
PRSM - ASA Active/Standby - Error ASA CX import configuration - Unauthorized request

palonso_3
Level 1

Hi,

I'm trying to add a pair of ASA in HA (Active - Standby) in PRSM Server Multimode Device Mode. I'm getting the error that appears in the title:

"Error ASA CX import configuration - Unauthorized request"

 

Version ASA: 9.1.3

ASA CX: 9.2.1.1 (48)

ASA PRSM: 9.2.1.1 (48)

PRSM Server: 9.2.1.1 (48)

 

The configuration in ASA PRSM is the default factory, no policies created, just uploaded the NGIPS license for 1 year in each ASA PRSM.

In PRSM Server is loaded a license to manage 5 devices. Rest of the licenses present is the evaluation licenses in the version loaded.

The connection between ASA PRSM and PRSM Server is correct through https or ping.

 

In PRSM Server, when I try to add a device in the Policy/Settings menu, all the data are entered correctly: IP of the primary ASA, port, and username and password. Then it appears that PRSM has detected that the ASA is in an active/passive cluster, and I can see the certificate that the ASA presents.

Then it detects that each ASA has a CX module and asks for the password of the user admin. And when I apply this step to finish the discovery of the ASAs, that's when the error I mentioned before appears.

 

So any advice or help would be very much appreciated, because I'm stuck at this point, and I don't know if it's a bug in the version or I'm doing something wrong.

 

Thanks in advance.

Regards,

2 Replies

nkarthikeyan
Level 7

Hi Palonso,

I do not see any compatibility issues with the versions of SW you use.

I guess you have some issues with the admin password which you use for integrating CX-Module.

If the ASA contains an ASA CX SSP, you are prompted for its communication properties. Please ensure that you follow the exact steps mentioned below for adding the CX module to PRSM in Multiple Device mode.

The properties are explained above. Keep the following in mind when filling in the properties for ASA CX:
  • The admin username and password are required. The admin username is the only one allowed for device discovery.
    Tip: Do not change the admin password on the device after adding it to the inventory, or communication with the device will fail. You will have to delete the device from the inventory and add it again to use the new password.
  • Keep the port number 443.
  • You cannot change the device name, but you can change the default description.
  • The IP address is discovered through the parent ASA. If you configured both IPv4 and IPv6 management addresses, the IPv4 address is the one used. If you prefer, you can replace this with the global IPv6 address.
  • If there is a NAT boundary between the PRSM server and the device, be aware that the discovered address is the real IP address of the device. You must change it to the NAT address for discovery to succeed.

 

Adding the Cisco document URL for better understanding on the whole part.

http://www.cisco.com/c/en/us/td/docs/security/asacx/9-1/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_1/b_User_Guide_for_ASA_CX_and_PRSM_9_1_chapter_0110.html#task_7E648F43AD724DA2983699B12E92A528

HTH

 

Regards

Karthik

 

Hi nkarthikeyan,

Thanks for your reply. I think that I followed all the steps above. The user admin in PRSM is not changed; it has the default password. In the version I use, it detects that there's an ASA Active/Standby pair, and it assigns a different name to each one, though they have the same name in the config, as expected.

The ASA uses a third-party certificate issued by, but the PRSM uses the self-signed certificate. But I'm only adding the ASA in monitoring only, and then the CX module, so I don't think I should add the root CA of the ASA certificate in the PRSM.

 

I followed the steps in the link you attached, and everything is correct. So I don't know where my problem could be. Now I'm uploading the version to the 9.2.1.2-82.

 

If you have any other ideas, I'll be grateful.

 

Thanks in advance.

Regards,

 
