larger cover

Add To My Wish List

Register your product to gain access to bonus material or receive a coupon.

Cisco Network Security Troubleshooting Handbook


  • Sorry, this book is no longer in print.
Not for Sale

eBook (Watermarked)

  • Your Price: $57.59
  • List Price: $71.99
  • About Watermarked eBooks
  • This PDF will be accessible from your Account page after purchase and requires PDF reading software, such as Acrobat® Reader®.

    The eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

    Watermarked eBook FAQ

  • Description
  • Sample Content
  • Updates
  • Copyright 2006
  • Edition: 1st
  • Book
  • ISBN-10: 1-58705-189-3
  • ISBN-13: 978-1-58705-189-0
  • eBook (Watermarked)
  • ISBN-10: 1-58705-443-4
  • ISBN-13: 978-1-58705-443-3

Identify, analyze, and resolve current and potential network security problems 

  • Learn diagnostic commands, common problems and resolutions, best practices, and case studies covering a wide array of Cisco network security troubleshooting scenarios and products
  • Refer to common problems and resolutions in each chapter to identify and solve chronic issues or expedite escalation of problems to the Cisco TAC/HTTS
  • Flip directly to the techniques you need by following the modular chapter organization
  • Isolate the components of a complex network problem in sequence
  • Master the troubleshooting techniques used by TAC/HTTS security support engineers to isolate problems and resolve them on all four security domains: IDS/IPS, AAA, VPNs, and firewalls

With the myriad Cisco® security products available today, you need access to a comprehensive source of defensive troubleshooting strategies to protect your enterprise network. Cisco Network Security Troubleshooting Handbook can single-handedly help you analyze current and potential network security problems and identify viable solutions, detailing each step until you reach the best resolution.

Through its modular design, the book allows you to move between chapters and sections to find just the information you need. Chapters open with an in-depth architectural look at numerous popular Cisco security products and their packet flows, while also discussing potential third-party compatibility issues. By following the presentation of troubleshooting techniques and tips, you can observe and analyze problems through the eyes of an experienced Cisco TAC or High-Touch Technical Support (HTTS) engineer or determine how to escalate your case to a TAC/HTTS engineer.

Part I starts with a solid overview of troubleshooting tools and methodologies. In Part II, the author explains the features of Cisco ASA and Cisco PIX® version 7.0 security platforms, Firewall Services Module (FWSM), and Cisco IOS® firewalls. Part III covers troubleshooting IPsec Virtual Private Networks (IPsec VPN) on Cisco IOS routers, Cisco PIX firewalls with embedded VPN functionalities, and the Cisco 3000 Concentrator. Troubleshooting tools and techniques on the Authentication, Authorization, and Accounting (AAA) framework are discussed thoroughly on routers, Cisco PIX firewalls, and Cisco VPN 3000 concentrators in Part IV. Part IV also covers troubleshooting Cisco Secure ACS on Windows, the server-side component of the AAA framework. IDS/IPS troubleshooting on IDS/IPS appliances, IDSM-2 blade, and NM-CIDS blade on Cisco IOS routers are covered in

Part V. In Part VI, the author examines the troubleshooting techniques for VPN/Security Management Solution (VMS) tools used for managing products from all four security domains in greater detail: IDS/IPS, AAA, VPNs, and firewalls.

Cisco Network Security Troubleshooting Handbook prepares you to troubleshoot your network’s security devices and presents step-by-step procedures for tackling issues that arise, so that you can protect your network.

