08-15-2012 08:50 AM - edited 03-10-2019 05:45 AM
My DB needed pruning so I went through the normal steps to clear the events, and cleared the logs, and now my agents won't poll, and the MC sees my clients, but they're all not active. I have checked my licenses, they're all still valid, and I even have 50+ open. Fast poll doesn't work either. I stopped and restarted the services and even rebooted, and nothing? Any ideas?
08-23-2012 11:42 PM
Check first that the agent can reach the MC. On the agent, open cmd prompt (assuming Windows) and try "telnet
09-06-2012 05:34 AM
Matt, thanks for the reply. I believe it has been narrowed down to my SSL certificate expiring. I found it in my agent log, then went to the MC page: the root certificate is updated, but the one the webpage uses, which the agents need to communicate, expired right on the date that my agents stopped polling. I have a CSA book I bought previously, although it doesn't have anything in it about updating the date on the SSL certificate, and anything I can find on the web pertains to reissuing an SSL certificate if you change the server, i.e. rebuild, rename, re-IP. All I need to do is to update the expiry date, and I believe that will resolve the issue completely.
The statement in the log on the agent was saying to check the CSAMC system times and to make sure they are not unsynchronized, or to check the certificate file sslca.crt and see if the valid-from date-time of the cert is later than this host system, and adjust the system time to fix. Problem is the date is expired and I can't find anything that tells me just how to update it.
Any idea or link to just updating this?
09-06-2012 07:16 AM
The procedure to replace the MC certs when the hostname changes is as follows. This is the procedure I would also use for expired certs. The example here is for CSA 6.0. Which version are you running? Do you have an easy way of distributing the new certs to each agent?
1. net stop csagent
2. cd program files/cisco/csamc/csamc60/cfg
   delete files sslca.crt, sslca.csr, sslca.key, sslca.sn, sslhost.crt, sslhost.csr, sslhost.key
3. program files/cisco/csamc/apache2/conf - http.confg - rename 2 entries with hostname
4. cd program files/cisco/csamc/csamc60/bin
   ../perl/5.8.7/bin/MSWin32-x86/perl.exe installcert.pl -forceinstall
5. net start csagent
6. cd program files/cisco/csamc/csamc60/bin
   webmgr makekits_refresh
7. copy cert file sslca.crt from \csamc60\cfg to the agent /cfg directory
Matthew
09-06-2012 07:55 AM
Using latest version 6, agents are 6.0.2.126.
Not really a way to distribute kits as I would like. I remember back in ver4, when someone else was keeping watch on the system and they had to redo the hardware, we had to go around manually and either reinstall the agent or copy the 2 files over. It wasn't fun. We were thinking of using a GP to push them. Is that possible?
09-06-2012 08:30 AM
You only have to distribute the certs and copy them to the agent directory, though a new agent kit might be easier for users to deploy. What is GP? Matthew
09-06-2012 09:52 AM
When you say distribute, you mean give them to all the PCs that have agents on them?
When you state through a new agent kit, would there be any way to make them update automatically? GP (Group Policy) was suggested to be used by one of our support techs, not sure how that would pan out.
09-06-2012 10:22 AM
When you say copy the sslca.crt from the csamc60\cfg to the agent cfg directory, are you talking about the cfg directory on the actual user PC running the agent?
The sslca.crt file is already up to date on the user machine; the one that is outdated on the MC in the ..\csamc60\cfg is the sslhost.crt file.
If I check the date on the sslca.crt on the server and on the user's PC, those are up to date; it's just the sslhost on the server that is outdated.
It may have been from the one support tech trying to fix it. I know he ran something but didn't use the forceinstall option.
09-10-2012 12:02 AM
I'm sorry, but I am not sure how you replace just the sslhost.crt file. I have used the script to replace certs when either the MC name or IP address changed or the certs became out of date. To answer your question, yes, the sslca.crt file from the MC needs to be copied to all agents. Not nice if you have many agents. Matthew
09-12-2012 10:11 AM
Matt, so if I follow these steps, it will recreate all the new files, sslca.crt, sslca.csr, sslca.key, sslca.sn, and sslhost.crt, sslhost.csr and sslhost.key? Then after that, the next step is to deploy a copy of the sslca.crt to the users' (agent) cfg directory as in step 7? I noticed on 2 client machines the current sslca.crt in their cfg directory was already up to date, so could it be possible we won't have to deploy that with group policy?
1. net stop csagent
2. cd program files/cisco/csamc/csamc60/cfg
   delete files sslca.crt, sslca.csr, sslca.key, sslca.sn, sslhost.crt, sslhost.csr, sslhost.key
3. program files/cisco/csamc/apache2/conf - http.confg - rename 2 entries with hostname
4. cd program files/cisco/csamc/csamc60/bin
   ../perl/5.8.7/bin/MSWin32-x86/perl.exe installcert.pl -forceinstall
5. net start csagent
6. cd program files/cisco/csamc/csamc60/bin
   webmgr makekits_refresh
7. copy cert file sslca.crt from \csamc60\cfg to the agent /cfg directory
09-12-2012 11:20 AM
That's right. You won't need to do step 3 as the MC name is not changing. I don't understand the question about not having to deploy with group policy. I'm not sure how you get to a situation where some certs are expired and some are not. Do you want to take a look at this together? Drop me a mail (mwinnett@cisco.com). Matthew
09-12-2012 12:13 PM
Yeah, just looked at a 3rd machine. In the agent config directory the sslca.crt has a date good to 07/21/2017, and says:
Issued to: Root CA on Myser.x.yxx.local
Issued by: Root CA on Myser.x.yxx.local
Valid from 07/24/2007 to 07/21/2017
If I go to the https page of my MC, on the login page there is the link in the lower left corner, "Get Root Certificate". I get the pop-up and it says sslca.cer; upon opening, it has the same credentials with a good date. When I go to the server directory of Myser.x.yxx.local, \programs\cisco systems\csamc\csamc60\cfg, and look at the sslca.crt, it shows the same information with the updated dates. Then when I look at the sslhost.crt it says:
Issued to: Myser.x.yxx.local <-- Different
Issued by: Root CA on Myser.x.yxx.local
Valid from 07/24/2007 to 07/22/2012 <-- Different
The 22nd is when agents stopped polling. My question was pertaining to the dates on the agents: it appears the sslca.crt is updated, or at least on the ones I have checked. So when I run the script to update the sslhost.crt, will that make those sslca.crt files on the agents invalid, as it will regenerate all new security encrypters? Or, since the server is keeping the same name and the config hasn't changed, will those be valid? It appears, on the ones I have checked so far, that the agents have an updated valid copy of the sslca.crt; it was just the sslhost.crt on the server that expired.
Does that clear it up at all?
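Added example, not part of any post in this thread and not Cisco's code: a PowerShell sketch that answers the two separate questions raised above, namely which certificate is outside its validity window, and whether a host certificate still chains to the root copy an agent holds. It separates the date check from the trust check, so an expired host certificate can still be matched to its root, and a regenerated host certificate can be tested against an agent's old root copy (the thread says the script recreates the sslca.* files as well as the sslhost.* files). The certificates are constructed in memory with the hypothetical name mc.example.local; PowerShell 5+ and .NET Framework 4.7.2+ are assumed.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Validity state of one certificate at a given moment.
function Get-CertState {
    param([X509Certificate2]$Cert, [datetime]$At = (Get-Date))
    $state = if ($At -lt $Cert.NotBefore) { 'NotYetValid' } elseif ($At -gt $Cert.NotAfter) { 'Expired' } else { 'Valid' }
    [pscustomobject]@{ Subject = $Cert.Subject; Issuer = $Cert.Issuer; NotAfter = $Cert.NotAfter; State = $state }
}

# Does $Leaf chain, by signature, to exactly this root? Expiry is ignored on purpose
# so the trust question is answered separately from the date question.
function Test-IssuedBy {
    param([X509Certificate2]$Leaf, [X509Certificate2]$Root)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority, IgnoreNotTimeValid'
    [void]$chain.ChainPolicy.ExtraStore.Add($Root)
    $built = $chain.Build($Leaf)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $built -and $chain.ChainElements.Count -gt 1 -and $top.Thumbprint -eq $Root.Thumbprint
}

# Constructed test data only: an in-memory root and the host certificate it signs.
function New-DemoPair {
    param([string]$Name, [DateTimeOffset]$From, [DateTimeOffset]$RootTo, [DateTimeOffset]$HostTo)
    $sha, $pad = [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1
    $rootReq = [CertificateRequest]::new("CN=Root CA on $Name", [RSA]::Create(2048), $sha, $pad)
    $rootReq.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
    $root = $rootReq.CreateSelfSigned($From, $RootTo)
    $hostReq = [CertificateRequest]::new("CN=$Name", [RSA]::Create(2048), $sha, $pad)
    @{ Root = $root; HostCert = $hostReq.Create($root, $From, $HostTo, [byte[]](1, 2, 3, 4)) }
}

$now = [DateTimeOffset]::Now
# "old": same validity dates as quoted in the thread; "new": a regenerated pair with a fresh root key.
$old = New-DemoPair 'mc.example.local' '2007-07-24' '2017-07-21' '2012-07-22'
$new = New-DemoPair 'mc.example.local' ($now.AddDays(-1)) ($now.AddYears(10)) ($now.AddYears(5))

$when = Get-Date '2012-09-12'
Get-CertState $old.Root $when            # root certificate (the sslca.crt role)
Get-CertState $old.HostCert $when        # host certificate (the sslhost.crt role)
Test-IssuedBy $old.HostCert $old.Root    # expired host cert against the root agents hold
Test-IssuedBy $new.HostCert $old.Root    # regenerated host cert against an agent's old root
Test-IssuedBy $new.HostCert $new.Root    # regenerated host cert against the redistributed root
```

To run the same checks on real files, load each one with `[X509Certificate2]::new('<path>\sslca.crt')` (placeholder path) and pass the objects to the two functions.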