WAAS Disk encryption

Unanswered Question
Mar 30th, 2008

I have a NM-WAE running WAAS software version 4.0.17.b.14. I have ticked the box in the GUI to enable disk encryption and rebooted the device a couple of times, but the disk is still not encrypted (I checked using show disk detail). If I check that immediately after a reboot the output reports that the disk is not encrypted. If I wait a few minutes and check again it usually says "Disk encryption feature is disabled" (and checking the running config shows that there is no disk encryption command). If I wait a while (5 - 10 minutes) it reports that "Disk encryption is currently disabled, but will be enabled after reload." If I reload the module again I get the same result. Waiting over a weekend makes no difference (so it is not a matter of just waiting).


I have tried deleting it from the Cisco WAAS configuration manager and de-registered it and added it again. That made no difference. I also tried making the change via the command line and got the same result. The device is currently talking to the CM box (when I do a show cms info it shows synchronisation times within the last 10 minutes every time I look). According to the documentation the only things that I need for encryption to work are a working link to CMS and a reboot. Does anyone have any other ideas?


Thanks in advance,

Peter

Overall Rating: 5 (1 ratings)
Zach Seils (Cisco Employee) Mon, 03/31/2008 - 11:30

Peter,


Your issue doesn't sound familiar. What disk encryption related messages do you see in syslog.txt?


Zach



pthaynes Mon, 03/31/2008 - 19:28

Zach,


I can't see anything obvious in the syslog that relates to encryption. What I can see related to the hard drives that looks bad is:

Apr 1 00:32:43 wotamp kernel: %WAAS-SYS-4-900000: hda: drive_cmd: status=0x51 { DriveReady SeekComplete Error }

Apr 1 00:32:43 wotamp kernel: %WAAS-SYS-4-900000: hda: drive_cmd: error=0x04 { DriveStatusError }

Apr 1 00:32:43 wotamp kernel: %WAAS-SYS-4-900000: ide: failed opcode was: 0xa1

Apr 1 00:32:43 wotamp kernel: %WAAS-SYS-4-900000: CDB (1:0,0,0) 1a 00 1c 00 40 00 8f 6b 51


I ran the disk_check.sh script and all drives came back OK.


I've also noticed this error coming up a number of times:

Apr 1 10:33:52 wotamp wccp: %WAAS-WCCP-5-500008: A new view from the router <> with the given change number: 107.

Apr 1 00:33:52 wotamp config: %WAAS-UNKNOWN-1-899999: SendReport: Username is unknown


And it looks like I get this error the second time cms synchronises:

Apr 1 10:37:59 wotamp java: %WAAS-CMS-4-700002: Thread(pool-1-thread-2): java.net.SocketException: Socket closed: java.net.SocketException: Socket closed at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.read(Unknown Source) at unicorn.RpcTcpTransport.readBytes(RpcTcpTransport.java:168) at unicorn.RpcTcpTransport.readNext(RpcTcpTransport.java:217) at unicorn.RpcTcpTransport.invokeSynchronous(RpcTcpTransport.java:230) at dispatcher.Dispatcher.invokeSynchronous(Dispatcher.java:33) at unicorn.RpcDispatcherTransport.invokeSynchronous(RpcDispatcherTransport.java:47) at cmProbeRpc.CmProbeRpc.getPrimaryCM(CmProbeRpc.java:17) at com.cisco.waas.util.CMProber$ProbeWorker.execute(CMProber.java:139) at com.cisco.waas.util.CMProber$ProbeWorker.execute(CMProber.java:124) at com.cisco.waas.util.Worker.run(Worker.java:36) at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source) at java.util.concurre


Zach Seils (Cisco Employee) Tue, 04/01/2008 - 04:18

The first set of log messages can be ignored.


The WCCP message and the java exception seem to indicate a connectivity problem. Are you seeing any errors on the WAE management interface? Do you have the same disk encryption issue with WCCP disabled?


Zach



pthaynes Tue, 04/01/2008 - 21:49

Zach,

The errors that I am seeing on the WAAS CM web site are only during the time that I restart the WAE. I receive the warning message:

Device wotamp with id CeConfig_20967 came offline


Followed by:

%WAAS-UNKNOWN-1-899999: SendReport: Username is unknown


Turning off WCCP for both the router and the WAE-NM made no difference.


WCCP is definitely working, as I can see packets getting redirected and conversations getting optimised.


The WAE device has the correct IP address and subnet mask. The only other route it has is the default-gateway - which points to the IP address of the In1/0 interface on the router the NM is plugged into.


I have also double-checked to make sure that I have the ip wccp redirect exclude in applied to the in1/0 interface on the router.


I did notice that the hostname of the WAE is not in DNS yet, so I'll get that sorted out just in case the name is verified in DNS when generating a shared key (or certificate if that is how the key is done).


Thanks,

Peter

Zach Seils (Cisco Employee) Thu, 04/03/2008 - 13:56

Peter,


I do not think there is a dependency on DNS. Can you please send me the syslog.txt file from the device?


Thanks,

Zach



pthaynes Thu, 04/03/2008 - 19:56

Zach,


Attached is a copy of the syslog from when I kicked off a reboot until I connected back in. The changes I made since yesterday are:

1. The WAE device is registered in DNS.

2. I changed the configuration of that device so that the central-manager address points to the actual IP of the central-manager rather than to a host name.


I haven't received the java message since making that second change, but the disk is still not encrypting.


Thanks,


Peter



pthaynes Sun, 04/06/2008 - 22:50

I rebooted the WAE NM again this morning (in the vain hope that it might have sorted itself out over the weekend). It logged another error:

Apr 7 06:38:14 wotamp Nodemgr: %WAAS-NODEMGR-3-330039: Service 'get_config' has not returned within 300 seconds. Will try stopping it.


I am guessing that this means the WAE can't get its config from the central manager (which implies it has no connection to the central manager and therefore cannot start encrypting the drive). The other thing that seems to occur intermittently is that I get this error:

Apr 7 16:38:36 wotamp snmpced: %WAAS-LIBCMN-3-520015: Error reading quack device.


I have noticed that it sometimes occurs during a reboot, but I have also seen it when I use the show disk details command.


Thanks for your help.


Peter

pthaynes Mon, 04/07/2008 - 14:55

I'm still working on the theory that it is a communications problem. If I start a continuous ping from my PC (in the network core) to the WAE device in question (out on the edge of the WAN) I notice that it takes an inordinate amount of time before the WAE device responds. It doesn't seem to be a routing problem (the In1/0 interface comes up and the route is advertised in OSPF fairly early in the reboot process - and I can ping that at about the same time).


The error about the Quack device comes up soon after the WAE device starts to respond to pings. Even after the WAE device starts to respond to the pings I still get errors regarding Username is unknown. But at about that time I can login and doing a show cms info shows that the device has synchronised its config.


I have checked the addressing and it all looks fine (a /30 mask, and the WAE device is on .18 and the router is on .17).


Does anyone have any ideas on what else I should be looking at?


Thanks in advance,


Peter

pthaynes Mon, 04/07/2008 - 18:30

I've had a bit more of a dig and have noticed a couple of anomalies in the GUI. If you look at the config in the CLI on an NM-WAE you will notice that it is hard set to 1000/full duplex. If you check the speed on the Integrated-Services-Engine interface on the router it will also show as 1000/full duplex. Neither of them is set to autonegotiate.


In the WAAS CM web page for an NM-WAE you will notice that it says the Gi1/0 interface is set to autodetect the speed and duplex. If you try to change that the GUI complains that you can't hard set to 1000/full - you need to use auto negotiation to achieve that speed.


When a NM-WAE gets its configuration from the configuration manager you usually get two errors with the description of "Unexpected CLI command failure on the node". The actual commands it tries to send are "interface GigabitEthernet 1/0 autosense" and "interface GigabitEthernet 1/0 ip address ".


I don't know if it has any impact on connectivity (I don't see any errors on the Integrated-Services-Engine interface). It just looks a bit odd.


Thanks,


Peter

Zach Seils (Cisco Employee) Tue, 04/08/2008 - 11:59

Peter,


I don't see any indication in syslog that disk encryption is enabled. I'm wondering if you aren't dealing with a hardware issue. Are you able to successfully enable disk encryption on other WAEs registered with this CM?


Can you please try the following:


- Restore factory defaults on the WAE

- Delete the device record from the CM

- Reconfigure the WAE from scratch, including CM registration


If you are still having problems, I would recommend that you replace the NME-WAE.

pthaynes Tue, 04/08/2008 - 18:45

I haven't tried disk encryption on any other WAE devices registered with this CM.


I went through your procedure (and tried it with both the 4.0.15 and 4.0.17 software). Neither worked.


I will be receiving some new WAE network modules early next week - I'll give a few of them a try, just in case it is a hardware issue. Unfortunately I only have one WAE appliance - the rest are WAE NMs so I can't run up a second CM to try against a clean database.


Thanks for all your help.


Peter
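
The syslog check that runs through this thread (looking for disk-encryption messages in syslog.txt and picking out the serious entries), sketched as an added example that is not part of any post and is not Cisco tooling. The line layout is inferred from the log lines quoted above, and reading the digit after the facility name as the syslog severity (lower is more severe) is an assumption.

```python
import re
from collections import Counter

# Layout inferred from the lines quoted in the thread (an assumption):
# <Mon> <day> <time> <host> <process>: %WAAS-<FACILITY>-<SEV>-<ID>: <text>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+(?P<proc>[^:]+):\s+"
    r"%WAAS-(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<msgid>\d+):\s*(?P<text>.*)$"
)

# Log lines copied from the posts above.
SAMPLE = """\
Apr 1 00:32:43 wotamp kernel: %WAAS-SYS-4-900000: hda: drive_cmd: status=0x51 { DriveReady SeekComplete Error }
Apr 1 10:33:52 wotamp wccp: %WAAS-WCCP-5-500008: A new view from the router <> with the given change number: 107.
Apr 1 00:33:52 wotamp config: %WAAS-UNKNOWN-1-899999: SendReport: Username is unknown
Apr 7 06:38:14 wotamp Nodemgr: %WAAS-NODEMGR-3-330039: Service 'get_config' has not returned within 300 seconds. Will try stopping it.
Apr 7 16:38:36 wotamp snmpced: %WAAS-LIBCMN-3-520015: Error reading quack device.
"""

def parse(lines):
    """Return one dict per line that matches the layout; skip the rest."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sev"] = int(rec["sev"])
            records.append(rec)
    return records

def triage(records, max_sev=3, keyword="encrypt"):
    """Count messages per (facility, severity, id), list entries at or
    above the severity threshold, and list entries mentioning the keyword."""
    counts = Counter((r["facility"], r["sev"], r["msgid"]) for r in records)
    severe = [r for r in records if r["sev"] <= max_sev]
    hits = [r for r in records if keyword in r["text"].lower()]
    return counts, severe, hits

if __name__ == "__main__":
    counts, severe, hits = triage(parse(SAMPLE.splitlines()))
    for r in severe:
        print(f"sev {r['sev']} {r['facility']}-{r['msgid']} ({r['proc']}): {r['text']}")
    print(f"lines mentioning 'encrypt': {len(hits)}")
```

To run it against a real file, pass `open("syslog.txt")` to `parse()` in place of the embedded sample.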
