Answer Questions

  • NAT Help - ( 05-11-2021 )
  • Routing
  • Hello, I'm having difficulty getting PC9, which is on the outside of NAT rtr 3, to be able to communicate with the rest of the topology on the inside of the NAT. I'm not exactly sure where I'm going wrong, but I think it is something to do with the translations and static routes I set. Attached is the PTK file. Thanks all!

  • Use UCS PowerTool to get the PID for a DIMM - ( 05-11-2021 )
  • Unified Computing System Discussions
  • The "Get-UcsMemoryUnit" command provides lots of information, but not the PID. I read somewhere that "Get-UcsCapability" is supposed to provide the PID for the associated ManagedObject, but it does not appear to accept Cisco.Ucsm.MemoryUnit even though it is of type Cisco.Ucsm.UcsmManagedObject. Cisco.Ucsm.MemoryUnit contains plenty of properties, including Model, but no PID. Can anyone direct me to the correct way to retrieve the PID for a DIMM?

        TypeName: Cisco.Ucsm.MemoryUnit

        Name                 MemberType Definition
        ----                 ---------- ----------
        AdminState           Property   string AdminState {get;set;}
        Array                Property   uint16 Array {get;}
        Bank                 Property   uint16 Bank {get;}
        Capacity             Property   string Capacity {get;}
        Clock                Property   string Clock {get;}
        Dn                   Property   string Dn {get;set;}
        FormFactor           Property   string FormFactor {get;}
        Id                   Property   uint32 Id {get;set;}
        Latency              Property   string Latency {get;}
        Location             Property   string Location {get;}
        LocationDn           Property   string LocationDn {get;}
        Model                Property   string Model {get;}
        Operability          Property   string Operability {get;}
        OperQualifier        Property   string OperQualifier {get;}
        OperQualifierReason  Property   string OperQualifierReason {get;}
        OperState            Property   string OperState {get;}
        Perf                 Property   string Perf {get;}
        Power                Property   string Power {get;}
        Presence             Property   string Presence {get;}
        Revision             Property   string Revision {get;}
        Rn                   Property   string Rn {get;set;}
        Sacl                 Property   string Sacl {get;}
        Serial               Property   string Serial {get;}
        Set                  Property   byte Set {get;}
        Speed                Property   string Speed {get;}
        Status               Property   string Status {get;set;}
        Thermal              Property   string Thermal {get;}
        Type                 Property   string Type {get;}
        Ucs                  Property   string Ucs {get;}
        Vendor               Property   string Vendor {get;}
        Visibility           Property   string Visibility {get;}
        Voltage              Property   string Voltage {get;}
        Width                Property   string Width {get;}
        XtraProperty         Property   System.Collections.Generic.Dictionary[string,string] XtraProperty {get;set;}

  • vPC Switch Failure, auto-recovery Behavior - ( 05-11-2021 )
  • Server Networking
  • Nexus 93180YC running 7.0(3)I4(2). That we need to upgrade notwithstanding, I think what we experienced is a misunderstanding of our understanding of the auto-recovery concept. We had a hardware failure of the primary vPC switch. It was a vPC peer link loss first, then keepalive. The secondary switch suspended its interfaces as expected with loss of the PL, but did not react immediately when the keepalive failed, despite the auto-recovery setting. Connected host hardware saw network connectivity loss for 2.5 minutes before switch B brought its ports back up.

    On May 8, at 14:05:22, switch A was vPC primary and experienced a hardware failure. Its ports began to shut down (Po1 is our vPC peer link):

        May 8 14:05:22 switch-A : 2021 May 8 14:05:22 PDT: %ETH_PORT_CHANNEL-5-PORT_DOWN: port-channel1: Ethernet1/53 is down
        May 8 14:05:22 switch-A : 2021 May 8 14:05:22 PDT: %ETH_PORT_CHANNEL-5-FOP_CHANGED: port-channel1: first operational port changed from Ethernet1/53 to Ethernet1/51
        May 8 14:05:22 switch-A : 2021 May 8 14:05:22 PDT: %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/53 is down (Initializing)
        May 8 14:05:22 switch-A : 2021 May 8 14:05:22 PDT: %VPC-2-PEER_KEEP_ALIVE_RECV_FAIL: In domain 1, VPC peer keep-alive receive has failed

    Switch B began to react. It saw the failure of the peer link first, then the keepalive.

