: "unable to communicate with device". If I debug on the PIX I see no connection attempts. If I make an https connection from the Explorer on the Windows server running CSM I get connected. I have set the proxy settings under Server Administration. I can update packages from CCO through the proxy. Is there somewhere else to tell CSM to run through the proxy?

    Hello,
    maybe your problem has to do something with loading SLPDA.NLM. If you
    cannot get to open Autoexec.ncf then go back to DOS-Mode, rename this
    file in C:\nwserver-directory and start again. I have seen this behaviour
    on servers loading SLPDA with no network-communication and they stop
    loading at WPSD.NLM. Try to load SLPD.NLM manually when the server is
    up. After that shift the line in Autoexec.ncf where you want to load
    Slpda.NLM to the end of the file and boot the server again to see what
    happens.
    Good luck
    Burkhard Wiegand
    Netware Admin
    Debeka-Versicherungen
    D-56068 Koblenz

  • Integrated CSM + ACS - DCR Device Wizard

    Hi there,
    I've integrated CSM v3.3.1 into ACS v4.1.4 within Common Services/AAA Setup and setup a Bulk Import of Devices from ACS into Common Services.  Have also setup default device credentials.
    This seems to be working fine, in that I can login to CSM using credentials from ACS and the CSM Device and Credentials list shows all my network devices imported from ACS.
    Again I've logged into the CSM Client using credentials from ACS but I don't seem to be able to "Add Devices From DCR", the only option I have is to import from an export file from DCR.   The problem here is that the export file contains all the default device credentials which I don't want users to know.
    Have I missed something?
    Based on the User Guide I'm expecting there to be an "Add Devices From DCR Wizard".
    Thanks
    Michael

    OK,
    I have got to the bottom of this now.
    I was reading the CSM 3.1 User Guide which I'd downloaded in the past, assuming that Cisco wouldn't remove a feature in a later release, just add/improve/fix features.
    Obviously not, having downloaded the CSM 3.3 User Guide it is obvious that the "Add Devices from DCR" option has been replaced with "Add Devices from File".
    To double-check this I've done a clean install of CSM 3.1 and the different outputs from the client showing the change are attached.
    The function does still exist in Performance Monitor however.....
    Therefore the only options are to either:
    Export the devices/credentials from DCR and import into CSM
    Means that people with access to the server (e.g. IT Department) have potential access to the export files containing master device credentials of firewalls which obviously is no use in a secure environment 
    Have the firewall/security administrators manually add each device to CSM supplying necessary credentials
    This is OK to an extent, except that we are trying to maintain a secure environment with "role separation" and traceable named accounts, hence the integration to ACS.
    Rather than being able to set a complex "default credential" once which would then be destroyed/forgotten, this now means that the Firewall/Security administrator needs to know the master/generic admin account which is used by CSM to access the devices, which he/she could use instead of their named ACS account!
    None of this is very "secure" for a supposed security product.
    Is there a way to re-instate the "Add Devices from DCR" option in client versions CSM 3.2+ ?
    Is there a way to set "default credentials" in CSM like you can in Common Services, so that administrators don't need to know them (e.g. have them written down) so they can be set each time a device is added ?
    Thanks
    Mike

  • Login issue in CSM

    Hi All,
    After adding the ACS in CSM, I am unable to log in to the CSM with the ACS username and password and also the admin username and password.
    Now I removed the CSM server in ACS; even then, same status. How do I log in to the CSM?

    Did you set up the authorization or just authentication through Tacacs+?
    I recently had an issue with this, but I was able to login. I wasn't able to see the devices however. It turns out that the devices in CSM need to be the same exact display name as they show up in ACS.
    This is the guide I followed.
    http://www.cisco.com/en/US/products/ps6498/products_configuration_example09186a00808eada8.shtml
    After some headache I just used ACS for authentication, and not authorization. To do this you choose "non-ACS" when you are setting it up; just put the radio button in tacacs+. You then add the user in the local database for the authorization piece. But it will authenticate against tacacs.

  • Upgrade CSM 3.1.1 to 3.2.0

    Hi Friends,
    I have installed CSM 3.1.1 and am planning to upgrade to 3.2.0.
    I have not added any devices in CSM 3.1.1 and it's a fresh installation. Can I directly upgrade from 3.1.1 to 3.2.0 and can I use the same license? Any issues while upgrading?
    I have a maintenance contract with Cisco. Do I need to get the license for 3.2 and also for MCP?
    Thanks,
    Chandru

    I did this last week... Yes, you can go directly to 3.2.0. Also, there are 2 Service Packs out you will want to apply after upgrading to 3.2. After you have upgraded you will need to get the 3.2 CSM client on your machine. The best advice for this install is that you will need to be next to the server (not remotely accessing), and be patient... it takes a while. NO NEW LICENSE.

  • ACS not authorising Security Manager devices

    Hi, I have a setup with ACS 4.1 and CS-Manager 3.2.2.
    I have integrated the CS-Manager into ACS with no problems.
    However, when I try to add devices into the CS-Manager I get the message "The Device is not in the Cisco Secure ACS".
    I have one wildcard entry encompassing all devices and the CS-Manager (TACACS+ (cisco IOS)).
    I am wondering if CS-Manager is not liking the wildcards.
    Unfortunately, as we have 500 or so production devices already using this entry, I am not in a position to remove it to test my theory at present.
    Anyone know if wildcards are supported for authorising CS-Manager devices?
    Regards
    Colin

    Colin
    Assumption: you have CSM's Common Services integrated correctly into ACS, first with an admin account in ACS with full rights and second with the system identity user and pass in the ACS server with full rights as a user (not admin portal), and during the setup of AAA in CS you used the [tick box] to push out the authorization categories from CS into ACS.
    Assumption: you have a super admin group in ACS set up that has full rights to the CSM authorization categories that were pushed into ACS from Common Services when you first set up AAA in CS. And you have set up a user that is part of the ACS super admin group.
    Three things to check.
    1. Under ACS, click the 'Share Profile Components' button, check that Common Services has pushed out the authorization categories into ACS; you should see CSM and auto update modules. Drill down into the CSM and check to see which authorization category gives the most access, should be 'System Administrator'; make sure that all the tick boxes in this profile are ticked with no gray or shaded boxes.
    2. The user account you're logging into CSM with is part of the ACS super user group that you created. Check the ACS super user group is correctly matching the CS-Manager authorization categories, i.e. make sure that you have matched the group that you checked in my previous point, 'System Administrator' or whatever group you created that gave full rights.
    3. Finally, you must have the device listed in your network device groups in ACS. Remember that CSM will check against the ACS's NDG lists and WILL also match against an FQDN, so if you added domain information into a device in CSM then the device listed in ACS will need to be the FQDN; if it's not, then remove the domain name info from CSM and test. (EDIT: This might have been fixed in 3.2.2, not 100% sure, but it broke my network in 3.1). I'm going to take a wild stab in the dark and say that the wildcard might be failing you because it doesn't match between the CSM host name and domain name sections and the ACS host name.
    Dale
    Oh one final test you can try, log into the end device manually using telnet or ssh using the system identity user and pass. Just double check that the account gets access to the device via tacacs and that you can perform enable access type functions using this account.
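
The name-matching check described in the reply above (ACS must hold the device under exactly the name CSM uses, and the FQDN when a domain is set in CSM), as an added example that is not part of the original thread or of any Cisco tooling. The input lists, the function names and the separate case-mismatch category are assumptions; the device names are constructed.

```python
# Added example: reconcile CSM device names with ACS device entries.
# All names below are constructed sample data, not taken from the thread.

def expected_acs_name(csm_host, csm_domain):
    """Name ACS must hold, per the thread: the FQDN when CSM has a domain set."""
    return f"{csm_host}.{csm_domain}" if csm_domain else csm_host

def classify(csm_host, csm_domain, acs_names):
    """Return (status, closest ACS entry or None) for one CSM device."""
    want = expected_acs_name(csm_host, csm_domain)
    if want in acs_names:
        return "match", want
    # Assumption: case differences count as a mismatch ("same exact display name").
    for name in acs_names:
        if name.lower() == want.lower():
            return "case-mismatch", name
    # Same host label but the domain part differs or is absent on one side.
    for name in acs_names:
        if name.lower().split(".", 1)[0] == csm_host.lower():
            return "domain-mismatch", name
    return "missing", None

def reconcile(csm_devices, acs_names):
    """Map each CSM host name to its (status, ACS entry) result."""
    acs = list(acs_names)
    return {host: classify(host, domain, acs) for host, domain in csm_devices}

# Constructed inventories: (host name, domain name) as entered in CSM,
# and the device names as they appear in the ACS network device group.
CSM_DEVICES = [
    ("fw-edge-01", "example.net"),
    ("fw-core-02", ""),
    ("IPS-dmz-03", ""),
    ("pix-lab-04", ""),
]
ACS_NAMES = ["fw-edge-01", "fw-core-02", "ips-dmz-03"]

if __name__ == "__main__":
    for host, (status, entry) in reconcile(CSM_DEVICES, ACS_NAMES).items():
        if status != "match":
            print(f"{host}: {status} (ACS entry: {entry})")
```

Devices reported as domain-mismatch are the case the reply describes: either add the FQDN in ACS or remove the domain name from the device in CSM, then test again.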

  • Adding a 4250 into CSM...

    4350 running 6.0
    CSM running 3.3.0 SP2
    I have a few of these I need to add into CSM and they all are failing...
    Does anyone have basic instructions for doing this? Should be pretty
    straight forward but I keep getting http errors.
    Thanks...

    Hi
    As you said, Adding ips device in csm is pretty straight forward and simple.
    For security reason CSM by default use HTTPS to communicate with device.
    Could you please check whether HTTPS is properly enabled in device and also could you please post your http errors here.
    Thanks,
    Suresh.

  • Out of band config changes and CSM

    We're running CSM 3.3.1 SP1 on a Windows machine.  We acquired a company and have found that they were making out of band changes without the use of CSM, directly from the CLI.  Is there any easy way to sync the running config on the ASA firewalls to the CSM server?  I dug in help files but nothing really pointing me where to go.
    Thanks for any help!

    Hello,
    The easiest/fastest way to do this is to right-click on the device in CSM's device inventory and select "Rediscover policies on device". This will clear the configuration from the CSM database and rediscover the device config based on what is in the ASA's running-config.
    Keep in mind that if you are using any custom rule sections for your Access Rules or the device has any shared policies assigned, you'll need to manually rebuild the sections or re-assign the shared policies. To avoid this, you would have to manually sync the changes (i.e. make the same changes in CSM that were made on the CLI). If only certain policies are affected, you can also add the device into CSM's inventory as a new device (with a new name), and then copy the policies that weren't affected from the old device to the new device.
    Hope that helps.
    -Mike
