This document demonstrates how to archive and roll back Cisco Secure
Policy Manager 2.x.
There are no specific prerequisites for this document.
The information in this document is based on these software and
The information presented in this document was created from devices in
a specific lab environment. All of the devices used in this document started
with a cleared (default) configuration. If you are working in a live network,
ensure that you understand the potential impact of any command before using
For more information on document conventions, refer to the
Technical Tips Conventions.
Cisco strongly recommends that you archive Cisco Secure Policy Manager
data often. Save the data to a .cpm file when a network policy or topology is
changed, or when device or system settings are changed.
If you experience a distribution error, perform the steps below in
order to determine the cause of the problem. Make sure that you have made and
archived a copy of the Cisco Secure Policy Manager data before completing these
Examine the distribution status in the Command Panel to determine
what may have gone wrong.
Save the current data to a .cpm file.
This step is valuable for later debugging and support from the
Cisco Technical Assistance Center (TAC) or from Development Engineering.
The device may have lost its routing, its interface, or its Telnet
permissions for accessing the Cisco Secure Policy Manager server, which may
cause a distribution error.
In the event of a distribution error from which you cannot recover,
verify the following:
Is the IP address for the interface (the one to which Cisco
Secure Policy Manager connects) still valid?
Does the device have a route to the Cisco Secure Policy Manager
Does the Cisco Secure Policy Manager server have appropriate
Do you have the correct enable password for the
Note: If you are using IPSec for secured distribution between Cisco
Secure Policy Manager and the device, ensure that the correct IPSec policy
information exists in the device configuration (such as the pre-shared key or
certificate, crypto map, or access control list [ACL]).
Verify connectivity to the device with Telnet.
If the current configuration generated by Cisco Secure Policy
Manager is still valid and you want to use it, try manual approval distribution
in the Command Panel.
If the manual approval distribution is unsuccessful, roll back to
the previous version of the configuration by loading the previous .cpm file
into Cisco Secure Policy Manager as follows:
1. Choose File > Reset & Save to expunge all previous data from the database.
2. Import the previous .cpm file.
3. View the policy and topology in the GUI to ensure that it is the
   correct version of the configuration.
4. Click Save/Update to save the information into
5. Check the command output and make sure there are no command
If the database is not repairable, it is usually possible to
reinitialize the database without completely reinstalling the software. In
order to do so, complete these steps:
1. In the Microsoft Windows NT Control Panel, stop the services Cisco
   Controlled Host Component and Cisco Secure PostOffice; if the services do not
   stop, change the startup setting to Manual and reboot the
2. Go to the directory where you installed the product (the default
   location is C:\Program Files\Cisco Systems\Cisco Secure Policy Manager) and
   remove the data subdirectory.
3. Copy the database_0 directory to replace the old data
   The database_0 directory is a fresh database that is created upon
   installation; it contains only the administrator account. The directory is
   found within the Backup subdirectory in the install location.
4. Restart the services, launch the GUI, and connect to Cisco Secure
Note: If you have followed the above instructions and Cisco Secure
Policy Manager is still not working, save the configuration as a .cpm file and
open a case with the