Answer Questions

We have a Large Video Conferencing room which uses a Codec Pro and 2 Large Leds Boards side by side for Video Calls.Once screen is for local and remote content. And the other screen displays the users that are within the call.Layout Options are simply greyed out on the Touch Panel within the room and also via the Device when logged into the back end of it remotely. The issue is that the Calls always seem to be viewed as Prominent/Active Speaker when users in the room would like to use the grid view option to see all of the users in the call at once. When the Device is not connected to a call, the Layout button is available to select Grid View. But once connected to a call the device reverts back to Prominent.I have checked the settings in "Video / DefaultLayoutFamily". I have tried Auto and also Equal but it doesn't seem to change in room.We are also using the MS Teams CVI if that make a difference to how the call is displayed.Any Help would be amazing.

Hi all, I'm wondering if there is a way to turn off failed authorization logging in ISE? When someone leaves open a stale ASDM session our logs become flooded with failed Auth attempts. I'm guessing this is because the ASDM is trying to keep the rule base fresh with a variety of "show" commands but these are failing due to an expired session.  The logs could be filtered out on the logging server but if there's a way to turn them off within ISE that would be more helpful. Authorization isn't something we're too fussy around.  Thanks,Josh

Hi,What is the difference between pwr-c1-1100wac v01 and v02 power supply?I cannot find any information or specs about it.Thank you in advance,Best regards,Bert

Anybody using this feature on the new 7.2 code for FMC? It allows you to specify an Umbrella DNS policy along with your standard DNS policy in the access policy (policy much?)We got it working in the lab, had to reapply the CA cert from Umbrella. However we haven’t been successful in getting it to work in any prod environments. Seems the FTD never connects to umbrella, as shown thru the CLI command “sh service-policy inspect dns.” On a working install you should get an HTTP 200 message. We never get that message, it’s state just remains “unknown.” All prereqs are met, real head scratcher for me here. Wondering if there’s any “gotchas” that we are missing, but the same steps worked in lab so I don’t think so.

Hi Is there a limit to how many websocket connections a finesse server can handle? Our customer developed his own CTI Adapter using WebSockets. With low number of agents, everything works fine and agents can login via API and connect to notification service via websockets and everything works fine. Once the number of agents trying to login exceeds 100, the CTI Adapter can no longer open a WebSocket connection to the Notification Service We see from both sides (Finesse openfire as well as CTI Adapter side) a NullPointerException Any ideas? Omar

Good day,I am trying to monitor some enterprise traffic with a Cisco 9500 Switch (Software 17.4.1) as exporter and nfcapd/nfdump as collector. It works fine with one issue: The Duration of the flows is always 60s (or sometimes more). The Last Seen timestamp is also always 60 seconds later than the first seen timestamp. It seems like it depends on the set active timeout, this is currently set to 60 seconds, if I set it to 120 seconds all flows are now 120s long. The inactive timeout is set to 10 seconds. I have attached an example of netflows.I have spent the last week trying to find the error, but without success. This specific problem does not seem to have been discussed on the Internet yet. I am glad about any suggestion.

Hi All, Got an issue with the ISE portal builder (https://isepb.cisco.com/#), built a new portal followed the documentation (e.g. downloaded the config/uploader tool) but this tool is not working correctly??.. Filled in the required criteria but apparently ISE is resetting the connection/tool??.. Using an admin (SuperAdmin) account and confirmed access to ISE using a browser.  ISE v3.1 - ISEPB Portal Upload & Config Tool v1.0.10 Raised a TAC case and the Cisco engineer instructed me to gather some debug files, TAC have come back and said - I have checked the Support bundle and pcap. I can see ISE resetting the connection, but this integration is not supported by TAC. Please reach out to isepb@external.cisco.com for further support. Anyone seen errors like this and have a workaround??.. Tried internal and external accounts, the documentation for this tool is virtually non-existent. Not sure what the AD setting at the bottom is for, by default it populates with "Internal" so assume a local admin account is required which I have tried so many times.          

