cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1105
Views
0
Helpful
4
Replies

ASA with LMS3.2

Hello,

I am using LMS3.2, but it is not able to collect running config, and startup config from asa 5520.

Please note LMS is able to collect all syslog from asa.

Can you please advise?

thank you

1 Accepted Solution

Accepted Solutions

OK, your system appears to have reachability and credentials setup properly.

In LMS 3.2, it's Resource Manager Essenstial (RME) component which gather configurations. Have you set it up to do so per the procedure linked here? If so, what is the outcome of the job?

View solution in original post

4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

Syslog is sent FROM the ASA and not dependent on LMS being able to log into the ASA remotely.

It sounds like perhaps you haven't correctly discovered the ASA and gotten it into the Device and Credentials Repository (DCR).

On your LMS, go to Inventory > Device Administration > Add / Import / Manage Devices. Does your ASA appear on that list?

That step (and more useful ones) are included in this guide:

Hope this helps.

                                                   
   Device Troubleshooting Report
Device Info
                                                                   
       Name 10.70.7.100
       Device TypeCisco ASA-5520 Adaptive Security Appliance
       IP Address 10.70.7.100
       Managed By     lms: Resource Manager Essentials, Campus Manager.
Reachability Check (Device connected)

LMS

       PingSuccess
       HTTPFailed
       SNMPv1/v2c ReadSuccess
       SNMPv1/v2c WriteFailed
       SSHv1Success
       SSHv2Failed
       TelnetSuccess

Trace Route (Trace Route retrieved for the selected device.)

LMS

Tracing route to 10.70.7.100 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.70.7.100

Trace complete.

           

Syslog Message (Syslog messages retrieved for the selected device.)

LMS

Severity : Alerts
                  
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            
Device NameInterfaceTimestampFacility[-Sub-facility]SeverityMnemonicDescriptionDetails
1.10.70.7.10010.70.7.100Dec 29 2011 11:23:51ASA1106100access-list  DMZ1_access_in denied icmp DMZ1/10.80.8.201(8) ->  DMZ2-vm/10.70.7.200(0) hit-cnt 15 300-second interval [0xd09b143c, 0x0]*
2.10.70.7.10010.70.7.100Dec 29 2011 11:24:27ASA1106100access-list DMZ1_access_in denied icmp DMZ1/10.80.8.204(8) -> DMZ2-vm/10.70.7.203(0) hit-cnt 1 first hit [0xd09b143c, 0x0]*
3.10.70.7.10010.70.7.100Dec 29 2011 11:24:27ASA1106100access-list  DMZ1_access_in denied icmp DMZ1/10.80.8.201(8) ->  DMZ2-vm/10.70.7.207(0) hit-cnt 3 300-second interval [0xd09b143c, 0x0]*
4.10.70.7.10010.70.7.100Dec 29 2011 11:24:27ASA1106100access-list DMZ1_access_in denied icmp DMZ1/10.80.8.204(8) -> DMZ2-vm/10.70.7.200(0) hit-cnt 1 first hit [0xd09b143c, 0x0]*
5.10.70.7.10010.70.7.100Dec 29 2011 11:24:35ASA1106100access-list  DMZ1_access_in denied udp DMZ1/169.254.218.192(137) ->  DMZ2-vm/10.70.7.200(137) hit-cnt 1 first hit [0xd09b143c, 0x0]*
6.10.70.7.10010.70.7.100Dec 29 2011 11:24:53ASA1106100access-list DMZ1_access_in denied icmp DMZ1/10.80.8.201(0) -> DMZ2-vm/10.70.7.206(0) hit-cnt 1 first hit [0xd09b143c, 0x0]*
7.10.70.7.10010.70.7.100Dec 29 2011 11:25:26ASA1106100access-list DMZ1_access_in denied icmp DMZ1/10.80.8.204(0) -> DMZ2-vm/10.70.7.206(0) hit-cnt 1 first hit [0xd09b143c, 0x0]*
8.10.70.7.10010.70.7.100Dec 29 2011 11:29:31ASA1106100access-list  DMZ1_access_in denied icmp DMZ1/10.80.8.204(8) ->  DMZ2-vm/10.70.7.203(0) hit-cnt 1 300-second interval [0xd09b143c, 0x0]*
9.10.70.7.10010.70.7.100Dec 29 2011 11:29:31ASA1106100access-list  DMZ1_access_in denied icmp DMZ1/10.80.8.204(8) ->  DMZ2-vm/10.70.7.200(0) hit-cnt 3 300-second interval [0xd09b143c, 0x0]*
10.10.70.7.10010.70.7.100Dec 29 2011 11:29:38ASA1106100access-list  DMZ1_access_in denied udp DMZ1/169.254.218.192(137) ->  DMZ2-vm/10.70.7.200(137) hit-cnt 5 300-second interval [0xd09b143c, 0x0]*
Severity : Errors
                  
