Filter
Top Products
9-16
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 9 Troubleshooting Device Communication and Deployment
Troubleshooting Deployment
Deployment Fails for Interface Settings
Problem: Deployment fails for interface settings on a Catalyst 6500/7600 device.
Solution: Certain interface settings (such as speed, duplex, and MTU settings) are specific to particular
card types and are not validated prior to deployment. Make sure to enter the correct values for your
specific card type to ensure successful deployment.
Deployment Failures to FWSM Security Contexts After Changing Interface Policies
Problem: You add an FWSM with security contexts and discover its policies. The configuration includes
interface aliases (the allocate interface command). After changing the interfaces policy for a context,
deployment fails.
Solution: Connect directly to the FWSM and remove all mapped interface names from the system
execution space configuration and in all other contexts, replace interface references to mapped names
with the VLAN ID of the interface. You can then delete the FWSM from the Security Manager inventory
and rediscover it.
Deployment Failures for FWSMs That Have Multiple Contexts
Problem: Deployment to an FWSM that has multiple security contexts sometimes fails or results in a
temporary performance impact to the FWSM.
Solution: The problem is that Security Manager is trying to deploy configurations to more than one
security context on a device at the same time. Depending on the configuration changes, this can result
in errors on the device that prevent successful deployment. If you use FWSM in multiple-context mode,
configure Security Manager to deploy configurations serially to the device so that one context at a time
is configured, as described in Changing How Security Manager Deploys Configurations to
Multiple-Context FWSM, page 9-17.
Deployment Fails for Internal VLANs
Problem: Deployment fails when Security Manager tries to create a VLAN with an ID that is within the
range of the device’s internal VLAN list.
Solution: Security Manager cannot detect internal VLANs. Therefore, you must define a VLAN ID that
falls outside of the device’s internal VLAN list. Use the show vlan internal usage command on the
device to view the list of internal VLANs.
Deployment Fails When Changing the Running Mode of an IDSM Data Port VLAN
Problem: Deployment fails when you attempt to change the running mode of the data port VLAN from
Trunk (IPS) to Capture (IDS) and the following error message is displayed:
Command Rejected: Remove trunk allowed vlan configuration from data port 2 before configuring
capture allowed-vlans
Solution: On some software releases such as 12.2(18)SFX4, there is a bug that prevents the change from
occurring correctly. Reload the device to overcome the problem.
Deployment Fails for FWSM Configuration With Large Numbers of ACLs
Problem: Deployment to FWSM devices fail when the configuration contains a large number of ACLs.
Solution: This could occur because the CPU utilization is high during ACL compilation. To resolve this,
reconfigure the CPU utilization threshold limit by doing the following:
1. On the Security Manager server, open the DCS.properties file in the \CSCOpx\MDC\athena\config
folder in the installation directory (usually C:\Program Files).
2. Locate the DCS.FWSM.checkThreshold=False property.
3. Change the value to true: DCS.FWSM.checkThreshold=True.
4. Restart the CiscoWorks Daemon Manager.