08-09-2012 02:56 AM - edited 03-11-2019 04:40 PM
Hi, I've seen some strange behavior in a multiple-context configuration on an FWSM module in a 6509-E chassis when using Security Manager to deploy configs.
The software version on the FWSM is 4.1(7), and the 6509-E runs IOS 12.2(33)SXJ2.
When deploying a config (changed inspect protocols) from CSM (tested both versions 3.3.1 and 4.2) to a context, it fails with an authentication error,
and the aaa/tacacs+ config is erased/modified!! (e.g. aaa server....)
"Buggy" config as follows (relevant parts...):
---------------------------------------
interface Vlan1043
description Net_Aggr_Link_Elev only for Management
nameif Rve_Link_Net_Aggr_Elev
security-level 100
ip address 10.100.255.193 255.255.255.240
management-only
!
aaa-server XYZ protocol tacacs+
aaa-server XYZ (Rve_Link_Net_Aggr_Elev) host 172.23.16.24
timeout 5
key xxxxxxxx
aaa-server XYZ (Rve_Link_Net_Aggr_Elev) host 172.23.16.16
timeout 5
key xxxxxxxx
---------------------------------------
No commands that affect the aaa config are visible in the deployment (as seen in CSM), only the policy-map/inspect commands, as expected.
After deployment from CSM, the aaa config is changed(!) and the key is missing from the running config!! (see below)
---------------------------------------
interface Vlan1043
description Net_Aggr_Link_Elev only for Management
nameif Rve_Link_Net_Aggr_Elev
security-level 100
ip address 10.100.255.193 255.255.255.240
management-only
!
aaa-server XYZ protocol tacacs+
aaa-server XYZ (Rve_Link_Net_Aggr_Elev) host 172.23.16.24
timeout 5
aaa-server XYZ (Rve_Link_Net_Aggr_Elev) host 172.23.16.16
---------------------------------------
I've checked the syntax for the interface/nameif command to see if the name was too long, but the max length is 48 characters, so this seems to be OK.
But the syntax for the aaa-server command does not describe any limitations on the interface name. (suspicious...hm!)
So I decided to change the nameif of the above interface to a shorter name (from 22 characters to 4), as I've seen similar problems in other areas with too-long character strings.
So I changed the interface nameif string in the context running config, rediscovered (live device) the context back into CSM and then made some changes for deployment in CSM.
And this time it worked, so this was clearly the problem. The interface nameif string must be short, probably less than 16 characters.
Working config as follows:
---------------------------------------
interface Vlan1043
description Net_Aggr_Link_Elev only for Management
nameif Mgmt
security-level 100
ip address 10.100.255.193 255.255.255.240
management-only
!
aaa-server XYZ protocol tacacs+
aaa-server XYZ (Mgmt) host 172.23.16.24
timeout 5
key xxxxxxxx
aaa-server XYZ (Mgmt) host 172.23.16.16
timeout 5
key xxxxxxxx
---------------------------------------
Anyone who has seen this behavior??
Regards
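A post-deployment check for the symptom described above, added here as an example and not part of the original post or any Cisco tool: it parses the FWSM running config, flags every aaa-server host entry whose TACACS+ key is gone, and flags nameifs used by aaa-server that exceed the poster's suspected limit. The two configs are constructed from the post; the 15-character threshold is an assumption based on the "less than 16 characters" guess.

```python
import re

# Constructed samples modelled on the post: the "buggy" running config after the
# CSM deployment (keys gone, 22-character nameif) and the working one (nameif "Mgmt").
BUGGY_CONFIG = """\
interface Vlan1043
 nameif Rve_Link_Net_Aggr_Elev
!
aaa-server XYZ protocol tacacs+
aaa-server XYZ (Rve_Link_Net_Aggr_Elev) host 172.23.16.24
 timeout 5
aaa-server XYZ (Rve_Link_Net_Aggr_Elev) host 172.23.16.16
"""
WORKING_CONFIG = """\
aaa-server XYZ protocol tacacs+
aaa-server XYZ (Mgmt) host 172.23.16.24
 timeout 5
 key xxxxxxxx
aaa-server XYZ (Mgmt) host 172.23.16.16
 timeout 5
 key xxxxxxxx
"""
MAX_SAFE_NAMEIF = 15  # assumption: the post's guess of "less than 16 characters"
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")

def parse_aaa_hosts(config_text):
    """Collect each 'aaa-server GROUP (IF) host ADDR' block and whether it carries a key."""
    hosts, in_block = [], False
    for line in config_text.splitlines():
        s = line.strip()
        m = HOST_RE.match(s)
        if m:
            group, ifname, addr = m.groups()
            hosts.append({"group": group, "ifname": ifname, "host": addr, "has_key": False})
            in_block = True
        elif in_block and s.startswith("key "):
            hosts[-1]["has_key"] = True
        elif in_block and s.startswith("timeout "):
            continue  # another host sub-command; the block continues (indented or not)
        elif s and not line[:1].isspace():
            in_block = False  # any other top-level command closes the host block
    return hosts

def audit_aaa_config(config_text, max_nameif=MAX_SAFE_NAMEIF):
    """Flag TACACS+ hosts with no shared key and long nameifs referenced by aaa-server."""
    findings, long_seen = [], set()
    for h in parse_aaa_hosts(config_text):
        if not h["has_key"]:
            findings.append(f"missing key: aaa-server {h['group']} ({h['ifname']}) host {h['host']}")
        if len(h["ifname"]) > max_nameif and h["ifname"] not in long_seen:
            long_seen.add(h["ifname"])
            findings.append(f"nameif {h['ifname']} is {len(h['ifname'])} chars (>{max_nameif})")
    return findings
```

Run it against `show running-config` output captured before and after each CSM deployment; an empty list means every TACACS+ host still has its key.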
08-19-2012 10:26 AM
I was always under the impression the nameif characters can be as long as 48. I guess I learnt something new today :-)