69-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 69 Using External Monitoring, Troubleshooting, and Diagnostic Tools
Starting Device Managers
All users associated with any of the CiscoWorks Common Services roles have permission to start
device managers from Security Manager, with the exception of the Help Desk role or any of the
predefined Cisco Secure ACS roles. Ensure you have appropriate permissions.

SSL/HTTPS must be enabled on the target device to provide secure communications between
Security Manager and the device. An error message is displayed if SSL is not enabled on the device.
See Understanding Device Communication Requirements, page 2-1 for more information.

You might need to modify Cisco Security Agent, or other anti-virus and network firewall software,
on the Security Manager system and on your workstation to allow the device manager service
(xdm-launcher.exe) to be started.

Ensure that Security Manager is correctly configured for contacting and communicating with the
target device. Specifically, verify device properties such as identity, operating system, and
credentials. Select the desired device, right-click, and choose Device Properties. Verify the settings
on the General and Credentials pages. You can test whether Security Manager can connect to the
device by selecting the Credentials tab and clicking Test Connectivity (see Testing Device
Connectivity, page 9-1).

Device managers can be started for FWSMs and ASAs running in transparent mode (Layer 2
firewall) or routed mode (Layer 3 firewall), and supporting a single security context or multiple
security contexts. For FWSM and ASA devices running multiple security contexts, you must define
a unique management IP address for each security context.

If you get a message saying that the platform is not supported for device manager launch, but you
believe the platform should be supported based on information in this guide, consider the relative
newness of the operating system version running on the device and the age of the Security Manager
software version you are using. If you are using very recent operating systems, but a relatively older
version of Security Manager, you might need to upgrade Security Manager (or apply a service pack),
contact Cisco Technical Support, or simply install the latest device manager on the network device
and use it outside of Security Manager. Before using a device manager outside of Security Manager,
review the information on out-of-band changes in Starting Device Managers, page 69-4.
Multiple Device Manager Sessions Troubleshooting Tips
Starting multiple device managers might affect the performance of both the Security Manager server
and your client. On the client, memory requirements and performance impact are proportional to the
number of device managers launched. On the server, a large number of requests to start device
managers or retrieve current information from the device can have an adverse impact on
performance.

The maximum number of persistent HTTPS connections that can be established with any one device
from all clients depends on the device type and model. An error message is displayed if you attempt
to exceed this limit.

For example, a single PIX 6.x allows multiple clients to each have one browser session open,
supporting up to 16 concurrent PDM sessions. An FWSM (1.1, 2.2, or 2.3) allows up to 32 PDM
sessions for the entire module, with a maximum of five concurrent HTTPS connections per context.
Refer to the appropriate device documentation for information about specific limits.
Access Rule Look-up from Device Managers
A set of access rules is associated with each device interface. These rules are presented in the form of
an ordered list or table. This list is often referred to as an access-control list (ACL), with each rule in the
list known as an access-control entry (ACE). When deciding whether to forward or drop a packet, the