I have just upgraded to CSM 4.4 (from 4.3 SP1); almost everything works as expected.
However, one of my firewalls has had its SSL certificate expire.
So I go to device properties -> device credentials
Go down to the Authentication Certificate Thumbprint and click retrieve from device.
As expected I get a window with the certificate details (and the expiry date is now 2023, so it is valid).
Click on Accept.
And then go to click on Save. At this point I get a window with no description text, but a title which states "Error Validating Data" and a Yes or No option.
Clicking either Yes or No has the same result: it doesn't accept the cert, and I can't then use Test Connectivity to get my firewall back to being managed.
Very confused here... any suggestions?
Thanks in advance
Found a workaround, and a Cisco fix is available.
I had the IPS software updated to 7.2.1. It is not supported by CSM 4.4 (SP1 should be installed). As a workaround I've:
- deleted the device
- added it back. During addition you have "Test Connectivity". It fails, but it shows you the device certificate. Copy the fingerprint from the output.
- gone to the newly added device, then Credentials, inserted the fingerprint, and saved.
Working fine, but the CSM update is still scheduled.
Sorry I found a workaround but forgot about this question.
Right click on the device and select Device Properties
Go to credentials
And click retrieve from device.
Copy the thumbprint to the clipboard.
Cancel the Device Properties screen.
Go to Security Manager Administration.
Select Device communication
Click Add Certificate
Paste in the thumbprint and supply the IP address of the device.
And it should work properly.
This is definitely a bug in CSM 4.x and still exists in the latest version 4.4 SP2.
I ran the script suggested in the workaround (script.pl) and it did provide a resolution on this issue in our installation. Here is the information taken directly from the bug links above.
A script is included with CSM 4.4 SP1 to automate these changes for all affected devices:
1.) Ensure that there are no pending changes present in CSM that have not been committed to the database. This can be done via the Configuration Manager (client app)'s File menu > Submit. Then exit/close any and all open instances of the CSM client app.
2.) On the CSM server itself, right-click on the Command Prompt start menu item and choose the "Run as administrator" option to open a privileged command prompt window, then:
cd \"Program Files (x86)"\CSCOpx\bin
3.) Once the script completes, restart the 'Cisco Security Manager Daemon Manager' (CRMDmgtd) MS Windows service and allow it a few minutes to restart all dependent services.
In case anyone has an issue after the script, then I have another workaround on this issue.
What we have done to update the certificates is to select the device under "Devices" and then run the "IPS Certificates Utility" (Manage -> IPS -> IPS Certificates). Select the device and choose "Regenerate Certificate", and it will update the certificate and push the expiry date out. "Sync Certificate" works as well; it is just a matter of preference on how you want to accomplish the update.
Thanks for the workaround suggestions provided and I hope this information is useful to someone.