Hello, We are seeing below errors when trying to generate .java classes from yang files using jnc pyang -f jnc --jnc-output src/genTraceback (most recent call last):File "/usr/local/lib/python3.8/dist-packages/pyang/plugins/jnc.py", line 800, in _searchiterate(stmt.i_children, acc)AttributeError: i_children During handling of the above exception, another exception occurred: Traceback (most recent call last):File "/usr/local/lib/python3.8/dist-packages/pyang/plugins/jnc.py", line 552, in pairwiseitem = next(iterator) # throws StopIteration if empty.StopIteration The above exception was the direct cause of the following exception: Traceback (most recent call last):File "/usr/local/bin/pyang", line 493, inrun()File "/usr/local/bin/pyang", line 462, in runemit_obj.emit(ctx, modules, fd)File "/usr/local/lib/python3.8/dist-packages/pyang/plugins/jnc.py", line 208, in emitself.generate_from(module)File "/usr/local/lib/python3.8/dist-packages/pyang/plugins/jnc.py", line 247, in generate_fromgenerator.generate()File "/usr/local/lib/python3.8/dist-packages/pyang/plugins/jnc.py", line 998, in generateself.generate_classes()File "/usr/local/lib/python3.8/dist-packages/pyang/plugins/jnc.py", line 1097, in generate_classeschild_generator.generate()File "/usr/local/lib/python3.8/dist-packages/pyang/plugins/jnc.py", line 1000, in generateself.generate_class()File "/usr/local/lib/python3.8/dist-packages/pyang/plugins/jnc.py", line 1202, in generate_classfield = self.generate_child(ch)File "/usr/local/lib/python3.8/dist-packages/pyang/plugins/jnc.py", line 1286, in generate_childchild_gen = MethodGenerator(sub, self.ctx)File "/usr/local/lib/python3.8/dist-packages/pyang/plugins/jnc.py", line 1884, in initsearch(stmt, yangelement_stmts | leaf_stmts)]File "/usr/local/lib/python3.8/dist-packages/pyang/plugins/jnc.py", line 804, in searchsearch(stmt, keywords, dict)File "/usr/local/lib/python3.8/dist-packages/pyang/plugins/jnc.py", line 802, in _searchiterate(stmt.substmts, acc)File "/usr/local/lib/python3.8/dist-packages/pyang/plugins/jnc.py", line 779, in iteratekey = ' '.join([ch.keyword, camelize(ch.arg)])File "/usr/local/lib/python3.8/dist-packages/pyang/plugins/jnc.py", line 589, in camelizefor character, next_character in iterator:RuntimeError: generator raised StopIteration Please help identify the exact error here. The error is seen for only a handful of yang files. For remaining yang files, the java classes are generated without any errors/warnings. Thanks,Shrikant

Version: 3.1.0.518 Patch 6 and 7 The client can register once on the ISE via EAP-TLS with a certificate - after that problems arise.If you restart the notebook, it works again once.At patch 6Approx. 250 users affected:The ISE log shows that an EKU that we use for authentication is not passed or recognized when authenticating again.This is not a problem with the initial authentication.Only some Windows clients are affected.At patch 7Approx. 1300 users affectedThe ISE log shows that the ISE cannot read the SAN of the certificate correctly. "33047 User name attribute is missing in client certificate" as an error message from the ISEThis is not a problem with the initial authentication.All Windows clients are affected.The certificate-based authentication of our iPhones, on the other hand, works perfectly; we also check for the EKU here.Both problems occur over both LAN and WLAN authentication.   in other words:-    we are having client authentication issues with Cisco ISE version 3.1.0.518 patch 6 or 7 (both issues).With the update to version 6, parts of the certificate EKU were no longer displayed - the authentication therefore no longer works.Since the update to version 7 we get the error 22047 User name attribute is missing in client certificate.Although the certificate has not changed and all settings match when looking at the client certificate. The client can initially log on to the LAN/WLAN once after booting, but no longer after that.   can this fix the issue?    https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/release_notes/b_ise_31_RN.html#concept_lvg_kw1_xsb:~:text=AAA%20Servers.-,EAP%2DTLS%20Authentication%20Might%20Fail%20for%20Certificates%20Using%20TPM%20Module,%5B33%5DEnable/Disable/Current_status%20of%20RSA_PSS%20signature%20for%20EAP%2DTLS.,-Upgrade%20Information    .

