ASA Configuration Troubleshooting

From DocWiki

(Difference between revisions)
(Enable Auto-update server Logging on ASA Device)
 
(35 intermediate revisions not shown)
Line 1: Line 1:
-
==Configuring ASA device.==
+
==IOS Version for ASA Device==
-
Following CLIs should be configured on ASA device to communicate with CE server and work using call home protocol.
+
-
auto-update device-id [hostname] | srting <device_name>
+
The minimum supported IOS version of the ASA device is '''8.x''' and later.
-
auto-update poll-period <period_in_minutes>
+
==ASA Related Logs on CE Server==
-
auto-update server <ASA_SERVLET_URL_ON_CE_SERVER>
+
The ASA server related logs on CE server can be found @ /var/log/CNSCE/asa/asa.log. The ASA device supports IOS version 8.2 onwards.
 +
==Configuring the ASA Device==
 +
The following commands should be configured on ASA device to communicate with CE server to work using the call home protocol.
-
==How to enable auto-update server logging on ASA device.==
+
'''auto-update device-id [hostname] | [hardware-serial] | [ipaddress] | [mac-address]| string <device-name>'''
-
'''Execute the following commands.'''
+
'''auto-update poll-period <period_in_minutes>'''
 +
 
 +
'''auto-update server https://<username>:<password>@<ce-server>:<port>/cns/ASAConfig'''
 +
 
 +
'''where'''
 +
* '''device-name''' : Name of the ASA device.
 +
 
 +
* '''period_in_minutes''' : Poll period in minutes. On elapse of poll period, the ASA device will contact the CE server to pull its configuration and Image related information.
 +
 
 +
* '''username''' : CE Server's admin username.
 +
 
 +
* '''password''' : Password configured to the ASA device while creating the device on CE server.
 +
 
 +
* '''port''' : HTTPS server port. By default the port specifies to 443. If this port changed during setup, then the same should be used here.
 +
 
 +
==Invalid Remote Host==
 +
 
 +
Make sure to add the appropriate name <ce-server-ip-address> <ce-server-hostname> command. As a work around you can use the IP address of the CE server in the '''auto-update server''' command instead of hostname.
 +
 
 +
==Enable Auto-update Server Logging on ASA Device==
 +
 
 +
To enable auto-update server logging on ASA device, execute the following commands:
ASA-Device(config)# '''logging enable'''
ASA-Device(config)# '''logging enable'''
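Review bot: the added '''auto-update server https://<username>:<password>@<ce-server>:<port>/cns/ASAConfig''' line puts the CE server admin username and the device password inside the URL, and the logging section that follows tells readers to enable console logging and auto-update debugging; the sample console output further down this page prints that URL with the credentials in clear text. Add a sentence saying that the debug output contains the credentials, and tell readers to turn the debug and console logging off once troubleshooting is finished. Separately, the two added version sentences disagree ("8.x and later" against "8.2 onwards"); state one minimum version.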
Line 21: Line 43:
ASA-Device# '''debug auto-update client'''
ASA-Device# '''debug auto-update client'''
-
 
+
== Device Authentication Failed ==
-
== Configuration not pulled due to java.lang.SecurityException: Device Authentication Failed. ==
+
When you get this error message, check the following:
-
'''Check the following.'''
+
1. Check whether the ASA device is created on CE server.
1. Check whether the ASA device is created on CE server.
-
2. if the device is created on CE side, then check the auto-update server cli on ASA to verify that the CLI is having correct username and password.
+
2. If the device is created on CE side, then check the auto-update server CLI on ASA to verify that the CLI is having correct username and password.
3. If you feel that the password is incorrect on either side, then re-sync the password on both the side by reconfiguring the auto-update server CLI on ASA device and by editing the device on CE side.
3. If you feel that the password is incorrect on either side, then re-sync the password on both the side by reconfiguring the auto-update server CLI on ASA device and by editing the device on CE side.
-
== Configuration not pulled. ==
+
== Configuration Not Pulled ==
-
This is because the device already downloaded associated template from CE server and the ASA device is running with updated configuration. Do the following to verify this.
+
This is because the device already downloaded associated template from CE server and the ASA device is running with updated configuration. Do the following to verify this:
1. Enable console/terminal logging on ASA device.
1. Enable console/terminal logging on ASA device.
-
2. On elapse of poll-period ASA device will try to contact the CE server to retrieve the new template. During this time following log (not identical but similar) can be seen on ASA device console.
+
2. On elapse of poll-period, ASA device will try to contact the CE server to retrieve the new template. During this time, the following log (not identical but similar) can be seen on the ASA device console.
'''%ASA-6-302013: Built outbound TCP connection 23 for inside:cede1/443 (cede1/443) to identity:10.104.58.246/33894 (10.104.58.246/33894)'''
'''%ASA-6-302013: Built outbound TCP connection 23 for inside:cede1/443 (cede1/443) to identity:10.104.58.246/33894 (10.104.58.246/33894)'''
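Review bot: the new heading "Device Authentication Failed" drops the exact string "java.lang.SecurityException: Device Authentication Failed" that the old heading carried, which is the text a reader would copy from the log and search for. Keep the full exception string in the first sentence under the heading, for example "When the configuration is not pulled due to java.lang.SecurityException: Device Authentication Failed, check the following:". In step 2, "is having correct username and password" would read better as "has the correct username and password".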
Line 56: Line 77:
'''Auto-update client: no need to update cfg'''
'''Auto-update client: no need to update cfg'''
-
3. If the logging says that '''no need to update cfg''', then the configuration associated on CE server and running configuration on ASA device are same and current.
+
3. If the logging says that '''no need to update cfg''', then the configuration associated to the ASA device on CE server and running configuration on ASA device will be the same and current.
 +
 
 +
== Prerequisite for ASA/ASDM Image Upgrade ==
 +
 
 +
Along with auto-update server configuration, following CLI should exist on the ASA device for the ASA/ASDM image upgrade to happen.
 +
 
 +
'''boot system disk0:/<a-valid-asa-image-name>'''
 +
 
 +
'''asdm image disk0:/<a-valid-asdm-image-name>'''
 +
 
 +
Without these two Commands, neither the ASA image or ASDM image upgrade will happen.
 +
 
 +
== ASA/ASDM Image Upgrade Fails ==
 +
 
 +
This failure could cause because of having not enough space on the flash card on the ASA device. Make sure that the flash have enough space on the device before performing the image upgrade operation.
 +
 
 +
== ASA/ASDM Image Upgrade Know Issues ==
 +
Following are the known issues at this point which might impact the ASA/ASDM image upgrade on ASA devices.
 +
 
 +
CSCsx01913 [http://cdetsweb-prd.cisco.com/erm_enu/start.swe?SWEMethod=LookUpBug&SWECmd=InvokeMethod&_sn=IKBj7sBC4EkIHUlNyM6tklrz7QKKu.BWcYHr6yGqDfo_&SWEService=CSCBookMarkService&SWEC=1&Identifier=CSCsx01913&SWEHo=cdetsweb-prd.cisco.com&SWETS=1304503304&SWERF=1]
 +
 
 +
CSCtn98874 [http://cdetsweb-prd.cisco.com/erm_enu/start.swe?SWECmd=InvokeMethod&SWEMethod=LookUpBug&SWEService=CSCBookMarkService&SWERF=1&SWEC=1&Identifier=CSCtn98874]
 +
 
 +
CSCtn65993 [http://cdetsweb-prd.cisco.com/erm_enu/start.swe?SWECmd=InvokeMethod&SWEMethod=LookUpBug&SWEService=CSCBookMarkService&SWERF=1&SWEC=1&Identifier=CSCtn65993]
 +
 
 +
 
 +
[[Category:Configuration Engine Troubleshooting]]
 +
[[Category:Configuration Engine]]
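Review bot: the three bug links added under "ASA/ASDM Image Upgrade Know Issues" point at the cdetsweb-prd.cisco.com host, and the CSCsx01913 link carries a long _sn= parameter that looks like a session value copied from the editor's browser. Strip that parameter and link each ID in the same short form as the other two, or list the bug IDs with a one-line description so the section is useful without following the link. The heading should read "Known Issues", and "neither the ASA image or ASDM image" should be "neither the ASA image nor the ASDM image".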

Latest revision as of 10:10, 2 June 2011

IOS Version for ASA Device

The ASA device must run IOS version 8.x or later.

ASA Related Logs on CE Server

The ASA server-related logs on the CE server are at /var/log/CNSCE/asa/asa.log. The ASA device supports IOS version 8.2 onwards.

Configuring the ASA Device

Configure the following commands on the ASA device so that it can communicate with the CE server using the call home protocol.

auto-update device-id [hostname] | [hardware-serial] | [ipaddress] | [mac-address] | string <device-name>

auto-update poll-period <period_in_minutes>

auto-update server https://<username>:<password>@<ce-server>:<port>/cns/ASAConfig

where

  • device-name : Name of the ASA device.
  • period_in_minutes : Poll period in minutes. When the poll period elapses, the ASA device contacts the CE server to pull its configuration and image-related information.
  • username : CE Server's admin username.
  • password : Password configured for the ASA device when the device was created on the CE server.
  • port : HTTPS server port. The default port is 443. If the port was changed during setup, use the changed port here.

Invalid Remote Host

Make sure that the appropriate name <ce-server-ip-address> <ce-server-hostname> command is configured. As a workaround, you can use the IP address of the CE server in the auto-update server command instead of the hostname.

Enable Auto-update Server Logging on ASA Device

To enable auto-update server logging on ASA device, execute the following commands:

ASA-Device(config)# logging enable

ASA-Device(config)# logging console 6

ASA-Device# debug auto-update server

ASA-Device# debug auto-update client

Device Authentication Failed

When you get this error message, check the following:

1. Check whether the ASA device is created on CE server.

2. If the device is created on the CE side, check the auto-update server CLI on the ASA device to verify that it has the correct username and password.

3. If you feel that the password is incorrect on either side, re-sync the password on both sides by reconfiguring the auto-update server CLI on the ASA device and by editing the device on the CE side.

Configuration Not Pulled

This happens when the device has already downloaded the associated template from the CE server and is running with the updated configuration. Do the following to verify this:

1. Enable console/terminal logging on ASA device.

2. When the poll period elapses, the ASA device tries to contact the CE server to retrieve the new template. During this time, a log like the following (not identical but similar) can be seen on the ASA device console.

%ASA-6-302013: Built outbound TCP connection 23 for inside:cede1/443 (cede1/443) to identity:10.104.58.246/33894 (10.104.58.246/33894)

%ASA-6-725001: Starting SSL handshake with server inside:10.104.58.246/33894 for TLSv1 session.

%ASA-6-725002: Device completed SSL handshake with server inside:10.104.58.246/33894

Auto-update client: Sent DeviceDetails to /cns/ASAConfig of server cede1

Auto-update client: Processing UpdateInfo from server cede1

Component: config, [URL: https://cnsce-asauser:naveen@cede1:443/cns/ASAConfigProvider?deviceID=ASA-5520-246], checksum:xd2423c0873e3338bec5042a3e143b5e8

%ASA-6-725007: SSL session with server inside:10.104.58.246/33894 terminated.

%ASA-6-302014: Teardown TCP connection 23 for inside:cede1/443 to identity:10.104.58.246/33894 duration 0:00:00 bytes 1336 TCP Reset-I

Auto-update client: no need to update cfg

3. If the log says no need to update cfg, then the configuration associated with the ASA device on the CE server and the running configuration on the ASA device are the same and current.
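The check in steps 2 and 3 can be automated over captured console output. The following is an added example, not code from DocWiki or from the CE server: the function names are hypothetical and the sample lines are constructed to match the format shown above, with placeholder hosts and credentials. It reports whether the poll ended with no need to update cfg and masks the password in the component URL before the capture is saved or shared.

```python
import re

# Constructed sample modelled on the console output above; hosts, user and password are placeholders.
SAMPLE = """\
%ASA-6-725001: Starting SSL handshake with server inside:192.0.2.10/33894 for TLSv1 session.
%ASA-6-725002: Device completed SSL handshake with server inside:192.0.2.10/33894
Auto-update client: Sent DeviceDetails to /cns/ASAConfig of server ce1
Auto-update client: Processing UpdateInfo from server ce1
Component: config, [URL: https://ce-admin:EXAMPLE-PASSWORD@ce1:443/cns/ASAConfigProvider?deviceID=ASA-LAB-1], checksum:x0123456789abcdef0123456789abcdef
%ASA-6-725007: SSL session with server inside:192.0.2.10/33894 terminated.
Auto-update client: no need to update cfg
"""

USERINFO = re.compile(r"(https?://)([^/\s:@]+):([^/\s@]+)@")
COMPONENT = re.compile(r"Component: (\w+), \[URL: (\S+?)\], checksum:(\S+)")


def redact(line):
    """Mask the password in user:password@host URLs before the line is stored or shared."""
    return USERINFO.sub(r"\1\2:<redacted>@", line)


def summarize_poll(text):
    """Reduce one poll cycle of debug output to the facts the verification steps ask about."""
    result = {"tls_completed": False, "details_sent": False,
              "components": [], "verdict": "unknown", "redacted_log": []}
    for raw in text.splitlines():
        line = redact(raw.strip())
        if not line:
            continue
        result["redacted_log"].append(line)
        if "%ASA-6-725002" in line:          # handshake with the CE server finished
            result["tls_completed"] = True
        elif line.startswith("Auto-update client: Sent DeviceDetails"):
            result["details_sent"] = True
        elif line.endswith("no need to update cfg"):
            result["verdict"] = "config current"
        m = COMPONENT.search(line)
        if m:
            name, url, checksum = m.groups()
            result["components"].append({"name": name, "url": url, "checksum": checksum})
    return result


if __name__ == "__main__":
    summary = summarize_poll(SAMPLE)
    print(summary["verdict"], summary["components"])
```

A verdict of "unknown" only means the no need to update cfg line was not present in the capture; the example does not interpret any other outcome.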

Prerequisite for ASA/ASDM Image Upgrade

Along with the auto-update server configuration, the following commands must exist on the ASA device for the ASA/ASDM image upgrade to happen.

boot system disk0:/<a-valid-asa-image-name>

asdm image disk0:/<a-valid-asdm-image-name>

Without these two commands, neither the ASA image nor the ASDM image upgrade will happen.

ASA/ASDM Image Upgrade Fails

This failure can be caused by not having enough space on the flash card of the ASA device. Make sure that the flash has enough space before performing the image upgrade operation.

ASA/ASDM Image Upgrade Known Issues

The following are the known issues at this point that might impact the ASA/ASDM image upgrade on ASA devices.

CSCsx01913 [1]

CSCtn98874 [2]

CSCtn65993 [3]
