Hi, folks.

Anyone here who uses the compliance feature of CPI 3.4 ??

If so, does it always work reliable ??

I am asking this question, because I have experienced some weird behaviour while trying to write some policies and testing them, here comes:

What I like to do is to have a policy which checks for a valid NTP configuration on IOS devices (2 servers and a peer acl), so at first I created the policy, added two rule input variables for the servers (at first) and used them in the conditions:

Up to this point, the ruleset works perfectly, all valid servers are checked, when invalid servers are found, violations are raised, the policy results in "failure" and all found violations could be removed through the fix after the policy has been run on the test device:

Now strange things happen:

When I add another input variable (the acl number to check for) to the rule and run it again on the test devices, the result of the audit changes into "Success" (which should not happen !!!) .....:

To be clear:

Nothing else has been changed, not in the conditions and also not in the configuration of the test device !!! Just a third input variable has been added !!

This is reproducible, meaning if I delete the third input variable from the rule and run it again, it works fine again !!!

If it is added again, wrong result !!!

Even putting an additional condition in the rule, which actually uses the third input variable makes no difference !

Although I am trying to use the compliance feature for a short time only, I do not think this is a mistake that I make somewhere in the process, this smells like a fat bug instead  .....

Can anyone confirm that weird behaviour ??

CPI is running on GEN2 Appliance, PI 3.4.1 Update 02, Prime Infrastructure 3.4 Device Pack 9.

DP9 and Update 02 have only been installed some days ago, I am not sure, if this behaviour already showed before installing Update 02 and DP9 .....

Rgs

Frank