HelloI am using Cisco ISE 2.7 in my infrastructure for MAB and 802.1X network access authentication. I have noticed a problem with Cisco Voip phones connected to a switch port. The problem is that after setting up the call to the mobile phone , the person making the call cannot be heard by the person receiving the call (on his mobile phone), call between VoIP phone in officre works fine . It seems that on the ISE and switch side everything is configured correctly, MAB authentication and 802.1x is working correctly.I have the correct policy and profile for Voice VLan configured in ISE:Access type = ACCESS_ACCEPTTunnel-Private-Group-ID = 1:43Tunnel-Type = 1:13Tunnel-Medium-Type = 1:6DACL = ACL_Voicecisco-av-pair = device-traffic-class=voicedACL_Voicepermit ip any host y.y.y.y # CCM_IP_1permit ip any host x.x.x.x # CCM_IP_2permit udp any (VoIP phone IP)  range 16384 32767 //RTP protocolpermit udp any (VoIP phone IP)  range 16384 32767 //RTP protocoldeny ip any anyon each port of the access switch I have added acl on IN : ip access-group ACL-PREAUTH inip access extend ACL-PREAUTH10 permit udp any eq bootpc any eq bootps20 permit udp any any eq domain30 permit tcp any host x.x.x.x eq www  # ISE_1 IP40 permit tcp any host y.y.y.y eq www  # ISE_2 IP50 permit tcp any host x.x.x.x eq 8443 # ISE_1 IP60 permit tcp any host y.y.y.y eq 8443 # ISE_2 IP70 permit tcp any host x.x.x.x eq 443 # ISE_1 IP80 permit tcp any host y.y.y.y eq 443 # ISE_2 IP110 deny icmp any any echo120 deny tcp any any range 22 telnet130 deny icmp any any echo-reply140 deny ip any anyAll problems disappear when I remove the following from the configuration of the switch port to which the Voip phone is connected: ip access-group ACL-PREAUTH inI need an ACL-PREAUTH list on the ports because I want to block ssh ping and telnet for connected PCs that will not be authenticated in ISE. Regards

Hi All, after a restore of the cluster, used for MRA, when we try to get active calls details (Status->Calls->Calls) we see the error "we are unable to retrieve the data". Apparently this happens only when there are zero or one call since, according to customer, when two or more calls are being processes, data shows correctly. We tried to reboot the cluster and look for possible sw defects without success. Any idea ? Thanks !

Customer has CUCM cluster and CER cluster.  Both were upgraded to v14 SU2.  Admin Utility on CER pub and sub was reset to version 14.  Everything registers up and *seems* to be correct. CER server has started sending alerts saying CUCM version integrated and version selected on CER admin utility dont match. In looking at the logs, it correctly identifies the version of CUCM as version 14.  That's what the admin utility is set to.  Screen shot of the event log is below.  I'm scratching my head.  The version is 14, it's set to 14....but it doesn't think it matches.  Anyone seen this one?  All cert exchanges done and verified, boxes rebooted, and problem persists.    

I can't find any documentation on how to query the API for small business switches. Anyone know the magic?

Just configured cert map for Anyconnect connection profile autoselection, with no luck. Configuration:Cert map matches subject email field with value "scep@company.com" -- if this condition is true, it should pick profile 2Otherwise if no match is found, it should default to profile 1. So, when configured, the option to select a profile still exists for the user when they click connect.  This seemed unexpected to me.Next I saw there was a checkbox in FMC to disable connection profile selection, so I did this and deployed, and the option to select went away, however I now only get login failures.  Neither the cert map to profile 2, nor the default to profile 1 logic was ever referenced in my testing, so I rolled back. Seems like this feature doesn't work?  Anyone know what I might be doing wrong?  Cert auth works just fine with my profiles, I'm just trying to force users into certain ones based on certificate attributes.

Hello Experts, I am trying to set type 6 password on IOSXR device which apparently can be done only from live-status command. But I am getting an error. This command works from cli ------- admin@ncs# devices device device_name live-status exec any auto-prompts { question ".*Enter new key.*" answer mykey12345 } auto-prompts { question ".*Enter confirm key.*" answer mykey12345 } "key config-key password-encryption"result Thu Jun 1 16:26:04.525 EDTNew password Requirements: Min-length 6, Max-length 64 Enter new key : (auto-prompt mykey12345) -> Enter confirm key : (auto-prompt mykey12345) -> Master key operation is started in backgroundRP/0/RSP0/CPU0:DNJ-DCN#   I am trying this from action in python package:------- device = root.devices.device[device_name] live_status_action_input = device.live_status.exec.any.get_input() live_status_cmd = "auto-prompts { question \".*Enter new key.*\" answer mykey12345 } auto-prompts { question \".*Enter confirm key.*\" answer mykey12345 } \"key config-key password-encryption\""   output_result = device.live_status.cisco_ios_xr_stats__exec[live_status_cmd](live_status_action_input)    But I get an error :-------  output_result = device.live_status.cisco_ios_xr_stats__exec[live_status_cmd](live_status_action_input)  File "/nso-6.0/src/ncs/pyapi/ncs/maagic.py", line 535, in __getitem__     child = self._children.get_by_yang(self._backend, self, name)   File "/nso-6.0/src/ncs/pyapi/ncs/childlist.py", line 184, in get_by_yang     name = self.full_name_from_short_name(name)   File "/nso-6.0/src/ncs/pyapi/ncs/childlist.py", line 210, in full_name_from_short_name     return self.short_name_to_full_name[short_name] KeyError: 'auto-prompts { question ".*Enter new key.*" answer mykey12345 } auto-prompts { question ".*Enter confirm key.*" answer mykey12345 } "key config-key password-encryption"'  

