
Answer Questions


  • Conditional NAT on IOS XE 17 (for purpose of DUAL ISP) - ( 03-18-2024 )
  • Routing
  • I have an ISR 1K with DUAL ISPs (Dialer0 & Cellular). My intention was to implement something similar to this article: https://learningnetwork.cisco.com/s/question/0D53i00000Kt1XYCAZ/nat-failover-with-dual-isp-on-a-router-configuration-example?t=1710370069373
    In the case the main ISP goes down (e.g. indirect link failure has been noticed by IP SLA), traffic starts going out of ISP2 interface (due to either floating static route or policy-based routing). Since NAT translations are still valid traffic might be natted using ISP1 IP address, which means that return traffic will not come back since link to ISP1 is not available.
    The article suggests using something like this (where the route-map at the end will ensure there is an exit path available on either interface, no matter which one is currently active):
      ip nat inside source static 172.168.60.2 12.x.x.x route-map PRI
      ip nat inside source static 172.168.60.2 76.x.x.x route-map SEC
      route-map PRI permit 10
       match ip address LAN
       match interface Dialer0
      route-map SEC permit 10
       match ip address LAN
       match interface Cellular0/2/0
    What I have learnt is IOS XE does not allow 'route-map PRI' at the end of the NAT statement, since it handles NAT differently to IOS. My question is - is there a way to do something similar in IOS XE? I have a working EEM script to remove and re-add NAT translations in case of ISP1's availability change, but I have had mixed results and would rather get away from using EEM if possible. Thank you in advance.

  • CISCO ISE password policy - ( 03-18-2024 )
  • Network Access Control
  • Hi, I'd like to know about the password policy for ISE 3.0.
    1. both admin and network access password policies are global, not per-user or per-group, although some settings can be done per-user?!
    2. how will changing those policies to more strict ones (for example, changing from 8 to 12 min. password characters) impact current admins/users - will they be forced to change their password next time they try to login to ISE even if I don't force changing a password or will it only have an impact when their password expires and they try changing it?
    3. Given that the network user doesn't connect to ISE directly, instead, they try to login into the network device using SSH, for example, how will they be told by the ISE to change their password and can they do it on the spot or they have to contact admin to login into GUI and change it for them?
    4. if the user is both a network user and admin, which policy will be applied - admin or will they overlap and more strict setting will be applied?
    5. if the user has a password expired - which password is that - login, enable or both?

  • Reflexive ACL on 4507 with Sup8-E running IOS-XE IOS-XE 03.11.07.E - ( 03-18-2024 )
  • Switching
  • I can't find anything about whether 03.11.07.E supports Reflexive ACL on 4507 with Sup8-E. I did find this but does not clearly specify: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/ol-311xe-4500e.html   I cannot drop into config mode to check command syntax without alerting client SecOps team    

  • How to config Router to Manage VLANs - ( 03-18-2024 )
  • Cisco Software Discussions
  • Compliments, Please, I need help to configure 2 Routers to route packets via distribution layer switches. I know how to achieve this with Multi-layer switch but I want to try it using Router sub-interface. I don't know how with Router. Many thanks.

  • OSPF Interface in vManage - ( 03-18-2024 )
  • SD-WAN and Cloud Networking
  • I am unable to add an interface in the OSPF template for C8000v in vManage. There is no "Add" button that I should be able to press to add the interface. The "Add Interface" on the left just adds another interface to this screen, but not to the OSPF area 0 configuration. Can someone please help me with this?

  • FTTC config in the UK on 887 routers etc - ( 03-18-2024 )
  • Routing
  • Hi All
    We have always had ADSL on most of our routers using the ATM 0 interface and a dialler with PPPOA. We have recently moved one of them to FTTC, still using the RJ11 cable on the back of the router. We ended up using the dialler interface and a sub interface like the below:
      bba-group pppoe global
      !
      !
      interface ATM0
       no ip address
       shutdown
       no atm ilmi-keepalive
      !
      interface Ethernet0
       no ip address
      !
      interface Ethernet0.101
       encapsulation dot1Q 101
       pppoe enable group global
       pppoe-client dial-pool-number 1
      interface dialler 1
       mtu 1492
       ip address negotiated
       ip access-group Access-In in
       ip nat outside
       ip inspect firewall out
       ip virtual-reassembly in
       encapsulation ppp
       dialer pool 1
       dialer-group 1
       no cdp enable
       ppp authentication chap callin optional
       ppp chap hostname ****
       ppp chap password 7 ****
    How come we don't use the ATM0 interface anymore even though the RJ11 cable is plugged in? Is this now using PPPOE? Why does it use vlan 101, is this standard for FTTC?

  • Anyconnect client login process stuck, when DAP is enabled - ( 03-18-2024 )
  • VPN
  • I have a brand new pair of Cisco FTD virtual running v7.4.1 code. When DAP is enabled with hostscan scanning look for Crowdstrike AV >= v5.0 and presence of Windows domain membership registry string, the Anyconnect client gets stuck at the "Please complete the authentication process in the Anyconnect Login window" or sometimes the "Hostscan Mission complete" window. The Anyconnect login error does not time out for a long time, at least 15 to 20 minutes. I have a second pair of Cisco FTDv running the exact same code and set of DAP criteria but does not have the same issue. Hostscan being used is v4.10.08025-k9. I have verified that my SAML setup against Okta is good. The minute I take DAP off the remote access policy, everything works, hence SAML setup and remote access group policy are good.
    The log that I'm able to extract from the endpoint logging in using the 'cscan.log' situated in the c:\users\username\appdata\local\cisco\Cisco HostScan\log directory shows these lines specifically at point of failure.
    Hostscan is actually completing, but results fail to send it appears:
      [Thu Mar 14 10:55:17.530 2024][cscan]Function: log_cb_hostscan Thread Id: 0x2B04 File: c:\temp\build\thehoff\phoenix_mr80.290577643163\phoenix_mr8\posture\asa\cscan\scan.c Line: 53 Level: error :Failed in condition: opSuccess != status   -> this shows that scan is completing successfully.
      [Thu Mar 14 10:55:18.925 2024][cscan]Function: hs_transport_curl_post Thread Id: 0x2B04 File: c:\temp\build\thehoff\phoenix_mr80.290577643163\phoenix_mr8\posture\common\libhstransport\hs_transport_curl.c Line: 3787 Level: error :libcurl error: 56 Error
      [Thu Mar 14 10:55:18.928 2024][cscan]Function: asa_post_dap Thread Id: 0x2B04 File: c:\temp\build\thehoff\phoenix_mr80.290577643163\phoenix_mr8\posture\asa\libasa\asa.c Line: 504 Level: error :results send failed; to peer (https://xx.xx.xx.xx).
      [Thu Mar 14 10:55:20.165 2024][cscan]Function: asa_post_dap Thread Id: 0x2B04 File: c:\temp\build\thehoff\phoenix_mr80.290577643163\phoenix_mr8\posture\asa\libasa\asa.c Line: 514 Level: error :unable to retrieve post response.
      [Thu Mar 14 10:55:21.177 2024][cscan]Function: scan Thread Id: 0x2B04 File: c:\temp\build\thehoff\phoenix_mr80.290577643163\phoenix_mr8\posture\asa\cscan\main.c Line: 986 Level: error :failed to post scan results.
      [Thu Mar 14 10:55:21.182 2024][cscan]Function: halt Thread Id: 0x2B04 File: c:\temp\build\thehoff\phoenix_mr80.290577643163\phoenix_mr8\posture\asa\cscan\main.c Line: 83 Level: all :goodbye (0)
    I have had a case with TAC for over a week now and it's getting nowhere so far.

