09-26-2014 07:14 PM
I am attempting to add my ASAs into prime but get stuck almost instantly after adding the new device. Prime is able to get the device name and Device type (Cisco ASA-5580 Adaptive Security Appliance Security Context) Admin status shows up as Managed but Inventory Collection Status shows up as "Partial Collection Failure" For more detail it says "feature_image_firewall Unexpected error. See the log file inventory.log for details."
The only failure in inventory.log I could find was
[2014-09-26 12:40:01,868] [ICE Service[ 1]Thread: 20] [inventory] [ERROR] - 192.168.0.19 For device id: 2848866 Feature = feature_image_firewall and Procedure = ImageFireWal failed in time 45 with the following error and continuing with other features: com.cisco.nm.expression.function.FunctionException: <palError><deviceId>2848866</deviceId><code>HANDLER_ERROR</code><message>Error while trying to run handler. Action : imageFireWall, Handler : com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : Constraint violation. See log for details.</message><handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>
[2014-09-26 12:40:01,868] [ICE Service[ 1]Thread: 20] [ice] [ERROR] - com.cisco.nm.expression.function.FunctionException: <palError><deviceId>2848866</deviceId><code>HANDLER_ERROR</code><message>Error while trying to run handler. Action : imageFireWall, Handler : com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : Constraint violation. See log for details.</message><handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>
com.cisco.nm.expression.function.FunctionException: <palError><deviceId>2848866</deviceId><code>HANDLER_ERROR</code><message>Error while trying to run handler. Action : imageFireWall, Handler : com.cisco.nm.pal.customhandler.RPLHandler. Error : Exception thrown : Constraint violation. See log for details.</message><handlerCode>ERROR_HANDLER_ERROR</handlerCode></palError>
As far as the ASA config goes:
snmp-server enable
snmp-server host management 192.168.10.27 community c!$c0PR!me version 2c
logging enable
logging history 7
snmp-server enable traps
The above config works on our ASA5520s except I still haven't set up the traps right because there isn't any useful information on those devices so I am not sure what I need to change?
Solved! Go to Solution.
09-29-2014 10:45 AM
There's always a chance.
If it were my network I'd open one and tell them they need to update PI 2.x to account for the thousands of ASA 5500 series customers have but cannot properly manage using Cisco flagship wired management tool.
Good luck.
09-27-2014 06:19 AM
What version of ASA code are you running?
09-29-2014 06:22 AM
The VPN boxs ASA5520 are running 9.1(2)8
The Firewall box ASA5580 is 9.1(2)8
09-29-2014 06:30 AM
There have been at least two issues with respect to ASAs being managed by PI 2.x:
1. ASAs not supporting large SNMP packets. This was fixed in ASA 9.2 software. Related thread.
2. PI not able to ssh into newer ASAs. This is fixed by setting the ASA DH group to DH 1. See this thread.
09-29-2014 08:25 AM
My ASA is using DH 1.
Note The ASA 5510, ASA 5520, ASA 5540, ASA 5550, and ASA 5580 are not supported in this release or later. ASA Version 9.1 was the final release for these models.
09-29-2014 08:59 AM
You're right - it's a bit of a Catch-22 on the older end-of-sales 5500 series.
They don't support the large SNMP packets that PI uses and the fix (9.2+) is not available on that platform. Unless or until Cisco issues the fix on 9.1 (or changes PI to use smaller packets) you will be unable to get full support from PI 2.1 on those older boxes.
09-29-2014 10:42 AM
Any chance that opening a ticket with Cisco might help move the process along? Or they can find an alternate solution?
09-29-2014 10:45 AM
There's always a chance.
If it were my network I'd open one and tell them they need to update PI 2.x to account for the thousands of ASA 5500 series customers have but cannot properly manage using Cisco flagship wired management tool.
Good luck.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide