Categorization of Problem Areas


The problem areas of CSA MC can be categorized as follows:

  • Installation and upgrade issues

  • Licensing issues

  • CSA MC launching issues

  • CSAgent communication, registration and polling issues with CSA MC

  • Application issues with CSAgent

  • Report Generation Issues

  • Profiler issues

  • Database maintenance issues

Installation and Upgrade Issues

CSA MC is installed as a component on top of Common Services. Hence, Common Services must be installed before you proceed with the CSA MC installation. Once the CSA MC is installed or upgraded, you can generate and download the CSAgents to install or upgrade on desktops or servers. This section explores both CSA MC/CSAgents installation and upgrade issues.

  • New installation issues with CSA MC

  • New installation issues with CSAgent

  • Upgrade issues with CSA MC

  • Upgrade issues with CSAgent

New Installation Issues with CSA MC

Starting with CSA MC Version 4.5, there are three installation configuration options:

  • Installing CSA MC and the database on the same machine Select the Local Database radio button during the CSA MC installation.

  • Installing CSA MC on one server and the database on a remote server Select the Remote Database radio button during the CSA MC installation.

  • Installing two CSA MCs on two separate machines and installing the database on its own remote server In this case, both CSA MCs use the same remote database. Select the Remote Database radio button during the CSA MC installation.

The following section elaborates on these options.

Local Database Installation

For a local database configuration, if you plan to deploy no more than 500 agents, you have the option of installing CSA MC and the included Microsoft SQL Server Desktop Engine (provided with the product) on the same system. In this case, the CSA MC installation also installs its own version of Microsoft SQL Server Desktop Engine on the system.

For a local database configuration, you also have the option of installing Microsoft SQL Server 2000 instead of using the Microsoft SQL Server Desktop Engine that is provided. Microsoft SQL Server Desktop Engine has a 2 GB limit. In this case, you can have CSA MC and Microsoft SQL Server 2000 on the same system if you are planning to deploy no more than 5000 agents.

Note

If you are using SQL Server 2000, it must be licensed separately and it must be installed on the system before you begin the CSA MC installation. Also note that if your plan is to use SQL Server 2000, we recommend that you choose one of the other installation configuration options rather than the local database configuration.


Remote Database Installation with One CSA MC

Use this configuration option if you plan to deploy more than 5000 agents and are using a separately licensed, managed, and maintained SQL Server 2000 database. SQL Server 2000 must be installed and configured on the remote system before you begin the CSA MC installation.

If you are installing CSA MC and the database to multiple machines, be sure the clocks of each machine are in sync. If all clocks are not in sync, unexpected behavior may occur.

Remote Database Installation with two CSA MCs

This is the recommended configuration if you are deploying more than 5000 agents and are using a separately licensed, managed, and maintained SQL Server 2000 database. SQL Server 2000 must be installed and configured on the remote system before you begin the MC installations.

Using this configuration, you can deploy up to 100,000 agents. Having two CSA MCs lets you use one MC for host registration and polling, and another MC for editing configurations. This way, if your network is under attack and a flurry of events is causing one MC's CPU to spike, for example, your CSA MC configuration remains unaffected and you can still push configuration changes to your hosts.

When installing two CSA MCs, the first MC you install automatically becomes the polling and logging MC. The second MC acts as the configuration MC.

During the installation process, the CSA MCs know the order in which the MCs were installed. They direct polling, logging, and management tasks to the appropriate MC. The polling MC can also be used for administration if required.

Now that you are familiar with all the installation options, you are ready to learn the minimum prerequisites of CSA MC installation.

CSA MC Prerequisites

You must fulfill the minimum requirements before you proceed with the CSA MC installation. For the minimum requirements of different versions of CSA, refer to the following link: http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_release_notes_list.html

A summary version of the minimum requirements for CSA MC 4.5 is listed as follows:

  • Hardware RequirementsIntel Pentium 1 Ghz or higher up to 2 processors, 1 GB of RAM, minimum 2 GB of virtual memory, and 9 GB free disk space at all times.

  • Software RequirementsWindows 2000 Server or Advanced Server with Service Pack 3 and all the critical updates (Terminal Services turned OFF).

  • Networking RequirementsStatic IP address or fixed DHCP IP Address. Single NIC interface (Multi-homed systems are not supported for the CSA MC.)

  • VMS version 2.3 with CiscoWorks Common Services must be installed before installing CSA MC 4.5.

  • Other ApplicationNo other applications such as web server, FTP server, and so on.

  • Web BrowsersInternet Explorer 6.x or higher with cookies and JavaScript enabled, and Netscape 6.2 or higher.

  • DatabaseNo other instances of SQL databases installed on the CSA MC server. Multiple instances of a SQL Server database on the server on which CSA MC is being installed pose a security risk to CSA MC and to the server itself. Therefore, a server on which the CSA MC is installed (or about to be installed) that has databases other than CSA MC is not a supported CSA MC configuration.

    Check the registry to be sure there are no references to SQL Server. SQL Server 2000 full edition is available for installation (SQL Server Desktop engine supports up to 2 GB of data) if it is a large-scale deployment.

  • Login AccountYou must log in to the server on which you are installing the CSA MC as a local administrator.

  • File SystemYou must be running New Technology File System (NTFS) file system.

Manually Remove CSA MC

If the CSA MC, for some reason, does not install properly, and you cannot uninstall it via Windows Add/Remove Programs, you will have to manually remove the CSA MC components and reinstall them.

Note

These instructions are for failed installations of the CSA MC and are not meant to recover the CSA MC database, configurations, or other items within the CSA MC. The goal is to install the CSA MC after a failed initial attempt at installing CSA MC.


The following steps remove CSA MC manually. Note that some of these files, services, and registry keys may not exist, depending on how much of the installation completed:

Step 1.

Uninstall CSAgent from the CSA MC server, and reboot the server.

Step 2.

Open Start > Settings > Control Panel > Administrative Tools > Services applet and stop the following services (if applicable):

- Microsoft SQL Server (MS SQL Server)

- Cisco Security Agent Management Console

- CiscoWorks Daemon Manager

- Seagate Page Server

- Seagate Web Component Server

Step 3.

Delete the C:\Program Files\CSCOpx\CSAMC (45) directory.

Step 4.

Delete C:\Program Files\InstallShield Installation Information\{F30535B5-5C0B-11D4-97C0-0050DA10E5AE} file.

Step 5.

Go to Start > Run > regedit and delete the following Registry keys:

- HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CSAMC(45)

- HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CSAgent

- HKEY_LOCAL_MACHINE\SOFTWARE\Seagate Software

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSAMC(45)

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebCompServer(45)

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pageserver(45)

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - uninstall the value {F30535B5-5C0B-11D4-97C0-0050DA10E5AE}

Step 6.

Start the MSSQLServer service.

Step 7.

Start the CiscoWorks Daemon Manager Service.

Step 8.

Re-run the setup.exe for CSA MC.

CSA MC Installation Troubleshooting

To troubleshoot installation issues with CSA MC, you need to analyze the log file CSAMC(45)-Install.log, which is in the C:\Program Files\CSCOpx\CSAMC(45)\log directory. This section examines some common issues that you might experience during or after installation:

  • Be sure to go through the earlier section entitled "CSA MC Prerequisites" to fulfill the requirements.

  • If you try to install the MC when you are not logged on as local administrator (domain admin is not sufficient), CSA MC will not work.

  • CSA MC Server's name should be resolvable by DNS. If not, the CSA Agent will not be able to register with CSA MC because the CSAgent needs to resolve the CSA MC via DNS or WINS (not IP).

  • If you attempted to install CSA MC on a server with other databases running on it, the installation will abort because it detects other databases.

  • The CSAgent (that comes with CSA MC) network shim may not be compatible with another application, especially Sniffer or personal firewall software.

  • You must use Internet Explorer 6.x. Previous versions are not supported by VMS 2.3.

  • If for some reason the CSA MC does not install properly, and you cannot uninstall it via Windows Add/Remove Programs, follow the procedure explained in the section entitled, "Manually Remove CSA MC."

New Installation Issues with CSAgent

Depending on the types of CSAgents that you are installing, the procurement process varies. The section that follows discusses how to get the CSAgent for different types of CSAgents and the minimum requirement for the CSAgents installation.

Procuring CSAgent Software

There are two types of CSAgent kits available:

  • Headless CSAgent (for Call Manager)

  • CSAgent managed my CSA MC

For the Headless CSAgent, you can refer to the following link:

http://www.cisco.com/cgi-bin/tablebuild.pl/cmva-3des

If you are using CSA MC to manage the CSAgent, you can generate the agent kit as follows:

Step 1.

On CSA MC go to Systems > Agent Kits.

Step 2.

Check to see if one of the available agents is what you want to use. If not, click the Add button to create a new one.

Step 3.

Name the new CSAgent and the description.

Step 4.

Under the Configuration section, select groups with which this kit should be associated.

Step 5.

Choose additional options (for example Force reboot after install) under Configuration section.

