CSM - Site-to-site monitoring with unmanaged device

deephazz02
Level 1

Hello All,

Is it possible to monitor some site-to-site VPNs that include unmanaged devices? I tried to discover a few site-to-site VPNs using the wizard, but it always fails, saying that CSM can only discover site-to-site VPNs on managed devices.

Maybe I missed something in the manual...

Is anybody able to monitor a site-to-site VPN including a 3rd party firewall with CSM?

Regards,

Thibault.

3 Replies

Jason Gervia
Cisco Employee

Hello,

You can't discover a VPN on CSM with a 3rd party device. You can *configure* one, however, which is what I would do.

Arrange a disruptive change window, and then configure the VPN from scratch in CSM with an unmanaged device, and that should allow you to change the Cisco side of the VPN in CSM after that.

Hello,

Thanks for your reply.

It's a shame CSM can't discover VPNs with 3rd party devices.

Thibault.

Yeah, you can't discover a site-to-site VPN to an unmanaged device. You can manually create one in CSM, however, using the following process:

1) Discover managed device.

2) Discover unmanaged device (using Add New Device wizard, and unselect "Manage in Cisco Security Manager")

3) Add an interface to the unmanaged device with the correct peer IP address. This seems to be required; otherwise, when you submit changes, an error occurs.

4) Create Site to Site VPN.

5) Submit and deploy.

Note that when deploying, CSM still wants to deploy to the unmanaged device (which is silly as the device is not managed by CSM).

I logged a call with Cisco and had a round table with their CSM developers on the issues above, and also on discovery of VPNs to unmanaged devices. They gave me some constructive feedback that they are working on all of the issues; however, they don't expect a solution to be released for some time.

Matt