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Online Sample Chapter

Troubleshooting Cisco Secure ACS on Windows

Downloadable Sample Chapter

Download - 2.95 MB -- Chapter 13: Troubleshooting Cisco Secure ACS on Windows

Table of Contents

Part I  Troubleshooting Tools and Methodology

Chapter 1  Troubleshooting Methods

Proactive Actions for Handling Network Failure

Types of Failure

Problem-Solving Model

Step 1: Define the Problem

Step 2: Gather the Facts

Step 3: Consider Possible Problems

Step 4: Create an Action Plan

Step 5: Implement the Action Plan

Step 6: Observe Results

Step 7: Repeat if Necessary

Step 8: Document the Changes


Chapter 2  Understanding Troubleshooting Tools

Using Device Diagnostic Commands

show Commands

debug Commands

Test Commands

ping Command

traceroute Command

telnet Command

nslookup Command

Network Analyzers

Trivial File Transfer Protocol (TFTP) Server

FTP Server

Syslog Server

Audit and Attack Tools

Core Dump

Using TFTP

Using FTP

Using rcp

Using a Flash Disk

Additional Configuration

“Exception Memory” Command

 debug sanity Command

Testing the Core Dump Setup

Part II  Troubleshooting Cisco Secure Firewalls

Chapter 3  Troubleshooting Cisco Secure PIX Firewalls

Overview of PIX Firewall

PIX Packet Processing

File System Overview


time-range Keyword


Outbound ACL


Modular Policy Framework (MPF) Objective

Transparent Firewall

Diagnostic Commands and Tools

show Commands

show xlate [detail]

show connection [detail]

show local-host

show service-policy

show asp drop

show cpu usage

show traffic

show blocks

show output filters

show tech-support

Debug Commands

debug icmp trace

debug application_protocol

debug pix process

debug fixup tcp | udp

capture Command

Sniffer Capture



Other Tools

Problem Areas Breakdown

Licensing Issues

Password Recovery Issue

Software Upgrade and Downgrade Issues

Standard Upgrade Procedure

Upgrade using ROM Monitor Mode

Downgrade Procedure

Upgrading PIX Firewall in a Failover Setup

Connection Issues Across PIX Firewall

Configuration Steps

Troubleshooting Steps

Transparent Firewall Issues

Configuration Steps

Troubleshooting Steps

Virtual Firewall

Security Context

How the Virtual Firewall Works

Limitations of Virtual Firewall

Configuration Steps

Troubleshooting Steps

Quality of Service (QoS) Issues


Low Latency Queuing (LLQ)

Troubleshooting Steps

Performance Issues

High CPU Utilization

High Memory Utilization

Large ACL

Reverse DNS & IDENT Protocol

Case Studies

Active/Standby Model

Active/Active Model

Hardware and License Requirements

System and User Failover Group

Initialization, Configuration Synchronization/Command Replication

Configuration Examples

Asymmetrical Routing Support

Troubleshooting Steps

Common Problems and Resolutions

Best Practices

Protecting the PIX Firewall Itself

Protecting Network Resources

Chapter 4  Troubleshooting Firewall Services Module

Overview of FWSM Firewall

FWSM Architecture

Control Plane (CP)

Network Processors (NP)

Packet Flows

Diagnostic Commands and Tools

Show Commands

show Commands on the Switch

show Commands on the FWSM

Debug Commands

Sniffer on the FWSM

Syslog on the FWSM

Sniffer Capture

Analysis of Problem Areas

Licensing Issues

Hardware Issues

Firewall Module Administration Issues


Setting the Boot Device (Route Processor)

Maintenance Partition

Password Recovery Procedure

Upgrading a New Image

Upgrading Software Images

 Connection Problems

Configuration Steps

Troubleshooting Steps

AAA Issues

Virtual and Transparent Firewall

High CPU Issues

Intermittent Packet Drops Issues

Failover Issues

 Failover Operations

Configuration Steps

Troubleshooting Steps

Case Studies

Case Study 1: Multiple SVI for FWSM

Why Change the Existing Model?

Scenario One: DHCP Helper with FWSM 1.1(x)

Scenario Two: Alternate Configuration

Case Study 2: Understanding Access-List Memory Utilization

The Compilation Process: Active and Backup Trees

How Memory Is Allocated: Release 1.1(x) or 2.2(1) in Single Mode

How memory is Allocated: Release 2.2(1) in Multiple Mode

Trees and contexts: A Matter of Mapping

FWSM Release 2.3: The ACL Partition Manager

Examples of ACL Compilation

Access-lists: Best Practices

Common Problems and Resolutions

Best Practices

Chapter 5  Troubleshooting an IOS Firewall

Overview of IOS Firewall (CBAC)

Single Channel Protocol Inspection



Application Layer Protocol (TCP-based) and CBAC

Multi-Channel Protocol Inspection


Port Application Mapping (PAM) and CBAC

Denial of Service (DoS) Detection And Prevention

TCP Syn Flood and DoS Attack Launched by UDP


Real-Time Alerts and Audit Trails

Interaction of CBAC with IPsec

Transparent Cisco IOS Firewall

Diagnostic Commands and Tools

show Commands

debug commands


Packet Capture (Sniffer Traces)

