Enthusiast

Cannot import S160 config to S170 - error on line 1065 wga_config

We just received a brand new Cisco S170 from our reputable vendor.  I got it updated to the same AsyncOS that our S160 is on, and I exported the config from the S160 to XML with passwords in it.

 

The only thing I had to massage in the XML is the interface M2, which doesn't exist on the S170.  No big deal, we didn't use it anyway.  But now I am getting the following error:

Configuration File was not loaded. Parse Error on element "wga_config" line number 1065 column 15: Error in certificate validation: Signing key has expired.

 

Cisco doesn't want to help us with our brand new appliance.  They say this BRAND NEW appliance is not under warranty.  Well, with all the Cisco B.S. bureaucracy I will never do business with them again after this.  I even did all the license transfers on the online portal.  I even paid the extra $250 or whatever it was for a year of SmartNet.  So I'm reaching out in all desperation to the community now.  How can I get this config imported?

 

We have no web filtering now because our old S160 cannot handle AsyncOS 8, so we had to take the WCCP rules out of the firewall.  The S160 was causing too many issues, like worse than dial-up internet speeds.  Please help.

7 REPLIES 7
Collaborator

I'm pretty sure it's the demo cert that has expired.  This cert is used for the admin login page, and if you didn't issue a new cert for the HTTPS proxy, it's there too...

If you issued a cert from your own CA for the HTTPS proxy make sure you have a copy of its cert and key somewhere.

You can regenerate the demo by going into Security Services/HTTPS Proxy, clicking on Edit Settings, switching to "Use Generated Certificate and Key", and clicking on "Generate New Certificate and Key".

Export the config, import on the S170, then import your cert...

OR if you are using the demo, add this new demo to however you got it to your users as a trusted cert before...

 

 

Or if you're brave, you can chop it out of the xml file...

Enthusiast

Unfortunately that wasn't it.  I thought of that too, but the self-signed cert was still good until 2016.  I generated a new one anyway and made that the HTTPS certificate for the HTTPS proxy, exported the config, removed the M2 interface references from it, and uploaded it to the new S170.  I got the same error:

Configuration File was not loaded. Parse Error on element "wga_config" line number 1078 column 15: Error in certificate validation: Signing key has expired.

 

I go to that line; column 15 is just the white space after the closing caret of <wga_config>.  The wga_config element spans line 1078 to line 11357 in the XML, so it's the bulk majority of the information.

Is there anywhere else certificates could be hiding on here, or any command line way to do it with appropriate force switches or anything you know of?

Beginner

Does anybody have a solution for this issue?

Beginner

Please check the "proxyerrlog.current" on your appliance and look for "Signing cert expires"

If I guess correctly your cert expired on May 1 2016.

Also take a look at this thread:
https://supportforums.cisco.com/discussion/13044711/wsa-config-load

Enthusiast

Ok I figured it out.

 

So I exported the virgin config of the S170, exported the config of the S160 and compared the cert sections under the wga_config xml element (the largest element in the xml file).  Then I copied the cert contents from the virgin S170 to the S160's config section, saved the file and uploaded it.

 

Everything is ok now, thanks for your help!  I'm on the phone with my reseller and they are going to pry into Cisco to see why the device is not coming up even though we paid for smartnet.

 

Sorry for my frustration earlier.  Really want to get this going today so we can have web filtering.

Collaborator

No need to apologize.  I've kicked more than one reseller to the curb because they couldn't get that stuff right...and had "intense discussions" with people at Cisco about what a mess the process is.

Glad to hear you got something working.

 

Beginner

I too had this issue when migrating from S300 to S690. It was fixed after removing the below lines and contents from the backup XML.

<prox_config_secure_auth_cert_name></prox_config_secure_auth_cert_name><prox_config_secure_auth_cert></prox_config_secure_auth_cert>
<prox_config_secure_auth_key></prox_config_secure_auth_key>
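
As an added example (not part of the thread and not Cisco code), the comparison described in the fix above can be scripted: the Python below lists every leaf element of an exported config that holds a PEM block, with its line number, and reports which ones differ from a second export. It assumes the PEM text sits directly in the element's text; the sample fragments and their base64 bodies are constructed placeholders.

```python
import hashlib
import re

# Leaf element whose text holds a PEM block (certificate or private key).
# Assumption: the PEM text is plain element text, not wrapped in CDATA.
PEM_LEAF = re.compile(
    r"<(?P<name>[A-Za-z_][\w.\-]*)(?:\s[^<>]*)?>"
    r"(?P<body>[^<]*-----BEGIN (?P<kind>[A-Z0-9 ]+)-----[^<]*)"
    r"</(?P=name)>"
)

def pem_elements(xml_text):
    """Return (element name, line number, PEM type, short SHA-256) per match."""
    found = []
    for m in PEM_LEAF.finditer(xml_text):
        line = xml_text.count("\n", 0, m.start()) + 1
        # Hash with whitespace stripped so re-wrapped base64 compares equal.
        # Only the digest is reported, never the certificate or key itself.
        body = "".join(m["body"].split()).encode()
        found.append((m["name"], line, m["kind"], hashlib.sha256(body).hexdigest()[:16]))
    return found

def differing(old_xml, new_xml):
    """PEM-bearing elements of old_xml whose content is absent from new_xml."""
    new = {(name, digest) for name, _, _, digest in pem_elements(new_xml)}
    return [(name, line) for name, line, _, digest in pem_elements(old_xml)
            if (name, digest) not in new]

# Constructed fragments: element names are the ones quoted in the thread,
# the base64 bodies are placeholders, not real certificates or keys.
OLD = """<wga_config>
  <prox_config_secure_auth_cert_name>old-demo</prox_config_secure_auth_cert_name>
  <prox_config_secure_auth_cert>-----BEGIN CERTIFICATE-----
PLACEHOLDEROLDCERT
-----END CERTIFICATE-----</prox_config_secure_auth_cert>
  <prox_config_secure_auth_key>-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERSAMEKEY
-----END RSA PRIVATE KEY-----</prox_config_secure_auth_key>
</wga_config>
"""
NEW = OLD.replace("PLACEHOLDEROLDCERT", "PLACEHOLDERNEWCERT")

if __name__ == "__main__":
    for name, line, kind, digest in pem_elements(OLD):
        print(f"line {line}: <{name}> {kind} sha256={digest}")
    print("differs from second export:", differing(OLD, NEW))
```

Because the export contains passwords and private keys, run it on a copy kept on an access-controlled host and delete the copy afterwards.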