Cisco Configuration Professional -- Troubleshooting
Cisco Configuration Professional (Cisco CP) is a GUI based device management tool for Cisco access routers. This tool simplifies routing, firewall, IPS, VPN, unified communications, WAN, and LAN configuration through GUI based wizards.
Using Cisco CP, network administrators and channel partners can deploy routers with ease. It offers one-click router lock-down and voice and security auditing capability to check and recommend changes to router configuration. Cisco CP also monitors router status and troubleshoots WAN and VPN connectivity issues.
Cisco CP is free and you can download it from: http://www.cisco.com/go/ciscocp.
This document contains troubleshooting information for Cisco CP.
The troubleshooting information available is as follows:
- #Minimum screen resolution for Cisco CP
- #JRE settings for Cisco CP
- #Pop-up screens appearing on primary monitor if Cisco CP is moved to extended monitor
- #Cisco IOS enforces one-time use of default credentials
- #Cisco CP Merge and Replace Configuration Functions Fail Under Some Conditions
- #Cisco CP May Lose Connection to Network Access Device
- #Pop-up Blockers Disable Cisco CP Online Help
- #Temporary Internet Files—Impact on Launch
- #Collecting Tech Logs
Minimum screen resolution for Cisco CP
Cisco CP requires a screen resolution of at least 1024 x 768.
JRE settings for Cisco CP
The following JRE settings are needed for Cisco CP to function properly:
- Go to Start > Control Panel > Java.
- Click View under Java Applet Runtime Settings.
- Select your JRE in use.
- Set the "Java runtime parameters" with the value "-Xmx256m -Dsun.java2d.d3d=false".
In addition, if JRE is upgraded to versions 1.6.0_11 or above, the following settings are needed after installing Cisco CP:
- Go to Start > Control Panel > Java > Advance.
- Select "Java Plug-in" tree.
- Uncheck the check box for Enable next-generation Java Plug-in.
- Restart Cisco CP.
Pop-up screens appearing on primary monitor if Cisco CP is moved to extended monitor
Symptom: If Cisco CP is running on a laptop that is also connected to an external monitor and the screen is set for extended display, pop-up dialog boxes of all SDM applet security pages, routing pages, and help pages appear on the primary monitor.
- Connect the monitor to a laptop and set the screen for extended display.
- Launch Cisco CP and move it to secondary screen.
- Click Configure > Security > Security Audit > Perform Security Audit.
- The Audit screen appears in the primary monitor and Cisco CP in the secondary monitor.
Workaround: There is no workaround.
Cisco IOS enforces one-time use of default credentials
To address CSCsm25466, Cisco IOS images included with recent shipments of Cisco 800, Cisco 1800, Cisco 2800, Cisco 2900, Cisco 3800, and Cisco 3900 routers, enforce the one-time use of the default user name and password provided in the Cisco CP configuration file.
If you bypass Cisco CP or Cisco CP Express and use a console or Telnet connection to log into the router, the login and exec banners warn you that you must change the user name to "cisco" and the password to "cisco" before you log off the router. If you do not change the credentials as directed, you will not be able to log into the router the next time that you attempt to do so.
The following Cisco IOS releases enforce the one-time use of the default credentials:
- 12.4(11)T or later
- 12.4(11)SW, 12.4(11)SW1, 12.4(11)XV, 12.4(11)XJ
- 12.4(9)T5, 12.4(9)T6
- 15.0(1)M or later
Follow the procedure in this section to secure the router by creating a new username and password, to remove the login banner and exec banner warnings, and to save the configuration changes to the router startup configuration.
Note: If you log into the router using a Telnet or a console connection but do not complete the steps in this procedure, be aware of the following:
- If you do not change the default username and password, and log off the router, you will not be able to log into the router again without entering the reload command. No additional warning is given before you log off.
- If you do not change the default username and password, but do enter the write memory command before ending the session, future logins are disabled. In this case, you will need to follow the password recovery procedure at the following link:
To secure the router, remove the banner warnings, and save the changes to the router startup config, complete the following steps:
1. Connect the blue console port on your router to a serial port on your PC using the light blue console cable, included with your router. See your router's hardware installation guide for instructions.
2. Connect the power supply to your router, plug the power supply into a power outlet, and turn on your router. See your router's quick start guide for instructions.
