Cisco Secure Policy Manager

Archiving and Rollback Procedures for Cisco Secure Policy Manager 2.x

Document ID: 13849

Updated: Jan 17, 2006



This document demonstrates how to archive and roll back Cisco Secure Policy Manager 2.x.



There are no specific prerequisites for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Secure Policy Manager 2.x

  • Microsoft Windows NT

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.


For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Archive Cisco Secure Policy Manager Data

Cisco strongly recommends that you archive Cisco Secure Policy Manager data often. Save the data to a .cpm file when a network policy or topology is changed, or when device or system settings are changed.

Roll Back to the Previous Configuration

If you experience a distribution error, perform the steps below in order to determine the cause of the problem. Make sure that you have made and archived a copy of the Cisco Secure Policy Manager data before completing these steps:

  1. Examine the distribution status in the Command Panel to determine what may have gone wrong.

  2. Save the current data to a .cpm file.

    This step is valuable for later debugging and support from the Cisco Technical Assistance Center (TAC) or from Development Engineering.

  3. The device may have lost its routing, its interface, or its Telnet permissions for accessing the Cisco Secure Policy Manager server, which may cause a distribution error.

    In the event of a distribution error from which you cannot recover, verify the following:

    • Is the IP address for the interface (the one to which Cisco Secure Policy Manager connects) still valid?

    • Does the device have a route to the Cisco Secure Policy Manager server?

    • Does the Cisco Secure Policy Manager server have appropriate Telnet permissions?

    • Do you have the correct enable password for the device?

    Note: If you are using IPSec for secured distribution between Cisco Secure Policy Manager and the device, ensure that the correct IPSec policy information exists in the device configuration (such as the pre-shared key or certificate, crypto map, or access control list [ACL]).

  4. Verify connectivity to the device with Telnet.

  5. If the current configuration generated by Cisco Secure Policy Manager is still valid and you want to use it, try manual approval distribution in the Command Panel.

  6. If the manual approval distribution is unsuccessful, roll back to the previous version of the configuration by loading the previous .cpm file into Cisco Secure Policy Manager as follows:

    1. Choose File > Reset & Save to expunge all previous data from the database.

    2. Import the previous .cpm file.

    3. View the policy and topology in the GUI to ensure that it is the correct version of the configuration.

    4. Click Save/Update to save the information into the database.

    5. Check the command output and make sure there are no command generation errors.

    6. Click Approve.

Delete the Database Without Reinstalling the Software

If the database is not repairable, it is usually possible to reinitialize the database without completely reinstalling the software. In order to do so, complete these steps:

  1. In the Microsoft Windows NT Control Panel, stop the services Cisco Controlled Host Component and Cisco Secure PostOffice; if the services do not stop, change the startup setting to Manual and reboot the system.

  2. Go to the directory where you installed the product (the default location is C:\Program Files\Cisco Systems\Cisco Secure Policy Manager) and remove the data subdirectory.

  3. Copy the database_0 directory to replace the old data subdirectory.

    The database_0 directory is a fresh database that is created upon installation; it contains only the administrator account. The directory is found within the Backup subdirectory in the install location.

  4. Restart the services, launch the GUI, and connect to Cisco Secure Policy Manager.

    Note: If you have followed the above instructions and Cisco Secure Policy Manager is still not working, save the configuration as a .cpm file and open a case with Cisco Technical Support.
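Steps 2 and 3 of this procedure can be scripted. The Python function below is an added example, not Cisco code; it checks that database_0 exists before it touches the data subdirectory. It assumes the directory names given above and, as an assumption beyond the procedure, renames the old data subdirectory instead of deleting it; the services are still stopped and restarted by hand (steps 1 and 4).

```python
import shutil
import time
from pathlib import Path

# Default install location as given in step 2 of the procedure.
DEFAULT_INSTALL = Path(r"C:\Program Files\Cisco Systems\Cisco Secure Policy Manager")


def reset_database(install_dir=DEFAULT_INSTALL, keep_old=True):
    """Perform steps 2 and 3: replace data with a copy of Backup/database_0.

    Returns the path the old data directory was moved to, or None if it was
    deleted or did not exist. This function does not stop or start services.
    """
    install_dir = Path(install_dir)
    data = install_dir / "data"
    pristine = install_dir / "Backup" / "database_0"

    # Check the replacement exists before removing anything, so a missing
    # database_0 cannot leave the install with no database at all.
    if not pristine.is_dir():
        raise FileNotFoundError(f"fresh database not found: {pristine}")

    moved_to = None
    if data.exists():
        if keep_old:
            # Assumption (not in the procedure): keep the damaged database
            # under a timestamped name in case support asks for it later.
            # A PermissionError here can mean the services from step 1
            # are still running and hold files open.
            moved_to = install_dir / time.strftime("data.old-%Y%m%d-%H%M%S")
            data.rename(moved_to)
        else:
            shutil.rmtree(data)

    # Copy, do not move: database_0 must stay in Backup for any later reset.
    shutil.copytree(pristine, data)
    return moved_to
```

Pass keep_old=False to remove the old data subdirectory outright, as step 2 describes.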
