Filter
Top Products
9-19
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 9 Troubleshooting Device Communication and Deployment
Troubleshooting Deployment
• Call home mode setup—The device is not connected to Configuration Engine in this mode;
therefore, all Security Manager operations that require the retrieval of the device configuration using
Configuration Engine are not supported. This includes discovery, preview configuration, display
running configuration, and connectivity tests (and rollback, for IOS devices).
Question: Why is deployment to my Configuration Engine-managed ASA/PIX device not working?
Answer: There are several possibilities:
• The configuration contains invalid commands. You can test this by copying the configuration
associated with the ASA/PIX device in Configuration Engine and pasting it directly into the device.
• The auto-update server command contains an invalid username and password.
• You did not wait long enough for the configuration to be polled into the ASA/PIX device. Use the
show auto command to verify when the next polling cycle will occur.
• If you previously used the Configuration Engine server for the same ASA/PIX device and did not
delete the device from the Configuration Engine server before you started the current task, it is
possible that the device received the previous configuration from the server before you deployed the
new configuration to it.
• If none of the suggestions above solves the problem, turn on Configuration Engine debug mode on
the ASA/PIX device and check the log for errors after the next polling cycle.
Question: Why was I able to deploy successfully to a Configuration Engine-managed ASA/PIX device
the first time, but subsequent deployments were unsuccessful?
Answer: This can happen if the configuration pushed during the first deployment contains incorrect CLI
commands for the auto-update feature. Check the following:
• Make sure the username and password of the Configuration Engine server is defined correctly in the
auto-update command.
• If you used name commands when configuring the auto-update server using the device CLI, make
sure that you have defined a FlexConfig that contains the necessary name commands. A FlexConfig
is necessary because Security Manager does not support this command directly. As a result, even
though the command was discovered, it does not appear in the full configuration. If you use Security
Manager to configure the AUS policy, name commands are not necessary.
Question: How do I debug Configuration Engine on an ASA/PIX device?
Answer: Enter the following CLI commands:
logging monitor debug
terminal monitor
logging on
You can also find relevant information in the PIX log on the Configuration Engine server.
Question: How do I debug Configuration Engine on an IOS device?
Answer: Enter the following CLI commands:
debug cns all
debug kron exec-cli
terminal monitor
When working in event mode, you can also find relevant information in the event log on the
Configuration Engine server. When working in call home mode, check the config server log on the
Configuration Engine server.
Question: Why did I fail to discover an IOS device and acquire its configuration through Configuration
Engine?