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        
Device NameInterfaceTimestampFacility[-Sub-facility]SeverityMnemonicDescriptionDetails
1.10.70.7.10010.70.7.100Dec 29 2011 11:50:46ASA3710003TCP access denied by ACL from 10.70.7.212/49192 to DMZ2-vm:10.70.7.100/80*
2.10.70.7.10010.70.7.100Dec 29 2011 11:50:46ASA3710003TCP access denied by ACL from 10.70.7.212/49192 to DMZ2-vm:10.70.7.100/80*
3.10.70.7.10010.70.7.100Dec 29 2011 11:50:46ASA3710003TCP access denied by ACL from 10.70.7.212/49192 to DMZ2-vm:10.70.7.100/80*
4.10.70.7.10010.70.7.100Dec 29 2011 11:51:01ASA3710003TCP access denied by ACL from 10.70.7.212/49227 to DMZ2-vm:10.70.7.100/80*
5.10.70.7.10010.70.7.100Dec 29 2011 11:51:01ASA3710003TCP access denied by ACL from 10.70.7.212/49227 to DMZ2-vm:10.70.7.100/80*
6.10.70.7.10010.70.7.100Dec 29 2011 11:51:01ASA3710003TCP access denied by ACL from 10.70.7.212/49227 to DMZ2-vm:10.70.7.100/80*
7.10.70.7.10010.70.7.100Dec 28 2011 13:06:54ASA3713119Group = 173.192.254.5, IP = 173.192.254.5, PHASE 1 COMPLETED*
8.10.70.7.10010.70.7.100Dec 28 2011 13:07:41ASA3713902Group = 173.192.254.5, IP = 173.192.254.5, Removing peer from peer table failed, no match!*
9.10.70.7.10010.70.7.100Dec 28 2011 13:07:41ASA3713119Group = 173.192.254.5, IP = 173.192.254.5, PHASE 1 COMPLETED*
   
More Details

Audit Report (No audit summary for the selected device.)

LMS

No records.

Generic OnLine Diagnostics (Generic OnLine Diagnostics details not available for the selected device.)

LMS

The device does not support the task

Call Home (Call Home details not available for the selected device.)

LMS

The device does not support the task


Embedded Event Manager (Embedded Event Manager details not available for the selected device.)

LMS

The device does not support the task


Device Credential Verification Report (Verification Report for the selected device.)

LMS

Credential Verification report as on Dec 28 2011 12:57:05 GMT+04:00 Run now
Device NameRead CommunityRead Write Community SNMPV3TelnetEnable by TelnetSSHEnable by SSH
10.70.7.100OKNot SupportedNo Value To TestOK(Primary Successful)OK(Primary Successful)No Value To TestDid Not Try

Last Configuration Change (No configuration archived for the selected device.)

LMS

No configuration archived for the selected device.

CDP Neighbors (No CDP Neighbor exists for the selected device.)

LMS

CDP Neighbors : N/A

Discrepancy (No Discrepancy found for the selected device.)

LMS

No Discrepancies Found.


  

MARVIN RHOADS wrote:

Syslog is sent FROM the ASA and not dependent on LMS being able to log into the ASA remotely.

