
Answer Questions

  • Enhancing Cybersecurity with Multi-Factor Authentication - ( 03-25-2025 )
  • Network Management
  • Hello,
    Multi-factor authentication enhances security by requiring users to verify their identity through multiple means, such as a password, a fingerprint, or a one-time code. This added layer makes it significantly harder for attackers to gain unauthorized access, even if one factor (e.g., password) is compromised. As cyber threats evolve, MFA reduces the risk of data breaches and ensures safer access to sensitive systems. It’s an essential tool for businesses and individuals to protect valuable information effectively.
    Best Regards,
    James Carty

  • Domain Exception List on Email Gateway C100V - ( 03-25-2025 )
  • Cisco Software Discussions
  • Hello everyone,
    I'm reaching out for assistance regarding an email delivery issue we're experiencing. We have a sender whose reputation was checked using MXToolbox, but emails sent to us are still being bounced back. The return message states:
    "BounceClassification: Reputation; Reason: 554 MYDOMAIN Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.; Type: blocked"
    We are considering adding the sender's domain to the exception list on our Cisco Gateway C100V. While we've successfully created an address list, we're unable to select the relevant list for the domain exception list.
    Has anyone encountered a similar issue or could provide guidance on how to resolve this? Any help would be greatly appreciated!
    Thank you

  • Migrating from vEdge (Viptela OS) to cEdge (IOS-XE) and vice versa - ( 03-25-2025 )
  • Routing
  • Migration Using Cisco Catalyst SD-WAN Manager (formerly Cisco vManage)

    Note 1: Specific requirements:
      • Cisco vManage Release 20.4.1 or later
      • Cisco Integrated Services Routers (ISR) 1100 and ISR1100X Release 20.4.1 or later

    Note 2: Migration between Viptela OS and Cisco IOS XE is supported in listed platforms:
      • Cisco ISR1100X-6G
      • Cisco ISR1100X-4G
      • Cisco ISR1100-6G
      • Cisco ISR1100-4G
      • Cisco ISR1100-4GLTE (Cisco ISR1100-4GLTENA and Cisco ISR1100-4GLTEGB)

    Migrating from vEdge (Viptela OS) to cEdge (IOS-XE)

    Step 1: Detach the Template (If Applicable)
      • If a device template is attached, detach it before proceeding with the migration.

    Step 2: Upgrade the Software
      • In Cisco vManage, navigate to Maintenance > Software Upgrade.
      • Select the target router from the list and click Upgrade.
      • In the Software Upgrade pop-up:
          • Choose vManage as the upgrade method.
          • In the Version field, select the IOS-XE image.
          • Check the Activate and Reboot and Confirm checkboxes.
          • Click Upgrade.
      • The Task View page will display the upgrade progress.
      • The device will reboot automatically after the upgrade (this process takes approximately 20 minutes).

    Step 3: Verify Migration Completion
      • In Task View, confirm successful migration by checking for:
          • A green tick mark next to the task.
          • The status "Done – Software Install".

    Step 4: Finalize the Migration
      • In Cisco vManage, go to Configuration > Devices.
      • Locate the upgraded device in the WAN Edge List table.
      • Click More Actions (⋮) > Migrate Device.
      • A warning pop-up will appear, notifying that existing statistics, event history, and configuration will be erased. Click Yes to continue.
      • On the Configuration page, click Refresh.
      • Verify that the Device Model column now reflects the correct operating system: If migrated to IOS-XE, it should display Cisco OS.

    Post-Migration Note
      • Once migrated, the device operates like any other IOS-XE device.
      • Optionally, use Cisco vManage to apply a new device template for additional configurations.

    Migrating from cEdge (IOS-XE) to vEdge (Viptela OS)

    Step 1: Detach the Template (If Applicable)
      • If a device template is attached, detach it before proceeding with the migration.

    Step 2: Upgrade the Software
      • In Cisco vManage, go to Maintenance > Software Upgrade.
      • Select the target router from the list and click Upgrade.
      • In the Software Upgrade pop-up:
          • Choose vManage as the upgrade method.
          • In the Version field, select the vEdge image.
          • Check the Activate and Reboot and Confirm checkboxes.
          • Click Upgrade.
      • The Task View page will display the upgrade progress.
      • The device will reboot automatically after the upgrade (this process takes approximately 20 minutes).

    Step 3: Verify Migration Completion
      • In Task View, confirm successful migration by checking for:
          • A green tick mark next to the task.
          • The status "Done – Software Install".

    Step 4: Finalize the Migration
      • In Cisco vManage, go to Configuration > Devices.
      • Locate the upgraded device in the WAN Edge List table.
      • Click More Actions (⋮) > Migrate Device.
      • A warning pop-up will appear, notifying that existing statistics, event history, and configuration will be erased. Click Yes to continue.
      • On the Configuration page, click Refresh.
      • Verify that the Device Model column now reflects the correct operating system: If migrated to vEdge, it should display Viptela OS.

