Cisco Support Community

New Member

I can't discover a ips device with CSM, connectivity test failed !!

Hi everybody,

As I said, I can't discover my IPS device with CSM. I get this message:

     Connectivity Test Failed. Time Elapsed: 0 seconds.
     Certificate Expired
     The certificate received from the device has expired. Certificate details that it received from device:
     [
     [
       Version: V1
       Subject: CN=X.X.X.X, OU=SSM-IPS10, O="Cisco Systems, Inc.", C=US
       Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
       Key: Sun RSA public key, 1024 bits
       modulus: 163313595958527341944117022920288114482504180720578005561064955313643774990976715676633248342066152083691325258722628818351428036183713571418359362172457378662626088225882179602799780417125413462000959388084832050518999958663965078068279649170934515615745020420256153072567949117948346991874191887565159544369
       public exponent: 65537
       Validity: [From: Tue Dec 07 10:42:59 CET 2010, To: Fri Dec 07 10:42:59 CET 2012]
       Issuer: CN=X.X.X.X, OU=SSM-IPS10, O="Cisco Systems, Inc.", C=US
       SerialNumber: [ -XXXXXXX]
     ]
       Algorithm: [SHA1withRSA]
       Signature:
       0000: 3A DF E1 84 61 EF E5 C8 F5 F8 EB D1 54 BA C8 55 :...a.......T..U
       0010: F8 54 E4 28 0F 0F DB B0 F8 DB CA 0A 5F 63 0E 0C .T.(........_c..
       0020: 4A 28 46 9E D0 B7 B9 F1 A7 B7 FD 35 2C 95 EB CA J(F........5,...
       0030: 03 32 D1 13 1A DB B3 9B C9 E2 E6 22 04 3B 84 D1 .2.........".;..
       0040: 4D 4E BD D2 E0 EC 25 27 46 5F 1D ED 39 8F 38 BD MN....%'F_..9.8.
       0050: ED BE E8 7D 02 AE 62 92 89 66 86 BB B4 1F B6 FD ......b..f......
       0060: 6C 46 2C 27 4B EF F8 4F C9 1E 81 5F 29 82 C1 AB lF,'K..O..._)...
       0070: 06 33 0D EA CE 3F 85 CC 2F D6 82 D8 6B 8C 90 8B .3...?../...k...
     ]
     Please synchronize the time settings on the device and the Security Manager server and the expiration time of the certificate, then generate a new certificate.

I already generated a new RSA key on the ASA FW (IOS version 8.4); my login is OK and my password too. I successfully discovered the ASA FW but not the IPS module.

ver CSM 4.3.0 service pack2

Thank you for your help.

4 REPLIES
Hall of Fame Super Silver

Note the error message shows the IPS certificate expired last year:

     Validity: [From: Tue Dec 07 10:42:59 CET 2010, To: Fri Dec 07 10:42:59 CET 2012]

You'll need to address the issue of the expired certificate on the IPS. If the CSM server cannot communicate securely (which depends on a valid IPS certificate) it will not allow you to proceed.

New Member

Hi Marvin,

Thank you for your reply. Sorry, I didn't understand very well, but generating a new RSA key on the ASA is not enough. I need to discuss this issue with my boss in order to get a new certificate on the IPS.

Best regards,

Hall of Fame Super Silver

This is a common issue with IPS and is easily fixed.

The IPS uses a self-signed certificate for TLS (Transport Layer Security) protection of its management channels. When an IPS is initialized that self-signed certificate is valid for two years. That certificate is distinct from the ASA RSA key.

To regenerate, please see the procedure described here.

Be sure to rate useful replies and mark your question as answered when resolved.

New Member

Hi Marvin,

Thank you very much. On the CLI I launched a tls generate-key command and now the certificate is valid for two years.

My issue has been resolved, thank you for your help.

Best regards,
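
The check the replies make by eye, as an added example that is not part of the original thread or of any Cisco tooling: it parses the certificate dump in the CSM error text, confirms the certificate is self-signed, and compares the validity window with the checking host's clock, which also covers the time-synchronization hint in the error message. The function names, the abridged sample text and the time-zone table are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the CSM error from the thread, abridged (key and
# signature omitted), with the device address masked as in the post.
SAMPLE_ERROR = (
    'Certificate Expired The certificate received from the device has expired. '
    '[ [ Version: V1 Subject: CN=X.X.X.X, OU=SSM-IPS10, O="Cisco Systems, Inc.", C=US '
    'Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 '
    'Validity: [From: Tue Dec 07 10:42:59 CET 2010, To: Fri Dec 07 10:42:59 CET 2012] '
    'Issuer: CN=X.X.X.X, OU=SSM-IPS10, O="Cisco Systems, Inc.", C=US SerialNumber: [ -XXXXXXX] ]'
)

# The dates are in Java's Date.toString() layout. strptime's %Z does not
# resolve abbreviations such as CET portably, so map them to fixed offsets
# (assumption: extend this table for the zones your servers use).
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "CET": 1, "CEST": 2}
JAVA_DATE = r"\w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\w+) (\d{4})"


def parse_java_date(text):
    """Turn 'Fri Dec 07 10:42:59 CET 2012' into a timezone-aware datetime."""
    m = re.fullmatch(JAVA_DATE, text.strip())
    if not m or m.group(2) not in TZ_OFFSETS:
        raise ValueError(f"unrecognised date or zone: {text!r}")
    body, zone, year = m.groups()
    naive = datetime.strptime(f"{body} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))


def triage(error_text, now):
    """Summarise the certificate in a CSM error; `now` must be timezone-aware."""
    validity = re.search(r"Validity: \[From: (.+?), To: (.+?)\]", error_text)
    subject = re.search(r"Subject: (.+?) Signature Algorithm:", error_text)
    issuer = re.search(r"Issuer: (.+?) SerialNumber:", error_text)
    if not (validity and subject and issuer):
        raise ValueError("no certificate details found in error text")
    not_before, not_after = map(parse_java_date, validity.groups())
    return {
        # Subject == Issuer: the IPS signed its own certificate.
        "self_signed": subject.group(1) == issuer.group(1),
        "lifetime_days": (not_after - not_before).days,
        "expired": now > not_after,
        "days_past_expiry": (now - not_after).days,
        # True when the checking host's clock is behind the certificate's
        # start time, e.g. right after regeneration with unsynchronised clocks.
        "clock_before_validity": now < not_before,
    }
```

Pass the real error text from CSM together with `datetime.now(timezone.utc)`; a negative `days_past_expiry` is the number of days left before the next regeneration is due.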