MPLSControl Plane- Routing Protocol, protocolo para alcanzar los nodos.- RIB, tabla de enrutamientos.- LDP, distribución y conmutación de etiquetas.Forwarding Plane, esto se construye a partir de la información del plano de control.- FIB.- LFIB.Los requerimientos anteriores son los mínimos requerimientos para crear MPLS.Otra cosa es que necesitemos crear servicios sobre esta red, por ejemplo:VRF Lite vs MPLS VPNs,- En VRF Lite todos los dispositivos en los caminos de tránsito deben llevar todas las rutas en todas las tablas de VRF.- En MPLS VPN solo los PE necesitan conocer las rutas. Esto se logra con:  - VPNv4 BGP con RD + nn  - MPLS VPN tab/label aquí es donde se agregan más label como la de transporte sobre la de servicios.Por ejemplo si quisiera implementar MPLS L3VPN deberíamos seguir los siguientes pasos:- Estabelecer LSP entre PE es IGP+LDP- Intercambiar rutas con clientes: PE-CE IGP o BGP- Intercambiar rutas entre PE es iBGP+MPLS VPN Label - Intercambiar label switch entre PE es IGP + LDP Transport Label.Cabe recordar que BGP es multiprotocolo, por este motivo podemos llevar varios tipos de servicios sobre redes MPLS. MPLS-SRAhora, para SR, es diferente, porque este mismo protocolo lleva un plano de control completo sobre los FORWARDING PATH para simplificar la red. No requiere protocolo adicional. Como cuales?- IGP distribuye los label binding como OSPF opaque y IS-IS TLV reemplaza LDP.- Esto tiene menor consumo en CP pero el comportamiento es igual en el FC o DP.- Si hay multidominio IGP podríamos trabajar trabajando con BGP-LS.¿Por qué usar SR?.Simplifica TE.En teoría, PCE/PCEP podría automatizar la red.De acuerdo a lo anterior, podemos decir que los label a nivel conceptual su comportamiento es igual pero no se usan "label" sino segmentos. SRv6Para SRv6 tenemos los siguientes beneficios.- SDN-Ready- Configuración mínima.- Balanceo de carga, algo que no hace RSVP-TE.- FRR.- Despliegue Plug-and-Play.¿como logro lo anterior?, así:SEGMENTOS:- Prefix SID asociado a un prefijo en el rango SRGB y distribuido por IS-IS o OSPF.- Prefix Segment asociado a un segmento global y único.- Segmento adyacente asociado dinámicamente al SRLB.DATA PLANE:- Un segmento puede ser asociado directamente a MPLS sin cambios en el DP. - Un segmento se codifica en MPLS label.- Una lista ordenada se cofigica como un stack de label.- El segmento que se procesa cada vez es el que está en la cima del stack donde hace pop del stack cuando se cumple el segmento.SERVICIOS como MPLS:- L3VPN- VPWS- VPLS- EVPN En INGENIERÍA DE TRÁFICO la red NO necesita mantener el estado de flujo por aplicación, solamente envía la instrucción por paquete.SR-TE puede utilizar:- On-Demand SR- Políticas explicitas o dinámicas para los caminos.- PCEP PCCPor otro lado, si queremos tener convergencia podemos usar FlexAlgo y TI-LFA.Si queremos medir el rendimiento de las metricas como Packet loss, delay, jitter y utilización de BW, podemos usar TWAMP por ejemplo. O información de tráfico, usamos SR Traffic Matrix.También si queremos hacer interconexión de redes LDP con SR. Podemos utilizar SR Mapping Server para advertir Prefix-to-SID en IGP a los nodos que nos "entienden" SR.Como último y no menos importante, SR OAM, ayuda a los ISP a monitorear los LSP para aislar rapídamente los problemas y hacer TSHOOT de la red. SR-OAM soporta BGP prefix SID, IGP prefix SIF, Nil-FEC LSP Ping y Traceroute. Ejemplo de ello pueden ser:traceroute sr-mpls prefix/mask fec-type igp isis

