Table Of Contents
Router Platform Policies
Configuring Routers Running IOS Software Releases 12.1 and 12.2
Managing Encrypted Passwords on IOS Routers
Troubleshooting Device Interface Policies
Deploying Layer 2 Interface Definitions
Deleting an Interface Still in Use
Troubleshooting NAT Policies
VPN Traffic Sent Unencrypted
Loss of Communication Between Security Manager and Device
Security Manager Indicates Deployment Failed on an 83x Router
Troubleshooting DSL Policies
Unable to Deploy ADSL Policy
Troubleshooting PVC Policies
Unable to Deploy PVC Policy
Unable to Deploy IP Protocol Mappings
Troubleshooting Device Access Policies
Unable to Configure Device
Troubleshooting DHCP Policies
DHCP Traffic Not Being Transmitted
Troubleshooting SDP Policies
Unable to Deploy SDP Policy with Local CA Defined
Troubleshooting SNMP Policies
Selected Traps Not Being Sent by Device
Troubleshooting NAC Policies
NAC Not Implemented on Router
Deployment of NAC Policy Fails
Troubleshooting Static Routing Policies
Floating Route Not Inserted When Static Route Used as Backup
Router Platform Policies
This chapter describes how to troubleshoot common problems that might occur when you configure router platform policies on Cisco IOS routers and includes the following topics:
•
Configuring Routers Running IOS Software Releases 12.1 and 12.2
•Managing Encrypted Passwords on IOS Routers
•Troubleshooting Device Interface Policies
•Troubleshooting NAT Policies
•Troubleshooting PVC Policies
•Troubleshooting Device Access Policies
•Troubleshooting DHCP Policies
•Troubleshooting SDP Policies
•Troubleshooting SNMP Policies
•Troubleshooting NAC Policies
•Troubleshooting Static Routing Policies
Note For more detailed information on working with routers, see the "Managing Routers" chapter in the User Guide for Cisco Security Manager for your release.
Configuring Routers Running IOS Software Releases 12.1 and 12.2
Security Manager provides limited support for routers running Cisco IOS Software Releases 12.1 and 12.2. You can configure the following policies on these routers:
•Access Rules.
•Access Control Settings.
•Interfaces.
•FlexConfigs.
All other policies require Cisco IOS Software Release 12.3 or higher.
Managing Encrypted Passwords on IOS Routers
The manner in which Security Manager discovers and manages encrypted passwords on Cisco IOS routers varies from policy to policy, as follows:
•Accounts and Credentials—The encrypted password is discovered and is displayed by the Security Manager interface as asterisks. Any change that you make to the password causes it to be deployed to the device as a clear-text password.
•PPP—The encrypted password is discovered and is displayed by the Security Manager interface as asterisks. If you make any changes, you have the option of deploying the modified password either as encrypted or as clear text.
•SDP and Line Access (console and VTY)—The encrypted password is not discovered. The password defined on the device is not removed from the configuration unless you define and deploy a new password in Security Manager.
Troubleshooting Device Interface Policies
This section describes how to troubleshoot the following problems that might occur when you configure device interface policies on Cisco IOS routers in Security Manager:
•Deploying Layer 2 Interface Definitions
•Deleting an Interface Still in Use
Deploying Layer 2 Interface Definitions
Problem Deployment fails if the interface policy includes a definition for a Layer 2 interface.
Solution Layer 2 interfaces do not support Layer 3 interface definitions, such as IP addresses. Make sure that you did not define a Layer 3 definition on the Layer 2 interface.
Deleting an Interface Still in Use
Problem Activity submission fails after you delete an entry on the Interfaces page.
Solution If an interface is referenced as part of a policy definition, deleting that interface causes activity submission to fail. You must first remove the interface from the policy definition, then delete the interface.