It sounds like perhaps you haven't correctly discovered the ASA and gotten it into the Device and Credentials Repository (DCR).

On your LMS, go to Inventory > Device Administration > Add / Import / Manage Devices. Does your ASA appear on that list?

That step (and more useful ones) are included in this guide:

Hope this helps.

Hello marvin,

thank for your reply, please see the report below, the device is already added on the LMS 3.2. but the software is not able to get the running config and startuo config.

   Device Troubleshooting Report
Device Info
       Name 10.70.7.100
       Device TypeCisco ASA-5520 Adaptive Security Appliance
       IP Address 10.70.7.100
       Managed Bylms: Resource Manager Essentials, Campus Manager.
Reachability Check (Device connected)

LMS

       PingSuccess
       HTTPFailed
       SNMPv1/v2c ReadSuccess
       SNMPv1/v2c WriteFailed
       SSHv1Success
       SSHv2Failed
       TelnetSuccess
Trace Route (Trace Route retrieved for the selected device.)

LMS

Tracing route to 10.70.7.100 over a maximum of 30 hops

1    <1 ms    <1 ms    <1 ms  10.70.7.100

Trace complete.

Syslog Message (Syslog messages retrieved for the selected device.)

LMS

Severity : Alerts
Device NameInterfaceTimestampFacility[-Sub-facility]SeverityMnemonicDescriptionDetails
1.10.70.7.10010.70.7.100Dec 29 2011 11:23:51ASA1106100access-list  DMZ1_access_in denied icmp DMZ1/10.80.8.201(8) ->  DMZ2-vm/10.70.7.200(0) hit-cnt 15 300-second interval [0xd09b143c, 0x0]*
2.10.70.7.10010.70.7.100Dec 29 2011 11:24:27ASA1106100access-list DMZ1_access_in denied icmp DMZ1/10.80.8.204(8) -> DMZ2-vm/10.70.7.203(0) hit-cnt 1 first hit [0xd09b143c, 0x0]*
3.10.70.7.10010.70.7.100Dec 29 2011 11:24:27ASA1106100access-list  DMZ1_access_in denied icmp DMZ1/10.80.8.201(8) ->  DMZ2-vm/10.70.7.207(0) hit-cnt 3 300-second interval [0xd09b143c, 0x0]*
4.10.70.7.10010.70.7.100Dec 29 2011 11:24:27ASA1106100access-list DMZ1_access_in denied icmp DMZ1/10.80.8.204(8) -> DMZ2-vm/10.70.7.200(0) hit-cnt 1 first hit [0xd09b143c, 0x0]*
5.10.70.7.10010.70.7.100Dec 29 2011 11:24:35ASA1106100access-list  DMZ1_access_in denied udp DMZ1/169.254.218.192(137) ->  DMZ2-vm/10.70.7.200(137) hit-cnt 1 first hit [0xd09b143c, 0x0]*
6.10.70.7.10010.70.7.100Dec 29 2011 11:24:53ASA1106100access-list DMZ1_access_in denied icmp DMZ1/10.80.8.201(0) -> DMZ2-vm/10.70.7.206(0) hit-cnt 1 first hit [0xd09b143c, 0x0]*
7.10.70.7.10010.70.7.100Dec 29 2011 11:25:26ASA1106100access-list DMZ1_access_in denied icmp DMZ1/10.80.8.204(0) -> DMZ2-vm/10.70.7.206(0) hit-cnt 1 first hit [0xd09b143c, 0x0]*
8.10.70.7.10010.70.7.100Dec 29 2011 11:29:31ASA1106100access-list  DMZ1_access_in denied icmp DMZ1/10.80.8.204(8) ->  DMZ2-vm/10.70.7.203(0) hit-cnt 1 300-second interval [0xd09b143c, 0x0]*
9.10.70.7.10010.70.7.100Dec 29 2011 11:29:31ASA1106100access-list  DMZ1_access_in denied icmp DMZ1/10.80.8.204(8) ->  DMZ2-vm/10.70.7.200(0) hit-cnt 3 300-second interval [0xd09b143c, 0x0]*
10.10.70.7.10010.70.7.100Dec 29 2011 11:29:38ASA1106100access-list  DMZ1_access_in denied udp DMZ1/169.254.218.192(137) ->  DMZ2-vm/10.70.7.200(137) hit-cnt 5 300-second interval [0xd09b143c, 0x0]*
Severity : Errors
Device NameInterfaceTimestampFacility[-Sub-facility]SeverityMnemonicDescriptionDetails
1.10.70.7.10010.70.7.100Dec 29 2011 11:50:46ASA3710003TCP access denied by ACL from 10.70.7.212/49192 to DMZ2-vm:10.70.7.100/80*
2.10.70.7.10010.70.7.100Dec 29 2011 11:50:46ASA3710003TCP access denied by ACL from 10.70.7.212/49192 to DMZ2-vm:10.70.7.100/80*
3.10.70.7.10010.70.7.100Dec 29 2011 11:50:46ASA3710003TCP access denied by ACL from 10.70.7.212/49192 to DMZ2-vm:10.70.7.100/80*
4.10.70.7.10010.70.7.100Dec 29 2011 11:51:01ASA3710003TCP access denied by ACL from 10.70.7.212/49227 to DMZ2-vm:10.70.7.100/80*
5.10.70.7.10010.70.7.100Dec 29 2011 11:51:01ASA3710003TCP access denied by ACL from 10.70.7.212/49227 to DMZ2-vm:10.70.7.100/80*
6.10.70.7.10010.70.7.100Dec 29 2011 11:51:01ASA3710003TCP access denied by ACL from 10.70.7.212/49227 to DMZ2-vm:10.70.7.100/80*
7.10.70.7.10010.70.7.100Dec 28 2011 13:06:54ASA3713119Group = 173.192.254.5, IP = 173.192.254.5, PHASE 1 COMPLETED*
8.10.70.7.10010.70.7.100Dec 28 2011 13:07:41ASA3713902Group = 173.192.254.5, IP = 173.192.254.5, Removing peer from peer table failed, no match!*
9.10.70.7.10010.70.7.100Dec 28 2011 13:07:41ASA3713119Group = 173.192.254.5, IP = 173.192.254.5, PHASE 1 COMPLETED*
More Details
Audit Report (No audit summary for the selected device.)