        2021 May 8 14:05:24 switch-B %VPC-2-VPC_SUSP_ALL_VPC: Peer-link going down, suspending all vPCs on secondary. If vfc is bound to vPC, then only ethernet vlans of that VPC shall be down.
        2021 May 8 14:05:31 switch-B %VPC-2-PEER_KEEP_ALIVE_RECV_FAIL: In domain 1, VPC peer keep-alive receive has failed

    We have auto-recovery configured. Based on this document: https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf The scenario is exactly as described in Figure 103, save that these are 93180YCs, not 7Ks. We have auto-recovery configured.

    The vPC configuration works as expected in day-to-day operation. Switch B's configuration:

        vpc domain 1
          peer-switch
          role priority 8192
          system-priority 8192
          peer-keepalive destination 10.1.1.1 source 10.1.1.2 vrf MAIN interval 400 timeout 3
          delay restore 120
          peer-gateway
          auto-recovery
          ip arp synchronize

    So, keepalives every 400 ms, with 3 misses to timeout.

        switch-B# show vpc
        Legend:
        (*) - local vPC is down, forwarding via vPC peer-link

        vPC domain id                     : 1
        Peer status                       : peer adjacency formed ok
        vPC keep-alive status             : peer is alive
        Configuration consistency status  : success
        Per-vlan consistency status       : success
        Type-2 consistency status         : success
        vPC role                          : secondary, operational primary
        Number of vPCs configured         : 44
        Peer Gateway                      : Enabled
        Dual-active excluded VLANs        : -
        Graceful Consistency Check        : Enabled
        Auto-recovery status              : Enabled, timer is off.(timeout = 240s)
        Delay-restore status              : Timer is off.(timeout = 120s)
        Delay-restore SVI status          : Timer is off.(timeout = 10s)

    The auto-recovery feature says a timeout of 240 seconds. Were we amiss in expecting switch B to take back over immediately upon loss of keepalive communication? And, if so, then what exactly is the auto-recovery feature for? And should we manually tune that timeout value?

  • SDA Fabric 802.1x Onboarding Issues - ( 05-11-2021 )
  • Network Access Control
  • Recently encountered an 802.1x onboarding issue to an SDA fabric after upgrading IOS to anything above 16.12.4 on multiple 3K/9K platforms. This one took some time to resolve. Here were the issues: The SDA switch config, 802.1x config, and supplicant configs all work with the production IOS (16.12.4) across all of our 3K/9K platforms. We also tested the 16.12.3S IOS on multiple platforms, which was also successful with the configurations.

    To summarize, the following worked in regard to 802.1x onboarding:
      - Win10 AnyConnect 4.905042 NAM Supplicant with EAP-FAST(EAP-TLS) on 16.12.3S
      - Win10 AnyConnect 4.905042 NAM Supplicant with EAP-FAST(EAP-TLS) on 16.12.4

    And the following did not work until an MTU change (described later): the 16.12.5/16.12.5B/17.3.3 IOS's do not work with our SDA switch configs, 802.1x, and supplicant configs. Below is a list of tests conducted to aid in troubleshooting while working with TAC (none worked at first):
      - Win10 Native Supplicant with PEAP(EAP-TLS) on both 16.12.5/16.12.5B
      - Win10 AnyConnect 4.905042 NAM Supplicant with EAP-FAST(EAP-TLS) on all: 16.12.5/16.12.5B/17.3.3
      - Win10 AnyConnect 4.10.00093 NAM Supplicant with EAP-FAST(EAP-TLS) on all: 16.12.5/16.12.5B/17.3.3

    Performed captures the following ways:
      - Spanned client ports from both Cat9k/3k platforms
      - Wireshark captures from the clients we were testing onboarding with
      - Multiple ISE TCP dumps
      - Checked NAM profile configurations
      - Checked switch configs between a known good with the 16.12.4 IOS and non-working equipment running the following IOS's: 16.12.5/16.12.5b/17.3.3

