
Crypto Comparison Criteria working on some, not on others

Just got NCM up and running, (yay). Having a lot of fun with it, so far pretty easy to use and makes sense. I've run into a problem where some of my devices are ignoring Crypto for change management as they should, while others are not. Some are the same device, same ios etc. Here's the rule (default from NCM):

Ignoring crypto lines

^[ \t\r\n\v\f]*crypto.*certificate

I thought that meant ignore lines that start with crypto and certificate. Here's the output of one of the failed configs:

058
 certificate self-signed 01                                                                                                 
058
   certificate self-signed 01 nvram:IOS-Self-Sig#1.cer  

Not sure why, but it brings those up as changed even though they both start with certificate. It's happened on 2800's, 3560's running base. So no real common ground on the device.

  • I believe the above pattern will only match lines that contain both "crypto" and "certificate".

    Try adding this pattern below to ignore the certificate.

    ^[ \t\r\n\v\f]*certificate[ \t\r\n\v\f]*self-signed

    Zak Kahl

    Loop1 Systems

    http://www.loop1systems.co

  • Went ahead and added it, I also put the same pattern in without the ^ because of a previous post I found that said it was causing problems. I'll have to see tonight if it worked.

    I am almost tempted to do a ^crypto as one pattern and a ^certificate as another. The only two lines I see are crypto pki on my devices. Bill Corgey was able to help me set up a ^! to get rid of all the comments comparison. Thinking that may work the same.

    In case anyone's following this and is as green as I am, here's a link to the expression lists:

    http://www.solarwinds.com/NetPerfMon/SolarWinds/wwhelp/wwhimpl/js/html/wwhelp.htm#href=OrionNCMPHCompCrit.htm

  • Got to talk with Bill Corgey at SolarWinds NCM.

    Here's what he found:

    1. The ^ needs to be removed from the regex line.

    2. Quit is the key word, in addition to certificate and self-signed

    So you need:

    (because I have such an awesome network with so many really cool devices dating back to the 1800's... *insertsarcasmhere* I had to run it both with the ^ and without, so I have a crypto line 1 and 2 rule for compliance that covers both systems that recognize and don't recognize it. You'll have to play around in your environment and see which works for you.)

    [ \t\r\n\v\f]*certificate[ \t\r\n\v\f]*self-signed

    ^[ \t\r\n\v\f]*certificate[ \t\r\n\v\f]*self-signed

    To ignore the start certificate/self-signed

    and

    ^[ \t\r\n\v\f]*quit[ \t\r\n\v\f]*

    [ \t\r\n\v\f]*quit[ \t\r\n\v\f]*

    to ignore the word quit at the end.
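
The patterns from this thread, checked offline as an added example (not part of the original posts and not SolarWinds code). It assumes a line is ignored when a pattern matches anywhere in it, using Python's `re` as a stand-in for NCM's engine; the sample configs are constructed apart from the two `certificate self-signed` lines quoted in the first post.

```python
import re

# Patterns quoted in the thread: the default NCM rule, then the suggested additions.
DEFAULT = r"^[ \t\r\n\v\f]*crypto.*certificate"
CERT = r"^[ \t\r\n\v\f]*certificate[ \t\r\n\v\f]*self-signed"
QUIT_ANCHORED = r"^[ \t\r\n\v\f]*quit[ \t\r\n\v\f]*"
QUIT_UNANCHORED = r"[ \t\r\n\v\f]*quit[ \t\r\n\v\f]*"

# Constructed sample configs. The two "certificate self-signed" lines are the
# ones from the first post; every other line is made up for this example.
OLD = [
    "crypto pki certificate chain TP-self-signed-EXAMPLE",
    " certificate self-signed 01",
    "  quit",
    "interface Vlan10",
]
NEW = [
    "crypto pki certificate chain TP-self-signed-EXAMPLE",
    " certificate self-signed 01 nvram:IOS-Self-Sig#1.cer",
    "  quit",
    "interface Vlan10",
    " description quito-branch uplink",  # a genuine change
]

def ignored(line, patterns):
    # Assumption: a line is dropped from the comparison when any pattern
    # matches anywhere in it (search semantics).
    return any(re.search(p, line) for p in patterns)

def remaining_changes(old, new, patterns):
    """Lines still reported as changed after the ignore list is applied."""
    old_kept = [l for l in old if not ignored(l, patterns)]
    new_kept = [l for l in new if not ignored(l, patterns)]
    removed = [l for l in old_kept if l not in new_kept]
    added = [l for l in new_kept if l not in old_kept]
    return removed + added

if __name__ == "__main__":
    for name, pats in [
        ("default only", [DEFAULT]),
        ("default + cert + ^quit", [DEFAULT, CERT, QUIT_ANCHORED]),
        ("default + cert + quit (no ^)", [DEFAULT, CERT, QUIT_UNANCHORED]),
    ]:
        print(name, "->", remaining_changes(OLD, NEW, pats))
```

Under these assumptions the default rule leaves both certificate lines flagged, and the unanchored `quit` pattern also hides the description change because `quito` contains `quit`. After adding an unanchored ignore rule, check what else it suppresses.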