LMS

No records.
Generic OnLine Diagnostics (Generic OnLine Diagnostics details not available for the selected device.)

LMS

The device does not support the task
Call Home (Call Home details not available for the selected device.)

LMS

The device does not support the task
Embedded Event Manager (Embedded Event Manager details not available for the selected device.)

LMS

The device does not support the task
Device Credential Verification Report (Verification Report for the selected device.)

LMS

Credential Verification report as on Dec 28 2011 12:57:05 GMT+04:00 Run now
Device NameRead CommunityRead Write Community SNMPV3TelnetEnable by TelnetSSHEnable by SSH
10.70.7.100OKNot SupportedNo Value To TestOK(Primary Successful)OK(Primary Successful)No Value To TestDid Not Try
Last Configuration Change (No configuration archived for the selected device.)

LMS

No configuration archived for the selected device.
CDP Neighbors (No CDP Neighbor exists for the selected device.)

LMS

CDP Neighbors : N/A
Discrepancy (No Discrepancy found for the selected device.)

LMS

No Discrepancies Found.

OK, your system appears to have reachability and credentials setup properly.

In LMS 3.2, it's Resource Manager Essenstial (RME) component which gather configurations. Have you set it up to do so per the procedure linked here? If so, what is the outcome of the job?

MARVIN RHOADS wrote:

OK, your system appears to have reachability and credentials setup properly.

In LMS 3.2, it's Resource Manager Essenstial (RME) component which gather configurations. Have you set it up to do so per the procedure linked here? If so, what is the outcome of the job?

Hello Marvin,

Thank a lot for your advise.

It's working fine now.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco