LMS 3.2 Compliance jobs and crypto trustpoints

tim
Level 1

Hi Guys,

Got a little bit of a problem. I am trying to write a compliance job that is going to adjust the config in a trustpoint. I need it to first confirm that the trustpoint exists and then add some additional commands to the trustpoint.

crypto pki trustpoint fred
 enrollment mode ra
 enrollment xxxx

So from the above config I would write a job that would have a pre-requisite of crypto pki trustpoint fred

and then add auto-enroll x regenerate into the trustpoint.

However when I try to do this via compliance job the job always shows as compliant even though the device has not got the auto-enroll x regenerate line in the trustpoint.

It doesn't seem to matter whether I do a basic or advanced compliance job, or whether I set the pre-requisite of crypto pki trustpoint fred as both a pre-requisite and parent of the subcommand auto-enroll x regenerate or just a pre-requisite. It also doesn't seem to matter whether I set the auto-enroll x regenerate command as a subcommand or global. All attempts seem to pass as compliant even though they only have the pre-requisite met and not the command I am looking for within the pre-requisite as a subcommand.

Any ideas as I need to deploy this configuration across about 100 devices tomorrow

Thanks

2 Replies

tim
Level 1

Lots of views but no answers. Anyone got any ideas?

Just to let people know, I raised a bug with Cisco TAC and they have told me to install SP1. Apparently this fixes a lot of compliance type issues. Will report back once it's done to confirm if the problem is fixed.
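
An independent check of the condition discussed in this thread, as an added example that is not part of the original posts and is not LMS or Cisco code: it reports whether the trustpoint exists (the pre-requisite) and whether the required subcommand sits inside that trustpoint's own block. The function names, the sample configs and the reading of "x" as a number are assumptions.

```python
import re

# Constructed sample configs (not taken from any real device).
COMPLIANT = """\
crypto pki trustpoint fred
 enrollment mode ra
 enrollment xxxx
 auto-enroll 70 regenerate
!
"""
NON_COMPLIANT = """\
crypto pki trustpoint fred
 enrollment mode ra
 enrollment xxxx
!
crypto pki trustpoint other
 auto-enroll 70 regenerate
"""
NO_TRUSTPOINT = """\
hostname r1
!
interface Vlan1
 no ip address
"""

def block_children(config, parent):
    """Return the indented subcommands under `parent`, or None if the
    parent line does not occur at top level (hypothetical helper)."""
    children = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":      # a top-level line opens or closes a block
            if children is not None:
                break                 # the parent's block has ended
            if line.strip() == parent:
                children = []
        elif children is not None:
            children.append(line.strip())
    return children

def check_trustpoint(config, name, required=r"auto-enroll \d+ regenerate"):
    """'not-applicable' when the trustpoint is absent (pre-requisite not met),
    else 'compliant' / 'non-compliant' for the required subcommand."""
    children = block_children(config, f"crypto pki trustpoint {name}")
    if children is None:
        return "not-applicable"
    ok = any(re.fullmatch(required, c) for c in children)
    return "compliant" if ok else "non-compliant"
```

Run against a saved running-config, a "non-compliant" result for a device the compliance job marked compliant reproduces the mismatch described above.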