Step 6.

Then click Make kit.

Step 7.

Click the Generate rules link.

Step 8.

Finally click the Generate button.

Step 9.

Once the CSAgent creation process is completed, go back to Systems > Agent Kits and be sure that you see your newly created agent kit.

Step 10.

Click on the CSAgent Kit you have just created. In the next window, a link will be provided to download the CSAgent kit.

Step 11.

You can copy the link and go to CSAgent machine, and point your browser to download the newly created Agent kit. This also can be transferred via CD once you download on the CSA MC server itself. To see all the available agents created, point the browser to: https://CSAMC45_Server_Name/csamc45/kits

Once you have downloaded the CSAgent, be sure to fulfill the minimum requirements for the CSAgent installation.

CSAgent Prerequisites

The minimum requirements differ for different versions of CSAgent. For the minimum requirements of a specific version of CSAgent, refer to the following link:

http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_release_notes_list.html

For CSAgent version 4.5, the following is a summary list of the minimum requirements:

  • Hardware Requirements

    - Pentium 200 minimum for Windows Operating Systems.

    - Sun Solaris 8 64-Bit Ultrasparc running at 400 MHZ or higher.

    - Linux Intel Pentium 500 MHz or higher.

    - Minimum of 128 MB of RAM (256 MB for Solaris 8).

    - 15 MB hard disk.

  • Software Requirements

    - Windows Server 2003 (Standard, Enterprise, Web, or Small Business Editions).

    - Windows XP (Professional or Home Edition) Service Pack 0, 1, or 2.

    - Windows 2000 (Professional, Server or Advanced Server) with Service Pack 0, 1, 2, 3, or 4.

    - Windows NT (Workstation, Server or Enterprise Server) with Service Pack 6a.

    - Solaris 8, 64 bit 12/02 Edition or higher (This corresponds to kernel Generic_108528-18 or higher).

    - Red Hat Enterprise Linux 3.0 WS, ES, or AS.

  • Web BrowsersInternet Explorer 6.x or higher with cookies and JavaScript enabled, or Netscape 6.2 or higher.

  • Networking Requirements

    - CSA MC and CSAgents need to be able to communicate among each other on TCP/443, TCP/5401 and TCP/5402.

    - CSA MC Name must be resolvable via DNS (Domain Name Service) or WINS (Windows Internet Naming System).

Manual Removal of the CSAgent on Windows

You may want to remove the CSAgent manually from the machine because of the one of the following reasons:

  • You are unable to uninstall the CSAgent with Add/Remove programs.

  • CSAgent uninstall failed wholly or partially, leaving CSAgent files on the machine.

  • The machine that has the CSAgent installed continuously shows blue screens and you cannot boot the machine.

Following are some of the steps that are necessary to remove the agent manually:

Step 1.

Boot up CSAgent machine into Safe Mode (usually F8 or F2 during initial boot-up).This will disable all CSAgent drivers. VGA mode is not sufficient.

Step 2.

If you have Windows 2000 or Windows XP, go to Start > Programs > Administrative Tools > Computer Management. Right-click on Device manager > View > Show all hidden devices.

Step 3.

On Windows 2000 Professional or XP, highlight any entries that are under CiscoCSA and uninstall them (right-click on each device and select Uninstall). On the Windows 2000 server, you may need to go under Non-Plug and Play Drivers and remove all the drivers that start with csa.

Step 4.

If asked whether you want to reboot, choose No until the other devices are uninstalled and the rest of this procedure is completed.

Step 5.

Delete the following entries:

  • Program files\Cisco(Systems) directory.

  • Program Files\InstallShield Installation Information\{DE49974667B9-11D4-97CE-0050DA10E5AE}.

  • WINNT\system32\drivers\csacenter*.sys, csafile*.sys, csanet*.sys, csareg*.sys, csatdi*.sys.

  • WINNT\system32\csafilter.dll (Or WINDOWS\system32\).

  • WINNT\system32\csarule.dll (Or WINDOWS\system32\).

  • WINNT\system32\csauser.dll(Or WINDOWS\system32\).

  • All references to Cisco CSAgent in the Start > Programs > Cisco Security Agents menu.

  • All reference of CSAgent from Start > Programs > Startup.

Step 6.

Select Start > Run, type regedit, and click OK to launch the Registry Editor. Then delete the following registry values:

  • HKEY_LOCAL_MACHINE > SYSTEM > ControlSet001 > Control > Session Manager > KnownDLLs > csauser.dll

  • HKEY_LOCAL_MACHINE > SYSTEM > ControlSet002 > Control > Session Manager > KnownDLLs > csauser.dll

  • HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > csacenter

  • HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > csafile

  • HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > csanet

  • HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > csareg

  • HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > csatdi

  • HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > csagent

  • HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > csahook

  • HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services >csafilter

  • HKEY_Local_Machine > Software > Cisco > CSAgent

  • HKEY_Local_Machine > Software > Microsoft > windows > currentversion > uninstall > {DE499746-67B9-11D4-97CE-0050DA10E5AE}

Step 7.

Finally, reboot the CSAgent machine.

For more details on this procedure, refer to the following link: http://www.cisco.com/en/US/customer/products/sw/secursw/ps5057/products_tech_note09186a00801e598b.shtml-#uninstall

CSAgent Installation Troubleshooting

If you encounter a problem with the CSAgent installation, always analyze the C:\Program Files\Cisco Systems\CSAgent\log\CSAgent-Install.log file (refer to "Diagnostic Commands and Tools" section of this chapter). Work through the steps that follow to troubleshoot any installation-related issues with CSAgent:

Step 1.

Fulfill the minimum requirements outlined in the following link (Release notes): http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_release_notes_list.html

Step 2.

Be sure the CSAgent machine does not have a VPN or firewall active when you uninstall/install the CSAgent. Having a VPN or firewall active will make it impossible to install at least the netshim.

Step 3.

Be sure there is no network sniffer software installed.

Step 4.

Be sure there is no load balancing software installed before installing the CSAgent. Some load balancing software (for example, Compaq load balancing) will work with the CSAgent only if the CSAgent is installed first, and the load balancing software installed second.

Step 5.

Be sure that the user has LOCAL administrator privileges. Domain administrator privilege is not sufficient for installing the CSAgent.

Step 6.

Get the log files found in Program Files\Cisco(Systems)\CSAgent\log and look for any errors.

Step 7.

Get log files referencing CSAgent in the TEMP directory of the Agent machine (if applicable). When an install/uninstall fails, log files that are usually transferred from the TEMP directory to the Program Files\CSAgent\log directory are not transferred. Be careful to look at the correct temp directory. This is not usually the WINNT\temp directory. It is usually the temp directory under the user PROFILE.

Step 8.

To find out which temp directory the user was using when the CSAgent was installed/uninstalled, do the following:

a. Log into the machine as the same user as the one that installed the agent (remember, this user needs to have local admin rights to begin with).

b. Open a CMD window and type: set temp (this will tell you the full path to the temp directory that is being used).

c. Go to that directory and find any *.log files that reference CSA.

Step 9.

Based on the error messages in the temp directory log pertaining to CSAgent, look for any bugs.

Upgrade Issues with CSA MC

In this section, while discussing the CSA MC upgrade, you will use CSA MC V4.5, because the upgrade procedure will be the same for future releases of CSA MC. If you install CSA MC 4.5 on top of CSA MC 4.0.x, the installation does not automatically upgrade or overwrite the V4.0.x installation.

Note

Upgrading from versions of the product earlier than version 4.0.x to version 4.5 is not supported.


There are two options when upgrading from CSA MC 4.0.x to CSA MC 4.5.

  • Install V4.5 on the same machine as V4.0.x. (If you select this option, note that you cannot apply any upgrades that may be released to the V4.0.x CSA MC.)

  • Install V4.5 on a different machine with the knowledge that V4.0.x agents will eventually be migrated to the new V4.5 machine.

When you install CSA MC V4.5, a new Security Agents V4.5 menu item appears in your CiscoWorks UI. If you install CSA MC V4.5 on the same machine as V4.0.x, your original Security Agents menu item remains in place and you continue to manage your existing V4.0.x configurations from there as well.

The CSA MC V4.5 installation also creates a new directory structure. (If you install CSA MC V4.5 on the same machine as V4.0.x, your original CSAMC directory structure remains in place, co-existing with the new V4.5 structure.) Note that subsequent releases of CSA MC will continue to include the new version number in the directory structure (Refer to Table 21-1 for Menu Item with the Directory Path).

Table 21-1. Mapping Between the Menu and Directory Path
 

Menu Item

Directory Path

CSA MC V4.5

Security Agents V4.5

CSCOpx\CSAMC45

CSA MC V4.0

Security Agents

CSCOpx\CSAMC


CSA MC Upgrade Process on the Same System

If you're installing CSA MC V4.5 on the same server that is running CSA MC V4.0.x, an XML file containing V4.0.x configuration items and host information is automatically generated by the installation and ready for importing once the install is complete.

To upgrade and migrate V4.0.x agents to V4.5, schedule V4.5 software updates for V4.0.x agents. Schedule this upgrade from the CSA MC V4.0.x system. (Performing the V4.5 installation places a V4.5 software update on the V4.0.x machine.)

Once V4.0.x agents receive the scheduled software update, they will point to and register with the new CSA MC V4.5. The update contains the appropriate new certificates to allow this to occur.

When upgrading 4.0.x agents to software version 4.5, the upgrade program disables the system network interfaces to ensure that the upgrade process is secure. The agent service is also stopped to allow the update to occur. Once the update is complete, the agent service is restarted and the network interfaces are enabled.

This information applies only to 4.0.x to 4.5 software upgrades and not to the earlier versions.

CSA MC V4.5 ships with policies that contain new V4.5 functionality. This new functionality does not match all V4.0.x configurations. Beginning with V4.5, CSA MC Configuration item names are labeled with the release version number to distinguish them from older (or newer) configuration items or items created by administrators.

When you import your V4.0.x configuration, new V4.5 items are not overwritten. You likely will have items from both versions in your CSA MC V4.5. If the import process finds that two items have the exact same contents and the only difference is the V4.5 appended name field, the old V4.0.x item is not imported and the newer V4.5 item is used in its place.

When you import your V4.0.x configurations to the V4.5 system, old V4.0.x agent kits are also imported. When V4.0.x hosts perform software updates and register with the V4.5 system, they are placed in groups according to the group information that was part of their original installation kit.

If you want a host to be placed in a different group when it registers with V4.5, you have the ability to click on the original agent kit now listed along with the new V4.5 agent kits, and change the group association. You must generate rules after you change a group kit association.

Note

Note that when hosts register with CSA MC V4.5, they appear in their assigned group(s), and they also appear in the mandatory V4.5 groups that match their OS type.


CSA MC Upgrade Process on a Separate System

If you are installing CSA MC V4.5 on a server that is different from the server running CSA MC version 4.0.x, after installing V4.5, you must copy and manually run an executable file on the V4.0.x machine to create the XML file needed for importing V4.0.x configuration and host information to V4.5.

If you are installing CSA MC V4.5 on a server that is different from the server running V4.0.x, after installing V4.5, you must copy and manually run an executable file on the V4.0.x machine to create the XML file needed for importing V4.0.x configuration and host information to V4.5.

Once you have installed CSA MC V4.5 and rebooted the system, navigate to the CSCOpx\CSAMC45\migration directory. Copy the file named prepare_migration.exe to your V4.0.x system. (You can copy it to anyplace on the system.)

On your CSA MC V4.0.x, disable agent security and run the prepare_migration.exe file that you copied from the V4.5 system. (You must disable security to run the executable file and create the import XML data.) This launches a command prompt that displays the progress of the migration.

When the prepare_migration.exe file is finished, on the V4.0.x system, navigate to the CSCOpx\CSAMC\bin directory and locate a newly created file named migration_data_export.xml.

From the V4.5 system, import the migration_data_export.xml file to the CSA MC V4.5 machine. Do this either by copying the XML file to the V4.5 system first and then importing it, or by browsing to it from the V4.5 system if you have network shares set up.

You must generate rules once the import is complete. If you do not generate rules at this point, you cannot upgrade and migrate agent hosts.

Naming ConventionAfter Upgrade

Configuration items shipped with CSA MC and provided by Cisco contain a version column with a version number. Administrator-created items have no version number.

When you import configuration items provided by Cisco, if you find that there is already an existing exact match for an item, the new configuration data is not copied over. Instead, the existing item is reused and the name reflects the new versioning.

If the import process finds that there is an existing item with the same name and different configuration components (variables, etc.), the newly imported item is changed by adding a new version number. The new item is always the item that is re-versioned. Existing items are not renamed or reversioned if there is a collision.

Also note that CSA MC automatically appends the name of the export file to any non-Cisco item collision it finds during administrator imports. The imported item is given a different name and both new and old items can coexist in the database.

CSAgent Update Issues

To update your CSAgent with CSA MC, work though the following steps:

Step 1.

Navigate to Maintenance > Software Updates > Scheduled Software Updates on CSA MC.

Step 2.

Click on New to display a window.

Step 3.

Give the update a name, a target OS, and choose the appropriate software update and group to be applied.

Step 4.

Choose the update time frame within which to run the update. This means that when a CSAgent polls in within this time frame and is entitled to an update, it will prompt the user to do so. Setting this time frame to from 00:00 to 23:59 means that any time an agent polls in and is entitled, the update will be run on the CSAgent machine. There is no way to automatically update your hosts immediately.

If for some reason, CSAgent code is not getting updated, work through the following steps to resolve the issue:

Step 1.

Find a host that you want to update and ensure that it can poll in to the CSA MC server. Double-click the CSAgent icon and then click Poll. On the CSA MC, find this host under Systems > Hosts and look at the field Time since last poll. Verify that the agent was able to communicate with the CSA MC.

Step 2.

Ensure that the update you are trying to run on your agents is valid for the version of the agent code installed on your computers.

Step 3.

Identify a host that you want to update and find this host under Systems > Hosts. Make a note of this agent version under Product Information.

Step 4.

Then, go to Maintenance > Software Updates > Available Software Updates and click the update that you wish to run. Ensure that the agent version you recorded from your host is listed under Target Systems.

Step 5.

The update will occur only if the agent polls in during the time specified in the update job. Check your agent poll interval by finding your agent under Systems > Hosts. Under Group Membership and Policy Inheritance, click the group that the host is a member of. Under the group configuration screen you will see the agent poll time. Try reducing this time to ensure that the agent polls within the time frame allowed for the update.

Licensing Issues

There are four possible licenses you may need to deal with for Cisco Security Agent Management Center (CSA MC). You must have common services license (see Chapter 17, "Troubleshooting CiscoWorks Common Services" under "Licensing Issues" for more details) installed before you proceed with any of the following licenses:

  • CSA MC (required)

  • Profiler (optional)

  • Server Agents (specific number)

  • Desktop Agents (specific number)

Each of these licenses can be in one *.lic file or separate *.lic files. The general recommendation is that you copy and paste each of these product license sections into their own separate files (using Notepad) and name them appropriately for better management. For example, a license file named 12345678.lic is not helpful. But if you change the name to server_20.lic, it tells you that this license is for 20 servers.

Caution

Do not attempt to manually change or tamper with the license information in any way, or the license will become invalid.


To give a meaningful name to the license file, you need to be able to read and understand the content of the file (using Notepad). Example 21-4 shows the contents of the CSA MC file, which is required for CSA MC to function correctly. In the example, look for VENDOR_STRING = Count = x, where x is the number of valid seats for the license.

Example 21-4. A Sample CSA MC License

! The following line shows it's an MC license that expires on 10-apr-2006 INCREMENT managementcenter cisco 1 10-apr-2006 uncounted \ !Number of seat shows 1 in the following line     VENDOR_STRING=Count=1 HOSTID=ANY ISSUER="Cisco Systems, Inc." \     NOTICE="<LicFileID>XXXXXXXXXXXXXXXXX</LicFileID><LicLineID>1</LicLineID> \     <PAK></PAK>" TS_OK SIGN=XXXXXXXXXXXX 

Example 21-5 shows a license file for 10 Server Agents

Example 21-5. A Sample CSA Agent License for 10 Servers

! The following line shows that it's a server agent license INCREMENT serveragent cisco 1 10-apr-2006 uncounted \ ! The next line shows this license will allow 10 server agents registration to MC     VENDOR_STRING=Count=10 HOSTID=ANY ISSUER="Cisco Systems, Inc." \     NOTICE="<LicFileID>XXXXXXXXXXXXXXXXX</LicFileID><LicLineID>2</LicLineID> \     <PAK></PAK>" TS_OK SIGN=XXXXXXXXXXXX 

Example 21-6 shows a license file for 25 Desktop Agents.

Example 21-6. A Sample CSAgent License for 25 Desktops

! Following line indicates that it's a desktop license file INCREMENT desktopagent cisco 1 10-apr-2006 uncounted \ ! The next line shows 25 desktops are supported by this license     VENDOR_STRING=Count=25 HOSTID=ANY ISSUER="Cisco Systems, Inc." \     NOTICE="<LicFileID>XXXXXXXXXXXXXXXXX</LicFileID><LicLineID>3</LicLineID> \     <PAK></PAK>" TS_OK SIGN=XXXXXXXXXXXX 

Example 21-7 shows a license file for Profiler.

Example 21-7. A Sample License for Profiler

! The following line indicates that it's a profiler license INCREMENT profiler cisco 1 10-apr-2006 uncounted \ ! The next line indicates its for a single profiler     VENDOR_STRING=Count=1 HOSTID=ANY ISSUER="Cisco Systems, Inc." \     NOTICE="<LicFileID>XXXXXXXXXXXXXXXXX</LicFileID><LicLineID>4</LicLineID> \     <PAK></PAK>" TS_OK SIGN=XXXXXXXXXXXX 

With the knowledge gained from the preceding discussion, you can give meaningful names to the license files. All these files can be in the same file. In that case, be sure that the content of the CSA MC License information is on top of the other licenses. In the next section, we discuss how to procure the license.