Troubleshooting NAT Policies
This section describes how to troubleshoot the following problems that might occur when you configure NAT policies on Cisco IOS routers in Security Manager:
•VPN Traffic Sent Unencrypted
•Loss of Communication Between Security Manager and Device
•Security Manager Indicates Deployment Failed on an 83x Router
VPN Traffic Sent Unencrypted
Problem Traffic that should be sent encrypted over a VPN is instead being sent unencrypted.
Solution Ensure that you are not performing NAT on VPN traffic. Performing address translation on VPN traffic prevents the traffic from being encrypted and sent through the VPN tunnel. When defining dynamic NAT rules, make sure that you do not deselect the Do Not Translate VPN Traffic check box, even when you perform NAT into IPSec. (This option does not interfere with the translation of addresses arriving from overlapping networks.)
Note This option can be used only on site-to-site VPNs. For remote access VPNs, you need to create an ACL object that explicitly denies the flow containing VPN traffic and define this ACL as part of a dynamic rule in the NAT policy. For more information, see Defining Dynamic NAT Rules in the "Managing Routers" chapter of the User Guide for Cisco Security Manager for your release.
Loss of Communication Between Security Manager and Device
Problem Communication between Security Manager and a particular device is interrupted after you deploy a NAT policy to that device.
Solution Make sure that you are not using a local address on the device as the original address to be translated. Translating this address might result in translating the management traffic sent between Security Manager and the device, causing the interruption.
Security Manager Indicates Deployment Failed on an 83x Router
Problem Security Manager indicates that the deployment of NAT interface commands (ip nat inside and ip nat outside) fails.
Solution This problem occurs occasionally on Cisco 83x Series routers. When deploying NAT interface commands, the router returns the following reply:
% Failed to allocate regular expression state table : 62976
% PDL Error : Failed to compile regexp
: (regexp store insensitive
Deployment fails as a result of this error. Nevertheless, these NAT commands appear in the running configuration of the device. The error has no known affect on the NAT configuration of the device.
Troubleshooting DSL Policies
This section describes how to troubleshoot the following problem that might occur when you configure DSL policies on Cisco IOS routers in Security Manager:
•Unable to Deploy ADSL Policy
Unable to Deploy ADSL Policy
Problem Deployment fails for your ADSL policy.
Solution Make sure that you have selected the correct ATM interface card type in the policy definition. Security Manager cannot properly validate the policy definition without knowing the correct card type, which can lead to deployment failures.
Troubleshooting PVC Policies
This section describes how to troubleshoot the following problem that might occur when you configure PVC policies on Cisco IOS routers in Security Manager:
•Unable to Deploy PVC Policy
•Unable to Deploy IP Protocol Mappings
Unable to Deploy PVC Policy
Problem Deployment fails for your PVC policy.
Solution Make sure that you have selected the correct ATM interface card type in the policy definition. Security Manager cannot properly validate the policy definition without knowing the correct card type, which can lead to deployment failures.
Unable to Deploy IP Protocol Mappings
Problem Deployment fails when you select the None option in the Define Mapping dialog box. Mappings are required by the PVC to discover which IP address is reachable at the other end of a connection. The None option disables broadcast options for the map entry.
Solution This problem is known to occur when using Cisco IOS Software Releases 12.4(07.24)T01, 12.4(07.24)T02, and 12.4PI07. This problem is corrected in Cisco IOS Software Releases 12.4(09.10)T and 12.4(09)T01 and subsequent releases. Therefore, we recommend that you upgrade the Cisco IOS Software Release running on the device. If this is not possible, select one of the other options available in the Define Mapping dialog box (Broadcast or No Broadcast).
Troubleshooting Device Access Policies
This section describes how to troubleshoot the following problem that might occur when you configure device access policies on Cisco IOS routers in Security Manager:
•Unable to Configure Device
Unable to Configure Device
Problem Security Manager cannot configure a device after you unassign a device access policy from the device and redeploy it.
