topic Hi againAfter some digging I in Network Security

Cisco Security Manager: Failover interface error at deployment

hoffa2000 — Fri, 21 Feb 2020 13:25:51 GMT

Hi folks

I have an ASA 5505 running 9.2(3) managed through my CSM 4.8 server. Everything has been going fine until I added failover, after that every deployment fails at the point below.

Line# 30. (SUCCESS) Sent (Fri Mar 20 12:10:12 EET 2015): interface Ethernet0/7
Received (Fri Mar 20 12:10:13 EET 2015):
Line# 31. (ERROR) Sent (Fri Mar 20 12:10:12 EET 2015): switchport access vlan 15
Received (Fri Mar 20 12:10:13 EET 2015): ERROR: Interface is in use by failover. Remove failover configuration first
! COMMENT: Device reported error here and stopped accepting further commands
! COMMENT: BULK END
! COMMENT: Trying URL: https://192.168.42.1/admin/config

It seems CSM is walking through all interfaces during deployment and when it reaches the failover interface it cannot proceed since that interface is "special" compared to the others. My first question if of course if I've missed something that caused this, failover is operational? But a larger question would be, why do CSM have to walk through all the interfaces in the first place and if this "feature" can be disabled?

Update

It seems if I check the "Allow download on Error" option in Administration - Deployment at least CSM deploys the changes but there is still a nasty error being generated.

Regards

Fredrik

Hi againAfter some digging I

hoffa2000 — Thu, 26 Mar 2015 10:48:23 GMT

Hi again

After some digging I've found a work around for this. In the CSM FAQ and Troubleshooting Guide http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/3-3/troubleshooting/guide/csmts_wrapper/dpts.html#pgfId-1046597 I found a section about "Changing how security Manager responds to Device Messages". When I followed this and added .*Interface is in use by failover.*$\ to the DCS.properties file on the CSM server my deployments no longer fails with the failover error.

Nice

Thank you, Fredrik!I can

Karen Kelch — Fri, 27 Mar 2015 11:58:34 GMT

Thank you, Fredrik!

I can report that the problem occurs in both 4.7 and 4.8, and that the workaround you posted does work/allows the policy to be deployed.

I opened a TAC case for this, and TAC reported this is a "regression defect" and there is a new bug for it, CSCut07447 (https://tools.cisco.com/bugsearch/bug/CSCut07447/?referring_site=bugquickviewclick).

I referenced your post when I opened the case, and TAC reported it should work (and to let them know if it did).

It makes sense that the fix is in a document for CSM 3.3: old bug, old fix 😉

One note (that is explained in the CSM FAQ document above): when you add the line to the "PIX Warning expressions" section of DCS.properties file, add it above the last line of that section - the whole list of error messages has to end with "$", not "$\" . If the list of messages in the section doesn't end with "$", it does not work (see Step 5, "except for the last expression, you must delimit all expressions with "$\""). I initially added the new message as the last line, and the deploy still failed. Moving it up a line did the trick.

Saved me a lot of grief, thank you!

Excellent. Old bug indeed.

hoffa2000 — Fri, 27 Mar 2015 13:13:04 GMT

Excellent. Old bug indeed.

/Fredrik