How to Procure the License

To procure your CSA MC and Agent license key, you must use the Product Authorization Key (PAK) label affixed to the claim certificate for CSA MC, which is in the separate licensing envelope.

CSA MC does not run on the 90-day evaluation license that other Common Services applications use. You must register CSA MC and provide the PAK to obtain a valid CSA MC license.

To obtain a production license, register your software at one of the following Web sites. If you are a registered user of Cisco.com, use this Web site: http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl

If you are not a registered user of Cisco.com, use this Web site: https://tools.cisco.com/SWIFT/Licensing/RegistrationServlet

After registration, the software license will be sent to the e-mail address that you provided during the registration process. Retain this document with your VMS bundle product software records.

If you have any difficulties with Web registration, you can send an e-mail to licensing@cisco.com with your PAK number for advice.

How to Import the License

Once you receive the license, you can import the license in two ways to CSA MC:

  • Using a GUI

  • An alternate method

Using a GUI

Work through the procedure that follows to install the license using a GUI:

Step 1.

Save the licenses to a safe location on a local or network drive.

Step 2.

Make a copy of the license and then rename the copies to something more relevant as discussed previously.

Step 3.

Log in to the CSA MC.

Step 4.

Go to the menu item Maintenance > License Information.

Step 5.

Click the Browse button, and locate the .lic file on your local or network drive where license files are saved.

Step 6.

Click the Upload button on the lower-left corner of the screen.

Step 7.

Repeat this for each license file (*.lic) that you have to install.

Step 8.

Finally, click the Generate Rules link to generate the rules for the agents.

Alternate Method

If for some reason the GUI method discussed earlier does not work, or you want to copy the files to the appropriate directory manually, work through the procedure that follows to add the license to CSA MC:

Step 1.

From a command shell execute the following commands to stop the CSA Agent and MC services:

Net stop csagent net stop crmdmgtd 


Step 2.

Remove all .lic files from the Program Files\CSCOpx\CSAMC(45)\cfg directory.

Step 3.

Copy the license file(s) into Program Files\CSCOpx\CSAMC(45)\cfg directory.

Step 4.

Restart the CSA MC and agent services as follows:

Step 5.

Net start crmdmgtd

Step 6.

Net start csagent

Step 7.

Log into CSA MC GUI and check to make sure the license is valid. If it is valid, you will be able to generate rules.

Step 8.

Finally, click the Generate Rules link to generate the rules for the agents.

Determining the Number of Desktop/Server Licenses That Are in Use

For additional licensing information, you may want to investigate whether you are approaching the limit of purchased CSA Agent licenses. From the GUI, you can identify which agents are registered and find the number of agents based on group. But discovering how many server or desktop agents are registered is extremely difficult if you have hundreds of agents registering to your CSA MC. You can follow the procedures shown in Example 21-8 to obtain this information.

Example 21-8. Determining How Many Servers and Agents Are Registered with CSA MC at Any Point in Time

! Open up MS DOS command prompt and enter the following command osql -E <enter> ! For CSA MC 4.5, use csamc45 instead of csamc use csamc <enter> go <enter> ! The following line will query the number of desktops are registered. SELECT COUNT(*) FROM host WHERE  okena_system_type & 8 <> 0 <enter> go ! The following line will provide the number of servers that are registered SELECT COUNT(*) FROM host WHERE  okena_system_type & 16 <> 0 <enter> go 

Troubleshooting Licensing Issues

You may observe two behaviors on CSA MC when you have licensing issues:

  • You see "license invalid" messages when attempting to upload the licenses.

  • Or, you get "Internal Server Error" when logging into the CSA MC.

Work through the steps that follow to make sure you do not run into these licensing issues:

Step 1.

If you cannot import the CSA Agent license, verify that the CSA MC license is installed and valid by going to the Maintenance > License Information screen and expanding the CSA MC license key by pressing the "+" next to the status. If you have a single file, be sure that the CSA MC License information is on the top of the file.

Step 2.

For the CSA MC to load, it is necessary to have a CiscoWorks Common services license (refer to Chapter 17, "Troubleshooting CiscoWorks Common Services" under the "Licensing Issues" section).

Step 3.

When you copy the license information from e-mail to the text file, be sure not to add characters accidentally (for example, the carriage returns on the license file).

Step 4.

Be sure that the all files have the .lic extension.

Step 5.

Do not add the same license twice. This can cause an internal server error.

Step 6.

Try to upload the license files into a different CSA MC to verify their validity.

Step 7.

Be sure that terminal services are disabled by going to the computer's services manager.

After going through the preceding steps, if you still have problems with license import or opening CSA MC, perform the steps that follow to work around the problem:

Step 1.

Stop both CSAgent and CSA MC services with the following commands in the DOS prompt:

net stop csagent net stop crmdmgtd 


Step 2.

Go to Program Files\CSCOpx\CSAMC(45)\cfg and delete all the license files that are showing up as invalid.

Step 3.

Start both of the services with the following commands:

net stop crmdmgtd net stop csagent 


Step 4.

Bring up CSA MC and upload the license key again.

Step 5.

Finally, Generate the rules.

CSA MC Launching Issues

When you try to bring up CSA MC from CiscoWorks, you may encounter two problems:

  • CSA MC does not launch.

  • CSA MC launches slowly.

The sections that follow discuss the typical causes of these two types of problems and how to resolve them.

CSA MC Not Launching

In this section, we examine some possible causes of CSA MC launching issues:

  • DNS issue

  • CSA agent may block access

  • No free disk space

  • Web server is running on the CSA MC server

  • Other management consoles are installed

  • Licensing problem

  • Browser and Java issues

  • Certificate problem

Follow the discussions below for troubleshooting CSA MC launching issues.

DNS Issue

The requirement for correct DNS on both the CSA MC and CSAgent machines cannot be overemphasized. Without the proper name resolution of the CSA MC, agent will not be able to communicate with the CSA MC (this is discussed in detail in the "CSAgent and Communication, Registration, and Polling Issues with CSA MC" section). Also, there will be problems launching CSA MC unless you have the name resolution for the CSA MC server on both your machine from where you are accessing CSA MC, and the CSA MC server itself. If you do not have the name resolution configured by a DNS server for both CSA MC and your machine, then you can modify the hosts file, which is in the C:\WINNT\system32\drivers\etc directory.

CSA Agent May Block Access

Even though this is not very common, your CSAgent that is installed with CSA MC may block accessing the CSA MC from a remote machine. This can happen when the CSAgent that is installed on CSA MC is moved to a different group from VMS CiscoWorks Systems group, or rules are modified on the VMS CiscoWorks Systems group. This group on CSA MC Server should allow full access to the VMS server, yet also protect it. To verify if the CSAgent is blocking CSA MC access, you can stop CSAgent service with command net stop csagent in the DOS prompt of CSA MC Server. If the CSAgent stops the CSA MC access, then create an agent kit from the most up-to-date VMS CiscoWorks Systems group on the CSA MC, uninstall the existing CSAgent, and deploy this new kit on the VMS Server itself, then place it in test mode to watch for what is being blocked. Then you can tune your policies to be less restrictive on the VMS server, if needed. Once you have the policies tuned, you could take the agent out of test mode.

No Free Disk Space

If you have too many events on the database and run short of disk space, you may not be able to access the CSA MC. If everything is working, and suddenly you cannot access the CSA MC, the most likely cause is the free disk space issue. Work through the steps below to reclaim disk space:

Step 1.

Check free disk space

Step 2.

To free some up, try making the pagefile smaller (C:\pagefile.sys)

Step 3.

Refer to the Database Issues section of this chapter to purge and compact the database.

Step 4.

Then immediately do a backup.

Web Server is Running on CSA MC Server

If you have the web server running on the same server as CSA MC, you may be able to log in to all CiscoWorks, but when you try to bring up the CSA MC, it may not come up. Uninstall any web server or FTP server from the CSA MC server.

Other Management Consoles Are Installed

Any other Management Console (for example IDS MC, PIX MC, etc.,) must not be installed on the same server as CSA MC. Installing only Security Monitor along with CSA MC is supported. So, if you have other Management Consoles installed, be sure to remove them, and reboot the server.

Licensing Problems

If you have modified the license file after import or have the duplicate file for the same license (for example, CSA MC license), then your CSA MC may not come up. Refer to the "Troubleshooting Licensing Issues" section under "Licensing Issues" for additional details on how to get around this problem.

Browser and Java Issues

If you do not have the supported version of browser or Java, then you may get a certificate popup and then the browser says "done" in the bottom left hand corner and the page is blank. If so, be sure to fulfill the following requirements:

  • You must be running one of the supported browsers. Refer to the Release Notes or the ReadMe file for the supported browser list. You can find out quickly if your browser is supported on the first page after you login to CiscoWorks.