    Post-Migration Note
      • Once migrated, the device operates like any other vEdge device.
      • Optionally, use Cisco vManage to apply a new device template for additional configurations.

  • DMVPN / EIGRP issue - ( 03-25-2025 )
  • VPN
  • Hi,
    I have a hub and multiple spokes. Spoke configs are identical and all are running EIGRP. Only one spoke keeps losing its tunnel and EIGRP neighborship every 15-25 min. Please assist. Here are some logs on spoke and hub:
    Hub:
    Spoke:

  • Having trouble understanding Outside Local address - ( 03-25-2025 )
  • Routing
  • For the question above, I don't understand how 192.168.1.30 is the outside local address. Wouldn't the outside local address be 15.16.17.18, since that is the IP assigned to the host on the outside network?
    I have been searching for the reasoning and have been getting 2 answers that are confusing me.
    One where it goes Inside local - Outside local -- Inside global - Outside global (1st pic)
    and one Inside local - Inside global -- Outside global - Outside local (2nd pic)
    Can you explain to me if there's a difference or if I'm misinterpreting it?
    Thanks!

  • Simple Username Normalization Not Working - ( 03-25-2025 )
  • Protecting Applications
  • Hello!
    Our organization has a few applications that we are having some trouble with setting up SSO through Duo. We sync our users through AD and we have username normalization set to simple. However, some of the applications we use take email addresses [username]@[domain] and these applications are not removing the @[domain] from the user when passed to Duo. The error we get is that the user: [username]@[domain] is not found. How can we get these applications to use the simple username normalization?
    Additionally, and somewhat related, we have some email accounts that are [firstname-lastname]@[domain]. Is there a way we can automatically alias that FirstnameLastname without the email domain? We've tried userPrincipleName but that still includes the email domain.
    Any help would be appreciated, thanks!

  • FTD upgrade via FMC - device missing upgrade package - ( 03-25-2025 )
  • Network Security
  • Hello! Has anyone with an FTD managed by FMC run into this issue? I am trying to upgrade the FTD OS using the FMC wizard. When I go to push out the image file to the devices (2 devices as part of an HA pair) it seems to only push it out to one of the devices, or at least only recognizing it as going to one device; as such, I cannot get past this window. The window says “one or more units are missing the upgrade package.” If I reset the workflow and start again, the same thing happens. I have had a TAC case open for weeks now with no resolution. The TAC tech tells me both devices did indeed receive the upgrade image file, which he can see via CLI. The tech notes the upgrade can be done via CLI, but I am not happy with that solution because something is clearly awry somewhere. I would like to determine why FMC claims the one unit does not have the file. Has anyone seen this before or does anyone have any insight? Thanks!

  • ASA 5555 : Tunnel traffic dropping - ( 03-25-2025 )
  • VPN
  • Hi All,
    We are using ASA Version-9.14(4)23 Model - ASA 5555.
    We have observed that packets going via the IPSec site to site tunnel towards AWS are getting dropped. Further analysis found that the ASA is sending an encryption domain that was not configured on the crypto map and that was causing the traffic to get dropped. So to fix the issue we had to change the IPSec config - Connection Type to Bidirectional from Originate-Only. Is this a known issue? Below is the access list which was dynamically created and was causing the issue.
        Crypto map tag: UK-Cloud-Comms_map1, access-list OO_temp_UK-Cloud-Comms_map121
    Thanks

  • RMA 803983232 - ( 03-25-2025 )
  • Can you please confirm old a and new s/n for the a/m RMA. It seems that there are some discrepancies. Is this RMA correct pls?  

  • Cisco FDM reset admin user credential - ( 03-25-2025 )
  • Network Security
  • Hi All,
    In the event that the admin user needs to be reset on the FDM, the following procedure can be followed. One of the basic requirements is to have a user on which to log in, and it must have conf privileges. Once you have logged in via external authentication, you can perform the actual magic to reset the admin user's password.
    First we need to access the Linux shell and elevate our access rights, by typing expert and elevate via sudo -i followed by the external authentication password - in other words, the same password used to access SSH itself.
    Once our privileges have been elevated, the fun can begin and we can reset the administration password. Type passwd admin
    You will then be asked for your new password, type in the one you wish to use in the future - a confirmation prompt will follow to ensure that the passwords match.

        > expert
        ava-ftd01:~$ pwd
        /ngfw/Volume/home/bob-admin <--- Verify I am logged in as external user
        ava-ftd01:~$ sudo -i
        Password: <Password-of-bob-admin-ext-user>
        root@ava-ftd01:~# passwd admin
        New password: <New-admin-password>
        Retype new password: <New-admin-password>
        passwd: password updated successfully
        root@ava-ftd01:~#

    Once this has been done you’ve successfully recovered/reset the admin password, and you should be able to initiate another SSH session to the FTD and able to login as “admin” with your new password.

        > expert
        admin@ava-ftd01:~$ pwd
        /home/admin <--- Verify I am logged in as admin user

    Notes: once reset with root privileges, it will only work on first access. To make this change permanent, it is necessary to log back onto the Firewall MGMT and reset the password again using the following command:

        > configure password

    It will first ask you for the password you have just reset and then for the new one.
    We have tested this procedure on Cisco FPR1140 with version 7.2.9.
    Regards

  • ASA5525x ASDM 7.22(1) out of sync - ( 03-24-2025 )
  • Other Security Subjects
  • Hello,
    I have just upgraded the ASA to 9.14(4)24 and ASDM 7.22(1). No issues or drama. However, it is becoming clear the MD5 hash is out of sync between ASDM and the ASA, and this is impacting the ASDM's ability to show the Top 120 Access Rules in the main Dashboard but also in the ACL hit counts displayed on the firewall access rules screen. I have validated via the CLI that the counts are present and correctly incrementing on a test environment.

        ASA# show access-list
        access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
        alert-interval 300
        access-list Outside_access_in; 1 elements; name hash: 0xe796c137
        access-list Outside_access_in line 1 extended deny icmp any any inactive (hitcnt=0) (inactive) 0x3b75655e
        access-list Inside_access_in; 9 elements; name hash: 0xa231c4d3
        access-list Inside_access_in line 1 extended permit ip object VLAN10 any (hitcnt=1055) 0x3b75655e
        access-list Inside_access_in line 1 extended permit ip 99.100.10.0 255.255.255.0 any (hitcnt=1055) 0x3b75655e
        access-list Inside_access_in line 2 extended deny ip object VLAN20 any time-range KillInternet inactive (hitcnt=0) (inactive) 0x3b75655e
        access-list Inside_access_in line 2 extended deny ip 99.100.20.0 255.255.255.0 any time-range KillInternet inactive (hitcnt=0) (inactive) 0x3b75655e
        access-list Inside_access_in line 3 extended permit ip object VLAN20 any (hitcnt=502) 0x3b75655e
        access-list Inside_access_in line 3 extended permit ip 99.100.20.0 255.255.255.0 any (hitcnt=502) 0x3b75655e
        access-list Inside_access_in line 4 extended permit ip object VLAN30 any (hitcnt=250) 0x3b75655e
        access-list Inside_access_in line 4 extended permit ip 99.100.30.0 255.255.255.0 any (hitcnt=250) 0x3b75655e
        access-list Inside_access_in line 5 extended permit ip object VLAN31 any (hitcnt=0) 0x3b75655e
        access-list Inside_access_in line 5 extended permit ip 99.100.31.0 255.255.255.0 any (hitcnt=0) 0x3b75655e
        access-list Inside_access_in line 6 extended permit ip object VLAN40 any (hitcnt=141) 0x3b75655e
        access-list Inside_access_in line 6 extended permit ip 99.100.40.0 255.255.255.0 any (hitcnt=141) 0x3b75655e
        access-list Inside_access_in line 7 extended permit ip object VLAN50 any (hitcnt=0) 0x3b75655e
        access-list Inside_access_in line 7 extended permit ip 99.100.50.0 255.255.255.0 any (hitcnt=0) 0x3b75655e
        access-list Inside_access_in line 8 extended permit ip object VLAN99 any (hitcnt=61) 0x3b75655e
        access-list Inside_access_in line 8 extended permit ip 99.100.99.0 255.255.255.0 any (hitcnt=61) 0x3b75655e
        access-list Inside_access_in line 9 extended permit ip 99.100.70.0 255.255.255.0 any (hitcnt=1) 0x3b75655e

    I have tried a reboot and no joy, using OpenJRE.bin validated checksum, different devices and dialog boxes confirm ASDM 7.22(1). Suspect there is a simple fix and looking for any suggestions or support.

  • Cisco 927 LTE Router - Aerial ports - Primary / Secondary ? - ( 03-24-2025 )
  • Routing
  • Simple quick question - The screenshot below of a C927- LTE version - and as you can see items 1 and 11 are Antennas. Does anyone know, if at all, if there is a 'master' / 'slave' or more 'Primary / Secondary' ? Or basically - what is the working when using two aerials ? For our issue - we have the small local one, and an extension lead with an aerial on the roof of the building. Do the aerials work in tandem ? or what ? as we seem to be getting 'varied' signalling speeds. Because if you look closely - the 'markings' under the port (11) are more than the one under port (1) and
    Could this be an indication of Primary ? Secondary ?
    TIA.

