
Prime Infrastructure 2.1 ASA5580- Security Context Partial Collection Failure

BrianEschen
Level 1

I am attempting to add my ASAs into Prime but get stuck almost instantly after adding the new device. Prime is able to get the device name and device type (Cisco ASA-5580 Adaptive Security Appliance Security Context). Admin status shows up as Managed, but Inventory Collection Status shows up as "Partial Collection Failure". For more detail it says "feature_image_firewall Unexpected error. See the log file inventory.log for details."

The only failure in inventory.log I could find was

 

[2014-09-26 12:40:01,868] [ICE Service[ 1]Thread: 20] [inventory] [ERROR] - 192.168.0.19 For device id: 2848866 Feature = feature_image_firewall and Procedure = ImageFireWal failed in time 45 with the following error and continuing with other features: com.cisco.nm.expression.function.FunctionException: <palError><deviceId>2848866</deviceId><code>HANDLER_ERROR</code><message>Error while trying to run handler. Action : imageFireWall, Handler : com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : Constraint violation. See log for details.</message><handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>

 

[2014-09-26 12:40:01,868] [ICE Service[ 1]Thread: 20] [ice] [ERROR] - com.cisco.nm.expression.function.FunctionException: <palError><deviceId>2848866</deviceId><code>HANDLER_ERROR</code><message>Error while trying to run handler. Action : imageFireWall, Handler : com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : Constraint violation. See log for details.</message><handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>

com.cisco.nm.expression.function.FunctionException: <palError><deviceId>2848866</deviceId><code>HANDLER_ERROR</code><message>Error while trying to run handler. Action : imageFireWall, Handler : com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : Constraint violation. See log for details.</message><handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>

As far as the ASA config goes:

snmp-server enable
snmp-server host management 192.168.10.27 community c!$c0PR!me version 2c
logging enable
logging history 7
snmp-server enable traps

 

The above config works on our ASA5520s, except I still haven't set up the traps right because there isn't any useful information on those devices, so I am not sure what I need to change.
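Added example (not part of the original post and not Cisco code): a small Python parser that pulls the failed feature, device and embedded palError details out of inventory.log entries shaped like the ones quoted above, so partial collection failures can be listed per device. The function and pattern names are assumptions, and the line format is inferred only from the entries in this post.

```python
import re
import xml.etree.ElementTree as ET

HEADER = re.compile(r"^\[(?P<time>[^\]]+)\] \[.*?\] \[(?P<logger>\w+)\] \[(?P<level>\w+)\] - (?P<body>.*)$")
FAILURE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) For device id: (?P<device_id>\d+) "
                     r"Feature = (?P<feature>\S+) and Procedure = (?P<procedure>\S+) failed")
PAL_ERROR = re.compile(r"<palError>.*?</palError>")
HANDLER = re.compile(r"Handler : (?P<handler>\S+)\. Error : (?P<error>.*)")

def failed_features(log_text):
    """Return one dict per ERROR entry that names a failed inventory feature."""
    failures = []
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if not head or head["level"] != "ERROR":
            continue
        what = FAILURE.search(head["body"])
        if not what:
            continue  # the [ice] logger repeats the exception without naming the feature
        entry = {"time": head["time"], **what.groupdict()}
        pal = PAL_ERROR.search(head["body"])
        if pal:
            try:
                root = ET.fromstring(pal.group(0))
            except ET.ParseError:
                root = None  # truncated or malformed fragment: keep the entry anyway
            if root is not None:
                entry["code"] = root.findtext("code")
                detail = HANDLER.search(root.findtext("message") or "")
                if detail:
                    entry.update(detail.groupdict())
        failures.append(entry)
    return failures

# Sample input: the two ERROR entries quoted in the post, plus one constructed INFO line.
PAL = ("com.cisco.nm.expression.function.FunctionException: <palError><deviceId>2848866</deviceId>"
       "<code>HANDLER_ERROR</code><message>Error while trying to run handler. Action : imageFireWall, "
       "Handler : com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : Constraint "
       "violation. See log for details.</message><handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>")
PREFIX = "[2014-09-26 12:40:01,868] [ICE Service[ 1]Thread: 20] "
SAMPLE_LOG = "\n".join([
    PREFIX + "[inventory] [ERROR] - 192.168.0.19 For device id: 2848866 Feature = feature_image_firewall "
    "and Procedure = ImageFireWal failed in time 45 with the following error and continuing with other "
    "features: " + PAL,
    PREFIX + "[ice] [ERROR] - " + PAL,
    PREFIX + "[inventory] [INFO] - 192.168.0.19 inventory collection finished",  # constructed line
])

if __name__ == "__main__":
    for failure in failed_features(SAMPLE_LOG):
        print(failure)
```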

7 Replies

Marvin Rhoads
Hall of Fame

What version of ASA code are you running?

The VPN boxes (ASA5520) are running 9.1(2)8

The Firewall box ASA5580 is 9.1(2)8

There have been at least two issues with respect to ASAs being managed by PI 2.x:

1. ASAs not supporting large SNMP packets. This was fixed in ASA 9.2 software. Related thread.

2. PI not able to ssh into newer ASAs. This is fixed by setting the ASA DH group to DH 1. See this thread

My ASA is using DH 1.

 
For 9.2(1) I read this in the release notes.

Note: The ASA 5510, ASA 5520, ASA 5540, ASA 5550, and ASA 5580 are not supported in this release or later. ASA Version 9.1 was the final release for these models.

 
 

You're right - it's a bit of a Catch-22 on the older end-of-sales 5500 series.

They don't support the large SNMP packets that PI uses and the fix (9.2+) is not available on that platform. Unless or until Cisco issues the fix on 9.1 (or changes PI to use smaller packets) you will be unable to get full support from PI 2.1 on those older boxes.

Any chance that opening a ticket with Cisco might help move the process along? Or they can find an alternate solution?

There's always a chance.

If it were my network I'd open one and tell them they need to update PI 2.x to account for the thousands of ASA 5500 series that customers have but cannot properly manage using Cisco's flagship wired management tool.

Good luck.