  • You must be running Java Runtime Environment (JRE) version at least 1.4.0.x. Warnings will pop up that the version is not recent enough.

  • Be sure that you have only one instance of Java installed on your machine. If you have multiple versions of Java installed, uninstall both of them and install the latest version.

  • You must turn off Proxy server on your browser. For example, in Internet Explorer, you can turn it off by going to Internet Explorer > Internet Options > Connections > LAN Settings > uncheck "Use a proxy server for your LAN".

Certificate Problem

If everything else fails as described earlier, you may be running into an issue with certificate corruption. This is a costly procedure, because with the new certificate, your agents will not be able to register with CSA MC unless you copy the new CSA MC certificate over to all the agents. However, if your MC is unmanageable due to the certificate, as a last resort you may try the following procedure with the full consent of consequences:

Step 1.

Stop both Agent and Console services as follows:

net stop csagent net stop crmdmgtd 


Step 2.

Delete the files listed in Table 21-2.



Table 21-2. Files That Need To Be Deleted

Location

Files needed to be deleted

CSCOpx\CSAMC(45)\cfg

sslca.crt,sslhost.crt

CSCOpx\lib\web\conf

root.crt,server.key, server.crt

CSCOpx\mdc\apache\conf\ssl

chain.cer,root.cer, server.key,server.cert

CSCOpx\CSAMC(45)\cfg

Files with .lic extension


Step 3.

Open a DOS window and type cd CSCOpx\CSAMC(45)\bin to change the directory.

Step 4.

Type perl.exe installcert.pl -forceinstall

Step 5.

Start both the CSA MC and agent services with the following commands:

net start crmdmgtd net start csagent 


CSA MC Is Launching, but Slowly

In the preceding section, we have explored how to resolve the issue with launching the CSA MC. This section will look at some of the probable causes of slow response when CSA MC launches up.

Database Size Is High

If your database size is high due to a huge number of events and configuration, the response time for launching CSA MC will be slow. Size is directly proportional to the CSA MC Launching time and query times for events. Refer to the Database Issues section for details on how to check the database size and how to purge, and then compact, the database to reclaim space.

Unsupported Installation

You must ensure that you fulfill all the minimum requirements for both hardware and software for installing the CSA MC. If you install the CSA MC on a server that doesn't fulfill the minimum requirements, you may be able to use the CSA MC, but the performance may degrade badly. In a lab environment for testing purposes this may not be a serious concern, but in production, this should be avoided by all means.

To find out if you are running any unsupported hardware or software configuration, you can analyze the CSAMC(45)-Install.log from CSA MC, which is in the Program Files\CSCOpx\CSAMC(45)\log. A snippet from CSAMC(45)-install.log shows below that CSA MC is running on an unsupported service pack:

Operating system is a server version. Service Pack 4 of Windows 2000 is not installed on this machine. This product is only supported on server versions of Windows 2000 with Service Pack 4 or higher. Do you want to continue? 


Look for Possible Bugs

After making sure that you are not running into any database or the incompatibility issues, look for a possible bug in the code. It is best is to look under the Release Notes of the newer version of CSA MC than that of the version you are running, and see if there is any known bug integrated on the newer version. If so, upgrade the code. One such example is that an SNMP problem may be reported on CSA MC Version 4.0(3.717), which will slow down the launching CSA MC. This issue is being integrated in the latest version of CSA MC 4.5. In the Program Files\CSCOpx\CSAMC(45)\log\csalog, you will see the following messages for the SNMP issue:

[2005-04-21 11:24:10.287] [PID=4501] [Csamcmanager]: Error sending trap to manager at address [2005-04-21 11:24:10.287] [PID=4501] [Csamcmanager]: Error opening snmp session 


Look for these types of error messages for other processes and look for any possible bugs to find out if your version of CSA MC Code is running any software bug.

CSAgent Communication, Registration, and Polling Issues with CSA MC

CSAgents query the MC over SSL on port TCP/5401. If this fails, it will fall back to TCP/443. Profiler uses TCP/5402. If the CSAgent cannot communicate, register, or poll the CSA MC, walk through the following steps to resolve this issue:

Step 1.

Read and learn and fulfill the requirements in the Release Notes from the following link: http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_release_notes_list.html

Step 2.

First be sure network cables are plugged into the machines and into the proper network card. Also make sure the link lights are coming up fine.

Step 3.

Use the iccping utility to perform the connectivity test between the CSAgent and the CSA MC. Work through the steps that follow to perform the iccping utility:

a. Go into Program Files\CSAgent\bin directory from a CMD prompt from the machine that is having connectivity issues.

b. Type iccping.

c. This will give you syntax for running the utility and which ports it uses, as Example 21-9 shows.

Example 21-9. iccping Options Available to Perform the Connectivity Test

[View full width]

C:\Program Files\Cisco\CSAgent\bin>iccping C:\Program Files\Cisco Systems\CSAgent\bin>iccping Usage: iccping <component> [num_pings] [SSL] : to ping a component        Where,                 <component> -> "leventmgr" | "webadmin" ! This will ping 4 times on TCP/80 to the CSA MC. You can define a different # than 4 Example: iccping webadmin 4 => will ping 4 times the remote component 'webadmin'. ! This will ping 4 times on TCP/5401. You can define a different # than 4 Example: iccping webadmin 4 SSL => will ping 4 times the remote component 'webadmin' using  SSL. NOTE: set ICCPING_TIMEOUT=timeout   :in seconds; timeout for the ping transaction. Default=15 NOTE: set ICCPING_INTERVAL=timeout :in seconds; time interval between 2 consecutive pings.  Default=0 NOTE: set ICCPING_SIZE=size        :ping packet size in bytes C:\Program Files\Cisco Systems\CSAgent\bin> 

If the iccping fails, then you know that you have connectivity problem on TCP/443 and TCP/5401, which are required for the connectivity between the CSA MC and CSAgent. If you are running Profiler on CSA MC, then you also need to open TCP/5402.

Step 4.

Be sure the NAME of the CSA MC is resolvable via DNS or WINS. The Agent communicates with the MC via DNS or WINS names, not IP addresses (CSAgent machines can have different IP addresses if the environment is DHCP). If the client for some reason cannot or will not have a proper DNS or WINS setting, enter the IP address and FQDN of the MC manually into the CSAgent C:\WINNT\system32\drivers\etc\hosts file. This way the Agent will be able to resolve the CSA MC name.

Step 5.

Check to ensure that the license file(s) are valid. If the license is not valid or is expired, newly installed CSAgents will not register with the CSA MC and pre-existing CSAgents will be placed into test mode. You might also run out of licenses. You might want to verify what types of licenses you are using, and how many desktop and server machines you have covered by your license by going to Maintenance > License Information (see Licensing Issues section of this chapter for more details). Check the C:\Program Files\Cisco(Systems)\CSAgent\log\csalog.txt file from one of the agents that is failing for errors such as the following, which indicates a license problem.

[View full width]

[2005-05-02 10:21:25.131] [PID=672] [Csamanager]: Registration failed without message Error ?code=2035'


Step 6.

Be sure the CSAgent does not have the same IP address as another CSAgent machine. If it does, the CSA MC will not allow the same IP address to register for an hour.

Step 7.

Be sure the CSAgents and CSA MC have the same time. If not, re-adjust the time, otherwise, you will experience certificate failure, which will result in the registration and Polling failure.

Step 8.

If the CSA MC crashes or the CSA MC Database is renamed with a different DNS name, refer to the Disaster Recovery Plan (DRP) for CSA MC subsection under the Database Issues section of this chapter.

Application Issues with CSAgent

You might run into issues with launching different applications on the desktop or the server where you have installed CSAgent. Another problem, which is common, is to have issues with updating the anti-virus software update. In every incident, the CSAgent generates the events which can be viewed from the Events > Event Log. There are several ways to resolve these interoperability issues with CSAgent. The first part of this section introduces different procedures that we will use in the concluding sub-section of the section, which is "Troubleshooting Steps."

How to Create Exceptions

If you cannot perform certain tasks on the machine where CSAgent is installed, you might want to create exceptions so that the events are permitted. Work through the steps below to create an exception:

Step 1.

Go to Events > Event Log.

Step 2.

Find the Event that is being triggered by a specific CSAgent host.

Step 3.

Click on Wizard of the event.

Step 4.

You can either choose to allow, stop logging, or behavior analysis of the event.

Step 5.

Follow the rest of the intuitive steps to complete the task.

Step 6.

Once finished creating the exception, click the Generate rules link.

Step 7.

Then go to the CSAgent and click the Poll button.

How to Disable Individual CSAgent Shims

To determine if a specific shim conflicts with other installed software, you might want to disable shims. Be sure to save your registry and back it up appropriately before making any changes. Work through the steps that follow to disable the individual CSAgent Shim:

Step 1.

Open the Command prompt and type the following command to stop the CSAgent:

net stop csagent 


Step 2.

