ASA Configuration Troubleshooting

From DocWiki

(Difference between revisions)
Jump to: navigation, search
(Configuration not pulled.)
(How to enable auto-update server logging on ASA device.)
Line 28: Line 28:
* '''port''' : HTTPS server port. By default the port specifies to 443. If this port changed during setup, then the same should be used here.
* '''port''' : HTTPS server port. By default the port specifies to 443. If this port changed during setup, then the same should be used here.
 +
 +
==How to enable auto-update server logging on ASA device.==
==How to enable auto-update server logging on ASA device.==
Line 40: Line 42:
ASA-Device# '''debug auto-update client'''
ASA-Device# '''debug auto-update client'''
-
 
== Configuration not pulled due to java.lang.SecurityException: Device Authentication Failed. ==
== Configuration not pulled due to java.lang.SecurityException: Device Authentication Failed. ==

Revision as of 06:17, 3 May 2011

Contents

Minimum supported IOS version of ASA Device

The Minimum supported IOS version of the ASA device is 8.x and later.

ASA related logs on CE Server

ASA server related log on CE server can be found @ /var/log/CNSCE/asa/asa.log.

The Minimum supported IOS version of the ASA device is 8.2 onwards.

Configuring the ASA device

Following CLIs should be configured on ASA device to communicate with CE server and work using call home protocol.

auto-update device-id [hostname] | [hardware-serial] | [ipaddress] | [mac-address]| string <device-name>

auto-update poll-period <period_in_minutes>

auto-update server https://<username>:<password>@<ce-server>:<port>/cns/ASAConfig

where

  • device-name : Name of the ASA device.
  • period_in_minutes : Poll period in minutes. On elapse of poll period, the ASA device will contact the CE server to pull its configuration and Image related information.
  • username : CE Server's admin username.
  • password : Password configured to the ASA device while creating the device on CE server.
  • port : HTTPS server port. By default the port specifies to 443. If this port changed during setup, then the same should be used here.


How to enable auto-update server logging on ASA device.

Execute the following commands.

ASA-Device(config)# logging enable

ASA-Device(config)# logging console 6

ASA-Device# debug auto-update server

ASA-Device# debug auto-update client

Configuration not pulled due to java.lang.SecurityException: Device Authentication Failed.

Check the following.

1. Check whether the ASA device is created on CE server.

2. if the device is created on CE side, then check the auto-update server cli on ASA to verify that the CLI is having correct username and password.

3. If you feel that the password is incorrect on either side, then re-sync the password on both the side by reconfiguring the auto-update server CLI on ASA device and by editing the device on CE side.

Configuration not pulled.

This is because the device already downloaded associated template from CE server and the ASA device is running with updated configuration. Do the following to verify this.

1. Enable console/terminal logging on ASA device.

2. On elapse of poll-period ASA device will try to contact the CE server to retrieve the new template. During this time following log (not identical but similar) can be seen on ASA device console.

%ASA-6-302013: Built outbound TCP connection 23 for inside:cede1/443 (cede1/443) to identity:10.104.58.246/33894 (10.104.58.246/33894)

%ASA-6-725001: Starting SSL handshake with server inside:10.104.58.246/33894 for TLSv1 session.

%ASA-6-725002: Device completed SSL handshake with server inside:10.104.58.246/33894

Auto-update client: Sent DeviceDetails to /cns/ASAConfig of server cede1

Auto-update client: Processing UpdateInfo from server cede1

Component: config, [URL: https://cnsce-asauser:naveen@cede1:443/cns/ASAConfigProvider?deviceID=ASA-5520-246], checksum:xd2423c0873e3338bec5042a3e143b5e8

%ASA-6-725007: SSL session with server inside:10.104.58.246/33894 terminated.

%ASA-6-302014: Teardown TCP connection 23 for inside:cede1/443 to identity:10.104.58.246/33894 duration 0:00:00 bytes 1336 TCP Reset-I

Auto-update client: no need to update cfg

3. If the logging says that no need to update cfg, then the configuration associated to the ASA device on CE server and running configuration on ASA device are same and current.

Rating: 0.0/5 (0 votes cast)

Personal tools