CiscoWorks Out-of-Sync & Crypto

Unanswered Question
Apr 19th, 2007

In CiscoWorks Out-of-Sync reports all our APs are showing as out of sync because the Crypto-Crypto CA-Crypto CA certificate chain TP-self-signed-# key is not saved to startup config. We have been able to exclude the "Crypto-Crypto CA-Crypto CA certificate chain TP-self-signed-#" but not the actual key. Is there any way to exclude the key?


Joe Clarke Thu, 04/19/2007 - 12:14

This should be taken care of automatically assuming your device supports the command "show running-config brief". If it does, there is one more gotcha to be aware of. If you use TFTP to fetch your configs, there is no way of getting a brief running config using this method. Therefore, the running and startup configs will always be out-of-sync in terms of crypto.

The solution is to make either SSH or TELNET the first protocol in the config fetch protocol order under RME > Admin > Config Mgmt > Transport Settings.

However, if your device does not support "show running-config brief" then you will need to upgrade the code, or just ignore the out-of-sync information for the crypto key.
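Added example, not part of the original thread and not CiscoWorks code: one way to compare a fetched running config and startup config offline while ignoring the certificate data inside `crypto ca|pki certificate chain` blocks, so that only other drift is reported. The function names and both sample configs are constructed for illustration, and the block layout (indented hex lines ending in `quit`) is assumed to be the usual IOS form.

```python
import difflib
import re

# Header of a certificate chain block ("crypto ca" on older IOS, "crypto pki" on newer).
CHAIN_RE = re.compile(r"^crypto (?:ca|pki) certificate chain \S+")
# One line of certificate body: indented groups of hex digits.
HEX_RE = re.compile(r"^\s+[0-9A-Fa-f]+(?: +[0-9A-Fa-f]+)*$")

def strip_cert_bodies(config: str) -> list[str]:
    """Return config lines with certificate hex data and its 'quit' marker removed."""
    kept, in_chain = [], False
    for raw in config.splitlines():
        line = raw.rstrip()
        if CHAIN_RE.match(line):
            in_chain = True
        elif in_chain and line and not line.startswith(" "):
            in_chain = False  # next top-level command or "!" ends the block
        if in_chain and (HEX_RE.match(line) or line.strip() == "quit"):
            continue
        kept.append(line)
    return kept

def drift(running: str, startup: str) -> list[str]:
    """Lines that differ once certificate bodies are ignored ('-' startup, '+' running)."""
    diff = difflib.ndiff(strip_cert_bodies(startup), strip_cert_bodies(running))
    return [d for d in diff if d[:2] in ("+ ", "- ")]

# Constructed sample: full fetch of the running config, certificate data included.
RUNNING = """\
hostname ap-lab-01
crypto pki certificate chain TP-self-signed-0000000000
 certificate self-signed 01
  AAAAAAAA BBBBBBBB CCCCCCCC DDDDDDDD
  EEEEEEEE FFFFFFFF 00000000 11111111
  quit
!
interface Dot11Radio0
 description lobby
"""

# Constructed sample: the same config without the certificate data.
STARTUP = """\
hostname ap-lab-01
crypto pki certificate chain TP-self-signed-0000000000
 certificate self-signed 01
!
interface Dot11Radio0
 description lobby
"""

if __name__ == "__main__":
    print(drift(RUNNING, STARTUP) or "in sync (certificate data ignored)")
```
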

duncan.goodfell... Thu, 01/03/2008 - 06:06

I have some 3750 switches with the same issue. They support the "show running-config brief" command and the protocol order has Telnet & SSH before TFTP. I can also confirm that the config is being fetched using Telnet.

Any ideas?

LMS 2.5 & RME 4.0.4

Joe Clarke Thu, 01/03/2008 - 09:52

You will need to get a sniffer trace or the dcmaservice.log after enabling ArchiveMgmt Service debugging to confirm if "show running-config brief" is actually being executed successfully on the devices.

duncan.goodfell... Fri, 01/04/2008 - 05:30

Thanks for your response, I'll get that sorted. What is the course of action if the "show running-config brief" is not being executed?

Joe Clarke Fri, 01/04/2008 - 06:08

The code shows that it really should be executed. My guess is that either telnet is failing for some reason, or "show running-config brief" is broken for this device for this version of code.

