Pix Firewall Management in CW LMS RME

Dec 18th, 2008

Is it possible to manage/archive Pix Firewall configurations in CiscoWorks LMS? I have added our Pix Firewall in LMS; however, the config fetch fails in RME with the following error:


CM0056 Config fetch failed for Pix515 Cause: CM0204 Could not create DeviceContext for 63 Cause: CM0202 Could not access 172.16.x.x via SNMP. Action: Check the Read Community string Action: Check if required device packages are available in RME. Action: Check if protocol is supported by device and required device package is installed.


Is it even possible to archive pix configurations in LMS RME? Any thoughts?

Joe Clarke Thu, 12/18/2008 - 10:10

Yes, it is possible. RME supports TELNET and SSH transports for archiving configurations from PIX, ASA, and FWSM devices. This problem could point to a package issue, missing TELNET or SSH from your config fetch protocol list, or bad credentials in DCR for this PIX.

NPT_2 Thu, 12/18/2008 - 10:20

Thanks for the ideas. I just checked my credentials and they are set fine. But if I run a check credentials job all results are Device Not Reachable. Also I am seeing Device Type Unknown in Device Center. I'm going to check my package and see if I need to update those for pix support.

NPT_2 Thu, 12/18/2008 - 10:25

Do you have any other thoughts? I just checked my packages and I show:

416. 1.3.6.1.4.1.9.1.677 Cisco PIX 515E Firewall Security Context Rtr3200 5.0


being available.


Also I checked my config transport settings and I have TELNET, TFTP, SSH, RCP, and HTTPS for config fetch and TELNET, TFTP, SSH, and HTTPS for config deploy.

Joe Clarke Thu, 12/18/2008 - 10:33

You're probably on Windows, and your package repository is probably damaged. The directories NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/lib/pkgs and NMSROOT/www/classpath/com/cisco/nm/xms/psu/pkgs/rme must be identical in terms of .zip files.
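One way to run the directory comparison described in the reply above, as an added example that is not part of the original thread or of CiscoWorks itself. The function names are hypothetical, and comparing SHA-256 digests goes beyond the name-level match the reply asks for, so that a truncated or stale copy of a package is also reported.

```python
import hashlib
import sys
from pathlib import Path


def zip_inventory(directory):
    """Map each .zip file name in `directory` to the SHA-256 of its content."""
    inventory = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and path.suffix.lower() == ".zip":
            inventory[path.name] = hashlib.sha256(path.read_bytes()).hexdigest()
    return inventory


def compare_pkg_dirs(dir_a, dir_b):
    """Report .zip files missing from either directory or differing in content."""
    a, b = zip_inventory(dir_a), zip_inventory(dir_b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "content_differs": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def in_sync(report):
    """True when both directories hold the same .zip files with equal content."""
    return not any(report.values())


if __name__ == "__main__":
    # Pass the two package directories from the reply, with NMSROOT expanded
    # to the local install path (the path is site-specific, so it is an argument).
    if len(sys.argv) != 3:
        sys.exit("usage: compare_pkgs.py <pkgs dir A> <pkgs dir B>")
    report = compare_pkg_dirs(sys.argv[1], sys.argv[2])
    for kind, names in report.items():
        for name in names:
            print(f"{kind}: {name}")
    sys.exit(0 if in_sync(report) else 1)
```

The script only reads the two directories; any file it lists is one to copy across by hand before restarting Daemon Manager.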

NPT_2 Thu, 12/18/2008 - 10:39

I'm just now updating all my packages to the latest version to see if this helps. If not, what is the easiest way to fix the damaged package repository?

Joe Clarke Thu, 12/18/2008 - 10:45

If the package directories are not the same, you will need to manually sync the two, then restart CiscoWorks Daemon Manager.

NPT_2 Thu, 12/18/2008 - 11:20

Thanks for the assistance, you pointed me in the right direction. The problem turned out to be an incorrect SNMP string. The strange thing is until I got that string right my telnet credential verification failed too; now they are working fine and my configuration is now synchronized and it shows PIX515E for my device type.


Thanks Again,

Jim

Joe Clarke Thu, 12/18/2008 - 11:22

Without a valid SNMP community string, LMS couldn't read the sysObjectID to know what type of device it was.