  • Cisco ISR 1100-Series configuration issues - ( 03-18-2024 )
  • Routing
  • Hello all! A small disclaimer here, I am completely new to the Cisco environment. And therefore this is my first ever configuration to a Cisco router. The router is an ISR-1100 series.
    I have tried following the start guides and basic configuration, but after a day of it working, it stopped. The symptoms then were that I could not access the WebUI for the router, but I could browse the web. So I copied the running-config to the startup-config, but when I rebooted I lost all internet access.
    I am not sure what went wrong, as I have configured both NAT and access lists as the forum and guides instructed me to do. But I suspect that I have done something fundamentally wrong.
    Attached is the running configuration for the router, I have redacted a few things, but everything is there. The plan for the router is to be the new home router, as well as the gateway to my lab. Therefore you will see a lot of VLANs in the configuration. For context, 10.3.1.0 is the "home" network and everything else is there to support the lab, the subnets align with the vlan tags (vlan 310 -> 10.3.10.0 etc).
    This router is placed behind two routers at the moment, the first one is my landlord's, and the second one is my main router at the moment. My own router has the subnet 192.168.50.0/24 and my landlord's has 192.168.1.0/24 (but it is not connected to that directly at this point, though it will in the future as I replace my main router).
    Since the router is behind some routers I tried to create a static route, and it worked for a while, but then it stopped. The configuration has been very unstable, and I do not know what to try next.
    I do realize I may have bitten off more than I can chew as I started with all the vlans at once, but at least I tried.
    PS: As I looked through the configuration, it seems like the WebUI has added a lot of lines, and I do not know what they do as I only saw them now.

  • Changelog updated: March 11th, 12th, 14th - ( 03-18-2024 )
  • ThousandEyes
  • There have been updates to the ThousandEyes Changelog over the last few days. You can review the changes here, or by using the link on the right hand side of our forum page titled "Quick Links".  A photograph of the ThousandEyes forum page, with the changelog Quick Link circled in orange.

  • Configuring VS Code to Ignore Validation on Cisco-provided YANG Files - ( 03-18-2024 )
  • NSO Developer Hub Discussions
  • Hello community! I'm currently working with NSO Developer Studio and the Yangster extension in Visual Studio Code for YANG file development and management. While these tools have significantly enhanced my workflow, I've encountered an issue where VS Code reports many problems with YANG files that are directly provided by Cisco. These files are part of NSO Network Element Drivers (NEDs) and, as far as I understand, should not require modifications.
    This situation leads to an overly cluttered problem pane in VS Code, making it harder to focus on genuine issues within my own YANG models. I've been searching for a way to configure VS Code, NSO Developer Studio, or Yangster to ignore these specific directories or files during validation but haven't found a straightforward solution yet.
    Does anyone know if there's a way to configure VS Code or the extensions mentioned to ignore certain YANG files or directories during its validation process? Any tips or workarounds that you could share would be greatly appreciated. I'm looking for a method to clean up the validation reports by excluding known good YANG models that are part of the Cisco NED packages.
    Thank you in advance for your insights and help!

  • X Series Chassis & Blades - ( 03-18-2024 )
  • Unified Computing System Discussions
  • Hello, We are going to setup X series newly in one of our locations. Just wanted if there are any best practices to be followed and also need to know if this has to be set up in UCSM or IMM Mode as the datasheets for X series 9508 Chassis are having Mgmt as IMM whereas X series 9508 Server chassis has both optional to setup. Below are the photos attached.

  • File dependency not met although files are available in the folder. - ( 03-18-2024 )
  • Intelligent Automation
  • Hi
    Tidal job is looking for *abc* pattern files wherein 5 different types of files following the pattern are to be transferred. The job was working fine until recently there were new files added to the stream and only 2 files are picked. Leaving rest of the files in source folder. As the job is scheduled to run only once even though all files arrive at exact same time and wait period of 3 minutes is defined only 2 files are picked. When we tried rerunning the job remains in waiting on dependency. Why is tidal not recognizing the file when it was working fine before.

  • UCCX 11.5: Need Assistance with Creating Multiple Admin Accounts - ( 03-18-2024 )
  • Contact Center
  • Hello Cisco Community, In our environment, we are running UCCX 11.5, and we've recently outsourced routine administration tasks to a vendor. This vendor has a team of engineers, and we want to provide individual logins to each engineer for better accountability and security. I attempted to address this by creating a local user with administrator privileges. However, despite granting these rights, the engineers are unable to log in to the Serviceability page and RTMT. We are planning to upgrade to UCCX 12.5 soon, and as part of our preparations, we need to resolve this issue. Is there a way to create multiple accounts with full privileges similar to the initial admin account created during installation? I've tried searching online for solutions, but unfortunately, I haven't been able to find any helpful resources. Your expertise and guidance would be greatly appreciated in resolving this matter. Thank you in advance for your assistance!
    Best regards,
    Ashwin