Run the command regedit from command prompt, which will bring up Registry Editor.

Step 3.

Go to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > csafilter,csahook, csanet, csareg, csatdi. Table 21-3 shows the meaning of each value.

Table 21-3. Values for Network Shim

Registry Key Control Values

Description

csafile

File Interceptorthis is the fileshim.

csafilter

Http Interceptorthis is the http rate-limiting shim.

csahook

System Call Interceptorfor items within the Trojan Detection rule.

csanet

Network Traffic Interceptorthis is the lower level (level 3) network shim. Provides network hardening features such as syn flood and malformed IP packet protectionsimilar to a firewall.

csareg

Registry Interceptorthis is the registry shim.

csatdi

Network Application Interceptorthis is the upper level (level 5) network shim. Controls which applications can communicate with the network.


Step 4.

Highlight the registry key for the shim you want to disable and look for DWORD Enable. If it doesn't exist, follow the next step to create one.

Step 5.

Right-click and create new DWORD value, name it as Enable, and set its value to 0 as shown in Figure 21-2. If you need to re-enable it, just change this value from 0 to 1.

Step 6.

Finally, reboot the CSAgent machine.

Step 7.

Follow steps 1-6 for every shim, one by one, to find which one is causing the interoperability issue with other applications. Be sure that before disabling a new shim (see Figure 21-3), you re-enable the existing disabled one.

Figure 21-3. Disabling Shims


Disabling csauser.dll

Be sure to save your registry and back it up properly before making any changes. Work through the steps that follow to disable casuser.dll:

Step 1.

Open a command shell (Start > Run) and type cmd.

Step 2.

Type net stop csagent to stop the CSA agent.

Step 3.

Type regedit to bring up Registry Editor.

Step 4.

Go to HKEY_LOCAL_MACHINE > Software > Microsoft > Windows NT > CurrentVersion.

Step 5.

Click on Windows to view the content of the keyword.

Step 6.

Change the value of AppInit_DLLs from csauser.dll to csauser.dll.org.

Step 7.

Reboot the machine.

Step 8.

Once the test is completed, change the value of AppInit_DLLs in step 6 from "csauser.dll.org" to "csauser.dll".

Step 9.

Reboot the machine.

Creating Buffer Overflow Exclusions

For any anti-virus software update, there are at least two executable files involved: one executable (.exe) file downloads the actual update file, which is the other executable (.exe) file. There may be more than two .exe files involved with the upgrade process. For example, automatic update for Trend Micro Client/Server Suite 6.5 (OfficeScan 6.5) may be blocked by the CSAgent because the following files may be blocked by the CSA MC: upgrade.exe, tmlisten.exe, spntsvc.exe, and stupdate.exe.

So, if your anti-virus software fails updating, work through the steps that follow to resolve the issue:

Step 1.

On CSA MC, find the event that is triggered by the anti-virus software. Then look for the Wizard button. If you see the Wizard button, create an exception as outlined in the earlier section entitled "How to create Exceptions."

Step 2.

If the Wizard button is absent from the event, then create an application class that has the executables defined as explained in the next step.

Step 3.

For example, to create buffer overflow exceptions for acad.exe, you can create an application called Autocad by going to Configuration > Applications > Application Classes [Windows] and clicking on New. Fill in the needed information (in Bold). Give this application class a name (for example, AutoCad), description, and select the operating system. Then under "Add process to application Class", type **\acad.exe. Then click on Save. You have just created an application class called the AutoCad application, which needs to be applied either on a host or a group.

Step 4.

Find a host that is having the problem (you can apply this in groups as well) and view its configuration by selecting it under Systems > Hosts.

Step 5.

Scroll down in the host window to see all the rules that are applied to this host and find the rules that are of type Trojan Detection Rule. Click these rules to edit them.

Step 6.

Under Accessing system functions from code executing in data or stack space, where it reads Select any application classes to be excluded, scroll down to find the Autocad application, and click on it to select it. If the .exe file has problems with updating the software, instead of just invoking it, define the application class created under the Downloading and invoking executables option, instead of defining the class under executing in data or stack space.

Step 7.

Generate the rules and poll the new rules from the server on a CSAgent.

If the preceding procedure does not work, there might be another application executable that you would have to exclude from your Trojan detection file. Follow the directions that follow to learn how to use a file monitor rule to watch the exact executable that downloaded the file.

Assume that the Event Log shows executable "xyz.exe" is having problems with installation. The procedure explained here is based on the executable "xyz.exe" file. If your Event Log shows a different executable file name, the procedure remains the same. In the Events > Event Log, you see the following event:

The program 'C:\Program Files\CA\Common\ScanEngine\Incoming\xyz.exe' was recently downloaded and attempted to execute. The user was queried whether to allow this operation. The user chose 'Terminate (as default)' 


You need to create an exclusion to exclude the application that is downloading the executablenot the actual executable itself (xyz.exe). The File Monitor rule that you will create here will capture the file that is executed for downloading the xyz.exe file.

Work through the steps that follow to create a file monitor rule and application class:

Step 1.

Open any policy/module that is attached to the group to which the host is attached (or you can create a NEW policy/module and attach it to the group the host is a part of).

Step 2.

Click on the Add Rule link (it is in blue) and select File Monitor for the rule type.

Step 3.

Follow the steps in the explanation section on the values needed for the file monitor rule.

Step 4.

Then once the process runs, the file monitor rule tells you which application wrote xyz.exe.

Step 5.

Once you get the executable file name, go to Configuration > Applications > Application Classes [Windows]. Click the New button and create a new application class with a descriptive name, and then add the EXE that downloaded xyz.exe. For example, the file monitor rule event triggered that bab.exe downloaded xyz.exe file. Hence, you may call the application bab. In the section when created from one of the following executables: type in bab.exe.

Step 6.

Go back to the event in the Events > Event Log, and click on the rule ID (in blue) that generated the event. It will take you to the Trojan detection rule that gave rise to the event. Then in the section of the Trojan detection rule, Downloading and invoking executable files, select Any application classes to be excluded and select the application class you created (in this example, bab).

Step 7.

Click on Save button and then click the Generate rules link.

Troubleshooting Steps

Using the procedures explained in the preceding sections, work trough the following steps to troubleshoot issues with CSAgent with any applications, or issues with updating applications:

Step 1.

First be sure that CSA Agent is causing the application interoperability issue with the application. The quickest way to do that is to stop the CSAgent with the net stop csagent command. With that command, if the application functions well, then restart CSAgent with net start csagent command.

Step 2.

Disable csauser.dll with the procedure outlined in the following section of this chapter: "How to disable csauser.dll."

Step 3.

To find out which shim is causing the problem, follow the procedure outlined in section How to Disable Individual CSAgent Shims in the preceding section.

Step 4.

In CSA MC, go to Events > Events Log, and check to see if the application in question generated any events. If an event is generated and there is a Wizard button, click it to create an exception. If there is no Wizard button, then you need to modify the rule manually.

Step 5.

If there are problems updating anti-virus software, refer to the following section of this chapter: "How to create Buffer Overflow Exclusion."

Step 6.

Look at the logs in the CSA MC for events. If there is an event, use the wizard to create an exception to allow the application to run.

Step 7.

Check Windows Event Log on the affected system (CSAgent) if you do not see the events on the CSA MC.

Step 8.

Decode and analyze the .rtr files in the log directory for rules/policy verification (refer to the "Diagnostic Commands and Tools" section of this chapter). If there are problems in the .rtr files output, poll the rules again on the CSAgent by clicking on the Poll button.

Report Generation Issues

In CSA MC you can generate reports in two ways:

  • Using HTML

  • Using Active X Control

If you are having problems with generating reports, work through the steps that follow:

Step 1.

Supported Browser

Be sure you are running one of the supported browsers. Refer to the Release Notes of the respective CSA MC version at the following location: http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_release_notes_list.html

Step 2.

Correct Browser Settings

If you are running Internet Explorer (IE), check the Internet Options on both Intranet and Internet settings, and be sure that all options are checked as either "enable" or "prompt" for both Active X and Scripting. Also clear the cache and close all open IE windows.

Step 3.

Database size

Check to see if the database is approaching the Max limit (for MSDE the limit is 2 GB). If your database size is very high, then purge the events from the database and compact it with the procedure explained in the "Database Issues" section of this chapter.

Step 4.

HTML Report is working but Active X Report is problematic

If you can run an HTML report, but you are having problems with generating an Active X report in CSA MC, open with Notepad the httpd.conf file (located at Program Files\CSCOpx\MDC\Apache\conf), and take a look at the line that contains servername (close to the end of the page) to determine whether it references hostname.domain.com or just the hostname. Then log in using whatever name the Apache server references, and run the report.

Note

Do not change the name in the httpd.conf file because the name is automatically rewritten on startup. So, if you have just the server name written without the domain name, and your station is unable to resolve the name, then modify your hosts file to add the server name with the corresponding IP address of the CSA MC server.


