User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 9 Troubleshooting Device Communication and Deployment
Troubleshooting Deployment
2. Next, configure policy B to replace policy A, but deploy policy B to a file instead of to the
device. When this deployment completes, Security Manager creates a snapshot with
policy B that replaces the previous snapshot with policy A. However, because you did not deploy
policy B to the device, the CLI commands that are required to negate policy A have not been
deployed. Policy A is still deployed on the device.
3. Deploy again to the device without first copying the changes in the configuration file to the device.
Security Manager cannot generate the commands that are required to negate policy A from the
device because the snapshot with policy A no longer exists.
Because policy A is a router platform policy, any of the following results might occur:
- The policy in the latest deployment overrides policy A.
- Both policies end up defined on the device.
- Deployment fails because the two policies cannot coexist.
Therefore, if you deploy to a file when working on a live device, we strongly recommend that you copy
your configuration changes from the file to the device before performing additional deployments to the
device.
Related Topics
Chapter 24, “Managing Site-to-Site VPNs: The Basics”
Chapter 58, “Managing Routers”
Deployment Failures for Routers
The following are some potential problems you might encounter when deploying configurations to Cisco
IOS routers.
Deployment Fails for Interface Settings
Problem: Deployment fails for interface settings on a router.
Solution: Security Manager cannot validate whether you have the appropriate types of interface cards
or shared port adapters (SPAs) installed on the router, or the appropriate licenses configured, to support
your interface policies. If you add or remove an interface card without changing your interface policies,
you can encounter deployment errors. The best practice is to ensure that you discover inventory from the
router whenever you change interface modules or SPAs so that Security Manager can discover the
appropriate interface features.
Deploying Layer 2 Interface Definitions
Problem: Deployment fails if the interface policy includes a definition for a Layer 2 interface.
Solution: Layer 2 interfaces do not support Layer 3 interface definitions, such as IP addresses. Make
sure that the Layer 2 interface does not include a Layer 3 definition.
VPN Traffic Sent Unencrypted
Problem: Traffic that should be sent encrypted over a VPN is instead being sent unencrypted.
Solution: Ensure that you are not performing NAT on VPN traffic. Performing address translation on
VPN traffic prevents the traffic from being encrypted and sent through the VPN tunnel. When defining
dynamic NAT rules, make sure that the Do Not Translate VPN Traffic check box is selected, even when
you perform NAT into IPSec. (This option does not interfere with the translation of addresses arriving
from overlapping networks.)
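
The following audit script is an added example, not part of the Cisco guide or of Security Manager. It checks a router configuration for the condition described above: a VPN-protected flow whose first matching entry in the dynamic NAT access list is a permit. It assumes the Do Not Translate VPN Traffic setting appears on the router as deny entries placed ahead of the permit in the NAT access list, handles only numbered `ip` ACL entries written as address/wildcard pairs or `any`, and matches by subnet containment; the sample configurations are constructed.

```python
import ipaddress
import re

# Constructed sample config: NAT ACL 101 has no deny for the VPN flow in crypto ACL 110.
SAMPLE_BAD = """\
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
ip nat inside source list 101 interface GigabitEthernet0/0 overload
crypto map VPN 10 ipsec-isakmp
 match address 110
"""
# Same config with the VPN flow exempted from NAT ahead of the permit.
SAMPLE_GOOD = "access-list 101 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255\n" + SAMPLE_BAD

ACE = re.compile(r"^access-list (\d+) (permit|deny) ip (any|\S+ \S+) (any|\S+ \S+)$")

def net(spec):
    """Convert 'any' or 'address wildcard' into an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wildcard = spec.split()
    return ipaddress.ip_network(f"{addr}/{wildcard}")  # wildcard is parsed as a host mask

def parse(config):
    acls, nat_lists, crypto_lists = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        m = ACE.match(line)
        if m:
            acls.setdefault(m[1], []).append((m[2], net(m[3]), net(m[4])))
        elif line.startswith("ip nat inside source list "):
            nat_lists.append(line.split()[5])      # ACL number used by dynamic NAT
        elif line.startswith("match address "):
            crypto_lists.append(line.split()[2])   # ACL number defining VPN traffic
    return acls, nat_lists, crypto_lists

def translated_vpn_flows(config):
    """Return (nat_acl, src, dst) for each VPN flow that the NAT ACL permits."""
    acls, nat_lists, crypto_lists = parse(config)
    flows = [(s, d) for c in crypto_lists for a, s, d in acls.get(c, []) if a == "permit"]
    findings = []
    for src, dst in flows:
        for n in nat_lists:
            for nat_action, nsrc, ndst in acls.get(n, []):
                if src.subnet_of(nsrc) and dst.subnet_of(ndst):  # first matching ACE decides
                    if nat_action == "permit":
                        findings.append((n, str(src), str(dst)))
                    break
    return findings
```

An empty result means every VPN flow the script could parse is exempt from translation; entries that only partially overlap a NAT ACL entry are not evaluated and need manual review.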