2960 and ASA devices in Out-of-sync status

Answered Question
Dec 23rd, 2008

Hi,

we have a LMS 3.1 on a Windows and we are having problems with all our 2960 and ASA devices and the configs.

These devices always appear in the out-of-sync status, even if we execute "sync on device" or "copy runn start".

If we look at the "diff only", it appears the "ntp clock" command and these other:

-2960 startup config:

Crypto-Crypto PKI-Crypto PKI Certificate chain TP-self-signed-226392448

certificate self-signed 01 nvram:IOS-Self-Sig#3838.cer

-2960 running config:

Crypto-Crypto PKI-Crypto PKI Certificate chain TP-self-signed-226392448

certificate self-signed 01

-ASA: the following lines appear in the startup config but not in the running:

asdm location xxxxx 255.255.255.255 Gestion

Does anyone know how to fix this?

Devices packages are updated.

Regards.

I have this problem too.
0 votes
Correct Answer by Joe Clarke about 7 years 11 months ago

The ASA can be fixed by adding the "asdm location" command to the list of excluded commands under RME > Admin > Config Mgmt > Exclude Commands. The crypto issue is a known problem which can only be solved if the device supports "show running brief" and you are using TELNET or SSH to fetch the configuration. If you use TFTP, the configs will always be reported as different.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Joe Clarke Tue, 12/23/2008 - 09:46

The ASA can be fixed by adding the "asdm location" command to the list of excluded commands under RME > Admin > Config Mgmt > Exclude Commands. The crypto issue is a known problem which can only be solved if the device supports "show running brief" and you are using TELNET or SSH to fetch the configuration. If you use TFTP, the configs will always be reported as different.

stephenscott Fri, 04/10/2009 - 12:51

I am having the same problem. I have 24 2960's and every one of them fail the sync on the cert self signed portion of the config.

startup: Crypto-Crypto CA-Crypto CA certificate chain TP-self-signed-2xxxxxxxx8

certificate self-signed 01 nvram:sw-recjuv-1s#6D01.cer

running: Crypto-Crypto CA-Crypto CA certificate chain TP-self-signed-2xxxxxxxx8

certificate self-signed 01

All 24 of my 2960's are doing this.

Joe Clarke Fri, 04/10/2009 - 14:13

Review the comments in my previous post. If you are already fetching the config with telnet or SSH, then please start a new thread for your issue.

Actions

This Discussion