    Findings:
      - Client PCAP files depicted EAPOL START packets every time
      - Switch debugs always showed this across all platforms/non-working IOS's:
            %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (e4b9.XXXX.a39d) with reason (Timeout) on Interface Tw1/0/3 AuditSessionID 49CA070A00000018480CDAA8 Username: host/XXXX
      - ISE RADIUS Live Logs always depict this:
            5440 Endpoint abandoned EAP session and started new

    TAC provided us these bugs to test workarounds (Bug Search (cisco.com): https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy09607). At first it did not resolve the issue, since the MTU change we tested was local to the client on its respective SVI. Some other internal folks suggested changing the MTU size on the SVI where ISE connects to reach the fabric underlay (ip mtu 1500). This actually ended up fixing all issues across the board. Note that in this scenario ISE has an underlay backend connection via the EBNs, so the change was conducted on them.

    Not sure if anyone else has run into this, but wanted to share, as a recent IOS upgrade to half the fabric ENs prevented clients from onboarding via 802.1x (no issues with MAB). However, modifying the SVI on the ISE side (EBN SVIs in this case) did in fact fix the issues, since ISE does not support jumbo. For the record, the ISE version is 2.7p3. Also, since SDA inception with this customer there have been no similar issues relating to 802.1x onboarding and fabric MTU. Hopefully this saves time for anyone else planning on upgrades or potentially hitting this issue.

  • Problem with the Inter-VLAN function of cisco RV160 routers - ( 05-11-2021 )
  • Network Management
  • Hi, I'm a first-year networking student, and I'm currently studying VLANs. My school got new Cisco routers, RV160, which the students and teachers have little technical knowledge about. We have a project in progress, which is to create a working environment with 3 VLANs.

    To start with, we have 1 server VLAN. This VLAN has a physical machine at 192.168.7.2, which is a VMware ESXi machine, containing a Debian virtual machine that has no IP for now. The network address of the VLAN is 192.168.7.0 in /26, so the gateway is 192.168.7.62. VLAN ID 2.

    The second VLAN is the "User" VLAN. This VLAN groups all user machines, where they get their IP addresses via DHCP. The network address of the VLAN is 192.168.7.64 in /26, so the gateway is 192.168.7.126. VLAN ID 1; this is the default VLAN.

    Finally, the DMZ VLAN. This VLAN has a Raspberry Pi serving as a DMZ. It's configured in 192.168.7.193. VLAN ID 3. The network address of the VLAN is 192.168.7.192 in /26, so the gateway is 192.168.7.254.

    For educational reasons, not security reasons, we are asked to make Inter-VLANs. But nothing to do, it just doesn't seem to work. I can ping 192.168.7.193, which is the DMZ, but only because it's the DMZ; otherwise, I can't ping what's in the server VLAN, for example. It's as if the button dedicated to "Inter-VLAN routing" has no effect; it's not possible to reach the other VLANs. For additional information, NAT is in place, so each workstation/DMZ/server can access the Internet. Moreover, we tried with ACLs, but it doesn't change anything. Whether it's my classmates or my teacher, we don't know where this problem could come from. I provide you the screenshot of the router VLAN configuration. The router's version is 1.0.01.03. Thank you again for your help. This will allow us to break the deadlock.

    EDIT: It seems that I can ping the "DMZ" even without it being declared as such in the router. This is really a headache, which would mean that one VLAN is accessible but not the other one.

  • Cisco CVA Issue - ( 05-11-2021 )
  • Contact Center
  • Has anyone encountered a certificate issue when trying to use the DialogflowIntent and DialogflowParam elements on UCCE? In the error logs I'm seeing IO exceptions communicating with Google and am getting PKIX errors. Read somewhere that I need to set a Windows environment variable as follows, but not sure if this is valid or not:

        set GOOGLE_APPLICATION_CREDENTIALS=KEY_PATH

    The error I'm getting is:

        A built-in element encountered an exception of type com.audium.server.voiceElement.ElementException.  The root cause was: com.google.api.gax.rpc.UnavailableException: io.grpc.StatusRuntimeException: UNAVAILABLE: io exception
        ....
        Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

  • Android - AnyConnect Host address error 'too long' - ( 05-11-2021 )
  • VPN
  • We use very long randomized URLs for our vendor AnyConnect connections. Generally, these are all connected on desktop devices; however, we have a vendor now testing on Android mobile devices. The Android version currently on Google Play (v4.10.00102) is giving an error when we try to connect one of our vendor URLs: "Invalid Host Address (too long)". I haven't been able to find any documentation on the max URL length for connections. Can anyone confirm this, so that if we choose to remake our URL, we only have to do it once and it's within scope?