Profiler Issues

The Profiler consists of following three separate components:

  • The Management Console (CSA MC)

  • The Analysis Workstation (Component of CSA MC from version 4.x)

  • The Logging Agent (CSAgent)

All three components can be on the same machine, or two machines. For releases 4.0 and above, Profiler is installed on the same machine as the CSA MC. The Logging Workstation is any CSAgent that can communicate with the CSA MC and the Analysis Workstation.

Work through the following steps to troubleshoot issues with Profiler:

Step 1.

Invalid license or no license

If you cannot see the Profiler menu on CSA MC, be sure that you have a valid Profiler license by browsing to Maintenance > License Information.

Step 2.

Valid license, but still unable to see the Profile Menu

Sometimes, even if you have a valid Profile license, you may not see the Profiler menu. If so, follow the procedure in Example 21-10 to resolve this issue.

Example 21-10. Procedure for Resolving the Profile Menu Not Showing Issues

! Open up DOS prompt and then go to the following directory C:\>cd Program Files\CSCOpx\csaprofiler\bin ! To uninstall and install profiler execute the following two lines C:\Program Files\CSCOpx\csaprofiler\bin>report_install u C:\Program Files\CSCOpx\csaprofiler\bin>report_install i ! Then reboot the server 

Step 3.

Profiler job is not started

The CSAgent must poll after the Profiler job is scheduled. Otherwise, a Profiler job will not start. You need to go to the Agent manually and click the Poll button for on-demand polling.

Step 4.

The job is completed without collecting data

If the Event Log says that the job is completed without collecting data, then the cause of the problem is that the application class selected is not correct (that is, it is misspelled), or the application has not been activated so that it can be analyzed. For example, if you choose notepad.exe as the application class and never launch it, then no data will be collected.

Step 5.

Waiting for log data indefinitely.

If you have scheduled a job and the status of the job says waiting for log data indefinitely, then the port of the profiler may be blocked between the CSA MC and CSAgent. Open the TCP/5402 for the Profiler on the firewall between CSA MC and CSAgent (in both directions).

Database Maintenance Issues

Database maintenance is extremely important on the CSA MC. CSA MC database is the repository of configuration information for both the CSA MC and the agents, and it archives and stores events received from CSA Agents and MC itself. So, you must have a Disaster Recovery Plan (DCP) in place for the CSA MC database. Additionally, you must ensure that the database doesn't outgrow the capacity of the CSA MC server with numerous events. So, along with having the DCP in place, you must ensure that you purge the events and compact the database periodically so that enough space is reclaimed on the database to receive and write new events from the CSA Agent by the CSA MC. This section elaborates on how to perform the following database-related tasks for seamless operations of CSA MC and agents:

  • Disaster Recovery Plan (DRP) for CSA MC

  • Purging events from database

  • Compacting the database

Disaster Recovery Plan (DRP) for CSA MC

The Disaster Recovery Plan for CSA MC (DRP) involves backing up the CSA MC Database and restoring it. The CSA MC has a built-in feature under the Maintenance menu called Backup Configuration. This feature allows you to perform the manual backup or automatic periodic backup of the database, certificates, and license, which saves the files and data necessary to perform a complete system restore quickly. To perform manual backup, go to Maintenance > Backup Configuration >. Select "No database backup" & specify Backup directory. Then click on Backup now. The restore can be done on the same machine or a different machine, if the DNS name and IP address of the new server are the same as the original server's DNS name and IP address. Because the restored configuration contains the original certificates, the Agents will find and communicate with the new Management Console without any problems. The CSA MC will contain all the events, policies, groups, and host information as the original. There are three levels of backup:

  • Low Frequency Backup Full backup once a week, differential once a day, and transaction log every 24 hours

  • Medium Frequency Backup Full backup once a week, differential once a day, and transaction log every 8 hours

  • High Frequency Backup Full backup once a week, differential once a day, and transaction log every 4 hours

You may configure auto backup or manual backup. If the Auto backup is configured by selecting one of the backup types previously listed, you can perform manual backup by clicking on Backup now on the Maintenance > Backup Configuration page.

Note

The backup must be to a local drive (a separate hard drive, for example) when originally saved to ensure that a network being down or another networking problem does not prevent the backup from completing successfully. Once the backup is completed, the files can then be moved to a secure site.


Back up the CSA MC Database

Work through the steps that follow to back up the CSA MC database:

Step 1.

Open the GUI of the CSA MC (via a Web browser) and go to Maintenance > Backup Configuration. Click the Backup button and save the CSA MC Configuration locally. Copy these configuration files to a network drive for easier access. The main database file will be compressed and will be a combination of the database and the transaction logs (*.mdf and *.ldf files, respectively). The backup database file will be approximately 50% smaller than the combined size of the *.mdf and *.ldf files. The certificate, pass phrase file and the license will be saved. If you are running CSA MC version 4.0.x, the backup files are backup.vrs, full_backup_csamc.bak,kleidia, ssl-bundle.conf, sslca.crt, sslca.csr, sslca.key, sslca.sn, sslhost.crt, sslhost.csr, sslhost.key, sysvars.cf, and *.lic files. If you are running CSA MC Version 4.5, the backup files are backup.vrs, full_backup_csaanalysis45.bak, and full_backup_csamc45.bak files. In version CSA MC 4.5, back up the files as shown in Table 21-4.



Table 21-4. Backing up Files to Keep the Certificates on the CSA MC

Directory

Files

CSCOpx\CSAMC(45)\cfg

sslca.crt, sslhost.crt

CSCOpx\lib\web\conf

root.crt, server.key, server.crt

CSCOpx\MDC\Apache\conf\ssl

chain.cer, root.crt, server.key, server.cert


Step 2.

To save the original agent kits that you created, back up the bin directory of Program Files\CSOpx\CSAMC(45)\bin\webserver\htdocs into the same location as the previously listed files. If this is not convenient, then you can re-create default agent kits, but you will lose any custom agent kits you might have created.

Restore the CSA MC Database on the Same Server

You can restore the CSA MC database on the same system or on a different system, with the same IP address or a different IP address. Work through the procedure that follows to restore the database on the same server with the same IP address and DNS name (this is useful if the existing VMS Server crashes and needs to be rebuilt). These directions assume you have only VMS Common Services and the CSA MC installed, and you want to completely reinstall all the components (VMS, SQL Server (or MSDE), and CSA MC). If you have other VMS components installed, you must uninstall all other components after uninstalling the CSA MC before uninstalling VMS.

Step 1.

Be sure the server still has exactly the same machine name as before, and that the machine name is resolvable via DNS (this is required).

Step 2.

Be sure the machine still has the same IP address. This is not absolutely required, but highly recommended.

Step 3.

Uninstall the CSA MC by using Start > Programs > CiscoWorks. Uninstall CiscoWorks and keep the Management Center for Cisco Security Agents checked while unchecking the other components.

Step 4.

When asked, you do not have to back up the files during the uninstallation of the CSA MC, because you have already backed up the files. In addition, the format used for backup during this stage is different than the backup files created via the CSA MC GUI.

Step 5.

Reboot the server.

Step 6.

Uninstall VMS via Start > Programs > CiscoWorks. Uninstall CiscoWorks. (These procedures assume you have no other VMS components on the system. If you have other VMS components, you must uninstall those before you uninstall VMS.)

Step 7.

Reboot the server.

Step 8.

Delete the CSCOpx directory.

Step 9.

Uninstall SQLServer or the MSDE.

Step 10.

Reboot the server.

Step 11.

Delete SQLServer directories and references to SQLServer in the registry.

Step 12.

Install the same version of VMS with Common Services onto the original server. Then reboot the server.

Step 13.

Reinstall the CSA MC onto the original server. Reboot the server.

Step 14.

Check to be sure you can log into VMS and the CSA MC.

Step 15.

Move the backup configuration files that you moved to a network share down locally to the new machine (a folder of your choice).

Step 16.

Uninstall the CSA MC Agent (this CSAgent will no longer be able to register with the correct CSA server). Reboot the server.

Step 17.

Run the Restore Configuration utility located in Program Files\CSCOpx\CSAMC(45)\bin (and point to where the original configuration files are located that you just moved down from the network).

Step 18.

Copy \Program Files\CSCOpx\CSAMC(45)\bin\webserver\htdocs\deploy_kits into the same directory on the new server (thus overwriting the agent kits with the original Agent kits). Reboot the server.

Step 19.

Log into VMS/CSA MC to ensure that all the data is present and all agent kit links work as they did in the original CSA MC.

Step 20.

Check to be sure that all the agents are polling into the reinstalled CSA MC.

Note

Be sure to manually copy over the certificates for good measure. These certificates are crucial in maintaining communication between the Agent and the new CSA MC. Also run the following command via the command line interface to refresh all the default agent kits:

*:\Program Files\CSCOpx\CSAMC\bin\webmgr makekits_refresh 


Be sure that the backup files are not transferred with a CD. To transfer the files, copy the files via a network share or thumb drive, or some other method besides a CD.