Solution Device access policies can be used to define the enable password for accessing the device. If you later unassign this policy and redeploy, the password is removed from the device. In such cases, the device typically reverts to the default password. However, in some cases, the device might contain an additional password that is unknown to Security Manager, such as a line console password. If this additional password exists, the device reverts to that password instead of the default password. If that happens, Security Manager cannot configure this device. Therefore, if you use a device access policy to configure the enable password or enable secret password on a device, make sure that you do not unassign the policy without assigning a new policy before the next deployment.
Troubleshooting DHCP Policies
This section describes how to troubleshoot the following problem that might occur when you configure DHCP policies on Cisco IOS routers in Security Manager:
•DHCP Traffic Not Being Transmitted
DHCP Traffic Not Being Transmitted
Problem DHCP traffic is not being transmitted even after you deploy a DHCP policy to the device.
Solution Check whether an access rule on the device blocks Bootstrap Protocol (BootP) traffic. Having such a rule prevents DHCP traffic from being transmitted.
Troubleshooting SDP Policies
This section describes how to troubleshoot the following problem that might occur when you configure SDP policies on Cisco IOS routers in Security Manager:
•Unable to Deploy SDP Policy with Local CA Defined
Unable to Deploy SDP Policy with Local CA Defined
Problem You cannot deploy an SDP policy that uses the local CA server option to authenticate the identity of petitioners.
Solution The CA server was not configured locally on the router serving as the registrar. Enter the command Crypto pki server [name] using the CLI or FlexConfigs.
Troubleshooting SNMP Policies
This section describes how to troubleshoot the following problems that might occur when you configure SNMP policies on Cisco IOS routers in Security Manager:
•Selected Traps Not Being Sent by Device
Selected Traps Not Being Sent by Device
Problem The device is not generating CPU and IP multicast traps, even though you selected these options in the assigned SNMP policy.
Solution The CPU and IP multicast traps require that you configure additional CLI commands to enable these traps on the router.
The CPU trap, which notifies users when a predefined threshold of CPU usage is crossed, requires that you define the rising and falling thresholds that determine when a trap is generated.
The IP multicast trap, which monitors the health of multicast deliveries and issues a trap when the delivery fails to meet certain parameters, requires you to define a multicast group address (Class D address, from 224.0.0.0 to 239.255.255.255) as well as other parameters related to the heartbeat. For more information, see the Cisco IOS IP Multicast Command Reference.
You can also use FlexConfigs to fully configure these traps.
Troubleshooting NAC Policies
This section describes how to troubleshoot the following problems that might occur when you configure NAC policies on Cisco IOS routers in Security Manager:
•NAC Not Implemented on Router
•Deployment of NAC Policy Fails
NAC Not Implemented on Router
Problem Network admission control is not being implemented on the router, even though a NAC policy was deployed to it.
Solution Ensure that the default ACL on the router permits UDP traffic over the port defined in the NAC policy for EAP over UDP traffic. This is the protocol that NAC uses for communication between the Cisco Trust Agent (CTA), which is the NAC client that provides posture credentials for the endpoint device on which it is installed and the network access device (NAD; in this case, the router) that relays the posture credentials to the AAA server for validation. The default port used for EAP over UDP traffic is 21862, but you can change this port as part of the NAC policy. If the default ACL blocks UDP traffic, EAP over UDP traffic is likewise blocked, which prevents NAC from taking place.
Deployment of NAC Policy Fails
Problem Deployment fails after defining a NAC policy on a device that also has an authentication proxy.
Solution Make sure that the NAC policy and the authentication proxy use the same intercept ACL.
Troubleshooting Static Routing Policies
This section describes how to troubleshoot the following problems that might occur when you configure static routing policies on Cisco IOS routers in Security Manager:
•Floating Route Not Inserted When Static Route Used as Backup
Floating Route Not Inserted When Static Route Used as Backup
Problem The static route you defined in Security Manager as a backup, "floating" route is not inserted in the routing table when the primary link fails.
Solution When using a static route as a floating route, you must specify the interface for the next hop instead of entering a specific IP address. For more information, go to:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800ef7b2.shtml
Feedback