  • POE ring topology - ( 03-18-2024 )
  • Other Network Architecture Subjects
  • Dear Team, We are having POE PDs and the Team is looking to connect the POE PD devices in Ring topology.
    1. Is the POE PSE ports are one to one connection or possible to connect multiple PDs into one PSE
    2. Please suggest POE PSE support Ring topology..
    3. Does Cisco have Non standard POE switch to suggest for this ring topology

  • Cisco Catalyst 8000v as an ISP Edge - ( 03-18-2024 )
  • Other Service Provider Subjects
  • We have a requirement to have a virtual router in a Colocation Data Center in Europe. The model we were given by the provider is Catalyst 8000v Autonomous Mode. We need to connect an IPT to it and receive multiple full BGP table instances (multipath) on this router, which is going to be part of our International Network. Can this particular model be used for the aforementioned or is it not capable enough to handle that?

  • Installing MUltiple AP's IOS - ( 03-18-2024 )
  • Cisco Software Discussions
  • Hi there, I have more than 50 APs 3702I-E_K9 and all are completely wiped, no IOS. I want to install all in one go or bunch of 10, please help me to setup that lab how to install multiple APs simultaneously.
    Kind Regards,
    Sher Dil Khan

  • phoneDevSpecific Key:Mute - ( 03-18-2024 )
  • Call Control
  • Hi, I've successfully sent a device specific XSI command to a phone using JTAPI:
      var str = "<CiscoIPPhoneExecute><ExecuteItem Priority=\"0\" URL=\"Key:Mute\"/></CiscoIPPhoneExecute>";
      terminal.sendData(str.getBytes());
    Our application must use Windows TAPI for call control, I was unable to find the correct structure that shall be sent to the tapi function https://learn.microsoft.com/en-us/windows/win32/api/tapi/nf-tapi-phonedevspecific
    I tried several buffer structures, could you explain to me how the parameter block shall be filled?
    Checking the Cisco TSP logs I found the following logs:
      10:21:35.275 |-->SelsiusTSP::TSPI_phoneDevSpecific(0xC7E7EC50)
      10:21:35.275 |-->CSelsiusTSPDeviceList::IsValidTapiPhoneHandle()
      10:21:35.275 | CSelsiusTSPDeviceList::IsValidTapiPhoneHandle() Found mapping for device(0xC7E7EC50) to deviceHandle(0x000002B0)
      10:21:35.275 |<--CSelsiusTSPDeviceList::IsValidTapiPhoneHandle()
      10:21:35.275 |-->CSelsiusTSPDevice::PhoneDevSpecific(): [0x000002B0]
      10:21:35.275 | CSelsiusTSPDevice::PhoneDevSpecific(): [0x000002B0] *ERROR* Dev Specific Ext unavailable : Ext Ver = 0x00000000
      10:21:35.275 |<--CSelsiusTSPDevice::PhoneDevSpecific(): [0x000002B0]
    Thanks
    Leonardo

  • Why the need for nat hairpin? - ( 03-18-2024 )
  • Cisco Start India
  • Can someone please explain the exact need for nat hairpin. When server01 is published to the internet and server02 is in the same subnet, they can both communicate using their private IP but server02 can't reach server01 public IP. Is it because server01 is dropping the packet or is it because the firewall is dropping the packet due to asymmetric routing or any other reason? Can someone please explain the exact flow?

  • Registering ASA FTD to On-Prem Smart License server - ( 03-18-2024 )
  • Network Security
  • Hej
    We have just upgraded our ASA 1150s to FTD software. Before the upgrade we used "call-home" to direct Smart-license registration to our On-Prem smart license server. But now that we have upgraded to FTD I can not find the option to register our devices with the on-prem license server. It looks like only the cloud is available. I can not figure out how to point the registration to our On-prem server. I saw some example for FMC but we do not use it. We are only using FTD right now.
    I would appreciate the help
    Regards