05-20-2010 11:27 AM
I am trying to write a compliance check for switches. The issue I am getting now is that when the template runs I am getting notices stating that none of the switches are compliant, when they are. In the output after it runs I am seeing items in red with - and items in green with +. I thought the items in green with the + were items that are needed in the switches. Am I correct in assuming this? What are the items in red with the -?
The problem seems to be with ACLs: they first show up in red (-) and then again in green (+) even though they are correct in the switch. Any ideas?
05-21-2010 07:56 AM
If you selected that the template is ordered, and the ACEs show up out of template order, then you could see what you describe. You may also see problems if you have IP SLA configured on your device due to bug CSCtf82992. In order to confirm, you will need to post the device's running config and an export of the template you are using.
05-24-2010 07:40 AM
05-24-2010 01:55 PM
In the run.log, your device has an ACL:
access-list 101 remark Permit SSH from admin systems and other switches
access-list 101 permit tcp 172.20.2.0 0.0.1.255 any eq 22 log
access-list 101 permit tcp 192.168.10.0 0.0.1.255 any eq 22 log
access-list 101 deny ip any any log
But your template requires:
access-list 101 remark Permit SSH from admin systems and other switches
access-list 101 permit tcp 172.20.2.0 0.0.1.255 any eq 22 log
access-list 101 permit tcp 192.168.10.0 0.0.1.255 any eq 22 log
access-list 101 permit tcp 192.168.12.0 0.0.1.255 any eq 22 log
access-list 101 deny ip any any log
The test.log device has "ip sla enable reaction-alerts" which will trigger a parse error in baseline. If you remove this line, re-archive the config, then run a new compliance test, it should show as being compliant (from the ACL standpoint).
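The ACL comparison in the reply above (device ACEs against template ACEs, with the missing 192.168.12.0 entry) and the earlier point that an ordered template reports non-compliance when the ACEs are present but out of template order, as an added example. This is not code from the original thread or from RME; the +/- convention it prints (- for ACEs the template requires but the device lacks, + for ACEs the device has that the template does not) and the behaviour of the ordered flag are this example's own assumptions, and every config snippet is constructed from the ACL lines quoted in the thread.

```python
"""
Added example, not code from the thread or from Cisco RME: a small
stand-in for a template compliance check on one numbered ACL. It pulls
the ACEs out of an archived running config, compares them with the
template, and reports '-' for ACEs the template requires but the device
lacks and '+' for ACEs the device has that the template does not (the
+/- convention is this example's own). An 'ordered' flag shows why an
ordered template can report non-compliance when all ACEs are present but
not in template order. Whitespace is collapsed before comparing so that
spacing differences alone never cause a mismatch.
"""
from dataclasses import dataclass, field

# Constructed sample: the ACL found on the run.log device in the thread.
DEVICE_CONFIG = """\
hostname sw-constructed
ip domain-name example.test
access-list 101 remark Permit SSH from admin systems and other switches
access-list 101 permit tcp 172.20.2.0 0.0.1.255 any eq 22 log
access-list 101 permit tcp 192.168.10.0 0.0.1.255 any eq 22 log
access-list 101 deny ip any any log
"""

# Constructed sample: all five template ACEs present, but two permits
# swapped and one line with irregular spacing.
REORDERED_CONFIG = """\
hostname sw-constructed
access-list 101 remark Permit SSH from admin systems and other switches
access-list 101 permit tcp 192.168.10.0 0.0.1.255 any eq 22 log
access-list 101  permit tcp 172.20.2.0  0.0.1.255 any eq 22 log
access-list 101 permit tcp 192.168.12.0 0.0.1.255 any eq 22 log
access-list 101 deny ip any any log
"""

# Constructed sample: what the template requires (one additional ACE).
TEMPLATE = """\
access-list 101 remark Permit SSH from admin systems and other switches
access-list 101 permit tcp 172.20.2.0 0.0.1.255 any eq 22 log
access-list 101 permit tcp 192.168.10.0 0.0.1.255 any eq 22 log
access-list 101 permit tcp 192.168.12.0 0.0.1.255 any eq 22 log
access-list 101 deny ip any any log
"""


def acl_lines(config: str, acl: str) -> list[str]:
    """Return the ACEs of numbered ACL `acl`, whitespace-normalized."""
    prefix = f"access-list {acl} "
    lines = []
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse runs of whitespace
        if line.startswith(prefix):
            lines.append(line)
    return lines


@dataclass
class AclResult:
    compliant: bool
    missing: list[str] = field(default_factory=list)  # reported as '-'
    extra: list[str] = field(default_factory=list)    # reported as '+'
    out_of_order: bool = False


def check_acl(device_cfg: str, template: str, acl: str,
              ordered: bool = False) -> AclResult:
    """Compare one ACL on the device with the template.

    ordered=False: only the set of ACEs matters.
    ordered=True:  the ACEs common to both must also appear in the
                   template's sequence; for an ACL that matters, since
                   the first matching ACE wins.
    """
    have = acl_lines(device_cfg, acl)
    want = acl_lines(template, acl)
    missing = [ace for ace in want if ace not in have]
    extra = [ace for ace in have if ace not in want]
    out_of_order = False
    if ordered:
        common_have = [ace for ace in have if ace in want]
        common_want = [ace for ace in want if ace in have]
        out_of_order = common_have != common_want
    compliant = not (missing or extra or out_of_order)
    return AclResult(compliant, missing, extra, out_of_order)


def report(result: AclResult) -> list[str]:
    """Render the result in the '-'/'+' style described in the thread."""
    lines = [f"- {ace}" for ace in result.missing]
    lines += [f"+ {ace}" for ace in result.extra]
    if result.out_of_order:
        lines.append("! ACEs present but not in template order")
    return lines or ["compliant"]


if __name__ == "__main__":
    for name, cfg in (("run.log", DEVICE_CONFIG), ("reordered", REORDERED_CONFIG)):
        for ordered in (False, True):
            res = check_acl(cfg, TEMPLATE, "101", ordered=ordered)
            print(f"{name} ordered={ordered}:")
            for line in report(res):
                print("   ", line)
```

Run as-is: the run.log sample reports one '-' line whether or not the template is ordered, while the reordered sample is compliant as an unordered template and non-compliant only when ordered, which is the situation the accepted answer describes.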
05-25-2010 06:27 AM
Thanks, I see the problem with ACL 101. The real issue is that I am getting the + and - for ACL 60 on the run config. I am not sure as to why.
05-26-2010 12:02 PM
If you're seeing this on the device with the IP SLA configuration, then that is expected due to the bug I pointed out. Any command below the IP SLA configuration will not be parsed correctly by RME.
05-26-2010 12:23 PM
I understand. The problem is I cannot seem to find this command in the run config for the switch that is labeled run.log.
05-26-2010 09:29 PM
There may still be an issue with the config as it's archived in RME. Post screenshots of the processed config from this run device from RME > Config Mgmt > Archive Mgmt > Version Tree (pick the latest version of this device's config). You will need to grab screenshots for each of the submodes (i.e. the elements in the config tree).
06-09-2010 07:11 AM
08-06-2010 07:32 AM
Also, the no ip sla enable reaction-alerts command is not removing this from the configuration.
08-07-2010 11:09 AM
08-09-2010 05:55 AM
I am still getting the same issue, but I am working with the IP SLA issue that is out there right now. It's still trying to remove ACL 60. Only this time it is saying it is in the config twice, when I know it's not. Also, now, it's yelling about ACL 101 being wrong when it's not, so I must be hitting that bug mentioned above.
08-09-2010 09:50 PM
You may be. I did some local testing with my template and your ACL 60, and I could not reproduce. That's when I noticed your spacing issue. If you just try my template, and RME reports non-compliance, then you may be hitting the bug I mentioned above.