  • Can't access CIMC KVM - ( 05-11-2021 )
  • Application Centric Infrastructure
  • Hello guys. Have you had problems accessing the KVM of the APIC CIMC? I want to start the KVM to upgrade CIMC, but I get the error that the client was disconnected due to a network error, and it won't open. I have even tried being on the same subnet as the CIMC IP, and nothing. (Have tried all 3 APICs.) Before, I could access it, because that's how I upgraded to version 4.1(2b). Any suggestions?

  • CUIC 12.5 Blank Reports when pulled from Subscribers. UCCE deployment. - ( 05-11-2021 )
  • Contact Center
  • We have a newly deployed 12K UCCE 12.5 that has a primary CUIC publisher with 5 subscribers. When we run Historical reports from the pub, they show reports properly. When we log in to any of the subscribers and pull the same exact reports, they are blank but show "Success" at the bottom. This seems to be only with Historical Reports. Checked the DBReplication and all show 2 (Setup Completed) with no errors and records match. Tried using application administrator or regular user with the same exact results. Datasources show all green. Historical datasource is pointed to the HDS's (not awdb) as this is a 12K deployment and when we pointed to awdb as you normally would reports would error out. Tried both FQDN and IP addresses for URL and different browsers with the same exact results. Any ideas why? TIA

  • VXML Memory Leak Issue - ( 05-11-2021 )
  • Contact Center
  • Hi Experts, last week we deployed on an IVR application two XML files that had been modified and updated. It was working fine for 1 hour; after that all applications were impacted. There were call drops on the VRU node in ICM, and there were no call hits on the VXML application for more than 4 hrs. We took a backup of all applications and moved to side B; side B started working, and then on side A we removed all the applications and added them back one by one, after which side A also started working. Currently a few applications are running on side A. I have attached the Tomcat catalina logs for your reference. Could you please review and tell us what went wrong here, why so many threads are stuck, and what caused it to happen? Thanks!

  • How do you disable a built-in application detection? - ( 05-11-2021 )
  • Network Security
  • We are running FirePower 6.6 and have recently been seeing a lot of bad detections around the "built in" GoDaddy definition.  As GoDaddy is tagged as webmail, these not-really-GoDaddy sites are being blocked by our "block webmail" apps policy. Since the root of my problem is that the GoDaddy application detector seems to be running an overly-broad definition, I wanted to turn it off.  That'd let any other matching definitions still run, and let us still use the protections we intend without the false positives we've been triggering. Problem is, I can't seem to figure out how to disable one of the built-in detectors.  I can go to Policies -> Application Detectors and filter with "GoDaddy"; but at this point I see two policies with the State toggle disabled (can't turn them off). Is there any way to disable a built-in application detector so it stops tripping rules with false positives?(side question, does anyone know what the definition is for this detector -- I'd be interested in finding out why it so easily succumbs to this many false positives)

  • Port security API - ( 05-11-2021 )
  • Automation and Analytics
  • I need to know if this is possible using the API on 9200 switches. It is necessary to verify the "error disable" status of any interface on the switches due to a "port security" violation, and then perform shutdown and no shutdown on that interface.

  • Has anyone experienced SDWAN Viptela OS Version 20.4.1(2) and vrrp issue? - ( 05-11-2021 )
  • SD-WAN and Cloud Networking
  • My vEdge 2000 had been running 19.2.2 for years, and its VRRP just broke when upgraded to version 20.4.1. The physical interface works fine, but the VRRP address fails to populate ARP, so it does not answer. Cisco TAC gave a temp fix of shutting the Master device interface and bringing it back up. Has anyone experienced this VRRP issue with version 20.4.1? I can't roll out the upgrade until I find a solution. Thanks.