  • Impossible to get in touch with Netacad? - ( 03-24-2025 )
  • Online Tools and Resources
  • Dear esteemed Cisco Community,
    I am currently a student at Cisco's Netacad, specifically the course "Network Security". However, I have found several errors in the course and I would like to contact the relevant department or team that can look into these claims and possibly rectify them. I tried using the (my apologies) useless chatbot, Morgan, who claims I need to go through my Netacad instructor, but he never replies. I tried sending the Cisco Networking Academy a message on LinkedIn a month ago, and no reply. When I Google for the contact-us page for Netacad, I get a 404 Not Found. Does anyone have any idea how to get in touch with Netacad?
    Thanks in advance!
    Sincerely,
    Lasse E. Jensen

  • Firepower now blocks legitimate SMTP Traffic - ( 03-24-2025 )
  • Email Security
  • Hi,
    2 issues have arisen the past week where the Firepower has been blocking legitimate SMTP traffic.

    ISSUE 1
    I upgraded from SNORT 2 to SNORT 3. Most of our company emails were then blocked (incoming & outgoing). The Intrusion logs showed this traffic was blocked due to: SMTP_RESPONSE_OVERFLOW (124:3:2) and SMTP_COMMAND_OVERFLOW (124:1:2). To work around this I set these rules to Alert, not Block.
    Isn't this now a security concern? Traffic that would have been correctly blocked by the IPS is now allowed also. Is there any other way around this? What could cause these false positives in SNORT 3?

    ISSUE 2
    A few days later I noticed some emails coming in were blocked again. Not by the IPS, but App ID. Our SMTP rule is application based and allowed traffic in via application SMTP & SMTPS. Traffic logs showed the Application Protocol as 'SMTP' and Client as 'SMTP Client'. However, now a lot of legitimate traffic is blocked and the traffic logs show Application Protocol as 'Unknown'. To temporarily fix this I have had to change the rule to allow port 25, as opposed to using App ID. The only thing that has changed was Cisco VDB 405 being applied to the device over the weekend. I can't see anything in those release notes for SMTP changes. Any reason why this would suddenly occur? I don't want to leave the rule filtering on port 25, but rather use App ID, again for security concerns.

    Any advice would be appreciated.
    Thanks

  • Multicast Issue - ( 03-24-2025 )
  • Other Network Architecture Subjects
  • Hi,
    I've changed the outgoing interface from TenGigabitEthernet2/4 to interface vlan 222. Since then, the IPTV is not working.

    Output of sh ip mroute 239.192.1.2 before change:

        (*, 239.192.1.2), 15w6d/00:03:19, RP 10.10.10.10, flags: S
          Incoming interface: Null, RPF nbr 0.0.0.0
          Outgoing interface list:
            TenGigabitEthernet2/4, Forward/Sparse, 14w3d/00:03:19

        (10.4.9.2, 239.192.1.2), 15w6d/00:01:43, flags: T
          Incoming interface: Vlan109, RPF nbr 0.0.0.0
          Outgoing interface list:
            TenGigabitEthernet2/4, Forward/Sparse, 14w3d/00:03:19

    Output of sh ip mroute 239.192.1.2 after change:

        (*, 239.192.1.2), 16w2d/stopped, RP 10.10.10.10, flags: SP
          Incoming interface: Null, RPF nbr 0.0.0.0
          Outgoing interface list: Null

        (10.4.9.2, 239.192.1.2), 16w2d/00:02:56, flags: PT
          Incoming interface: Vlan109, RPF nbr 0.0.0.0
          Outgoing interface list: Null

    Why is the outgoing interface list Null?

  • How to Retrieve Detailed Interface Information from ACI fabric - ( 03-24-2025 )
  • Application Centric Infrastructure
  • Hello,
    We are in the process of replacing our Cisco ACI switches with Arista switches and need to gather detailed information about the interfaces on our current ACI fabric. Specifically, we need to collect the following information for each interface:
      • Deployed EPGs
      • VLANs assigned to the interface
      • Interface operational status (up/down)
      • Mode (e.g., trunk, access)
      • Any other configuration details such as Port Channel or VPC status
    We are planning to use the Cisco ACI API for this task. Could anyone please guide us on how to retrieve this data programmatically from ACI? We would appreciate examples or suggestions on how to construct the appropriate API calls and queries.
    Thank you in advance for your help!
    Best regards,

  • SD-Access with virtual Catalyst 9000v switches - ( 03-23-2025 )
  • Cisco Software Discussions
  • I'm trying to set up a test lab for DNA Center to talk to Catalyst 9000v switches in a virtual environment, and then to automate them for SD-Access.
    I'm making slow progress on getting it working, but keep hitting more and more unexpected errors as I go along.
    Has anyone here successfully got this to work, maybe for a CCIE Enterprise lab or similar?
    If so, maybe there are some pointers along the way of what works and doesn't work in the virtual environment?