Categorization of Problem Areas


Problem areas of VMS can be categorized as follows:

  • Licensing issues

  • Installation issues

  • User management issues

  • Database management issues

Licensing Issues

This section presents some of the most common licensing issues related to the CiscoWorks VPN/Security Management Solution (VMS) bundle.

Before you delve into further details, it is useful to review some of the licensing options you have on the VMS:

  • VMS Evaluation License: This is a trial license, which expires in 90 days.

  • VMS Basic License: This type of license supports up to five devices. This number restriction is only for the Management Consoles, not for CSA Agent. There is no license limitation on the number of CSA agents that can be managed if the agents are purchased separately.

  • VMS Restricted License: This type of license supports up to 20 devices. Again, there is no license limitation on the number of CSA agents that can be managed, as they are purchased separately.

  • VMS Unrestricted License: This type of license allows use of the product on a Windows or Solaris server for any number of devices.

VMS has two types of license keys that require registration with Cisco Systems and installation on the VMS server. These two types of license keys are:

  • The Management Center for Cisco Security Agent (CSA MC) key: This key enables one CSA MC and three CSA server agents on the CiscoWorks Common Services server. Other agents are purchased and licensed separately.

  • Common Services key: This key enables all the other Management and Monitoring Center software in VMS. This key defines the number of hardware devices that can be managed.

Support of different licenses and installation methods is summarized in Table 17-2.

Table 17-2. Support of Different Licenses on VMS

| License | VMS Basic | VMS Restricted | VMS Unrestricted | VMS Evaluation | Updating from a Previous VMS 2.x Version |
|---|---|---|---|---|---|
| Number of devices supported | 5 device keys for Common Services | 20 device keys for Common Services | Unlimited device keys for Common Services | Operates for 90 days | A previous VMS 2.0, 2.1 or 2.2 Common Services key will continue working with future VMS 2.x updates |
| CSA Support | Management of an unlimited number of CSA agents. Agents are purchased and licensed separately | Management of an unlimited number of CSA agents. Agents are purchased and licensed separately | Management of an unlimited number of CSA agents. Agents are purchased and licensed separately | N/A | N/A |
| Part Numbers | CWVMS-2.2-B-SR-K9 and bundled with various hardware bundles | CWVMS-2.2-WINR-K9, CWVMS-2.2-WUPGR-K9 | CWVMS-2.2-UR-K9, CWVMS-2.2-UPGUR-K9 | N/A | CWVMS-DEC03URMR-K9, CWVMS-DEC03RMR-K9 |
| Registration for Common Services License Key | Not required | Refer to Registration for CiscoWorks Common Services | Registration for CiscoWorks Common Services | Not required | Not required. Use existing key from VMS 2.x |
| Installing the Common Services License Key | Refer to Installing the licensing key for VMS Common Services. Key file name is VMS-SAMPLER.LIC and is located on the CD under license directory | Refer to Installing/Upgrading the License Key for CiscoWorks Common Services | Refer to Installing/Upgrading the License Key for CiscoWorks Common Services | Refer to Installing/Upgrading the License Key for CiscoWorks Common Services | Refer to Installing/Upgrading the License Key for CiscoWorks Common Services |
| Registration for CSA MC License Key | Not required | Refer to Registration for the Management Center for Cisco Security Agents | Refer to Registration for the Management Center for Cisco Security Agents | Not required | Refer to Registration for the Management Center for Cisco Security Agents |
| Installing CSA MC License Key | Refer to Installing the licensing key for the Management Center for Cisco Security Agents. Key file name is CSAMC.LIC and is located on the CD under license directory | Refer to Installing the License Key for the Management Center for Cisco Security Agents | Refer to Installing the License Key for the Management Center for Cisco Security Agents | Refer to Installing the License Key for the Management Center for Cisco Security Agents | Refer to Installing the License Key for the Management Center for Cisco Security Agents |


The sections that follow contain the registration and installation process of different licenses as described in Table 17-2.

Registration for CiscoWorks Common Services

If you have the VMS Basic CD, you do not need to register. You can find the license key file in the license directory of the VMS Basic CD. The name of the license key file is SAMPLER.LIC.

However, the VMS Restricted and Unrestricted software requires registration on a Cisco Web site. The Common Services component within VMS installs a 90-day unrestricted license by default. The license expires after 90 days and the product will no longer function. It is highly recommended that you register and install a production license immediately.

To obtain a production license for your Common Services software, register your software at one of the following Web sites. You will need to provide the Product Authorization Key (PAK), which is printed on a label affixed to the VMS Management and Monitoring Centers (VMMC) sub-box.

If you are a registered user of Cisco.com, use this Web site: http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl

If you are not a registered user of Cisco.com, use this Web site: http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl

The production license will be sent to the e-mail address that you provided during the registration process. Retain this license with your CiscoWorks Common Services software records.

Installing/Upgrading the License Key for CiscoWorks Common Services

After you obtain the production license via e-mail, work through the following steps to license your software or upgrade it from trial to production version:

Step 1.

Copy the new license file to the CiscoWorks Common Services server. Note the name of the file and the directory location of the file.

Step 2.

From the CiscoWorks server menu, select VPN/Security Management Solution > Administration > Common Services > Licensing Information. The License Information dialog box displays. The license type, number of devices supported by the license, and the expiration date of the license display under License Information. Note that the VPN/Security Management Solution drawer is available only if Management Center (MC) applications are installed on your server.

Step 3.

To update your license, follow these steps:

- Enter the path to the new license file in the Filename field, or click Select to locate the new file that was noted in Step 1. Do not add the CSA license file by mistake; doing so results in an error message suggesting a corrupt license.

- Click Update. After the system verifies the license file, a message indicates the status of the license update.

- To close the message box, click OK. The updated licensing information displays under License Information.

Registration for the Management Center for Cisco Security Agents (CSA MC)

In addition to registering for the VMS Common Services, you also need to register on the Cisco Web site for the Cisco Security Agent (CSA) software.

Web registration is not required if you have the VMS 2.2 kit that includes the VMS 2.2 update 1 (see the label on the VMMC CD; these kits are shipped after January 2004). Registration is also not required if you have the VMS Basic CD.

Older VMS 2.2 kits that shipped before January 2004 require registration for the CSA management console and three server agents that are included with VMS.

If you are a registered user of Cisco.com, use this Web site: http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl

If you are not a registered user of Cisco.com, use this Web site: http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl

Installing the License Key for the Management Center for Cisco Security Agents (CSA MC)

You must install the CSA MC license before the CSA Agent license installation. Following are the two ways you can install the CSA MC license:

  • During installation: During the installation, you are prompted to copy the license into the CSA MC directory. If you choose Yes, you can browse to the license file on the system (or in an accessible file share), save it, and continue the installation. So, once you get the license key file from Cisco, you need to save the file on the same server as CiscoWorks Common Services, or to a shared drive that the CiscoWorks server can access. Alternatively, you can choose No when prompted and copy the license when the installation has completed and the system is rebooted.

  • After installation: To install the license file after CSA MC installation, go to VPN/Security Management Solution > Management Center > Security Agents (V4.5) > Maintenance > License Information. The License Information screen displays. You can browse to the license file by clicking the Browse button. Once the license file is located, click the Upload button to copy the file into the CSA MC directory. Ensure that you select the CSA license file and not the Common Services license file. You need to have the license file copied on the client PC from where you are accessing the CiscoWorks Common Services server.

Common Licensing Issues and Work-Arounds

Troubleshooting steps are explained in detail in Chapter 18, "Troubleshooting IDM and an IDS/IPS Management Console (IDS/IPS MC)" under the section entitled "IDS MC Licensing Issues," and therefore the details are not discussed thoroughly in this chapter. Following is a summary of the discussion covered in Chapter 18:

  • Corrupted or expired license: There are primarily two issues with licenses for CiscoWorks Common Services: the license is either corrupted or expired. In either case, you must get a new license from Cisco by sending an e-mail to licensing@cisco.com.

  • Terminal services issue: You might receive installation errors with terminal services enabled (remote admin mode) for CiscoWorks or license errors while accessing VMS. To resolve these issues, disable Terminal Services before installing VMS.

Installation Issues

It is beyond the scope of this section to discuss all the details of installation procedures. This information can be found at the following location:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/ig_wincv/instl.htm

This section summarizes the major points and then discusses installation troubleshooting.

The following is the minimum hardware requirement for Common Services:

  • Pentium III minimum 1 GHz

  • Windows 2000 Server

  • Win2k Service Pack 2

  • New Technology File System (NTFS) (recommended)

  • 1 gigabyte physical RAM

  • 2 gigabytes minimum available hard drive space

It is strongly recommended not to install CiscoWorks Common Services on any of the following:

  • Primary domain controller

  • Backup domain controller

  • Terminal Server (If you require a Terminal Server, make sure to turn it off at the time of installation. Once the installation of CiscoWorks common services and other MCs is complete, you can turn this back on.)

The following are the prerequisites for Common Services installation:

  • Minimum hardware.

  • Target partition formatted as NTFS (recommended).

  • Being logged into Windows as a local administrator.

  • Required Microsoft components installed (Service packs, and so on).

  • Removal of all software that uses conflicting ports (for example, HTTP, FTP, and so on).

  • Disabling of any hardware-specific services during installation. For example, disable any unnecessary COMPAQ services.

  • Disabling of anti-virus software during time of installation.

Installation Steps

Work through the following steps to install the CiscoWorks Common Services:

Step 1.

Place the CD in the drive.

Step 2.

After Install starts, accept the licensing agreement.

Step 3.

Install in the default directory, C:\Program Files\CSCOpx, on the NTFS drive of your choice.

Step 4.

Locate the license file and provide it when asked.

Step 5.

Enter the Windows administrator password and confirm the password.

Step 6.

Default values for the Lock Manager (LM) and Frame Management System (FMS or database) are displayed. Do not change these port numbers unless another service on the system conflicts with them. The LM default port is 1272 and FMS is 9652.

Step 7.

Enter the information such as HTTPS port (usually TCP/443), e-mail address of the system admin, and SMTP server information used by the Apache web server.

Enter the certificate generation input and remember the information in the fields on this page; it is used to generate the local security certificate. The fields are: Country code, State name, Company name, Organization name, Domain name, and Certificate password.

Step 8.

The option to create a shortcut then displays.

Change the passwords as needed: Causer (internal admin user, not visible, use random); Admin (admin); Guest (blank); CMF Database (random).

Step 9.

Finally, you will be asked to restart the computer.

After the server is rebooted, you can point your browser as follows: http://server_name:1741

You can log in to Common Services by entering admin in the Name field. If you have not changed the default password during installation, type admin in the password field. Click Connect or press Enter.

Troubleshooting Installation Problems

Most of the installation-related issues are reported to the console at the time of the installation. Additional information can be found in the installation log, which is discussed under the "Diagnostic Commands and Tools" section. Following is a list of probable causes of installation failure:

  • Not logged in as administrator: If you are not logged in to Windows with administrator privileges, you will receive this message during installation: "CiscoWorks Common Services installation cannot proceed because you are not logged in as an administrator." To resolve this issue, log in to Windows with local administrator privileges and try installing again.

  • Installation file corruption: When you download the CiscoWorks Common Services software from the Cisco Web site, a transmission error can occur for various reasons. You will get messages such as these: "Decompression failed on file. The error was for error code per CompressGet;" or "General file transmission error. Please check your target location and try again. Error number: error code;" or "Severe: Cannot run the dependency handler." In all cases, to resolve the issue, download the software again from the Cisco Web site.

  • File-write operation failure: If a file-write operation failed, you will receive this message during installation: "Unable to write infoFile or Unable to create infoFile." Under this circumstance, run the file system checking utility, and then repeat the installation. Verify that you have write permission to the destination directory and the Windows TEMP directory; then repeat the installation. The environment variable %TEMP% provides the location of the TEMP directory.

  • File-open operation failure: If the file-open operation fails, it will result in an "OpenFile failed: pathname" message. Run the file system checking utility, then repeat the installation. Verify whether you have read permission on pathname, and then repeat the installation.

  • Unable to stop the service: During installation, one or more services might not be stopped by the installer, resulting in this message: "Cannot stop service servicename." Under this circumstance, select Control Panel > Services and stop the service servicename manually; then proceed with (un)installing.

  • Windows failed to load Dynamic Link Library (DLL): A DLL is supposed to be available at any time for any process. Otherwise, installation will fail with either of these messages: "UseDLL failed for dll"; or "function failed: DLL function not found." Check permissions on the system32 directory under %WINDIR%. If dll is secure.dll or r_inst.dll, check the product installation media for errors or reinstall Windows.

  • Setting file permission failure: If you are not logged in as administrator, or if you are installing on a FAT file system, CiscoWorks Common Services cannot provide file security, and the following error message will display during installation: "ProtectFile failed: file: error. WWW admin security may be incomplete."

  • Database corruption: If the existing database file is broken, or if the previous version of CiscoWorks Common Services is destroyed, you will see this message: "Launch of isql script failed." Usually this problem occurs during reinstallation. Under this circumstance, you might need to contact the Cisco Support Team for consultation on whether the database recovery is possible.

  • DNS issues: If you do not have the DNS name resolution for the server where you are installing the CiscoWorks Common Services or have problems with DNS resolution, you can still proceed with the CiscoWorks Common Services installation. However, you must correct the DNS problem before running the software. DNS might fail for a number of reasons, among which these three are important: the DNS server is not working, DNS is slow, or the host name of this server is not defined in the DNS server.

  • Lack of space in the TEMP directory: The installer requires temporary workspace, and if there is too little you will see this message: "The installer requires temporary workspace. You have less than 8 MB of free space on drive. Please free up some space and try again." There is not enough drive space for temporary installation files. Make more drive space available (%TEMP%), then rerun installation.

  • Trying to install on Primary Domain Controller (PDC) or Backup Domain Controller (BDC): Installing CiscoWorks Common Services is not supported either on PDC or BDC. You must install it on a standalone server.

  • Installing in the wrong directory: If you try to install CiscoWorks Common Services in a root directory (for example c:\> or d:\>), the installation will fail. You need to create a directory off the root to proceed with the installation.
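
Several of the causes above can be checked before the installer is started. The following Python script is an added example, not part of the book or of CiscoWorks; it tests for a drive-root install directory, less than 8 MB free in TEMP, and conflicts on the default ports named in the installation steps. The function names are hypothetical.

```python
import shutil
import socket
import tempfile
from pathlib import PureWindowsPath

# Values taken from the page: the default LM and FMS ports, the HTTP port
# used after the reboot, the usual HTTPS port, and the 8 MB TEMP minimum.
DEFAULT_PORTS = {"Lock Manager": 1272, "FMS database": 9652,
                 "CiscoWorks HTTP": 1741, "HTTPS": 443}
MIN_TEMP_BYTES = 8 * 1024 * 1024


def is_root_dir(install_dir):
    """True for a bare drive root such as c:\\ or d:, where installation fails."""
    path = PureWindowsPath(install_dir)
    return bool(path.drive) and len(path.parts) == 1


def port_in_use(port, host="127.0.0.1"):
    """True if the TCP port cannot be bound locally.

    A bind failure normally means another service owns the port. On systems
    where low ports need elevated rights, a permission error is also reported
    as "in use", so run the check from the account that will install.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError:
            return True
    return False


def preflight(install_dir, ports=None, temp_free=None):
    """Return a list of findings; an empty list means no blocker was detected."""
    findings = []
    if is_root_dir(install_dir):
        findings.append(f"install directory {install_dir!r} is a drive root")
    if temp_free is None:
        # Free space on the volume that holds the TEMP directory.
        temp_free = shutil.disk_usage(tempfile.gettempdir()).free
    if temp_free < MIN_TEMP_BYTES:
        findings.append(f"only {temp_free} bytes free in TEMP, need {MIN_TEMP_BYTES}")
    for name, port in (DEFAULT_PORTS if ports is None else ports).items():
        if port_in_use(port):
            findings.append(f"port {port} ({name}) is already in use")
    return findings


if __name__ == "__main__":
    results = preflight(r"C:\Program Files\CSCOpx")
    for line in results or ["no blockers detected"]:
        print(line)
```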

User Management Issues

CiscoWorks Common Services provides the flexibility to change the user password and allows you to create or delete users. The following are some of the tasks you can perform:

  • Changing Admin Password: Select Server Configuration > Setup > Security > Modify My Profile in the navigation tree to change the admin password. Type a new password in the Local Password and Confirm Password fields. Finally, click Modify.

  • Modifying or Deleting a Guest Account: Select Server Configuration > Setup > Security > Modify/Delete Users in the navigation tree. Then select the Guest account and click Delete twice to delete the account.

Several user databases can be used to authenticate and authorize the user who needs to access the CiscoWorks Common Services using a browser. These databases are considered external databases to CiscoWorks Common Services. One of the most popular of these databases is Cisco Secure Access Control Server (CS ACS). In the "Case Studies" section of this chapter, we will explore how to configure the CiscoWorks Common Services with the CS ACS server for user authentication when accessing the CiscoWorks Common Services.

Database Management Issues

This section examines how to run a backup and a restore on a CiscoWorks Common Services server for disaster recovery, or just to back up the data from one server to the other.

Depending on the configuration of the server, you might need to back up one or more of the following databases:

  • CiscoWorks Common Services database containing the user information created in Common Services for login purposes.

  • Management Console database (Sybase).

  • CSA MC database, which is handled differently and is totally independent of the other MC database.

The sections that follow explain how to back up the CiscoWorks Common Services databases. The other components of database backup and restore procedures are explained in their corresponding chapters.

CiscoWorks Common Services Backup

You can schedule automatic database backup or choose an immediate backup of the CiscoWorks Common Services database. Database options work within the current version only and do not support other versions. Work through the following steps to configure automatic backup:

Step 1.

Select Server Configuration > Administration > Database Management > Schedule Backup. The Set Backup Schedule dialog box displays.

Step 2.

Enter the following information:

- Backup Directory: Location of the backup directory. It is recommended that your target location be on a different partition than where CiscoWorks is installed.

- Generations: Number of database backup copies to retain. The system keeps only the number of copies you specify.

- Time: From the drop-down lists, select the time for the backup to occur. Use a 24-hour format.

- Frequency: Select the backup schedule:

  - Daily: The database is backed up every day at the time specified.

  - Weekly: The database is backed up once a week on the day and time specified. Select the day of the week from the drop-down list.

  - Monthly: The database is backed up once a month on the day and time specified. Select the day of the month from the drop-down list.

Click Finish. The Schedule Backup message verifies your schedule and provides the location of backup log files.

The database backup file name structure is as follows:

/generationNumber/suite/directory/filename

An explanation of the meaning of each field follows:

  • generationNumber: Number of backups. For example, 1, 2, and 3, with 3 being the latest database backup.

  • Suite: Application or suite. CiscoWorks server suite is cmf. Other optional suites are supported.

  • Directory: What is being stored. Directories include databases and any suite applications.

  • Filename: File that has been backed up. Files include database (.db), log (.log), version (DbVersion.txt), manifest (.txt), tar (.tar), and data files (datafiles.txt).
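
As an added illustration (not from the book or from CiscoWorks), the following Python script indexes a backup directory by the generationNumber/suite/directory/filename layout described above, picks the latest generation, and reports which file kinds are missing from it before a restore is attempted. The sample file names and the choice of required kinds (database and version) are assumptions.

```python
import tempfile
from pathlib import Path

# File kinds the page lists. Exact names are tested before generic suffixes
# so DbVersion.txt and datafiles.txt are not mistaken for a manifest (.txt).
KINDS = (
    ("version", lambda n: n == "dbversion.txt"),
    ("datafiles", lambda n: n == "datafiles.txt"),
    ("database", lambda n: n.endswith(".db")),
    ("log", lambda n: n.endswith(".log")),
    ("tar", lambda n: n.endswith(".tar")),
    ("manifest", lambda n: n.endswith(".txt")),
)


def classify(filename):
    """Map a backed-up file name to one of the kinds named on the page."""
    name = filename.lower()
    for kind, matches in KINDS:
        if matches(name):
            return kind
    return "other"


def index_backup(root):
    """Return {generation: {suite: {kind: [relative paths]}}} for a backup root."""
    root = Path(root)
    index = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        parts = path.relative_to(root).parts
        # Expect generationNumber/suite/directory/filename; skip anything else.
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        kinds = index.setdefault(int(parts[0]), {}).setdefault(parts[1], {})
        kinds.setdefault(classify(parts[-1]), []).append("/".join(parts))
    return index


def latest_generation(index):
    """The highest generation number is the most recent backup."""
    return max(index) if index else None


def missing_kinds(index, generation, suite="cmf", required=("database", "version")):
    """Kinds absent from one suite in one generation (required set is an assumption)."""
    present = index.get(generation, {}).get(suite, {})
    return [kind for kind in required if kind not in present]


def build_sample(root):
    """Create a constructed sample tree; generation 2 lacks its .db file."""
    names = (
        "1/cmf/database/cmf.db", "1/cmf/database/cmf.log",
        "1/cmf/database/DbVersion.txt",
        "2/cmf/database/cmf.log", "2/cmf/database/DbVersion.txt",
        "2/cmf/app/datafiles.txt",
    )
    for name in names:
        target = Path(root, name)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        idx = index_backup(tmp)
        gen = latest_generation(idx)
        print("latest generation:", gen, "missing:", missing_kinds(idx, gen))
```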

You can back up data on demand instead of waiting for the next scheduled backup by using this option. We recommend that your target location be on a different hard disk or partition than where CiscoWorks is installed. Database options work within the current version only and do not support other versions.

Follow these procedures to perform on-demand backup:

Step 1.

Select Server Configuration > Administration > Database Management > Back Up Data Now. The Back up Data Now dialog box displays.

Step 2.

Enter the pathname of the target directory.

Step 3.

To begin the backup, click Finish. This process could take some time to complete.

CiscoWorks Common Services Restore

You can restore your database by running a script from the command line. Database options work within the current version only and do not support other versions.

Note

If you restore the database when the CiscoWorks server is enabled for Secure Sockets Layer (SSL), the backed up Server Certificate and Private Key will also be restored. Your existing Certificate and Private Key will be overwritten. Restoring the database from a backup permanently replaces your database with the backed up version.


Work through the following steps on a Windows platform to restore the CiscoWorks Common Services database:

Step 1.

At the command line, make sure you have the correct permissions.

Step 2.

Stop all processes: net stop crmdmgtd

Step 3.

Restore the database:

    %NMSROOT%\bin\perl %NMSROOT%\bin\restorebackup.pl [-force] [-s suite] [-gen generationNumber] -d backup directory

where %NMSROOT% is the CiscoWorks installation directory.

Step 4.

To restore the most recent version, enter the following command:

    %NMSROOT%\bin\restorebackup.pl -d drive:\var\backup\

The log file is %NMSROOT%\log\restorebackup.log.

Step 5.

Restart the system: net start crmdmgtd



Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
EAN: 2147483647
Year: 2006
Pages: 190
Authors: Mynul Hoda