  • DNA Center and WLC 9800: Missing Netconf Port - ( 05-11-2021 )
  • Cisco Digital Network Architecture (DNA)
  • Hello, I have problems connecting my DNA Center version 2.1.2.6 to my WLC 9800 version 17.3.3. I configured NETCONF port 830 in the WLC and added port 830 in the DNA discovery. I also checked via SSH whether port 830 is accessible. It worked. However, if I try to connect the WLC to DNA, I get an error because of NETCONF: "Missing Netconf Port". But when I look into my WLC log, I see:

        May 11 15:55:04.725 MEST: %DMI-5-AUTH_PASSED: Chassis 2 R0/0: dmiauthd: User 'dna' authenticated successfully from x.x.x.x:37774 and was authorized for netconf over ssh. External groups: PRIV15

    Does anyone have an idea what the problem is here?

  • Providing IT Managers with data for network load/impact during security scans using Stealthwatch - ( 05-11-2021 )
  • Security Analytics
  • I work in an environment using Cisco Stealthwatch. We have a cybersecurity team that is doing an audit on our systems, where they are scanning the network for vulnerabilities and other problems. I have to provide my management team with the Stealthwatch output. I need to hone in on specific output. Essentially, this team is just doing passive scans on our network. They are connecting Gigamon aggregators? and use Nessus to scan the network. They are just using laptops connected to the switch via an access port. I need to write up a report to management on the network load they're putting on the core switch. I know that their scanning is very low impact, but I just need to verify that I am looking at the right tables/graphs to see the overall impact they are putting on the network. Should I just use the Daily Report? Or is there some other output in Stealthwatch that I should be looking at that would provide more granular results? I know what ports the cyber team is connected to on the switch, but I don't believe I can actually look at data for those ports, just "index", correct?

  • Cisco ISE Dot1x Authentication failed - Misconfigured Supplicant - ( 05-11-2021 )
  • Network Access Control
  • Dear community, hope all is good at your side. I am working on the configuration of Cisco ISE 3.0 802.1x in a project, and during the process I am facing an issue with Authorization. Cisco ISE shows: 1 Misconfigured Supplicant. The details of this Misconfigured Supplicant are too general, as follows: Failure Reason: Rejected per Authorization Profile; Resolution: Selected Authorization Profile contains ACCESS_REJECT Attribute. Authorization Profile with Access_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.

    The behavior of the RADIUS logs is: three successful AuthZ followed by two failed AuthZ logs. Configuration on the supplicant has been applied with the following idea: authentication protocol to be used: PEAP. Configurations for PEAP and wiredAutoConfig have been applied as described in almost all blogs online.

    The one thing I am unsure about is the root cert that needs to be imported into the supplicant. This is because, in ISE trusted CAs, I have the organization public CA imported. Meanwhile, I have generated a subordinate cert and signed it for the distributed deployment of ISE1 and ISE2. Now I remember the subordinate was checked to be used for EAP Authentication. Do you guys know if this is the root cert I need to push into the supplicant's Trusted CAs? And if yes, do you know how I can download this subordinate cert directly from ISE and import it into the supplicant's Trusted CAs store?

    Other than that, I have enabled debug on the switch, but no logs are showing there. The show auth sess int g0/1 shows dot1x running and then failed. The unclear thing is that it does not fail over to MAB, even though it's listed as a secondary protocol to be used. At the end, what I did was take the default policy and select it to allow any. And this is when it failed over to MAB. Meanwhile, dot1x PEAP is still not working.

