ASA Configuration Troubleshooting
How to enable auto-update server logging on ASA device.
Execute the following commands.
ASA-Device(config)# logging enable
ASA-Device(config)# logging console 6
ASA-Device# debug auto-update server
ASA-Device# debug auto-update client
Configuration not pulled due to java.lang.SecurityException: Device Authentication Failed.
Check the following.
1. Check whether the ASA device is created on CE server.
2. if the device is created on CE side, then check the auto-update server cli on ASA to verify that the CLI is having correct username and password.
3. If you feel that the password is incorrect on either side, then re-sync the password on both the side by reconfiguring the auto-update server CLI on ASA device and by editing the device on CE side.
Configuration not pulled.
This is because the device already downloaded associated template from CE server and the ASA device is running with updated configuration. Do the following to verify this.
1. Enable console/terminal logging on ASA device.
2. On elapse of poll-period ASA device will try to contact the CE server to retrieve the new template. During this time following log (not identical but similar) can be seen on ASA device console.
%ASA-6-302013: Built outbound TCP connection 23 for inside:cede1/443 (cede1/443) to identity:10.104.58.246/33894 (10.104.58.246/33894)
%ASA-6-725001: Starting SSL handshake with server inside:10.104.58.246/33894 for TLSv1 session.
%ASA-6-725002: Device completed SSL handshake with server inside:10.104.58.246/33894
Auto-update client: Sent DeviceDetails to /cns/ASAConfig of server cede1
Auto-update client: Processing UpdateInfo from server cede1
Component: config, [URL: https://cnsce-asauser:naveen@cede1:443/cns/ASAConfigProvider?deviceID=ASA-5520-246], checksum:xd2423c0873e3338bec5042a3e143b5e8
%ASA-6-725007: SSL session with server inside:10.104.58.246/33894 terminated.
%ASA-6-302014: Teardown TCP connection 23 for inside:cede1/443 to identity:10.104.58.246/33894 duration 0:00:00 bytes 1336 TCP Reset-I
Auto-update client: no need to update cfg
3. If the logging says that no need to update cfg, then the configuration associated on CE server and running configuration on ASA device are same and current.