CiscoWorks Out-of-Sync & Crypto

josephenix · ‎04-19-2007

In CiscoWorks Out-of-Sync reports all our APs are showing as out of sync because the Crypto-Crypto CA-Crypto CA certificate chain TP-self-signed-# key is not saved to startup config. We have been able to exclude the "Crypto-Crypto CA-Crypto CA certificate chain TP-self-signed-#" but not the accual key. Is there any way to exclude the key.

Thanks

Joe Clarke · ‎04-19-2007

This should be taken care of automatically assuming your device supports the command "show running-config brief". If it does, there is one more gotcha to be aware of. If you use TFTP to fetch your configs, there is no way of getting a brief running config using this method. Therefore, the running and startup configs will always be out-of-sync in terms of crypto.

The solution is to make either SSH or TELNET the first protocol in the config fetch protocol order under RME > Admin > Config Mgmt > Transport Settings.

However, if your device not support "show running-config brief" then you will need to upgrade the code, or just ignore the out-of-sync information for the crypto key.

duncan.goodfellow · ‎01-03-2008

I have some 3750 switches with the same issue. They support "show running-config brief" command and the protocol order has Telnet & SSH before TFTP. I can also confirm that the config is being fetched using Telnet.

Any ideas?

LMS 2.5 & RME 4.0.4

Joe Clarke · ‎01-03-2008

You will need to get a sniffer trace or the dcmaservice.log after enabling ArchiveMgmt Service debugging to confirm if "show running-config brief" is actually being executed successfully on the devices.

duncan.goodfellow · ‎01-04-2008

thanks for your response, I'll get that sorted. What is the course of action if the "show running-config brief" is not being executed?

Joe Clarke · ‎01-04-2008

The code shows that it really should be executed. My guess is that either telnet is failing for some reason, or "show running-config brief" is broken for this device for this version of code.