    I am after troubleshooting forms, more logs, and a way to see what is happening in the background of the process. Any guide, recommendation or thought would be highly appreciated. Thank you, Laura

  • Cisco SD-Access ATXs Follow-Up Discussion: Wireless in SD-Access - ( 05-11-2021 )
  • Software-Defined Access (SD-Access)
  • Welcome to the follow-up discussion for the Ask the Experts (ATXs) session: Feature Overview: Wireless in SD-Access on May 27. Register now: 1:00 PM PT │ 11:30 AM BST │ 2:30 PM SGT. Cisco experts Danmu Wu, Dilip Jasutkar, and Johnson Li are available to answer any questions you post between May 28 and June 1st, 2021. Participate and ask the first question! To read some commonly asked questions with answers, refer to Cisco SD-Access Ask the Experts FAQ: Wireless in SD-Access. You can also review Cisco SD-Access Ask the Experts Resources for the latest guides. To participate in this discussion, please use the button below to ask your questions. Post your questions from May 29 to June 1st, 2021. **Helpful votes encourage participation!** Please be sure to rate the Answers to Questions.

  • Publish failed - ( 05-11-2021 )
  • Web Security
  • Hello, I have an SMA and two WSAs. They are all physical appliances and on the latest version. I am trying to publish the configuration to the appliances, but I get this error: "Acceptable Use Control Engine data version on the Web Appliance does not match the version available on the Management Appliance". How could I change the version of the Web Categorization Categories List in SMA? Thanks and regards, Konstantinos

  • Start Before Logon host selection - ( 05-11-2021 )
  • VPN
  • We have two ASAs working separately for working-from-home access. The extra pair were set up last year due to working-from-home pressures of COVID. SBL was set up with half the staff connecting to one, half to the other. However, a year later, I need to set up a third profile. No one can remember how host selection was achieved and, no matter what I do, when using AnyConnect and SBL, always the same host is chosen. We have 'remote' connecting to one ASA and 'remote2' connecting to our vASA; I need 'remotena' to also connect to the vASA using SBL. This works fine AFTER logon; all three are added as hosts in the main profile XML as follows (located in c:\programdata\cisco anyconnect secure mobility agent\profile):

        <?xml version="1.0" encoding="UTF-8"?>
        <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
          <ClientInitialization>
            <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
            <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
            <ShowPreConnectMessage>false</ShowPreConnectMessage>
            <CertificateStore>All</CertificateStore>
            <CertificateStoreMac>All</CertificateStoreMac>
            <CertificateStoreOverride>true</CertificateStoreOverride>
            <ProxySettings>Native</ProxySettings>
            <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
            <AuthenticationTimeout>12</AuthenticationTimeout>
            <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
            <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
            <LocalLanAccess UserControllable="true">true</LocalLanAccess>
            <DisableCaptivePortalDetection UserControllable="false">false</DisableCaptivePortalDetection>
            <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
            <IPProtocolSupport>IPv4</IPProtocolSupport>
            <AutoReconnect UserControllable="true">true
              <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
            </AutoReconnect>
            <SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
            <AutoUpdate UserControllable="true">true</AutoUpdate>
            <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
            <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
            <LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
            <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
            <LinuxVPNEstablishment>LocalUsersOnly</LinuxVPNEstablishment>
            <AutomaticVPNPolicy>true
              <TrustedDNSServers>10.xxx.x.xx,10.xxx.x.yy</TrustedDNSServers>
              <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
              <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
              <AlwaysOn>true
                <ConnectFailurePolicy>Closed
                  <AllowCaptivePortalRemediation>true
                    <CaptivePortalRemediationTimeout>10</CaptivePortalRemediationTimeout>
                  </AllowCaptivePortalRemediation>
                  <ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
                </ConnectFailurePolicy>
                <AllowVPNDisconnect>true</AllowVPNDisconnect>
              </AlwaysOn>
            </AutomaticVPNPolicy>
            <PPPExclusion UserControllable="false">Automatic
              <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
            </PPPExclusion>
            <EnableScripting UserControllable="false">false</EnableScripting>
            <CertificateMatch>
              <MatchOnlyCertsWithKU>false</MatchOnlyCertsWithKU>
              <ExtendedKeyUsage>
                <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
              </ExtendedKeyUsage>
              <DistinguishedName>
                <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Enabled">
                  <Name>CN</Name>
                  <Pattern>xxxxxxxx.xxx.xxxxx.xxx.xx</Pattern>
                </DistinguishedNameDefinition>
              </DistinguishedName>
            </CertificateMatch>
            <EnableAutomaticServerSelection UserControllable="true">false
              <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
              <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
            </EnableAutomaticServerSelection>
            <RetainVpnOnLogoff>false
            </RetainVpnOnLogoff>
            <CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
            <AllowManualHostInput>true</AllowManualHostInput>
          </ClientInitialization>
          <ServerList>
            <HostEntry>
              <HostName>xxx xxx Windows Network Admin</HostName>
              <HostAddress>remotena.xxxx.xxx.xx</HostAddress>
              <UserGroup>NetAdmin</UserGroup>
            </HostEntry>
            <HostEntry>
              <HostName>xxx xxx Windows vASA</HostName>
              <HostAddress>remote2.xxxx.xxx.xx</HostAddress>
              <UserGroup>windows</UserGroup>
            </HostEntry>
            <HostEntry>
              <HostName>xxx xxx Windows</HostName>
              <HostAddress>remote.xxxx.xxx.xx</HostAddress>
              <UserGroup>windows</UserGroup>
            </HostEntry>
          </ServerList>
        </AnyConnectProfile>