Categories of Problem Areas

Selection of Software for IOS Firewall Issues

 Unable to Connect (Inbound and Outbound) across CBAC

Packet Failure to Reach the Router’s Incoming Interface

Misconfigured ACL

Misconfigured NAT and Routing

IP Inspection Applied In the Wrong Direction

UDP Inspection Is Not Configured

Return Traffic Might Not Be Coming Back to the Router

ICMP Traffic Is Not Inspected

There Is a Problem with Inspecting Single Channel Protocol

Required Multi-Channel Protocol is Not Inspected

IP URL Filtering Blocking The Connection

Redundancy or Asymmetric Routing Problems

Performance Issues

Timeouts for TCP, UDP, and DNS

Short Threshold Values for Half-open and New Connections

HTTP Inspection Dilemma

Switching Path

Large ACL

Reverse DNS and IDENT Protocols

Running Older Code

Intermittent Packet Drops

IP URL Filtering Is Not Working

Case Studies

How auth-proxy Works

Method of Authentication

Supported Platform

Configuration Steps

Troubleshooting auth-proxy

Common Problems and Resolutions

Best Practices

Basic Router Security

Anti-spoofing Configuration

Part III  Troubleshooting Virtual Private Networks

Chapter 6  Troubleshooting IPsec VPNs on IOS Routers

Overview of IPsec Protocol

Encryption and Decryption

Symmetric Algorithms

 Asymmetric Algorithms

Digital Signatures

Security Protocols

Authentication Header (AH)

Encapsulating Security Header (ESP)

Transport Mode

Tunnel Mode

Security Associations (SAs)

SA and Key Management with IKE Protocol

IKE Phase 1

Diagnostic Commands and Tools

show Commands

show Command for Phase I

show Commands for Phase II

show Commands for Interface Counters

show Command for Verifying IPsec Configuration

Commands for Tearing Down Tunnel

debug Commands

Analysis of Problem Areas

Basic LAN-to-LAN Troubleshooting

Successful LAN-to-LAN Tunnel Establishment Process

Tunnel Establishment Fails at Phase I

Tunnel Establishment Fails at Phase II

Tunnel Is Established but Unable To Pass Traffic

GRE over IPSec

Configuration Steps

Troubleshooting Steps

Public Key Infrastructure (PKI) Troubleshooting

Configuration Steps

Troubleshooting Steps

Remote Access Client VPN Connection

Configuration Steps

Troubleshooting Steps

Case Studies

DMVPN Architecture

Multipoint GRE Tunnel Interface (mGRE Interface)

Next Hop Resolution Protocol (NHRP)

Configuration Steps

 Troubleshooting DMVPN

NHRP Mapping Problem

Crypto Socket Creation Problem

Crypto VPN problem

Passing Data Across an Established Tunnel Problem

Common Problems and Resolutions

NAT With IPsec Issues

NAT in the Tunnel End Points

NAT in the Middle

Firewall and IPsec Issues

Maximum Transmission Unit (MTU) Issues

Split Tunneling Issues

Best Practices

Stateful Failover

Stateless Failover

Loss of Connection Detection Mechanism

Stateless Failover Mechanism Options

Chapter 7  Troubleshooting IPsec VPN on PIX Firewalls

Overview of IPsec Protocol

Diagnostic Commands and Tools

show Commands

debug Commands

Categorization of Problem Areas

LAN-to-LAN Troubleshooting

Configuration Steps

Troubleshooting Steps

Remote Access VPN Troubleshooting

Configuration Steps

Troubleshooting Steps

Case Studies

Common Problems and Resolutions

 NAT with IPsec Issues

NAT in the tunnel End Point

NAT Device In the Middle of Tunnel End Points

Firewall and IPsec

Maximum Transmission Unit (MTU) Issues

Split Tunneling Issues

Best Practices

Dead Peer Discovery (DPD)

Reverse Route Injection (RRI)

