Consistency Check

The Consistency Check command enables you to monitor your security system for inconsistencies, such as routing discrepancies, invalid port numbers, and invalid IP addresses. You can configure Consistency Check to monitor your security system automatically. You can perform on-demand Consistency Checks. You also have the option of disabling Consistency Check.

In this chapter you will find the following topics:

The Consistency Check Feature

Consistency Check ensures that configuration discrepancies do not alter or impede security system functionality and thus lead to network security risks. You can enable Consistency Check to monitor your entire system, looking for inconsistencies and discrepancies in network traffic routing as well as in IP addresses and port numbers. It also searches for invalid network hosts and IP address ranges. Consistency Check also verifies that there is at least one valid administrative account and provides assurance that Policy Distribution Points and their associated Policy Enforcement Points are functioning appropriately.

After a Consistency Check has occurred, the system items involved and brief descriptions of the related inconsistencies appear in the System Inconsistencies panel in the View pane. You can refine the display of these error message by including messages generated by external agents, such as the Cisco Secure VPN Client and the control agent elements running on the Policy Distribution Points within your system. For external agents, you can specify that you want to refresh every five seconds the messages that they generate. In addition, you can specify whether to organize all messages for a single item entry under a single instance of that item and how often to refresh the messages for external agents.

You can configure Consistency Check to occur automatically whenever you select a node in the Navigator pane or to occur automatically with each Save or Save and Update operation that you perform. You can also disable Consistency Check altogether. You can also initiate an on-demand Consistency Check.

Example: If you have a network with the IP address 192.168.10.x and try to create a host under it with an address 192.168.12.x, the system informs you of the inconsistency in a dialog box (if Always is selected under Automatic Checking in the System Inconsistencies panel) and with an entry in the System Inconsistencies panel in the View pane.

Note Consistency Check will not allow you to save any work in progress if it contains errors in consistency. To save any work in progress that may contain such errors, you will need to disable Consistency Check.

Task List for Consistency Check

You can use Consistency Check to perform the tasks listed below.

Configuring Consistency Checks

You can configure Consistency Check to occur every time you make a change or save changes in the GUI client. You can also disable Consistency Check altogether.

To configure Consistency Check, perform the following task:

Step 1 To access the System Inconsistencies panel, click Consistency Check on the Tools menu.

Result: The System Inconsistencies panel appears in the View pane.

You can also click Consistency Check on the main toolbar to access the System Inconsistencies panel.

Step 2 To refresh the System Inconsistencies list, click Refresh.

Result: Another Consistency Check is performed on the system, and the new results appear in this list.

Step 3 To refine the display of the messages within Consistency Check, select one or more of the following options in the System Inconsistencies panel.

You can select one of three options.

Include external messages. This option includes messages generated by external agents within the Cisco Secure Policy Manager system.
Refresh external messages every 5 sec. This option refreshes the external messages every five seconds unless you perform some edits within the GUI client in the interim.
Show message detail. This option disables the organization of messages based on a particular object or external agent, such as a particular tunnel group definition or Policy Enforcement Point. Instead of displaying a collapsible list of messages associated with a particular node, the list displays all messages with no nesting.

Step 4 To configure Consistency Check to perform automatic checks on the system, select an option under Automatic Checking in the System Inconsistencies panel.

You can select one of three options.

Always. This option initiates a consistency check each time you select a node in the Navigator pane. Only the node is subject to the consistency check. This option includes At File Save, at which time all nodes are checked for inconsistencies.
At File Save. This option initiates a Consistency Check each time you save your Cisco Secure Policy Manager settings.
Disabled. This option suspends the Consistency Check command.

Step 5 To accept your changes and close the panel, click OK. To reject your changes and close the panel, click Cancel.

Step 6 To save all changes to the Primary Policy Database, click Save on the File menu.

Performing an On-Demand Consistency Check

Consistency Check locates inconsistencies within your Cisco Secure Policy Manager configurations that might lead to instability of the security system. These inconsistencies include IP address and port number conflicts, naming conflicts, and routing discrepancies.

To perform an on-demand Consistency Check, perform the following task:

Step 1 To initiate an on-demand Consistency Check, click Consistency Check on the Tools menu.

Result: The System Inconsistencies panel appears in the View pane.

You can also click Consistency Check on the main toolbar to access the System Inconsistencies panel.

Step 2 To refresh the System Inconsistencies list, click Refresh.

Result: Another Consistency Check is performed on the system, and the new results appear in the System Inconsistencies list.

Step 3 To access the panel for the system item involved in any inconsistency, double-click that item in the System Inconsistencies list.

Result: The panel for the system item appears in the View pane.

Step 4 To close the System Inconsistencies panel, click OK.

Table of Contents