    I choose one from the drop-down list and it becomes the default for AFTER logon connections, and the hostname is referenced in c:\programdata\cisco anyconnect secure mobility agent\preferences_global.xml:

        <?xml version="1.0" encoding="UTF-8"?>
        <AnyConnectPreferences>
          <DefaultUser></DefaultUser>
          <DefaultSecondUser></DefaultSecondUser>
          <ClientCertificateThumbprint></ClientCertificateThumbprint>
          <MultipleClientCertificateThumbprints></MultipleClientCertificateThumbprints>
          <ServerCertificateThumbprint></ServerCertificateThumbprint>
          <DefaultHostName>remotena.xxxx.xx.xx</DefaultHostName>
          <DefaultHostAddress>y.y.y.y:443</DefaultHostAddress>
          <DefaultGroup></DefaultGroup>
          <ProxyHost></ProxyHost>
          <ProxyPort></ProxyPort>
          <SDITokenType>none</SDITokenType>
          <ControllablePreferences>
            <LocalLanAccess>true</LocalLanAccess>
            <EnableAutomaticServerSelection>false</EnableAutomaticServerSelection>
          </ControllablePreferences>
        </AnyConnectPreferences>

    For example, my PC, when using SBL, ALWAYS connects to remote2.xxx.xxx.xx whatever the settings above. If I delete all references to remote2.xxxx.xxx.xx from all the XML files where I have found it, SBL still tries to connect to remote2.nottscc.gov.uk but then fails. Any ideas how to point my AnyConnect to the new host entry?

  • Cisco ISE WLC SkipSessionRemoval True attribute - ( 05-11-2021 )
  • Network Access Control
  • Hello community. We have ISE 2.6 p3 and WLC 8.3.143, with an SSID using 802.1x. Lately I see that some sessions on ISE are in the Started state, but there is an accounting STOP message. In the body of the ACC-STOP message I found a Cisco-AvPairs field with the SkipSessionRemoval=True attribute. And the base license for this session wasn't released. But some devices have a correct accounting STOP without this attribute. How can I fix that? Best regards, Dmitry

  • Starting Guestshell (Python scripts) takes a long time - ( 05-11-2021 )
  • Network Management
  • We are trying to convert all our TCL scripts to Python scripts on the new 9200 and 9300 Catalyst switches. We tested around with the guestshell and could already run some scripts. The only issue we have is that every time we start a script with the following command:

        switch#guestshell run python3 /flash/guest-share/hostname.py

    it takes around 2 min to start the "guestshell" engine and then run the script. This is not an alternative to TCL, which was running instantly. Is there some tweak we can do to make the script run immediately (similar to NX-OS)? I know of a way to give the guestshell a separate IP and connect directly to it and run scripts from there. But we extend the CLI with a lot of small TCL scripts and want to be able to start them in the same CLI alongside commands like 'show ip int brief'.

