9-15
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 9 Troubleshooting Device Communication and Deployment
Troubleshooting Deployment
This option can be used only on site-to-site VPNs. For remote access VPNs, you need to create an ACL
object that explicitly denies the flow containing VPN traffic and define this ACL as part of a dynamic
rule in the NAT policy. For more information, see NAT Page: Dynamic Rules, page 23-10.
Unable to Deploy ADSL or PVC Policy
Problem: Deployment fails for your ADSL or PVC policy.
Solution: Make sure that you have selected the correct ATM interface card type in the policy definition.
Security Manager cannot properly validate the policy definition without knowing the correct card type,
which can lead to deployment failures.
DHCP Traffic Not Being Transmitted
Problem: DHCP traffic is not being transmitted even after you deploy a DHCP policy to the device.
Solution: Check whether an access rule on the device blocks Bootstrap Protocol (BootP) traffic. Having
such a rule prevents DHCP traffic from being transmitted.
NAC Not Implemented on Router
Problem: Network admission control is not being implemented on the router, even though a NAC policy
was deployed to it.
Solution: Ensure that the default ACL on the router permits UDP traffic on the port defined in the NAC
policy for EAP over UDP. EAP over UDP is the protocol that NAC uses for communication between the
Cisco Trust Agent (CTA), the NAC client that provides posture credentials for the endpoint device on
which it is installed, and the network access device (NAD; in this case, the router), which relays the
posture credentials to the AAA server for validation. The default port for EAP over UDP traffic is
21862, but you can change this port as part of the NAC policy. If the default ACL blocks UDP traffic on
that port, EAP over UDP traffic is blocked as well, and NAC cannot take place.
Deployment Fails with Error Writing to Server or HTTP Response Code 500 Messages
Problem: Deployment to a Cisco IOS router fails and an “Error Writing to Server” or “Http Response
Code 500” error message occurs.
Solution: When you use SSL as the transport protocol for deploying configurations to a Cisco IOS
router, the configuration is sent in several pieces (configuration bulks). The maximum size of a
configuration bulk varies from platform to platform. If Security Manager tries to send a configuration
bulk that exceeds the SSL chunk size configured on that device, the deployment fails with an “Error
Writing to Server” or “Http Response Code 500” error message.
To resolve this, do the following:
1. On the Security Manager server, open the DCS.properties file in the \CSCOpx\MDC\athena\config
folder in the installation directory (usually C:\Program Files).
2. Locate DCS.IOS.ssl.maxChunkSize=<value of the configuration bulk>.
3. Reduce the value of the configuration bulk.
4. Restart the CiscoWorks Daemon Manager.
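The following script is an added example, not Cisco code from this guide or from Security Manager: it carries out steps 1 to 3 on a copy-safe basis, editing only the DCS.IOS.ssl.maxChunkSize line of DCS.properties (all other lines and comments are left as they are) after writing a backup, and it fails loudly if the key is missing rather than silently leaving the file unchanged. The default path assumes the installation directory named in step 1; the SAMPLE content is constructed for illustration, and restarting the CiscoWorks Daemon Manager (step 4) remains a manual step.

```python
"""Lower DCS.IOS.ssl.maxChunkSize in a Security Manager DCS.properties file."""
import re
import shutil
import sys
from pathlib import Path

KEY = "DCS.IOS.ssl.maxChunkSize"
# Assumed default install location from step 1 of the procedure.
DEFAULT_PATH = r"C:\Program Files\CSCOpx\MDC\athena\config\DCS.properties"
# Matches exactly one "KEY=<integer>" line; groups keep the original spacing.
_LINE = re.compile(r"^([ \t]*" + re.escape(KEY) + r"[ \t]*=[ \t]*)(\d+)([ \t]*)$", re.M)

# Constructed sample of the relevant part of DCS.properties (not a real file).
SAMPLE = "# transport settings\nDCS.IOS.ssl.maxChunkSize=4096\nDCS.IOS.timeout=60\n"


def reduce_chunk_size(text: str, divisor: int = 2) -> tuple:
    """Return (new_text, old_value, new_value) with the key's value divided by divisor.

    Raises ValueError if the key is absent or appears more than once, so a wrong
    file or a typo in the key never results in an unchanged deployment setting.
    """
    matches = _LINE.findall(text)
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {KEY} line, found {len(matches)}")
    old = int(matches[0][1])
    new = max(1, old // divisor)          # never write 0 or a negative size
    new_text = _LINE.sub(lambda m: f"{m.group(1)}{new}{m.group(3)}", text)
    return new_text, old, new


def main(path: str = DEFAULT_PATH, divisor: int = 2) -> None:
    prop = Path(path)
    shutil.copyfile(prop, prop.with_name(prop.name + ".bak"))  # rollback copy
    new_text, old, new = reduce_chunk_size(prop.read_text(encoding="utf-8"), divisor)
    prop.write_text(new_text, encoding="utf-8")
    print(f"{KEY}: {old} -> {new}; now restart the CiscoWorks Daemon Manager")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH)
```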
Related Topics
Chapter 58, “Managing Routers”
Deployment Failures for Catalyst Switches and Service Modules
Following are some potential problems you might encounter when deploying configurations to Catalyst
switches and Catalyst 6500/7600 service modules.