9-7
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 9 Troubleshooting Device Communication and Deployment
Managing Device Communication Settings and Certificates
Related Topics
• Manually Adding SSL Certificates for Devices that Use HTTPS Communications, page 9-4
• Managing IPS Certificates, page 43-10
• Adding Devices to the Device Inventory, page 3-6
• Chapter 2, “Preparing Devices for Management”
Troubleshooting SSH Connection Problems
For devices that use SSH as the transport protocol, Security Manager automatically detects the
appropriate SSH version (1.5 or 2) to use with each device. During SSH version 2 connections, Security
Manager automatically negotiates encryption algorithms or ciphers with the device. Security Manager
also automatically overwrites the SSH public key for the device if the key changes. Thus, you typically
will not run into SSH connection problems.
If you do have SSH connection problems, consider these fixes:
• If the public key on the device changed, and SSH connections are failing due to a key problem,
  remove the key for the device from the Program Files/CSCOpx/MDC/be/tmp/.shh/known_hosts file
  on the Security Manager server and retry the operation.
• Security Manager uses 3DES (Triple Data Encryption Standard) as the default encryption algorithm.
  If this is not the correct algorithm for your devices, either change the configuration of your
  devices, or update the Program Files/MDC/athena/config/DCS.properties file to indicate the correct
  algorithm on the DCS.ssh.encipher property. (Contact Cisco TAC if you need more help.) You must
  restart the Security Manager daemon manager if you change this file.
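The key removal described in the first fix above, as an added example that is not part of the Cisco guide: it deletes only the affected device's entries, keeps a backup copy, and returns the fingerprint of each removed key so the device's new key can be compared against it out of band. It assumes the file uses the OpenSSH known_hosts line format (host field, key type, base64 key), which the guide does not state; the function names, host names and key blobs are constructed for illustration.

```python
import base64, hashlib, hmac, shutil, tempfile
from pathlib import Path

def fingerprint(b64key):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a host field: comma-separated names, or hashed |1|salt|hmac-sha1."""
    if field.startswith("|1|"):
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in field.split(",")

def remove_host_key(path, host):
    """Drop host's entries from a Path, keep a .bak copy, return [(type, fingerprint)]."""
    kept, removed = [], []
    for line in path.read_text().splitlines():
        parts = line.split()
        # Comments, blank lines and @marker lines (such as @revoked) stay untouched.
        if len(parts) >= 3 and parts[0][0] not in "#@" and host_matches(parts[0], host):
            removed.append((parts[1], fingerprint(parts[2])))
        else:
            kept.append(line)
    if removed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text("\n".join(kept) + "\n")
    return removed

def demo():
    """Run against a constructed file; host names and key blobs are made up."""
    blob = lambda raw: base64.b64encode(raw).decode()
    salt = b"constructed-salt"
    hashed = "|1|%s|%s" % (blob(salt),
                           blob(hmac.new(salt, b"10.0.0.5", hashlib.sha1).digest()))
    path = Path(tempfile.mkdtemp()) / "known_hosts"
    path.write_text("\n".join([
        "# constructed sample, not real keys",
        "fw1.example.net,10.0.0.5 ssh-rsa " + blob(b"old-rsa-key"),
        "rtr2.example.net ssh-rsa " + blob(b"other-device-key"),
        hashed + " ssh-dss " + blob(b"old-dss-key"),
    ]) + "\n")
    return remove_host_key(path, "10.0.0.5"), path.read_text()

if __name__ == "__main__":
    for key_type, fp in demo()[0]:
        print("removed", key_type, fp)  # note these before trusting a new key
```

An entry stored under a non-default port appears as `[host]:port` in this format, so pass that exact string as `host` to match it.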
Related Topics
• Chapter 2, “Preparing Devices for Management”
• Device Communication Page, page 11-17
• Device Credentials Page, page 3-44
Troubleshooting Device Communication Failures
If Security Manager fails to communicate with a device, for example, by failing to log into it, during
discovery, deployment, or other actions, look at these areas to identify and resolve the problem:
• Ensure the device is operational.
• Check which transport protocol is selected. You must select a protocol that the device is configured
  to accept. For most devices, the protocol is selected on the Device Properties General page (select
  Tools > Device Properties > General). For IPS devices, the IPS RDEP mode is selected on the
  device properties Credentials page.
  For IOS devices that do not have a K8 or K9 crypto image, ensure that you select Telnet as the
  protocol.
  Some methods of adding devices also allow you to select a non-default transport protocol. To
  configure the default transport protocols for classes of devices, select Tools > Security Manager
  Administration > Device Communications.