  • Reading the specific object using NSO action - ( 05-10-2021 )
  • Metro
  • Hi, I am trying to read specific data from an NSO Python action (single read txn). Below is the NSO output, and from the XML output I need the data <chassis-id>C405-4725</chassis-id>. I want to use something like this, but it is not working with the path expression itself. How can I achieve this? I have some other examples working to read specific data, but not this one.

        import ncs

        with ncs.maapi.single_read_trans('admin', 'python') as t:
            root = ncs.maagic.get_root(t)
            device = root.devices.device[input.device]
            lldp_neighbors_check = device.live_status['ethernet-lldp-oper:lldp'].nodes.node['0/0/CPU0'].neighbors.details.detail.interface_name[input.interface]

        admin@ncs# show devices device ar3.BLB live-status ethernet-lldp-oper:lldp nodes node 0/0/CPU0 neighbors details detail interface-name TenGigE0/0/0/0 | display xml
        <config xmlns="http://tail-f.com/ns/config/1.0">
          <devices xmlns="http://tail-f.com/ns/ncs">
            <device>
              <name>ar3.BLB</name>
              <live-status>
                <lldp xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ethernet-lldp-oper">
                  <nodes>
                    <node>
                      <node-name>0/0/CPU0</node-name>
                      <neighbors>
                        <details>
                          <detail>
                            <interface-name>TenGigE0/0/0/0</interface-name>
                            <device-id>LON-SC-000112</device-id>
                            <lldp-neighbor>
                              <detail>
                                <network-addresses>
                                  <lldp-addr-entry>
                                    <address>
                                      <address-type>ipv4</address-type>
                                      <ipv4-address>10.91.245.227</ipv4-address>
                                    </address>
                                    <ma-subtype>1</ma-subtype>
                                    <if-num>3</if-num>
                                  </lldp-addr-entry>
                                </network-addresses>
                                <peer-mac-address>00:15:ad:43:5e:15</peer-mac-address>
                                <system-name>LON-SC-000112</system-name>
                                <system-description>AMO-10000-LT-S, FW: AMO-10000-LT_7.9_22663, HO: Dry-contact Input</system-description>
                                <time-remaining>117</time-remaining>
                                <system-capabilities>N/A</system-capabilities>
                                <enabled-capabilities>N/A</enabled-capabilities>
                                <media-attachment-unit-type>0</media-attachment-unit-type>
                                <port-vlan-id>0</port-vlan-id>
                              </detail>
                              <mib>
                                <rem-time-mark>0</rem-time-mark>
                                <rem-local-port-num>60</rem-local-port-num>
                                <rem-index>10</rem-index>
                                <chassis-id-sub-type>1</chassis-id-sub-type>
                                <chassis-id-len>9</chassis-id-len>
                                <port-id-sub-type>1</port-id-sub-type>
                                <port-id-len>7</port-id-len>
                                <combined-capabilities>0</combined-capabilities>
                              </mib>
                              <receiving-interface-name>TenGigE0/0/0/0</receiving-interface-name>
                              <device-id>LON-SC-000112</device-id>
                              <chassis-id>C405-4725</chassis-id>
                              <port-id-detail>PORT-5</port-id-detail>
                              <header-version>0</header-version>
                              <hold-time>121</hold-time>
                              <enabled-capabilities>N/A</enabled-capabilities>
                            </lldp-neighbor>
                          </detail>
                        </details>
                      </neighbors>
                    </node>
                  </nodes>
                </lldp>
              </live-status>
            </device>
          </devices>
        </config>

  • Windows default FTP service firewall rule on ASA - ( 05-10-2021 )
  • Network Security
  • We did enable a firewall rule for one direction of FTP, from the source IP/FTP client to the destination IP/FTP server with destination port TCP/21, but it looks like the Windows default FTP connection works such that the FTP server establishes the data connection over TCP/20 to the FTP client. It worked without enabling the reverse-direction rule for TCP/20, then suddenly it got blocked recently, and TAC said this was supposed to be open from the start. Has anyone experienced the same thing?

  • FMC preprocessor(GID:122) portscan detection question - ( 05-10-2021 )
  • Network Security
  • Hi Teams, the preprocessor rules (GID:122) are rules about portscan detection. These rules are disabled by default (in Snort's base policy; Maximum Detection also). So, to catch an attacker's portscan, I have to enable these rules manually. Why are these rules disabled? I have no clue! Because of FTD's performance? Or false positives? Thank you.