cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2153
Views
5
Helpful
6
Replies
Highlighted
Beginner

CSM 4.4 device credentials

I have just upgraded to CSM 4.4 (from 4.3 sp 1) almost everything works as expected.

However - one of my firewalls has had its ssl certificate expire.

So I go to device properties -> device credentials

Go down to the Authentication Certificate Thumbprint and click retrieve from device.

As expected I get a window with the Certificate details (and the expiry date is now 2023 so it is valid)

Click on accept

And then go to click on save - at this point I get a window with no description text, but a title which states "Error Validating Data" and a Yes or No Option.

Clicking either yes or no has the same result - it doesn't accept the cert and I can't then use test connectivty to get my firewall back to being managed.

Very confused here.... any suggestions

Thanks in advance

Giles Cooper

6 REPLIES 6
Highlighted
Participant

Hi,

Hitting the same issue. Did you found solution for this as I am about to go to cisco.

Thank you.

Highlighted
Participant

Found a workaround + cisco fix is there.

I had IPS software updated to 7.2.1. It is not supported by CSM 4.4 (SP1 should be installed) As a workaround I've:

- deleted the device

- added it back . During addition you have "test connectivity". It fails, but it shows you the device certificate. Copy fingerprint from the output.

- go to newly added device, then credentials, insert fingerprint, save.

Working fine but still CSM update is scheduled.

regards,

Volodymyr Morskyy

Highlighted

Sorry I found a workaround but forgot about this question.

Right click on the device and select Device Properties

Go to credentials

And click retrieve from device.

Copy the thumbprint to the clipboard.

Cancel the device properites screen

Go to Security manager administation

Select Device communication

Click Add Certificate

Paste in the thumbprint and supply the IP address of the device.

Click Save

And it should work properly.

Highlighted

Hi Giles,

Yes, the same thing I've done but from different menus))

Thank you anyway

Highlighted
Beginner

This is definitely a bug in CSM 4.x and still exists in the latest version 4.4 SP2. 

https://tools.cisco.com/bugsearch/bug/CSCue25304

https://tools.cisco.com/bugsearch/bug/CSCuf94050

I ran the script suggested in the workaround (script.pl) and it did provide a resolution on this issue in our installation.  Here is the information taken directly from the bug links above.

A script is included with CSM 4.4 SP1 to automate these changes for all affected devices:

1.) Ensure that there are no pending changes present in CSM that have not been committed to the database. This can be done via the Configuration Manager (client app)'s File menu > Submit . Then, exit/close any/all open instances of CSM client app's.

2.) On the CSM server itself, right-click on the Command Prompt start menu item and choose the "Run as administrator" option to open a privileged command prompt window, then:

cd \"Program Files (x86)"\CSCOpx\bin

perl.exe script.pl

3.) Once the script completes, restart the 'Cisco Security Manager Daemon Manager' (CRMDmgtd) MS Windows service and allow it a few minutes for it to restart all dependent services

In case anyone has an issue after the script, then I have another workaround on this issue.

What we have done to update the certificates is to select the device under "Devices" and then run the "IPS Certificates Utility"  (Manage->IPS->IPS Certificates).  Select the device and choose "Regenerate Certificate" and it will update the certificate push the date out. The "Sync Certificate" works as well, but it is just a matter of preference on how you want to accomplish the update.

Thanks for the workaround suggestions provided and I hope this information is useful to someone.


Highlighted
Beginner

I had this problems too.

We are checked Firewall events and it was blocked ssl(tcp/443) port between CSM and Firewalls. We opened these ports and it was solved.

Content for Community-Ad