CiscoWorks Out-of-Sync & Crypto

Apr 19th, 2007

In CiscoWorks Out-of-Sync reports all our APs are showing as out of sync because the Crypto-Crypto CA-Crypto CA certificate chain TP-self-signed-# key is not saved to startup config. We have been able to exclude the "Crypto-Crypto CA-Crypto CA certificate chain TP-self-signed-#" but not the actual key. Is there any way to exclude the key?


Thanks

Joe Clarke Thu, 04/19/2007 - 12:14 (Cisco Employee, Hall of Fame, Founding Member)

This should be taken care of automatically assuming your device supports the command "show running-config brief". If it does, there is one more gotcha to be aware of. If you use TFTP to fetch your configs, there is no way of getting a brief running config using this method. Therefore, the running and startup configs will always be out-of-sync in terms of crypto.


The solution is to make either SSH or TELNET the first protocol in the config fetch protocol order under RME > Admin > Config Mgmt > Transport Settings.


However, if your device does not support "show running-config brief" then you will need to upgrade the code, or just ignore the out-of-sync information for the crypto key.
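The comparison the reply describes can be reproduced offline when a device has no "show running-config brief": strip the self-signed certificate chain section (which never reaches startup-config) from both captures and diff what remains. This is an added example, not part of the thread or of RME; the sample configs and the section pattern are constructed.

```python
import re
import difflib

# Top-level IOS commands whose indented body is the self-signed certificate data that
# 'show running-config brief' omits and that is never written to startup-config. (Constructed pattern.)
IGNORED_SECTIONS = (re.compile(r"^crypto pki certificate chain TP-self-signed-\d+$"),)

def strip_cert_chain(config: str) -> list:
    """Return the config lines minus certificate chain sections, blank lines and '!' separators."""
    kept, skipping = [], False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue                      # separators carry no configuration
        if not line.startswith(" "):      # top-level command: starts or ends a skipped section
            skipping = any(p.match(line) for p in IGNORED_SECTIONS)
        if not skipping:
            kept.append(line)
    return kept

def config_diff(running: str, startup: str) -> list:
    """Unified diff of running vs startup after normalisation; an empty list means in sync."""
    return list(difflib.unified_diff(strip_cert_chain(startup), strip_cert_chain(running),
                                     fromfile="startup-config", tofile="running-config", lineterm=""))

def in_sync(running: str, startup: str) -> bool:
    return not config_diff(running, startup)

# Constructed sample captures: running holds the certificate chain, startup does not.
RUNNING = """\
hostname sw1
!
crypto pki trustpoint TP-self-signed-1234567890
 enrollment selfsigned
!
crypto pki certificate chain TP-self-signed-1234567890
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101
  quit
!
ip ssh version 2
end
"""
STARTUP = """\
hostname sw1
!
crypto pki trustpoint TP-self-signed-1234567890
 enrollment selfsigned
!
ip ssh version 2
end
"""

if __name__ == "__main__":
    print("\n".join(config_diff(RUNNING, STARTUP)) or "in sync")
```

Any line the diff still reports after stripping is a genuine unsaved change, which is what the RME report should be flagging.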

duncan.goodfell... Thu, 01/03/2008 - 06:06

I have some 3750 switches with the same issue. They support "show running-config brief" command and the protocol order has Telnet & SSH before TFTP. I can also confirm that the config is being fetched using Telnet.


Any ideas?


LMS 2.5 & RME 4.0.4

Joe Clarke Thu, 01/03/2008 - 09:52 (Cisco Employee, Hall of Fame, Founding Member)

You will need to get a sniffer trace or the dcmaservice.log after enabling ArchiveMgmt Service debugging to confirm if "show running-config brief" is actually being executed successfully on the devices.

duncan.goodfell... Fri, 01/04/2008 - 05:30

Thanks for your response, I'll get that sorted. What is the course of action if the "show running-config brief" is not being executed?

Joe Clarke Fri, 01/04/2008 - 06:08 (Cisco Employee, Hall of Fame, Founding Member)

The code shows that it really should be executed. My guess is that either telnet is failing for some reason, or "show running-config brief" is broken for this device for this version of code.