3. Use HyperTerminal or a similar terminal emulation program on your PC, with the terminal emulation settings of 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control, to connect to your router.
4. When prompted, enter the username cisco, and password cisco.
5. Enter configuration mode by entering the following command:
yourname# configure terminal
yourname(config)# username username privilege 15 secret 0 password
7. Replace username and password with the username and password that you want to use.
8. Remove the default username and password by entering the following command:
yourname(config)# no username cisco
8. To remove the login banner, enter the following command:
yourname(config)# no banner login
The login banner warning will no longer appear.
9. To remove the exec banner, enter the following command:
yourname(config)# no banner exec
The exec banner warning will no longer appear.
10. Leave configuration mode by entering the following command:
11. Copy the configuration changes to the startup configuration by entering the following command:
yourname# copy running-config startup-config
When logging into the router in the future, use the username and password that you created in 6.
Cisco CP Merge and Replace Configuration Functions Fail Under Some Conditions
The problem described here is caveat CSCsj21989. If you attempt to merge configuration changes made using the Cisco CP Config Editor feature, or replace the running configuration with a configuration from the Config Editor, the router configuration will not be changed if there is a network device with a Network Address Translation (NAT) IP address, or a cache engine in the connection between the PC and the router. If you need to make changes to the router configuration that you would normally make using the Cisco CP Config Editor, use the Cisco IOS CLI instead.
Some (or all) of the top threats you obtain using the Cisco CP Security Dashboard may not pertain to your Cisco IOS IPS installation. After you deploy the signatures applicable to the top threats displayed by the Cisco CP Security Dashboard, the dashboard may still display some (or all) top threats with a red icon because applicable signatures could not be found. Those remaining top threats are unrelated to your Cisco IOS IPS installation and are not a danger to your router running Cisco IOS software.
Cisco CP May Lose Connection to Network Access Device
This note concerns the Network Admission Control (NAC) feature.
If the PC used to invoke Cisco CP returns a posture state (Healthy, Infected, Checkup, Quarantine, or Unknown) and if the group policy on the ACS server attached to the posture token assigned to the PC has a redirect URL configured, the connection between Cisco CP and the router acting as the Network Access Device (NAD) may be lost. The same problem can occur if an exception list entry attached to a policy with a redirect URL is configured with the IP address or MAC address of the PC.
If you try to reinvoke Cisco CP from this type of PC, you will not be able to do so because the browser will be redirected to the location specified in the redirect URL.
There are two workarounds for this problem:
- Ensure that the PC that you use to invoke Cisco CP attains a posture token that has an associated group policy on the ACS server that is not configured with a redirect URL.
- Alternatively, use Cisco CP to create a NAC exception list entry with the IP address or MAC address of the PC you use to invoke Cisco CP. Note that the exception list entry created for the PC should be associated to an exception policy that does not have a redirect URL configured in it.
For more information, see the links on the Cisco CP NAC online help pages.
Pop-up Blockers Disable Cisco CP Online Help
If you have enabled pop-up blockers in the browser you use to run Cisco CP, online help will not appear when you click the help button. To prevent this from happening, you must disable the pop-up blocker when you run Cisco CP. Pop-up blockers may be enabled in search engine toolbars, or may be standalone applications integrated with the web browser.
Microsoft Windows XP with Service Pack 2 blocks pop-ups by default. To turn off pop-up blocking in Internet Explorer, go to Tools > Pop-up Blocker > Turn Off Pop-up Blocker.
If you have not installed and enabled third-party pop-up blockers, go to Tools > Internet Options > Privacy, and uncheck the Turn on Pop-up Blocker check box.
Temporary Internet Files—Impact on Launch
Because of Microsoft Windows Java caching issues, Cisco CP is sometimes unable to complete discovery of a device. To fix this issue, complete the following steps:
1. Choose Application > Exit to shut down Cisco CP.
2. Close all existing Internet Explorer windows.
3. Go to Start > Control Panel > Java. The General tab is displayed.
4. In the Temporary Internet Files box, click Delete Files.
5. In the displayed dialog box, leave all file types checked, and click OK.
6. Click OK in the Java control panel to close it.
7. Restart Cisco CP.
Collecting Tech Logs
In case of issues where CCP doesn't launch, the customer has to launch the application and when he sees the problem, collect the tech logs from Start -> Program Files -> Cisco > Configuration Professional -> Collect Data for Tech Support.