Hello, wondering if anyone else hit this issue. We just upgraded to Spectrum 10.1 and we are now seeing an issue where all our ASA configuration capture scripts are not working.
Also the host configuration tab is grayed on these devices. Anyone hit this problem and if so what did you do to fix?
Did you run the NewMM.pl after your upgrade?
This remodels the ASAs with a new model type.
I think there is no default device family for ASAs in Spectrum 10.1 and also in former versions.
Look at your Configuration Manager: Do you have a (handmade) family for your ASAs?
Add the ASAs again to this family.
Hi Frank, I will respond on Dan's behalf...
Yes, we did run the NewMM.pl script, which changed most of our ASAs from GnCiscoDev to CiscoASA.
We do have custom device families and added the ASAs back, but the host configuration tab is still grayed out.
Host Configuration tab is enabled after adding the Cisco ASA devices to custom device family.
Was the device family that you are adding the ASA devices to created before the upgrade?
Can you try creating a new device family and add the ASA devices to it and see if that solves the problem?
Please make sure to remove the ASA devices from the existing device family before adding them to the new device family.
Just noticed something strange. After removing an ASA from a custom family, if I try to re-add it, Spectrum throws the following error message - never seen this before:
So we are actually unable to add the firewall back to its original or new family.
I think one option would be to manually certify these to GnCiscoDev instead of CiscoASA and then re-run the NewMM.pl script, but there are almost 175 ASAs with various sys oids. We will most likely lose the ASA high availability feature recently added to Spectrum, but configuration capture is more important, I think.
We ended up reverting all ASA models back to GnCiscoDev from CiscoASA. Config capture is working now.
It would still be interesting to find out if we can use NCM functionality with CiscoASA models as they seem to identify ASA failover and primary/secondary units in HA pair, albeit with some glitches; standalone firewall was getting labeled as 'secondary' unit for some reason.
I think you should discuss your problems with CA support.
Maybe there is a patch needed to handle ASAs as devices. I'm afraid that by reverting back to GnCiscoDev you will miss all the new functionality for ASAs.
Just thought to update the thread with information from support case:
---SOLUTION--- Unfortunately the Cisco ASA devices have not been certified to work with the NCM. There is an enhancement already logged in the engineering backlog to get this changed, however it hasn't been allocated to a Spectrum version yet. The enhancement is number "US69073". The Cisco ASA modeltype will not have the NCM functionality. I hope you can use a different modeltype that is supported by NCM as a "workaround". As per your update I think you already changed to generic devices and it is working fine, if I am not wrong.
That does not sound valid to me. If the modeltype is not working with NCM custom families (because "the modeltype is not a device"), then it is clearly a bug, even if the modeltype is newly introduced.
I got this to work by creating my own NCM device family and using a script for startup and one for running config. Open a case with support. I uploaded both scripts to my ticket: