CSA Agents, and MC stopped polling after db prunning

D. STM (Level 1)

My DB needed pruning, so I went through the normal steps to clear the events and cleared the logs, and now my agents won't poll. The MC sees my clients, but they're all not active. I have checked my licenses; they're all still valid, and I even have 50+ open. Fast poll doesn't work either. I stopped and restarted the services and even rebooted, and nothing. Any ideas?

11 Replies

mwinnett (Level 3)

Check first that the agent can reach the MC. On the agent, open a cmd prompt (assuming Windows) and try "telnet 5401" and "telnet 443". If it times out then you have connectivity issues; if it opens then the MC is reachable on the required ports. Next, check whether the agent is really polling. I would install Wireshark and check that it is trying to communicate. You should see SYN requests on ports 5401 & 443. If the agent is polling and the MC is reachable then Wireshark should show a full TCP connection (approx. 20 packet exchange). I would go to the MC, delete the entry for the agent and then poll again from the agent. The agent should re-register. If this fails, then we will need to look at some logs.

Matthew

Matt, thanks for the reply. I believe it has been narrowed down to my SSL certificate expiring. I found it in my agent log, then went to the MC page: the root certificate is updated, but the one the webpage uses has expired, right on the date that my agents stopped polling, and the agents need it to communicate. I have a CSA book I bought previously, although it doesn't have anything in it about updating the date on the SSL certificate, and anything I can find on the web pertains to reissuing an SSL certificate if you change the server, i.e. rebuild, rename, re-IP. All I need to do is update the expiry date, and I believe that will resolve the issue completely.

The statement in the log on the agent said to check the CSAMC system times and make sure they are not unsynchronized, or to check the certificate file sslca.crt and see if the valid-from date-time of the cert is later than this host's system time, and adjust the system time to fix it. The problem is the date is expired, and I can't find anything that tells me just how to update it.

Any idea or link to just updating this?

The procedure to replace the MC certs when the hostname changes is as follows. This is the procedure I would also use for expired certs. The example here is for CSA 6.0. Which version are you running? Do you have an easy way of distributing the new certs to each agent?

1. net stop csagent

2. cd program files/cisco/csamc/csamc60/cfg

   delete files sslca.crt, sslca.csr, sslca.key, sslca.sn, sslhost.crt, sslhost.csr, sslhost.key

3. program files/cisco/csamc/apache2/conf - http.confg - rename 2 entries with hostname

4. cd program files/cisco/csamc/csamc60/bin

   ../perl/5.8.7/bin/MSWin32-x86/perl.exe installcert.pl -forceinstall

5. net start csagent

6. cd program files/cisco/csamc/csamc60/bin

   webmgr makekits_refresh

7. copy cert file sslca.crt from \csamc60\cfg to the agent /cfg directory

Matthew

Using latest version 6, agents are 6.0.2.126.

There's not really a way to distribute kits as I would like. I remember back in version 4, when someone else was keeping watch on the system and they had to redo the hardware, we had to go around manually and either reinstall the agent or copy the 2 files over. It wasn't fun. We were thinking of using a GP to push them. Is that possible?

You only have to distribute the certs and copy them to the agent directory, though a new agent kit might be easier for users to deploy. What is GP?

Matthew

When you say distribute, do you mean give them to all the PCs that have agents on them?

When you say through a new agent kit, would there be any way to make them update automatically? GP (Group Policy) was suggested by one of our support techs; not sure how that would pan out.

When you say copy the sslca.crt from csamc60\cfg to the agent cfg directory, are you talking about the cfg directory on the actual user PC running the agent?

The sslca.crt file is already up to date on the user machine; the one that is outdated on the MC in ..\csamc60\cfg is the sslhost.crt file.

If I check the date on the sslca.crt on the server and on the user's PC, those are up to date; it's just the sslhost on the server that is outdated.

It may have been from the one support tech trying to fix it. I know he ran something but didn't use the forceinstall option.

I'm sorry, but I am not sure how you replace just the sslhost.crt file. I have used the script to replace certs when either the MC name or IP address changed or the certs became out of date. To answer your question, yes, the sslca.crt file from the MC needs to be copied to all agents. Not nice if you have many agents.

Matthew

Matt, so if I follow these steps, it will recreate all the new files: sslca.crt, sslca.csr, sslca.key, sslca.sn, sslhost.crt, sslhost.csr and sslhost.key? Then after that, the next step is to deploy a copy of the sslca.crt to the users' (agent) cfg directory, as in step 7? I noticed on 2 client machines the current sslca.crt in their cfg directory was already up to date; could it be possible we won't have to deploy that with Group Policy?

1. net stop csagent

2. cd program files/cisco/csamc/csamc60/cfg

   delete files sslca.crt, sslca.csr, sslca.key, sslca.sn, sslhost.crt, sslhost.csr, sslhost.key

3. program files/cisco/csamc/apache2/conf - http.confg - rename 2 entries with hostname

4. cd program files/cisco/csamc/csamc60/bin

   ../perl/5.8.7/bin/MSWin32-x86/perl.exe installcert.pl -forceinstall

5. net start csagent

6. cd program files/cisco/csamc/csamc60/bin

   webmgr makekits_refresh

7. copy cert file sslca.crt from \csamc60\cfg to the agent /cfg directory

That's right. You won't need to do step 3 as the MC name is not changing. I don't understand the question about not having to deploy with Group Policy. I'm not sure how you get to a situation where some certs are expired and some are not. Do you want to take a look at this together? Drop me a mail (mwinnett@cisco.com).

Matthew

Yeah, just looked at a 3rd machine. In the agent config directory the sslca.crt has a date good to 07/21/2017 and says:

Issued to: Root CA on Myser.x.yxx.local

Issued by: Root CA on Myser.x.yxx.local

Valid from  07/24/2007 to 07/21/2017

If I go to the https page of my MC, on the login page there is a link in the lower left corner, "Get Root Certificate". I get the pop-up and it says sslca.cer; upon opening it, it has the same credentials with a good date. When I go to the server directory of Myser.x.yxx.local, \programs\cisco systems\csamc\csamc60\cfg, and look at the sslca.crt, it shows the same information with the updated dates; then when I look at the sslhost.crt it says:

Issued to: Myser.x.yxx.local<-Different

Issued by: Root CA on Myser.x.yxx.local

Valid from 07/24/2007 to 07/22/2012<--Different

The 22nd is when agents stopped polling. My question was pertaining to the dates on the agents: it appears the sslca.crt is updated, or at least on the ones I have checked. So when I run the script to update the sslhost.crt, will that make those sslca.crt files on the agents invalid, as it will regenerate all new security material? Or, since the server is keeping the same name and the config hasn't changed, will those still be valid? It appears, so far as I have checked, that the agents have an updated, valid copy of the sslca.crt; it was just the sslhost.crt on the server that expired.

Does that clear it up at all?
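A check for the situation described in this thread, added here as an example (it is not a Cisco tool and not code from anyone in the thread): it reads sslca.crt and sslhost.crt as X.509 certificates (PEM or DER), extracts issuer, subject and the validity window, and classifies each file as valid, expired or not yet valid at a given date. The DER walk only reads the tbsCertificate fields up to the subject, so it needs no third-party library. The two sample certificates at the bottom are constructed in the block itself with the names and dates quoted above; their keys and signatures are zero placeholders, so they are only good for parsing, and the file paths in the usage comment are assumptions.

```python
import base64
import re
import sys
from datetime import datetime, timezone

CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, content, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split the content of a SEQUENCE/SET into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out


def _parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ), as RFC 5280 requires."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    elif tag == 0x18:
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)


def _common_name(name):
    """Return the CN from an X.501 Name (SEQUENCE of SET of {OID, value})."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            if oid == CN_OID:
                return val.decode("utf-8")
    return None


def _to_der(data):
    """Accept PEM (-----BEGIN CERTIFICATE-----) or raw DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def parse_cert(data):
    """Extract issuer CN, subject CN and the validity window from an X.509 certificate."""
    _, cert, _ = _read_tlv(_to_der(data), 0)
    _, tbs, _ = _read_tlv(cert, 0)         # tbsCertificate is the first element
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    (nb_tag, nb), (na_tag, na) = _children(fields[3][1])
    return {"issuer_cn": _common_name(fields[2][1]), "subject_cn": _common_name(fields[4][1]),
            "not_before": _parse_time(nb_tag, nb), "not_after": _parse_time(na_tag, na)}


def check_cert(data, now=None):
    """Classify a cert as valid / expired / not-yet-valid at `now` (UTC datetime, 'YYYY-MM-DD', or None = current time)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    info = parse_cert(data)
    if now < info["not_before"]:
        status = "not-yet-valid"
    elif now > info["not_after"]:
        status = "expired"
    else:
        status = "valid"
    return {**info, "status": status, "days_left": (info["not_after"] - now).days}


# --- constructed sample certificates (placeholder key and signature; parse-only) ---------------
def _tlv(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode()))))


def make_sample_cert(subject_cn, issuer_cn, not_before, not_after):
    """Build a structurally valid PEM certificate with the given names and UTCTime validity strings."""
    sha1_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + _tlv(0x05, b""))
    rsa_key = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))
    spki = _tlv(0x30, rsa_key + _tlv(0x03, b"\x00"))          # empty placeholder key
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha1_rsa
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    der = _tlv(0x30, tbs + sha1_rsa + _tlv(0x03, b"\x00" + bytes(16)))  # zero signature
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


# Names and dates as reported in the thread: the host cert expired 07/22/2012, the CA cert runs to 07/21/2017.
SAMPLE_SSLHOST = make_sample_cert("Myser.x.yxx.local", "Root CA on Myser.x.yxx.local", "070724000000Z", "120722235959Z")
SAMPLE_SSLCA = make_sample_cert("Root CA on Myser.x.yxx.local", "Root CA on Myser.x.yxx.local", "070724000000Z", "170721235959Z")

if __name__ == "__main__":
    # Usage (paths assumed): python certcheck.py C:\...\csamc60\cfg\sslca.crt C:\...\csamc60\cfg\sslhost.crt
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
              [("sslca.crt (sample)", SAMPLE_SSLCA), ("sslhost.crt (sample)", SAMPLE_SSLHOST)]
    for label, data in targets:
        r = check_cert(data)
        print(f"{label}: {r['status']} subject={r['subject_cn']!r} issuer={r['issuer_cn']!r} "
              f"not_after={r['not_after'].date()} days_left={r['days_left']}")
```

Run it against both files in the MC's csamc60\cfg directory and against sslca.crt in an agent's cfg directory; with no arguments it reports on the constructed samples, where sslca.crt shows as valid and sslhost.crt as expired, which is the split this thread describes. Scheduling the same check ahead of the notAfter date turns a silent "agents went inactive" outage into a planned renewal.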