Stateful Failover For VPN Connections

Chapter 8  Troubleshooting IPsec VPNs on VPN 3000 Series Concentrators

Diagnostic Commands and Tools

Debug Tool

Monitoring Tool

Administer Sessions

Configuration Files

LED Indicators

Crash Dump File

VPN Client Log

Analysis of Problem Areas

LAN-to-LAN Tunnel Issues

Configuration Steps

Troubleshooting Steps

Remote Access VPN Connection

 Configuration Steps

Troubleshooting Steps

Digital Certificate Issues

Digital Certificate on the VPN Client

Digital Certificate on the VPN Concentrator

Case Studies

Clientless SSL VPN

Configuration Steps for Basic SSL VPN Connection

Troubleshooting Steps for Basic SSL VPN Connection

Configuration Steps for Web Server Access

Troubleshooting Steps For Web Server Access

Configuration Steps for CIFS Access

Troubleshooting Steps for CIFS Access

Thin Client

Configuration Steps for Port Forwarding

Java Applet Debugging

Troubleshooting Steps for Port Forwarding

Configuration Steps for MAPI Proxy

Troubleshooting Steps for MAPI Proxy

Configuration Steps for E-mail Proxy

Troubleshooting Steps for E-mail Proxy

Thick Client (SSL VPN Client)

Configuration Steps for SSL VPN Client

Troubleshooting Steps for SSL VPN Client (SVC)

Common Problems and Resolutions

Best Practices

Redundancy Using VRRP

Redundancy and Load Sharing Using Clustering

Redundancy Using IPsec Backup Servers

Part IV  Troubleshooting Network Access Control

Chapter 9  Troubleshooting AAA on IOS Routers

Overview of Authentication, Authorization, and Accounting (AAA)

AAA Architecture

AAA Communication Protocols



Difference between RADIUS and TACACS+

Diagnostic Commands and Tools

show Commands

debug Commands

   Analysis of Problem Areas

Router Management Troubleshooting

Login Authentication

Configuration Steps

Troubleshooting Steps

Enable Password Authentication

Exec Authorization

Command Authorization


Dialup Networking Troubleshooting

Authentication and Authorization for Dialup Networking

Accounting for Dialup Networking

X-Auth Troubleshooting for IPsec

Auth-proxy Troubleshooting

Case Studies

Router Configuration

LAC Configuration

RADIUS Server Configuration

LAC RADIUS Configuration

LNS RADIUS Configuration

Troubleshooting Steps

LAC Router Troubleshooting

LNS Router Troubleshooting

Common Problems and Resolutions

Best Practices

Chapter 10  Troubleshooting AAA on PIX Firewalls and FWSM

Overview of Authentication, Authorization, and Accounting (AAA)



Authorization for an Administrative Session

Authorization for VPN Connection (X-Auth)


Diagnostic Commands and Tools

show commands

debug Commands


Other Useful Tools

Problem Areas Analysis

Firewall Management with AAA Troubleshooting

Login Authentication Issues

Enable Authentication

Command Authorization

Troubleshooting Steps


Cut-Through Proxy Authentication

Authentication for Cut-Through Proxy

Troubleshooting Cut-Through Proxy Authentication

Authorization for Cut-Through Proxy

Accounting for Cut-Through Proxy

Extended Authentication (X-Auth) Issues for Remote Access
VPN Connection

Configuration Steps

Troubleshooting Techniques

Case Studies

Case Study 1: AAA Exemption

Case Study 2: Virtual Telnet

Configuring Virtual Telnet

Troubleshooting Virtual Telnet

Case Study 3: Virtual HTTP

Common Problems and Resolutions

Best Practices

Chapter 11  Troubleshooting AAA on the Switches

Overview of AAA

Switch Management

Identity-Based Network Services (IBNSs)

IEEE 802.1x Framework

Extensible Authentication Protocol (EAP)

RADIUS IN 802.1x

What Is Authenticated

Machine Authentication



Extension of IEEE 802.1x Standard by Cisco IBNS Initiative

Diagnostic Commands and Tools

Switch Management

 Identity-Based Network Services (IBNSs)

Categorization of Problem Areas

Switch Management Troubleshooting

Login Authentication

Enable Password Authentication



 Identity-Based Network Services (IBNSs)

Configuration Steps


Troubleshooting Steps

Case Studies

Configuring Automatic Client Enrollment on AD and Installing
a Machine Certificate on a Windows Client

Generating and Installing the CA Root Certificate
  on the ACS Server

Generating and Installing an ACS Server Certificate
  on the ACS Server

Common Problems and Resolutions

Best Practices

For Switch Management

For Identity-Based Network Services (IBNSs)

Chapter 12  Troubleshooting AAA on VPN 3000 Series Concentrator

AAA Implementation on the Concentrator

VPN Concentrator Management

Tunnel Group and User Authentication

Diagnostic Commands and Tools

Analysis of Problem Areas

VPN Concentrator Management Troubleshooting

Configuration Steps

Group/User Authentication (X-Auth) Troubleshooting

Both Group and User Authentication Are Performed Locally
on the VPN 3000 Concentrator

Group Authentication Is Done Locally and No User Authentication Is Done

Group Authentication Is Done Locally on VPN 3000 Concentrator and User Authentication Is Done with RADIUS Server

Group Authentication Is Done with a RADIUS Server and
User Authentication Is Done Locally

Both Group and User Authentications Are
Performed with the RADIUS Server

User Is Locked to a Specific Group

Dynamic Filters on the VPN 3000 Concentrator

Configuration of Dynamic Filters on CiscoSecure ACS

Troubleshooting Steps

Case Studies

VPN 3000 Concentrator Configuration

Group Configuration on the VPN 3000 Concentrator

Defining the CS ACS RADIUS Server on VPN 3000 Concentrator

CS ACS Windows Configuration

AAA Client Definition for VPN 3000 Concentrator

Configuring the Unknown User Policy for Windows NT/2000
  Domain Authentication

Testing the NT/RADIUS Password Expiration Feature

Common Problems and Resolutions

Best Practices

Chapter 13  Troubleshooting Cisco Secure ACS on Windows

Overview of CS ACS

CS ACS Architecture

The Life of an AAA Packet in CS ACS

Diagnostic Commands and Tools

Reports and Activity (Real-time Troubleshooting)

Radtest and Tactest File

Categorization of Problem Areas

Installation and Upgrade Issues

CS ACS on Windows Platform

CS ACS with Active Directory Integration

Configuration Steps

Troubleshooting Steps

CS ACS with Novell NDS Integration

Configuration Steps

Troubleshooting Steps

CS ACS with ACE Server (Secure ID [SDI]) Integration

Installation and Configuration Steps

Troubleshooting Steps

Replication Issues


Troubleshooting Steps

Network Access Restrictions (NARs) Issues

Configuration Steps

Troubleshooting Steps

Downloadable ACL Issues

Downloading ACL per User Basis Using Filter-id

Using Cisco AV-Pair

Using Shared Profile Components

Troubleshooting Steps

Case Studies

Back Up and Restore the CS ACS Database

Creating a Dump Text File

User/NAS Import Options

Import User Information

Import NAS Information

Compact User Database

Export User and Group Information

Common Problems and Resolutions

Best Practices

Part V  Troubleshooting Intrusion Prevention Systems

Chapter 14  Troubleshooting Cisco Intrusion Prevention System

Overview of IPS Sensor Software

IPS Deployment Architecture

IPS Software Building Blocks




Communication Protocols

Modes of Sensor Operation

Inline Mode

Inline Bypass Mode

Promiscuous Mode

Combined Modes

Hardware and Interfaces Supported

Diagnostic Commands and Tools

show Commands

show version

show configuration

show events

show statistics service

show interfaces

show tech-support

cidDump Script

tcpdump command


packet Command

Classification of Problem Areas

Initial Setup Issues

User Management Issues

Creation and Modification of User Profiles

Creating the Service Account

Software Installation and Upgrade Issues

Obtaining Sensor Software

IPS Software Image Naming Conventions

Installing or Re-imaging the IPS Appliances System Image

Disaster Recovery Plan

Upgrading Major/Minor Software or Service Pack/Signature Update

Upgrading to IPS 5.0

Licensing Issues

How Do I Know if I have A Valid License?

How to Procure The License Key From

Licensing the Sensor

Communication Issues

Basic Connectivity Issues

Connectivity Issues Between IPS Sensor and IPS MC or IDM

Connectivity Issues Between IPS Sensor and Security Monitor

Issues with Receiving Events on Monitoring Device

SensorApp Is Not Running

Physical Connectivity, SPAN, or VACL Port Issues

Unable to See Alerts

Blocking Issues

Types of Blocking

ACL or VACL Consideration on the Managed Devices

Supported Managed Devices and Versions

Proper Planning for Blocking

Master Blocking Sensor (MBS)

Configuration Steps for Blocking

Configuring Steps for the Master Blocking Sensor (MBS)

Troubleshooting Steps for Blocking

TCP Reset Issues

Inline IPS Issues

Configuration Steps

Troubleshooting Steps

Case Studies

Capturing IPS Traffic with a Hub

Capturing IPS Traffic with SPAN

SPAN Terminology

SPAN Traffic Types

SPAN on Catalyst 2900/3500XL

SPAN on Catalyst 2950, 3550 and 3750

SPAN on Catalyst 4000/6000 with Cat OS

SPAN on Catalyst 4000/6000 with Native IOS

Capturing IPS Traffic with Remote SPAN (RSPAN)

Hardware Requirements

Configuration Steps

Capturing IPS Traffic with VACL

Capturing IPS Traffic with RSPAN and VACL

Capturing IPS Traffic with MLS IP IDS

Common Problems and Their Resolution

Best Practices

Preventive Maintenance

Creation of Service Account

Back up a Good Configuration

Recommendation on Connecting Sensor to the Network

Recommendation on Connecting the Sniffing Interface
þþof the Sensor to the Network

Rating IPS Sensor

Recommendation on Connecting Command and Control Interface

Recommendation on Settings of Signature on Sensor

Recommendation on Inline-Mode Deployment

Chapter 15  Troubleshooting IDSM-2 Blade on Switch

Overview of IDSM-2 Blade on the Switch

Software and Hardware Requirements

Slot Assignment on the Switch

Front Panel Indicator Lights and How to Use Them

Installing the IDSM-2 Blade on the Switch

Removing the IDSM-2 Blade from the Switch

Ports Supported on IDSM-2 Blade

Diagnostic Commands and Tools

show Commands in Both Modes

show Commands in CatOS

show Commands in Native IOS

Common Problems and Resolutions

Hardware Issues

IDSM-2 Hardware Issues on Native IOS

IDSM-2 HW Issue on CatOS

Communication Issues with IDSM-2 Command and Control Port

Configuration Steps

Troubleshooting Steps

Failing to Get Traffic from the Switch with Promiscuous Mode

Configuration Steps

Troubleshooting Steps

Issues with Inline Mode

Not Generating Events Issues

TCP Reset Issues

Case Study

How to Re-image the IDSM-2 with System Image

How to Upgrade the Maintenance Partition

How to Upgrade the Signature/Service Packs/Minor/Major
Software Upgrade

How to Upgrade the IDSM-2 Blade from IDSM 4.x to 5.x

Common Problems and Resolutions

Best Practices

Chapter 16  Troubleshooting Cisco IDS Network Module (NM-CIDS)

Overview of NM-CIDS on the Router

Software and Hardware Requirements

Front Panel Indicator Lights and How to Use Them

Slot Assignment on the Router

Installing NM-CIDS Blade on the Router

Removing NM-CIDS Blade from the Router

Ports Supported on NM-CIDS

Diagnostic Commands and Tools

Common Problems and Resolutions

Hardware Issues

 NM-CIDS Console Access Issues

Assigning IP Address to the IDS-Sensor Interface on the Router

Connecting to NM-CIDS

Disconnecting from NM-CIDS

Troubleshooting Console Access Issues

Communication Issues with NM-CIDS Command and Control Port

Issues with Not Receiving Traffic from the Router
Using the Sniffing Port

Configuration Steps

Troubleshooting Steps

Managing NM-CIDS from an IOS Router

Software Installation and Upgrade Issues

Case Studies

CEF Forwarding Path

IPS Insertion Points

Network Address Translation (NAT)


Access List Check

IP Multicast, UDP Flooding, IP Broadcast

Generic Routing Encapsulation (GRE) Tunnels

Address Resolution Protocol (ARP) Packets

Packets Dropped by the IOS

Forwarding the Packets to the IDS at a Rate Higher
Than the Internal Interface Can Handle

Common Problems and Resolutions

Re-imaging the NM-CIDS Application Partition

Performing the Re-image of Application Partition

Troubleshooting Steps

Configuring Time on the NM-CIDS

Default Behavior for Time Setting on NM-CIDS

Using Network Time Protocol (NTP) Server

Best Practices

Chapter 17  Troubleshooting CiscoWorks Common Services

Overview of CiscoWorks Common Services

Communication Architecture

User Management on CiscoWorks Common Services

Diagnostic Commands and Tools

How to Collect mdcsupport on a Windows Platform

Categorization and Explanation of MDCSupport-Created Log Files

Categorization of Problem Areas

Licensing Issues

Registration for CiscoWorks Common Services

Installing/Upgrading the License Key for CiscoWorks Common Services

Registration for the Management Center for Cisco
Security Agents (CSA MC)

Installing the License Key for the Management Center for
þþCisco Security Agents (CSA MC)

Common Licensing Issues and Work-Arounds

Installation Issues

Installation Steps

Troubleshooting Installation Problems

User Management Issues

Database Management Issues

CiscoWorks Common Services Backup

CiscoWorks Common Services Restore

Case Studies

Common Problems and Resolutions

Best Practices

Chapter 18  Troubleshooting IDM and IDS/IPS Management Console (IDS/IPS MC)

Overview of IDM and IDS/IPS Management
Console (IDS/IPS MC)

IDS/IPS MC and Security Monitor Processes

Communication Architecture

Diagnostic Commands and Tools

Audit Reports

MDCSupport File

How to Collect MDCSupport on a Windows Platform

What to Look for and What Is Important in the MDCSupport File

Enable Additional Debugging on IDS/IPS MC

Analysis of Problem Areas

Important Procedures and Techniques

Verifying Allowed Hosts on the Sensor

Adding Allowed Hosts on the Sensor

Verifying the SSH and SSL Connection Between IDS/IPS MC and
þþa Sensor

Resolving SSH and SSL Connection Problems Between IDS/IPS MC and
þþa Sensor

Verifying If the Sensor Processes Are Running

Verifying That the Service Pack or Signature Level Sensor Is Running

Verifying the Service Pack or Signature Level on IDS/IPS MC

Verifying That the IDS/IPS MC (Apache) Certificate Is Valid

Regenerating IDS/IPS MC (Apache) Certificate

Resolving Issues with the IDS/IPS Sensor Being Unable to Get
þþthe Certificate

Changing the VMS Server IP Address

Manually Updating the Signature Level on the Sensor

Unable to Access the Sensor Using IDM

IDS/IPS MC Installation and Upgrade Issues

IDS/IPS MC Licensing Issues

Corrupted License

Determining If a License Is Expired

Importing Sensor Issues with IDS/IPS MC

Configuration Steps

Troubleshooting Steps

Signature or Service Pack Upgrade Issues with IDS/IPS MC

Upgrade Procedure

Troubleshooting Steps

Configuration Deployment Issues with IDS/IPS MC

Configuration Steps

Troubleshooting Steps

Database Maintenance (Pruning) Issues

Case Study

Launch the Attack and Blocking

Troubleshooting Steps

Common Problems and Resolutions

Best Practices

Chapter 19  Troubleshooting Firewall MC

Overview of Firewall MC

Firewall MC Processes

Communication Architecture

Diagnostic Commands and Tools

Collecting the Debug Information (Diagnostics)

Using GUI

Using CLI

What Does the CiscoWorks MDCSupport Utility Generate?

Other Useful Log Files Not Collected by mdcsupport

Analysis of Problem Areas

Installation Issues

Installation Verifications

Installation Troubleshooting

Initialization Issues

Browser Issues

Authentication Issues

Firewall MC Authenticated by the Firewall During Configuration
þþImport and Deployment

Firewall MC Authenticated by the Auto Update Server During
þþConfiguration Deployment

Firewalls Authenticated by the Auto Update Server During Configuration or
þþImage Pulling

Activity and Job Management Issues

Unlocking of an Activity

Stopping a Job from Being Deployed

Device Import Issues

Configuration Generation and Deployment Issues

Firewall MC is Unable To Push the Configuration to the AUS

Getting “Incomplete Auto Update Server contact info.” Message when
þþPushing The Configuration to AUS

Memory Issues with Firewall Services Module (FWSM) during þþDeployment

Database Management Issues

Backing up and Restoring Databases

Scheduling Checkpoint Events for the Database

Compacting a Database for Performance Improvement

Disaster Recovery Plan

Common Problems and Resolutions

Best Practices

Chapter 20  Troubleshooting Router MC

Overview of Router MC

Router MC Processes

Communication Architecture

Features Introduced on Different Versions of Router MC

Diagnostic Commands and Tools

Setting the Logging Level

Collecting the Debug Information (Diagnostics)

Using a Graphic User Interface

Using a Command Line Interface

Collecting the Router MC Database

Using the Log Files


Analysis of Problem Areas

Installation and Upgrade Issues

Initialization Issues

Browser Issues

           Authentication Issues

Authentication Issues with the Router MC

Authentication Issues with the Managed Device Using SSH

Activity and Job Management Issues

Device Import Issues

Configuration Generation and Deployment Issues

Database Management Issues

Backing up and Restoring Database

Troubleshooting Router MC Backup/Restore Operations

Case Study

Understanding User Permissions

CiscoWorks Server Roles and Router MC Permissions

ACS Roles and Router MC Permissions

Setting up Router MC to Work with ACS

Step 1: Define the Router MC Server in ACS

Step 2: Define the Login Module in CiscoWorks as TACACS+

Step 3: Synchronize CiscoWorks Common Services with the
þþACS Server Configuration

Step 4: Define Usernames, Device Groups, And User Groups in ACS

Best Practices

Chapter 21  Troubleshooting Cisco Security Agent Management Console (CSA MC)
and CSA Agent

Overview of CSA MC and Agent

Management Model for CSAgent

CSA MC Directory Structure

Communication Architecture

How Cisco Security Agents Protect Against Attacks

Diagnostic Commands and Tools


Windows System Information

Server Selftest Information

CSA MC Log Directory

CSA Agent Log

CSA Agent Log Directory

Turning on Debug Mode

Details Log—csainfo.log file

Logs for Blue Screen

Rtrformat Utility

Additional Logs Controlled by the file

Categorization of Problem Areas

Installation and Upgrade Issues

New Installation Issues with CSA MC

New Installation Issues with CSAgent

Upgrade Issues with CSA MC

CSAgent Update Issues

Licensing Issues

How to Procure the License

How to Import the License

Determining the Number of Desktop/Server Licenses That Are in Use

Troubleshooting Licensing Issues

CSA MC Launching Issues

CSA MC Not Launching

CSA MC Is Launching, but Slowly

CSAgent Communication, Registration, and
þþPolling Issues with CSA MC

Application Issues with CSAgent

How to Create Exceptions

How to Disable Individual CSAgent Shims

Disabling csauser.dll

Creating Buffer Overflow Exclusions

Troubleshooting Steps

Report Generation Issues

Profiler Issues

Database Maintenance Issues

Disaster Recovery Plan (DRP) for CSA MC

Purging Events from the Database

Compacting the Database

Checking and Repairing the CSA MC MSDE Database

Common Problems and Resolutions

Best Practices

Recommendation on Installation

Test Mode

Disaster Recovery for CSA

Chapter 22  Troubleshooting IEV and Security Monitors

Overview of IEV and Security Monitor

Communication Architecture

How Does It Work?

RDEP/SDEE Collector Management

XML Parsing

Alert Inserter

IDS/IPS MC and Security Monitor Processes

User Management for Security Monitor

Diagnostic Commands and Tools

Categorization of Problem Areas

Installation Issues

Issues with Launching

DNS Issues

Issues with Enabling SSL

Getting Internal Server Error While Opening Security Monitor

Security Monitor Takes a Long Time to Launch

Page Cannot Be Found Error While Trying to Launch Security Monitor

IDS/IPS MC Launches But Security Monitor Does Not

Security Monitor Behaves Strangely

Licensing Issues

Device Management Issues

Importing IDS Sensors from IDS/IPS MC

Adding Other Devices

IEV and Security Monitor Connect with Sensor

Notification Issues

Event Viewer Issues

Launching the Event Viewer

Using the Event Viewer

Generating Events for Test

Troubleshooting Steps

Report Generation Issues

Report Generation Fails

Report Fails to Complete

Database Maintenance Issues

Proactive Measures Immediately After Installing the Security Monitor

Reactive Measures During Run Time

Case Study

Configuration Steps

Troubleshoot E-mail Notification

Common Problems and Resolutions

Best Practices


Download - 137 KB -- Index

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive:

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020