New Member

Ciscoworks showing + and - when running a compliance check

I am trying to write a compliance check for switches. The issue I am getting now is that when the template runs I am getting notices stating that none of the switches are compliant, when they are. In the output after it runs I am seeing items in red with - and items in green with +. I thought the items in green with the + are items that are needed in the switches. Am I correct in assuming this? What are the items in red with the -?

The problem seems to be with ACLs: they first show up in red (-) and then again in green (+) even though they are correct in the switch. Any ideas?

Accepted Solutions
Cisco Employee

Re: Ciscoworks showing + and - when running a compliance check

If you selected that the template is ordered, and the ACEs show up out of template order, then you could see what you describe.  You may also see problems if you have IP SLA configured on your device due to bug CSCtf82992.  In order to confirm, you will need to post the device's running config and an export of the template you are using.

12 REPLIES
New Member

Re: Ciscoworks showing + and - when running a compliance check

I can attach the requested files. This happens to be a different switch, with the same issue. I am not sure why it keeps coming up with missing (-). Test is the test switch and run is the switch that had both the (-) and (+).

Cisco Employee

Re: Ciscoworks showing + and - when running a compliance check

In the run.log, your device has an ACL:

access-list 101 remark Permit SSH from admin systems and other switches
access-list 101 permit tcp 172.20.2.0 0.0.1.255 any eq 22 log
access-list 101 permit tcp 192.168.10.0 0.0.1.255 any eq 22 log
access-list 101 deny   ip any any log

But your template requires:

access-list 101 remark Permit SSH from admin systems and other switches
access-list 101 permit tcp 172.20.2.0 0.0.1.255 any eq 22 log
access-list 101 permit tcp 192.168.10.0 0.0.1.255 any eq 22 log

access-list 101 permit tcp 192.168.12.0 0.0.1.255 any eq 22 log
access-list 101 deny   ip any any log

The test.log device has "ip sla enable reaction-alerts" which will trigger a parse error in baseline.  If you remove this line, re-archive the config, then run a new compliance test, it should show as being compliant (from the ACL standpoint).

New Member

Re: Ciscoworks showing + and - when running a compliance check

Thanks I see the problem with ACL 101. The real issue is that I am getting the + and - for ACL 60 on the run config. I am not sure as to why.

Cisco Employee

Re: Ciscoworks showing + and - when running a compliance check

If you're seeing this on the device with the IP SLA configuration, then that is expected due to the bug I pointed out.  Any command below the IP SLA configuration will not be parsed correctly by RME.

New Member

Re: Ciscoworks showing + and - when running a compliance check

I understand. The problem is I cannot seem to find this command in the run config for the switch that is labeled run.log.

Cisco Employee

Re: Ciscoworks showing + and - when running a compliance check

There may still be an issue with the config as it's archived in RME.  Post screenshots of the processed config from this run device from RME > Config Mgmt > Archive Mgmt > Version Tree (pick the latest version of this device's config).  You will need to grab screenshots for each of the submodes (i.e. the elements in the config tree).

New Member

Re: Ciscoworks showing + and - when running a compliance check

I have an export file that I can post up here of the device that is causing the issue.

Sorry it has taken me so long to get back; I have been rather busy lately.

New Member

Re: Ciscoworks showing + and - when running a compliance check

Also the no ip sla enable reaction-alerts command is not removing this from the configuration.

Cisco Employee

Re: Ciscoworks showing + and - when running a compliance check

I found your problem.  Your spaces are wrong in your template.  If you change your ACL60 to the attached, it should work.

New Member

Re: Ciscoworks showing + and - when running a compliance check

I am still getting the same issue, but I am working with the IP SLA issue that is out there right now. It's still trying to remove ACL 60. Only this time it is saying it is in the config twice, when I know it's not. Also, now, it's yelling about ACL 101 being wrong when it's not, so I must be hitting that bug mentioned above.

Cisco Employee

Re: Ciscoworks showing + and - when running a compliance check

You may be.  I did some local testing with my template and your ACL 60, and I could not reproduce.  That's when I noticed your spacing issue.  If you just try my template, and RME reports non-compliance, then you may be hitting the bug I mentioned above.
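
The two template effects discussed in this thread (ordered matching and spacing), as an added example that is not part of the original posts and is not RME's comparison logic. It reuses the ACL 101 lines quoted above; the `check` and `normalize` functions, the meaning given to `+` and `-`, and the `SWAPPED` and `SPACED` variants are assumptions made for illustration.

```python
import difflib

# ACL 101 as quoted in the thread: device (run.log) and template.
DEVICE_101 = [
    "access-list 101 remark Permit SSH from admin systems and other switches",
    "access-list 101 permit tcp 172.20.2.0 0.0.1.255 any eq 22 log",
    "access-list 101 permit tcp 192.168.10.0 0.0.1.255 any eq 22 log",
    "access-list 101 deny   ip any any log",
]
TEMPLATE_101 = DEVICE_101[:3] + [
    "access-list 101 permit tcp 192.168.12.0 0.0.1.255 any eq 22 log",
    DEVICE_101[3],
]
# Constructed variants (not from the thread): reordered ACEs, different spacing.
SWAPPED = [DEVICE_101[0], DEVICE_101[2], DEVICE_101[1], DEVICE_101[3]]
SPACED = DEVICE_101[:3] + ["access-list 101 deny ip any any log"]

def normalize(line):
    # Collapse whitespace runs so "deny   ip" and "deny ip" compare equal.
    return " ".join(line.split())

def check(device, template, ordered=True, ignore_spacing=False):
    """Return [(marker, line)]; an empty list means compliant.
    Assumed meaning: '-' = device line with no match in the template,
    '+' = template line with no match on the device."""
    key = normalize if ignore_spacing else (lambda s: s)
    dev = [l for l in device if l.strip()]
    tpl = [l for l in template if l.strip()]
    dk, tk = [key(l) for l in dev], [key(l) for l in tpl]
    if not ordered:  # set membership only, position is ignored
        return ([("-", l) for l, k in zip(dev, dk) if k not in tk] +
                [("+", l) for l, k in zip(tpl, tk) if k not in dk])
    out = []
    sm = difflib.SequenceMatcher(None, dk, tk, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag != "equal":  # position matters: a moved line is flagged
            out += [("-", l) for l in dev[i1:i2]]
            out += [("+", l) for l in tpl[j1:j2]]
    return out

if __name__ == "__main__":
    for name, dev, tpl in [("missing ACE", DEVICE_101, TEMPLATE_101),
                           ("reordered", SWAPPED, DEVICE_101),
                           ("spacing", DEVICE_101, SPACED)]:
        print(name, check(dev, tpl))
```

In the reordered and spacing cases the same ACE is reported under both markers even though the device holds the intended rule, which matches the symptom described in the first post.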
