
Running vs Startup Config - "certificate self-signed" in Running but not in Startup Config

I noticed a high percentage of out of sync running vs startup configs for my Cisco equipment.  Upon further investigation I see that it is because the self-signed certificates do not show up in startup config as they do in running config.  We use self-signed certificates for SSH encryption.  Is there any way NCM can be configured to ignore the certs, as far as the running vs startup config reports?

  • I have messed around with this a bunch and at this point I can't remember which of the following regexes works, because I left them all enabled. But I no longer have the problem... maybe try them one by one until you get it working.

    ^[^\w]+\bquit\b[\t\r\n\v\f]*
    ^[ \t\r\n\v\f]*certificate[ \t\r\n\v\f]*self-signed
    ^[ \t\r\n\v\f]*[A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9]
    ^[ \t\r\n\v\f]*crypto.*certificate
    ^[ \t\r\n\v\f]*certificate[ \t\r\n\v\f]*ca


    Also, I changed from using SSH as the config download method to using SCP. This causes less certificate information to be transferred--this may have been the key change; I don't remember for sure at this point.

  • @jasadell: the one in the config compare :P

    @iswan: all but the last regex entry are already included in Orion

    I found another solution, I am downloading all running configs just before the config compare and in the config compare I compare "last downloaded config with last running config"

  • Based on my experience and how Cisco has altered their startup vs running configs, currently there is no known way (That is assuming if you are talking about the certs on ISR Routers). I noticed this some time ago after an IOS Upgrade; the startup config just references the location in NVRAM whereas the running shows the config as the hex data. I opened a case with Solarwinds Support, but so far have not gotten anything back of use. Apparently the issue is with the difference in the lines of configuration because of missing hex data in the startup config.

    Has anyone managed to make this work with startup+running config download on routers? I have tried, literally, all possible REGEX combinations (we have a Unix guy who loves regexp!) to try and have NCM ignore the difference, so far no luck!

    If any of the dev folks are reading this post, it is a hot ticket item for us as the dashboard would continue to report false positives and this is an issue with trying to integrate NCM with our CMDB tool.

  • yeah.. even the "workaround" does not seem to work :-\

  • It's been a while since I implemented this solution, so I don't remember whether it was one or all of these exclusions.  What I can tell you is that it has been working for a long time now:

    Ignoring hex data
    ^[ \t\r\n\v\f]*[A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9]

    Ignoring Certificate
    ^[ \t\r\n\v\f]*certificate[ \t\r\n\v\f]*self-signed

    Ignoring quit word line
    ^[^\w]+\bquit\b[\t\r\n\v\f]*

    If you try this and it still doesn't work, run a manual comparison and post what it finds as different.  Maybe we can help you from there.

    JD

  • That did it!

    Hmm I thought I had the exact same strings, but looking at it now, I think I was missing one of the [] in the first compare regexp.

    Thanks JD.

  • I use

    ^[ \t\r\n\v\f]*[A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9]

    to ignore hex data which does not seem to work...

    it detects the whole certificate as a change as the running shows the certificate and the startup only shows that it is stored in nvram

  • hmm, I ended up using all three exclusion statements. Try them all together; see if that makes a difference. (If not, do as JD said... post the compare output on where NCM is messing up.)
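As an added illustration (not code from the thread, from NCM or from Cisco), here is a small Python script that applies JD's three exclusions line by line to a constructed running/startup pair and diffs what is left, so you can see exactly which lines the exclusions drop and confirm that a genuine change still shows up afterwards. The hostname, trustpoint name and hex are made up; the startup line pointing at nvram: is modelled on the description earlier in this thread.

```python
import re
from difflib import unified_diff

# The three per-line exclusions from JD's post, copied verbatim.
EXCLUSIONS = [re.compile(p) for p in (
    r"^[ \t\r\n\v\f]*[A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9]"
    r"[A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9][A-Fa-f0-9]",           # hex dump lines
    r"^[ \t\r\n\v\f]*certificate[ \t\r\n\v\f]*self-signed",    # cert header line
    r"^[^\w]+\bquit\b[\t\r\n\v\f]*",                            # indented 'quit'
)]

# Constructed sample: the running config carries the self-signed cert as hex,
# the startup config only points at the copy in NVRAM (as described above).
RUNNING = """\
hostname EDGE-RTR
crypto pki certificate chain TP-self-signed-1234567890
 certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  1F312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 31323334
  quit
line vty 0 4
 transport input ssh
"""
STARTUP = """\
hostname EDGE-RTR
crypto pki certificate chain TP-self-signed-1234567890
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
line vty 0 4
 transport input ssh
"""

def filter_config(text, exclusions=EXCLUSIONS):
    """Drop every line matching an exclusion (patterns are anchored at line start)."""
    return [ln for ln in text.splitlines()
            if not any(rx.match(ln) for rx in exclusions)]

def config_diff(running, startup, exclusions=EXCLUSIONS):
    """Unified diff of the filtered configs; an empty list means 'in sync'."""
    return list(unified_diff(filter_config(startup, exclusions),
                             filter_config(running, exclusions),
                             fromfile="startup", tofile="running",
                             lineterm="", n=0))

if __name__ == "__main__":
    print("without exclusions:", len(config_diff(RUNNING, STARTUP, [])), "diff lines")
    print("with exclusions:   ", len(config_diff(RUNNING, STARTUP)), "diff lines")
    # A real change (telnet instead of ssh) still shows up after filtering.
    drifted = STARTUP.replace("transport input ssh", "transport input telnet")
    print("\n".join(config_diff(RUNNING, drifted)))
```

Note that the hex exclusion drops any line that begins with eight hex characters, not only certificate data, so it is worth checking what it removes on your own configs before trusting the compare result.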