Removing ezvpn crypto with compliance management in LMS 3.2

tim.cooper
Level 1

Having trouble with advanced Compliance Management jobs in Ciscoworks.

Trying to remove ezvpn crypto config as follows

interface fastethernet0/0
 crypto ipsec ezvpn fred
interface fastethernet0/1.1
 crypto ipsec ezvpn fred inside
global
 crypto ipsec ezvpn fred

Obviously I can't remove the global command until the interface commands have gone, and can't remove fastethernet0/0 until fastethernet0/1.149 has gone.

Tried this many ways, as follows:

Option 1

name = step1
submode = interface [intname]
- crypto ipsec ezvpn fred
- crypto ipsec ezvpn fred inside

name = step2
- crypto ipsec ezvpn fred

Option 2

name = step1
submode = interface [intname]
- crypto ipsec ezvpn fred

name = step2
parent = step1
submode = empty
- crypto ipsec ezvpn fred inside

name = step3
- crypto ipsec ezvpn fred

Option 3

name = step1
submode = interface [intname1]
- crypto ipsec ezvpn fred

name = step2
submode = interface [intname2]
- crypto ipsec ezvpn fred inside

name = step3
- crypto ipsec ezvpn fred

None of the above seem to work, and I have to run the compliance check two or three times for it to remove all of the config. The first pass simply removes the interface fastethernet0/0 config?

Anybody got any ideas?

4 Replies

Joe Clarke
Cisco Employee

It looks like you need to remove Fa0/0 first, then Fa0/1.149, then the global config (i.e. outside, inside, global).  In that case, just create the three commandlets in that order:

int fa0/0
- crypto ipsec client ezvpn fred

int fa0/1.149
- crypto ipsec client ezvpn fred inside

Here's where it gets problematic.  The global mode commandlet cannot come after the last sub-mode commandlet as compliance will still be in the interface submode.  To remove the global bit from the config, you will need a separate template.

Hi Joseph,

Thanks for the response, and sorry for the delayed reply, but I've been off sick.

I should have pointed out that the interfaces this crypto config is on may be different on each device, hence the compliance check.

I have already created the separate commandlets that you mention, as per the original post, but for some reason each time I run the compliance report it only ever removes one part of the config. So in the example I gave, if I run the compliance check it will remove the Fa0/0 okay and leave Fa0/1.149, even though the config it shows that it will deploy covers all of the required removals. The next time I run it, it will then remove the Fa0/1.149 and leave the global, and then once more and it will completely remove it.

As mentioned, I have tried making these commands parents of each other, running them sequentially top down in the same command set, and also creating three different command sets, but none appear to work.

With regards to the global command set item you mention, does this mean that with any submode compliance jobs I run, I cannot get back to global mode afterwards? Following that through logically, it would mean that in a normal non-crypto situation I would need to remove/add the global command sets at the top of the compliance job before doing anything with any sub-mode items?

Thanks for your help

Tim Cooper

Your device may be different than mine.  I tested a 2821 running 15.0, and the outside interface needed to be removed before the inside.  You may want to confirm on one of your devices by doing this manually.  I was able to remove the two interface commands provided they were done in the right sequence.

You can use a regexp in compliance to make sure the varying interfaces are handled correctly.

Sub-int:
interface [#.*Ethernet\d+/\d+\.\d+#]

Main interface:
interface [#.*Ethernet\d+/\d+$#]

You must perform any global configuration steps first before entering a submode.  In this case, the global command cannot be applied until the ezvpn profile has been removed from all associated interfaces, so two passes will be required.
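As an added illustration (not code from this thread or from LMS), the small Python script below applies the ordering Joe describes to a constructed sample running-config: it reuses his two regexps to tell sub-interfaces from main interfaces, emits the interface removals with the outside interface before the inside one, and keeps the global profile removal in a separate second pass. The profile name "fred", the command form from Joe's reply, and the sample config are assumptions for the example.

```python
import re

# Joe's two compliance regexps, as Python patterns (LMS wraps them in [#...#]).
SUBINT_RE = re.compile(r".*Ethernet\d+/\d+\.\d+$")
MAININT_RE = re.compile(r".*Ethernet\d+/\d+$")

# Constructed sample running-config (not from a real device); peer address is made up.
SAMPLE_CONFIG = """\
crypto ipsec client ezvpn fred
 mode client
 peer 192.0.2.1
!
interface FastEthernet0/0
 crypto ipsec client ezvpn fred
!
interface FastEthernet0/1.149
 crypto ipsec client ezvpn fred inside
!
"""

def classify(intf):
    """Sort an interface name the way the two regexps would in a template."""
    if SUBINT_RE.match(intf):
        return "sub"
    if MAININT_RE.match(intf):
        return "main"
    return "other"

def plan_ezvpn_removal(config, profile):
    """(pass1, pass2): interface removals, outside before inside, then the global one."""
    outside, inside = [], []
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith("!"):
            current = None  # end of the stanza
        elif current and line.startswith(" "):
            cmd = line.strip()
            if cmd == f"crypto ipsec client ezvpn {profile} inside":
                inside.append(current)
            elif cmd == f"crypto ipsec client ezvpn {profile}":
                outside.append(current)
    pass1 = []
    for intf in outside + inside:  # outside first, as Joe saw on the 2821
        suffix = " inside" if intf in inside else ""
        pass1 += [f"interface {intf}", f" no crypto ipsec client ezvpn {profile}{suffix}"]
    # The global removal only succeeds once no interface references remain: second pass.
    pass2 = [f"no crypto ipsec client ezvpn {profile}"]
    return pass1, pass2
```

Running the check manually on one device first, as Joe suggests, confirms whether your platform wants the same outside-then-inside order.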

Thanks Joseph,

I will give it a try and see what happens with the new regexp, as at the moment I am just using interface [intname] in the submode area.