Cisco Support Community
New Member

Prime Infrastructure 2.1 ASA5580- Security Context Partial Collection Failure

I am attempting to add my ASAs into Prime but get stuck almost instantly after adding the new device. Prime is able to get the device name and device type (Cisco ASA-5580 Adaptive Security Appliance Security Context). Admin status shows up as Managed, but Inventory Collection Status shows up as "Partial Collection Failure". For more detail it says "feature_image_firewall Unexpected error. See the log file inventory.log for details."

The only failure in inventory.log I could find was:

[2014-09-26 12:40:01,868] [ICE Service[ 1]Thread: 20] [inventory] [ERROR] - 192.168.0.19 For device id: 2848866 Feature = feature_image_firewall and Procedure = ImageFireWal failed in time 45 with the following error and continuing with other features: com.cisco.nm.expression.function.FunctionException: <palError><deviceId>2848866</deviceId><code>HANDLER_ERROR</code><message>Error while trying to run handler. Action : imageFireWall, Handler : com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : Constraint violation. See log for details.</message><handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>

 

[2014-09-26 12:40:01,868] [ICE Service[ 1]Thread: 20] [ice] [ERROR] - com.cisco.nm.expression.function.FunctionException: <palError><deviceId>2848866</deviceId><code>HANDLER_ERROR</code><message>Error while trying to run handler. Action : imageFireWall, Handler : com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : Constraint violation. See log for details.</message><handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>

com.cisco.nm.expression.function.FunctionException: <palError><deviceId>2848866</deviceId><code>HANDLER_ERROR</code><message>Error while trying to run handler. Action : imageFireWall, Handler : com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : Constraint violation. See log for details.</message><handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>

As far as the ASA config goes:

snmp-server enable

snmp-server host management 192.168.10.27 community c!$c0PR!me version 2c

logging enable

logging history 7

snmp-server enable traps

 

The above config works on our ASA5520s, except I still haven't set up the traps right because there isn't any useful information on those devices, so I am not sure what I need to change.
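To check whether the same feature and handler fail on every ASA of this type, the inventory.log lines quoted above can be grouped by feature, handler and error. This is an added example, not part of the original post or of Cisco's tooling; the function name `failed_features` and the second sample device are assumptions, and the sample log is constructed from the lines in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted in the post. The first device is the
# one from the post; the second (id 1111111, 192.0.2.20) is made up.
PAL = ("com.cisco.nm.expression.function.FunctionException: <palError><deviceId>%s"
       "</deviceId><code>HANDLER_ERROR</code><message>Error while trying to run "
       "handler. Action : imageFireWall, Handler : "
       "com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : "
       "Constraint violation. See log for details.</message>"
       "<handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>")
PREFIX = "[2014-09-26 12:40:01,868] [ICE Service[ 1]Thread: 20] [%s] [ERROR] - "
FAILED = ("%s For device id: %s Feature = feature_image_firewall and Procedure = "
          "ImageFireWal failed in time 45 with the following error and "
          "continuing with other features: ")
SAMPLE_LOG = "\n".join([
    PREFIX % "inventory" + FAILED % ("192.168.0.19", "2848866") + PAL % "2848866",
    PREFIX % "ice" + PAL % "2848866",   # same error, logged again by [ice]
    PAL % "2848866",                    # bare exception line
    PREFIX % "inventory" + FAILED % ("192.0.2.20", "1111111") + PAL % "1111111",
])

HEADER = re.compile(r"^\[[^\]]+\] \[.*?\] \[(?P<logger>\w+)\] \[ERROR\] - (?P<body>.*)$")
FEATURE = re.compile(r"^(?P<addr>\S+) For device id: (?P<dev>\d+) "
                     r"Feature = (?P<feature>\S+) and Procedure = \S+ failed")
MESSAGE = re.compile(r"<message>(.*?)</message>")
HANDLER = re.compile(r"Handler : (\S+?)\. Error : (.*?)\. See log")

def failed_features(log_text):
    """Map (feature, handler, error) -> sorted [(device_id, address), ...]."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        head = HEADER.match(line)
        # Only [inventory] lines name the feature; the [ice] line and the bare
        # exception line repeat the same palError and would double-count it.
        if not head or head["logger"] != "inventory":
            continue
        feat = FEATURE.match(head["body"])
        msg = MESSAGE.search(head["body"])
        if not feat or not msg:
            continue
        detail = HANDLER.search(msg.group(1))
        handler, error = detail.groups() if detail else ("unknown", msg.group(1))
        groups[(feat["feature"], handler, error)].add((feat["dev"], feat["addr"]))
    return {key: sorted(devs) for key, devs in groups.items()}

if __name__ == "__main__":
    for (feature, handler, error), devices in failed_features(SAMPLE_LOG).items():
        print(f"{feature} via {handler}: {error} -> {devices}")
```

One group that lists every ASA of a given model points at a platform-wide cause rather than a per-device misconfiguration.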

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

There's always a chance.

If it were my network I'd open one and tell them they need to update PI 2.x to account for the thousands of ASA 5500 series that customers have but cannot properly manage using Cisco's flagship wired management tool.

Good luck.

7 REPLIES
Hall of Fame Super Silver

What version of ASA code are you running?

New Member

The VPN boxes (ASA5520) are running 9.1(2)8

The Firewall box ASA5580 is 9.1(2)8

Hall of Fame Super Silver

There have been at least two issues with respect to ASAs being managed by PI 2.x:

1. ASAs not supporting large SNMP packets. This was fixed in ASA 9.2 software. Related thread.

2. PI not able to SSH into newer ASAs. This is fixed by setting the ASA DH group to DH 1. See this thread.

New Member

My ASA is using DH 1.

 
For 9.2(1) I read this in the release notes.

Note: The ASA 5510, ASA 5520, ASA 5540, ASA 5550, and ASA 5580 are not supported in this release or later. ASA Version 9.1 was the final release for these models.

 
 
Hall of Fame Super Silver

You're right - it's a bit of a Catch-22 on the older end-of-sales 5500 series.

They don't support the large SNMP packets that PI uses and the fix (9.2+) is not available on that platform. Unless or until Cisco issues the fix on 9.1 (or changes PI to use smaller packets) you will be unable to get full support from PI 2.1 on those older boxes.

New Member

Any chance that opening a ticket with Cisco might help move the process along? Or they can find an alternate solution?
