03-26-2010 06:54 AM
We are seeing an issue where RME is trying to access several, but not all, firewalls in our environment. It seems RME is trying to get the configuration, but for some reason it keeps logging in over and over and issuing the below commands. This info comes from a RME syslog report. The problem it is causing is VERY annoying. We also have MARS in our environment for alerting on firewall changes. The "configure terminal" syslog message, which is also sent to MARS, sets this off. It is creating a vicious circle, which generates MARS alerts every 5 to 10 minutes. I do have an active TAC case on this issue, but it is going nowhere. I have to figure out what is causing this and make it stop!
User ''x'' executed the ''terminal pager lines 0'' command.
User ''x'' executed the ''terminal pager lines 0'' command.
User ''x'' executed the ''configure terminal'' command.
User ''x'' executed the ''pager lines 0'' command.
User ''x'' executed the ''disable'' command.
User ''x'' executed the ''terminal pager lines 0'' command.
User ''x'' executed the ''terminal pager lines 0'' command.
User ''x'' executed the ''configure terminal'' command.
User ''x'' executed the ''terminal width 0'' command.
User ''x'' executed the ''terminal no monitor'' command.
User ''x'' executed the ''pager lines 0'' command.
User ''x'' executed the ''configure terminal'' command.
User ''x'' executed the ''no pager'' command.
User ''x'' executed the ''terminal pager lines 0'' command.
User ''x'' executed the ''terminal pager lines 0'' command.
User ''x'' executed the ''configure terminal'' command.
User ''x'' executed the ''terminal width 0'' command.
User ''x'' executed the ''terminal no monitor'' command.
User ''x'' executed the ''configure terminal'' command.
User ''x'' executed the ''no pager'' command.
User ''x'' executed the ''configure terminal'' command.
User ''x'' executed the ''pager lines 0'' command.
User ''x'' executed the ''configure terminal'' command.
User ''x'' executed the ''no pager'' command.
User ''x'' executed the ''terminal pager lines 0'' command.
User ''x'' executed the ''terminal pager lines 0'' command.
User ''x'' executed the ''configure terminal'' command.
User ''x'' executed the ''no pager'' command.
User ''x'' executed the ''configure terminal'' command.
User ''x'' executed the ''configure terminal'' command.
User ''x'' executed the ''pager lines 0'' command.
User ''x'' executed the ''disable'' command.
03-26-2010 11:10 AM
This could be related to the old bug CSCsi07492. Every time RME sees a certain syslog message from the PIX, it tries to archive the config. However, when RME logs into the PIX, and disables the pager, it triggers the same syslog. This can lead to a loop. Go to RME > Tools > Syslog > Automated Actions, and edit the Config Fetch action. Remove the following syslog pattern, and see if that helps:
PIX-*-5-111005:*
--
Please support CSC Helps Haiti
https://supportforums.cisco.com/docs/DOC-8895
https://supportforums.cisco.com
03-26-2010 11:32 AM
Hello Joe! As always, your assistance is greatly appreciated!
I have a question regarding this solution. We use CW to archive each PIX/ASA config change made, which is mandated by internal audit. Will removing that syslog pattern stop that from happening?
Thank you,
Drew
03-26-2010 10:54 PM
Yes. You will still get archives if you're doing periodic polling or collection, but you will not get an archive each time a config change is made.
--
Please support CSC Helps Haiti
https://supportforums.cisco.com/docs/DOC-8895
https://supportforums.cisco.com
04-01-2010 04:40 AM
RME should try hard to archive the running config without altering it!
This should be possible for all releases that support "terminal pager lines 0" and would avoid the config fetching loop.
04-01-2010 09:15 PM
This point was actually raised in CSCsi07492, but at the time, it was deemed easier considering the ubiquity of PIXOS 6.x code to simply remove the syslog messages. It's probably time to re-evaluate that.
--
Please support CSC Helps Haiti
https://supportforums.cisco.com/docs/DOC-8895
https://supportforums.cisco.com
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide