Cisco Firewall Running vs Startup comparisons

All

We've run into a odd situation involving running vs startup config comparisons for Cisco firewalls. When we do a config comparison we see that on some lines the entry for the startup config shows up two lines down. by the I mean that in the running config the entry might show up on line 40 but in the startup config it shows up on line 42. I can't see any particular pattern to this but in every firewall config comparison we are getting any where fro 10 to 15 entries like this and these show up in the "Overall Running vs. Startup Config Conflicts" chart for NCM. We do not see the same issue with Cisco Routers or Switches. These are all newer Cisco firewalls not the old PIX firewalls. The configs are actually correct just showing as different. Unless we can fix this we're going to have to stop monitoring firewall configs. From my perspective this is not a comparison criteria issue since that is really just a method to ignore lines. Any one have any ideas?

Find more posts tagged with

comparisons

config

firewall

fsm12345

Accepted answers

andy_h

Jeff,

Try changing the Device connection template from Auto Determine, to the specific template that should be used for that device (Cisco ASA for example if this is an ASA device). If you are noticing blank lines being marked as added or removed while comparing running and startups, this might be due to the way in which NCM is downloading the configs via either SSH or Telnet.

Alternatively you could try switching the device to try and download the configs using TFTP. It would bypass the issue entirely, if this is the issue I think it is.

All comments

freid.42

Have you tried anything yet?

I do not see this behavior with our ASA's

andy_h

Jeff,

Alternatively you could try switching the device to try and download the configs using TFTP. It would bypass the issue entirely, if this is the issue I think it is.