Category: WAAS

WAAS Failed to Fetch Encryption Key from Central Manager

Posted on by J P

Problem: Devices are unable to access the secure store.

#########

2012 Jan 24 10:39:23 WAV01 java: %WAAS-CMS-4-700001: CESecureStoreFacade(main): Failed to retrieve key from key manager.Can’t retrieve key from CM
2012 Jan 24 10:39:23 WAV01 ss_init: %WAAS-CMS-2-700001 Failed to fetch encryption key from Central Manager to open secure store, try 163
2012 Jan 24 10:39:43 WAV01 java: %WAAS-CMS-4-700001: ce(DataFeedPoll): Error processing configuration updates: SecureStoreNotReadyException@com.cisco.unicorn.director.DataFeedAgent.encryptData (DataFeedAge
nt.java:3616) UserConfig_14729:Secure store is initialized but not open. Please open secure store. Failed to encrypt data . Rejecting updates from CM.
2012 Jan 24 10:39:54 WAV01 java: %WAAS-CMS-4-700001: CESecureStoreFacade(main): Failed to retrieve key from key manager.Can’t retrieve key from CM
2012 Jan 24 10:39:54 WAV01 ss_init: %WAAS-CMS-2-700001 Failed to fetch encryption key from Central Manager to open secure store, try 164

#########

This error will show up in the GUI of your central manager as well.

Solution: There are two ways to fix this.

1.(Preferred) Reset the crypto keys and re-initialize the secure store on the device with the error message. The warnings you will get will differ than what I have listed below. You will want to type ‘yes’ to all responses. If the secure store doesn’t initialize, try again. I had a few warnings that I had entered the commands to quickly (seriously.)

#########

WAV01#crypto pki managed-store initialize
Managed store key is set successfully, no need to re-init. Are you sure you want to continue(yes/no)? [no]:yes
All certificate/private keys in SSL managed store will be deleted and optimized SSL traffic will be interrupted. Are you sure you want to continue(yes/no)? [no]:yes

WAV01#cms secure-store init

#########

2. This solution should be tried at your own risk. This is the nuke option. You will need to de-register and then re-register the device with the central manger. This should only be done as a last resort.

####WARNING!#####

WAV01#cms deregister

WAV01#config t
WAV01(config)#cms enable

####WARNING!#####

This is like registering the device as brand new. Any location information will be lost, etc.

 

Verification: Verify the accelerator and the secure store.

#########

WAV01#sh accelerator
Accelerator     Licensed        Config State    Operational State
———–     ——–        ————    —————–
cifs            Yes             Enabled         Running
epm             Yes             Enabled         Running
http            Yes             Enabled         Running
mapi            Yes             Enabled         Running
nfs             Yes             Enabled         Running
ssl             Yes             Enabled         Running
video           No              Enabled         Shutdown

WAV01#sh cms secure-store
Secure-store is initialized and open.

 

WAAS BVI Configuration

Posted on by J P

How to implement BVI on a WAAS device to support the virtual machine features. This is what I came up with for a remote device that is in production. This limits the impact to operations.

WARNING: This is not an inline configuration – I am using WCCP. Do not use this config on an inline configuration.

  • Log into the device using telnet –
  • Run the following command (Put the device name in place of Nameofdevice) –

copy startup-config ftp SERVER-IP Nameofdevice

  • Browse to the directory of the FTP server
  • Open the file and replace the following code –

primary-interface GigabitEthernet 1/0
!
interface GigabitEthernet 1/0
ip address ##IP Address of copied device## ##Subnet Address##
exit
!

  • Put in place (Make Sure to copy the IP Address over!!!)–
  • NOTE: If you are using radius, make sure to copy the radius password into the config. Otherwise you will notice that when you upload the new change, it will not be applied.

primary-interface BVI 1
!
bridge 1 protocol ieee
!
interface BVI 1
ip address ##IP address of copied device## ##Subnet Address##
exit
!
interface GigabitEthernet 1/0
bridge-group 1
exit
!

  • Go back to the telnet session –

copy ftp disk SERVER-IP / Nameofdevice Nameofdevice

Some notes on this command – The “/” stands for the root directory
The first name stands for the remote file name
The second name is what you want it called on the upload

copy disk startup-config Nameofdevice

  • Reboot the device –

reload
Proceed with reload?[confirm]
Proceed with clean WCCP shutdown?[confirm]
Existing connections =    72 Press ^C to skip waiting for clean WCCP shutdown

Note – Let the system reboot on its own, if it asks you to save configuration changes, don’t.

System configuration has been modified. Save?[yes]:no

I rebooted one of my WAE-274 devices; clean reboot of course. It took approximately 6 Minutes 52 Seconds for a full reload – mileage will vary.

Scroll to Top