Hi.. I regularly need to upgrade Viptela ios via vManage. Most of the times , I need to upgrade ios of both Primary & Secondary router using only the link connected to secondary router. So Primary router will use the secondary router link using TLOC extension. Everytime I notice that the download speed of ios in Primary router during the upgrade process is very slow and takes a lot of time. The same ios download in secondary router is much quicker. The speed test in Primary router via TLOC extension  (for the link connected to secondary router) is good and shows full bandwidth. Then why is the ios upgrade using TLOC extension so slow? Is there anyway to improve it? Thanks a lot in advance

I'm trying to configure my Windows 10 PC as an SFTP server so I can pull the cluster config files from my sandbox lab.  The PC is the same machine used to access the sandbox.  Here's what I have so far: *OpenSSH installed and service running on Win 10 PC; startup set to AUTO *Installed WinSCP and verified that I can connect to the SFTP server with Win 10 credentials PC's firewall is turned off AnyConnect is running and I can access the Publisher in the sandbox When I add a new back-up device in DRS, I'm using the Win 10 PC's IP address and the same Windows credentials.  I made the device name = the PC's name.  For the path, I've tried /, ./, \, and .\. In AnyConnect, I enabled "Allow LAN access when using VPN" and unchecked "Block connections to untrusted servers". The result is always "Update failed : Unable to access SFTP server. Please ensure the username and password are correct". I must be missing something - has anyone successfully configured this to work? Thanks!

I created this app in Excel with VBA Microsoft forms and using various Cisco API calls.It can quickly copy a lot of phones from one model to a different model.Create new UCCX agents and MACD work, adding or removing a user from a phone. Quick Youtube video demonstration:https://youtu.be/xFEIM6Kxv0w

I want to query IOS XR using RestAPI instead of XML. Where can I find the swagger for IOS XR?

Hi guysI tried to find a way to get notified, as soon as our Cisco DNAC 2.3.5.3 does not receive any telemetry / assurance data from our Cisco WLCs.I asked ChatGPT and got this answer, but was not able to find the menus specified in the given answer:Log in to your Cisco DNA Center web interface using a web browser.Navigate to the "Assurance" tab in the main menu.In the left-hand menu, select "Alarms & Events" and then click on "Alarms."Click on the "Create Alarm" button to start creating a new alarm.In the "Alarm Name" field, enter a descriptive name for the alarm, such as "No Telemetry Data from WLC."In the "Conditions" section, click on the "Add" button to define the condition for the alarm.From the dropdown menu, select "Device" as the type of condition.Specify the criteria for the condition. For example, you can select "Device Family" and choose "Wireless LAN Controller" from the dropdown menu.Scroll down to the "Fault" section and click on the "Add" button to add a fault condition.Select "Telemetry Data Availability" as the type of fault condition.In the subsequent dropdown menu, choose "Not Received" as the condition.In the "Severity" section, select the appropriate severity level for the alarm, such as "Critical" or "Major."Optionally, you can configure other parameters such as the alarm description, additional conditions, and suppression settings based on your requirements.Once you have configured the alarm settings, click on the "Save" button to save the alarm.Does anybody know, where I can find and specify a Cisco DNAC assurance alarm in DNAC 2.3.5?Thanks in advance and best regardsDominic

Our telco provider is sunsetting all of our DS1 services.  We have a considerable amount of specialized equiptment that utilizes point to point T1 service and would be a significant investment to replace for ethernet compatible equiptment.  As a stop-gap, I'd like to try and use a pair of IADs to provide DS1 services to the legacy equiptment.  The IADs are on the same WAN. Where can I find sample documentation on configuring these IAD2431's to provide point-to-point T1 service?  Is there a better way of doing this?  

my hitcount for firewall doesn't goes up even before i apply acl on my switch outgoing interfaceaccess-list permit_ssh_tech line 1 extended deny tcp any any eq 22(hitcnt=0) 0xd3e8c836access-list permit_ssh_tech line 2 extended deny ip any any(hitcnt=0) 0x1b8246d2access-list permit_ssh_tech line 3 extended permit tcp 10.10.1.0 255.255.255.240 any eq 22(hitcnt=0) 0x5c97a83a The Tech vlan are the only ones allowed to do SSH into thecompany routers.  why doesn't it work when i implement the acl in my firewall? tried all sorts of combination and it doesn't work . but if i put teh same exact acl on my L3 Switch, it works.Another thing, why does my web access works for my finance vlan only if I put 'permit ip' but doesn't work when i put in permit tcp xx xxx xxx eq 80?