03-22-2011 11:35 AM
Having trouble with advanced Compliance Management jobs in Ciscoworks.
Trying to remove ezvpn crypto config as follows
interface fastethernet0/0
crypto ipsec ezvpn fred
interface fastethernet0/1.1
crypto ipsec ezvpn fred inside
global
crypto ipsec ezvpn fred
Obviously can't remove global until interfaces have gone and can't remove fastethernet0/0, until fastethernet0/1.149 has gone
Tried this many ways as follows: -
Option 1
name = step1
submode = interface [intname]
- crypto ipsec ezvpn fred
- crypto ipsec ezvpn fred inside
name = step2
- crypto ipsec ezvpn fred
Option 2
name = step1
submode = interface [intname]
- crypto ipsec ezvpn fred
name = step2
parent = step1
submode = empty
- crypto ipsec ezvpn fred inside
name = step3
- crypto ipsec ezvpn fred
Option 3
name = step1
submode = interface [intname1]
- crypto ipsec ezvpn fred
name = step2
submode = interface [intname2]
- crypto ipsec ezvpn fred inside
name = step3
- crypto ipsec ezvpn fred
None of the above seem to work and I have to run the compliance check two or three times for it to remove all of the config. First pass simply removes the interface fastether0/0 config?
Anybody got any ideas?
03-22-2011 10:02 PM
It looks like you need to remove Fa0/0 first, then Fa0/1.149, then the global config (i.e. outside, inside, global). In that case, just create the three commandlets in that order:
int fa0/0
- crypto ipsec client ezvpn fred
int fa0/1.149
- crypto ipsec client ezvpn fred inside
Here's where it gets problematic. The global mode commandlet cannot come after the last sub-mode commandlet as compliance will still be in the interface submode. To remove the global bit from the config, you will need a separate template.
03-25-2011 07:09 AM
Hi Joseph,
Thanks for the response and sorry for the delayed reply but been off sick.
Should have pointed out that the interfaces that this crypto config is on may be different on each device, hence the compliance check.
Have already created the separate commandlets that you mention as per the original post, but for some reason each time I run the compliance report it only ever removes one part of the config. So in the example I gave, if I run the compliance check it will remove the Fa0/0 okay and leave Fa0/1.149, even though the config it shows that it will deploy covers all of the required removals. Next time I run it, it will then remove the Fa0/1.149 and leave the global and then once more and it will completely remove.
As mentioned, I have tried making these commands parents of each other, run sequentially top down in the same command set and also created three different command sets but none appear to work.
With regards to the global command set item you mention, does this mean that with any submode compliance jobs I run, I cannot get back to the global mode afterwards? Following that through logically, it would mean that in a normal non crypto situation I would need to remove/add the global command sets at the top of the compliance job before doing anything with any sub mode items?
Thanks for your help
Tim Cooper
03-25-2011 07:07 PM
Your device may be different than mine. I tested a 2821 running 15.0, and the outside interface needed to be removed before the inside. You may want to confirm on one of your devices by doing this manually. I was able to remove the two interface commands provided they were done in the right sequence.
You can use a regexp in compliance to make sure the varying interfaces are handled correctly.
Sub-int:
interface [#.*Ethernet\d+/\d+\.\d+#]
Main interface:
interface [#.*Ethernet\d+/\d+$#]
You must perform any global configuration steps first before entering a submode. In this case, the global command cannot be applied until the ezvpn profile has been removed from all associated interfaces, so two passes will be required.
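The removal order discussed above, as an added example that is not from any poster or from CiscoWorks: it reads a running-config, finds every interface bound to the ezvpn profile, and emits the removals outside first, then inside, with the global removal as a separate second pass. The sample config and the function names are constructed for illustration; the two interface patterns are the ones from the reply above.

```python
import re

# Interface patterns from the reply above (CiscoWorks [# #] delimiters dropped).
SUB_IF = re.compile(r".*Ethernet\d+/\d+\.\d+")
MAIN_IF = re.compile(r".*Ethernet\d+/\d+$")
# Accepts both spellings seen in the thread; group 1 = profile, group 2 = role.
BIND = re.compile(r"^crypto ipsec (?:client )?ezvpn (\S+)(?: (inside|outside))?$")

# Constructed sample config (inside interface listed first on purpose).
SAMPLE = """\
crypto ipsec client ezvpn fred
 connect auto
!
interface FastEthernet0/1.149
 encapsulation dot1Q 149
 crypto ipsec client ezvpn fred inside
!
interface FastEthernet0/0
 ip address dhcp
 crypto ipsec client ezvpn fred
!
"""

def classify(ifname):
    """Label an interface name using the two patterns from the thread."""
    if SUB_IF.match(ifname):
        return "sub"
    return "main" if MAIN_IF.match(ifname) else "other"

def removal_plan(config, profile):
    """Return (interface_pass, global_pass); outside bindings come before inside."""
    outside, inside, global_pass = [], [], []
    current = None  # None means global configuration mode
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):  # a top-level line starts a new block
            current = line[len("interface "):] if line.startswith("interface ") else None
        m = BIND.match(line)
        if not m or m.group(1) != profile:
            continue
        if current is None:
            global_pass.append("no " + line)
        else:  # a binding with no keyword is treated as the outside interface
            step = (current, classify(current), "no " + line)
            (inside if m.group(2) == "inside" else outside).append(step)
    return outside + inside, global_pass

if __name__ == "__main__":
    print(removal_plan(SAMPLE, "fred"))
```

The first list maps to the submode commandlets and the second to the separate global template run afterwards.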
03-30-2011 02:59 AM
Thanks Joseph,
I will give it a try and see what happens with the new regexp as at the moment I am just using interface [intname] in the submode area.