Restore the CSA MC Database on a Different Server with a Different Name and IP Address

To restore the database on a different server (for example, test machine) with a different name and IP address, use the following procedure:

Step 1.

Be sure that the test machine has a different machine name and IP address.

Step 2.

Install VMS and the CSA MC onto the new machine.

Step 3.

Move the backup files from the network to a local drive.

Step 4.

Run the Restore Configuration utility in Program Files\CSCOpx\CSAMC(45)\bin (and point to where the original configuration files are located that you just moved from the network).

Step 5.

Create new certificates with the procedure in Example 21-11.

Example 21-11. Creating a New Certificate

! Stop the agent and MC services in DOS prompt net stop csagent net stop crmdmgtd ! Delete the following files ! In directory CSCOpx\CSAMC\cfg    delete files sslca.crt,sslhost.crt ! In directory CSCOpx\lib\web\conf delete files root.crt, server.key, ! server.crt ! In directory CSCOpx\MDC\Apache\conf\ssl delete files chain.cer, root.crt, ! server.key, server.cert ! From the DOS prompt change the directory to following cd CSCOpx\CSAMC(45)\Bin !Type the following command ..\..\bin\perl.exe installcert.pl -forceinstall !The preceding command generates new certificate in CSAMC cfg directory and !copies them in the appropriate files in the CMF and core apache. If you run it !from the CMD as specified above, you will clearly see where it copies the files. ! Start the agents and MC services net start crmdmgtd net start csagent 

Step 6.

To refresh the kits, got to the CSAMC(45) bin directory and type webmgr makekits_refresh without the quotes.

Step 7.

Log into VMS/CSA MC to ensure that all the data is present.

Step 8.

Replace the sslca.crt file in the agent protecting the CSA MC (net stop the csagent and then replace the sslca.crt in Program Files\Cisco(Systems)\CSAgent\cfg with the one from the CSA MC's Program Files\CSCOpx\CSAMC(45)\cfg).

Step 9.

Install an agent and be sure it works.

Purging Events from the Database

Purging allows you to remove events from the database. If there are a huge number of events occupying the database, you need to purge and then compact the database as discussed in the next section. Before considering purging, it is useful to know when to do it.

There are several methods to determine the size of the database, which will indicate when to purge the events. These methods are listed as follows:

  • Based on number of events Based on the number of events in the event log, you can determine if your database needs to be purged. If the total number of events is well over a million, you need to consider purging. Example 21-12 shows a sample of finding out the number of events in the event log file.

    Example 21-12. Finding the Number of Events in the Event Log File in CSA MC Version 4.5

    ! Open a DOS prompt on the CSA MC server and type the following command. ! Make sure to type upper case E, this is case sensitive. C:\>osql -E ! If you are running CSA MC 4.5, run the following command. If earlier version, then ! need to replace csamc45 with csamc. 1> use csamc45 ! The following line will query the database to find out the number of events 2> select count (*) from formatted_event_log 3> go  -----------           61 (1 row affected) 1> 

  • Based on database file size A quick way to find the size of the database is to check the csamc(45).mdf file located in Program Files\CSCOpx\CSAMC(45)\db and right-click on this file to see how large it is. If it is close to 2 GB, you need to delete events from the database.

  • Using a GUI You can determine the size of the file as listed in the previous item by going to Maintenance > Database Maintenance.

Once you know the size of the database and have decided to purge the events from the database, there are three options:

  • Automatic purging

  • On-demand purging

  • Purging using CLI

Automatic Purging

With this option you can schedule the time for purging. Work through the steps below to accomplish this task:

Step 1.

Create a new task that will purge the events. To do so, go to Events (Monitor on older version) > Event Log Management.

Step 2.

Then click the New button.

Step 3.

In the new window from Step 2, choose an event, set to delete, and set the deletion time.

Step 4.

Finally, click the Save button to save this Event Managing Task.

This procedure will delete the events from the database as specified.

On-demand Purging

This type of purging allows you to remove the events when you want it. Work through the steps that follow to accomplish this task:

Step 1.

Go to Events (Monitor) > Event Sets

Step 2.

Choose an existing event or create a new one.

Step 3.

After defining your event, click on Purge events at the bottom of the screen to purge them immediately.

Purging Using CLI

To purge the event correlation queue using the CLI, you can use the sql command in the example that follows. This sql command will delete some of the events in the event correlation queue. You can use the following syntax in the DOS prompt of your CSA MC server:

[View full width]

c:\>Program Files\Microsoft SQL Server\80\Tools\Binn\osql -d csamc(45) -E -Q "delete from event_host delete from event_queue"


As previously mentioned, after purging, consider compacting the database as discussed in next section to reduce the physical size of the database files.

Compacting the Database

Regardless of whether you use the built-in MSDE or the full version of SQL Server 2000, you should compact the database after you have deleted large amounts of data from the CSA MC database (csamc.mdf and csamc_log.ldf), such as removing large numbers of events from the event log. This is because purging the events from the database does not really reduce the size of the database unless compacting is performed. This is very similar to an Outlook *.pst file after deleting e-mails. Compacting the database recovers disk space, increases efficiency, and reduces query time.

Caution

Always back up the CSA MC database under the CSA MC GUI's maintenance section as discussed before purging events and compacting the database.


Compacting MSDE (CSA MC Built-in Database)

The MSDE, which ships with the CSA MC, does not have a Graphical User Interface (GUI), so database maintenance must be done through the command shell tool osql -E. Run these scripts as shown in Example 21-13 via the command shell when you are ready to shrink the database:

Example 21-13. How to Shrink the Database of CSA MC When MSDE Is Used

! Press <enter> after each line. E must be upper case as case sensitive osql -E ! csamc45 in the case of CSA MC version 4.5. Earlier version used csamc. use csamc45 backup log csamc45 with no_log go dbcc shrinkdatabase (csamc45) go update statistics host with fullscan go update statistics group_host with fullscan go update statistics event_log with fullscan go update statistics formatted_event_log with fullscan go update statistics rule_program_distribution with fullscan go 

Compacting Full Version Of SQL Server 2000

The full version of SQLServer 2000 has a GUI called Enterprise Manager. There are many tools that can ease the maintenance of the database.

Work through the steps that follow to shrink the database via Enterprise Manager:

Step 1.

Expand a server group, and then expand a server.

Step 2.

Expand databases, right-click on the csamc database to shrink it, point to All Tasks, and then click Shrink Database.

Step 3.

Specify how much to shrink the database. For the maximum free space in files after shrinking, enter the amount of free space you want left in the database after shrinking. Use the Database Size, Space free value as a guideline.

Step 4.

Select Move pages to beginning of file before shrinking to cause the freed file space to be retained in the database files, and pages containing data to be moved to the beginning of the database files.

Step 5.

Click Schedule to create or change the frequency or time when the database is automatically shrunk.

Step 6.

Click Shrink files to shrink an individual database's files.

Note

You cannot shrink a database smaller than the size of the model database. Also, do not use the Enterprise Manager's autoshrink option, as this can cause database lockup.


Checking and Repairing the CSA MC MSDE Database

If your CSA MC is not functioning properly, for instance, if you cannot launch the CSA MC GUI or are unable to get the events, check to see if your CSA MC's MSDE database is working properly. There is a quick way to check that. Enter the following URL in the Web browser to perform the database check.

https://server_name/csamc/webadmin?page=db_checks

If the database check reports any error, you need to repair your MSDE database with the following procedure:

Step 1.

Stop both Ciscoworks Daemon Manager and the sqlserver service.

Step 2.

Launch DOS CLI and execute the following commands:

cd program files\microsoft sql server\mssql\binn sqlservr.exe -c -m 


Step 3.

Launch a second DOS CLI and execute the following commands to launch the osql tool, and check if there is any report corruption issue on the database:

osql -E alter database csamc set single_user go dbcc checkdb ('csamc') go 


Step 4.

Review this report to see if it reports corruptions, and if it does, run the following:

DBCC CHECKDB ('csamc', repair_rebuild) with all_errormsgs go 


Wait until this completes.

Step 5.

If you get an error saying it can't be fixed, you may have to allow data loss and run this:

DBCC CHECKDB ('csamc', repair_allow_data_loss) with all_errormsgs 


This will allow a repair with some loss of data (most likely the event log data). Another option for repairing the database is repair_fast. Each time you run DBCC CHECKDB, it will suggest which repair command to run. It might be repair_allow_data_loss or repair_fast or both.

Step 6.

Then run repair_rebuild as follows to rebuild your database indexes:

DBCC CHECKDB ('csamc', repair_rebuild) with all_errormsgs 


Step 7.

After Step 6 completes, run the following commands:

alter database csamc set multi_user go quit 


Step 8.

Then go to the first DOS CLI window and terminate the SQL Server session by pressing ctrl + C on your keyboard.

Step 9.

Say YES to the prompt and reboot the machine.



Cisco Network Security Troubleshooting Handbook
Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
EAN: 2147483647
Year: 2006
Pages: 190
Authors: Mynul Hoda

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net