
Answer Questions

  • IKEv2 error NO_PROPOSAL_CHOSEN with Palo Alto - ( 08-21-2019 )
  • VPN and AnyConnect
  • Hi, I am trying to set up a site-to-site VPN for one of our clients with Palo Alto. However, VPN phase 1 is not coming up, and when I ran debug I am getting a NO_PROPOSAL_CHOSEN error even though both sides are configured properly. The setup is like below:
      || HQ site - CiscoASA 10.1.1.1 ===> CiscoASA 200.1.1.1 || =========================== || Client Palo Alto (202.1.1.1) ||
    The IP addresses are examples. The internal ASA private IP address is NATed to the public IP address of the Internet ASA. Palo Alto is the client-side device. Both sides are configured with the same algorithms, but I could not see any configuration session for PRF in Palo Alto. Is it possible to disable it in ASA? Is the Palo Alto using a default PRF? Someone, please help.

  • Catalyst 9800 layer2 acl not working - ( 08-21-2019 )
  • Wireless Security and Network Management
  • I'm having trouble getting an L2 ACL to work on the Cat9800 on XE 16.11.1c. I have a WLAN policy profile called nm-test-policy with a specific layer2/datalink ACL defined in the running config:
      wireless profile policy nm-test-policy
       aaa-override
       autoqos mode voice
       datalink acl l2acl-ipv4-only
       dhcp-tlv-caching
       ipv4 dhcp required
       mdns-sd service-policy Airplay
       session-timeout 28800
       vlan 670
       no shutdown
    Assumed this would match a MAC ACL in XE, so I defined one:
      Extended MAC access list l2acl-ipv4-only
       permit any any 0x800 0x0
       permit any any 0x806 0x0
       deny any any
    and we can see that there is a client on that WLAN on a particular AP with an IPv6 address when the l2acl should be only allowing the ipv4, arp ethertypes at layer2 (public IPv6 address has been redacted):
      wct-o-test98#show wireless client mac-address b8e8.5627.2fd0 detail
      Client MAC Address : b8e8.5627.2fd0
      Client IPv4 Address : 100.66.61.31
      Client IPv6 Addresses : fe80::855:1c75:9ebf:8c8b
                              2610::X (redacted)
      Client Username: N/A
      AP MAC Address : c064.e424.6480
      AP Name: ap-o-9120axi4
      AP slot : 1
      Client State : Associated
      Policy Profile : nm-test-policy
      Flex Profile : N/A
      Wireless LAN Id: 64
      WLAN Profile Name: NM-Test
      Wireless LAN Network Name (SSID): NM-Test

  • Prohibited access to CSAM. - ( 08-21-2019 )
  • Smart Net Total Care Portal and Collector Discussions
  • Hello people. My client is trying to access the CSAM portal. But you are receiving the following message from the image below. We try to access the following links as well.
      https://cdceb-prod.cloudapps.cisco.com/csam/
      https://cdceb.cloudapps.cisco.com/csam/
      http://cdceb-prod.cloudapps.cisco.com/csam/
      http://cdceb.cloudapps.cisco.com/csam/

  • ASA 5520 Subinterface outside - ( 08-21-2019 )
  • Routing
  • I have bundled three ethernet ports of my ASA 5520 into a port channel. I have then created subinterfaces for internal VLANs. All that works fine, no issues. My ISP assigns me an IP address with DHCP. Currently, I have a physical ethernet port on the ASA set as the outside interface and it has been configured as a DHCP client. It gets an IP address from the ISP. Again, this works too. No issues. What I would like is to add the physical outside interface port to the channel group of three so that I have four ports in that channel and then set up a subinterface for the outside internet. I hope this makes sense, and if it does, will it work?

  • DTP and Portfast together? - ( 08-21-2019 )
  • Switching
  • I have two questions. The first is: after a port has become a trunk port, is there any way to see if that port was originally set to dynamic desirable, dynamic auto, or just trunk? I am using the sh spanning-tree detail command to identify trunk ports, then using the sh int <specific interface> switchport command to gather more info. But I am not sure if either of these specify the port's previous state. My next question is: can a port be set as portfast and enabled with a trunking protocol? As I use the sh dtp interface command and the sh spanning-tree detail, I am discovering a few ports that show up as portfast enabled and listed under the dtp interface with a trunking protocol of 802.1q. Is this normal? My first thought was if a port is portfast it would go errdisable if a switch is connected, so why have any trunking protocol on the port. Is my thinking wrong? Thanks

  • Bandwidth Limiting on Cisco ASA Firewall - ( 08-21-2019 )
  • Network Management
  • I'm trying to limit bandwidth for certain users on a Cisco ASDM 6.4 Firewall. I've tried creating inside and outside policy rules but I'm still struggling to see results. Any advice or tips as to how to do this?

  • Please help with logging source-interface loopback... - ( 08-21-2019 )
  • Routing
  • I have an issue with using the loopback as source for syslog packets. The second the loopback is used, logs are not making it anymore to the syslog server. Everything works using the Gig interface. The syslog server can reach the loopback and the router can also reach the syslog server using the loopback as source in ping. Could someone please help? Thanks!

  • ASA Upgrade 9.8.(4)3 to 9.9.2.52 - ( 08-21-2019 )
  • Firewalls
  • Is this considered a major upgrade or minor? I need to upgrade my Active / Standby Failover pair with 0 downtime. I will upgrade standby and reboot, when it comes up with 9.9 code, will it break the failover with 9.8(4)3 or stay in failover with error?? I am on Cisco ASA 5516-x

  • ip tcp adjust-mss on FTD with FMC - ( 08-21-2019 )
  • FirePOWER
  • Hi all, I'm working on setting up an IKEv2/IPSec VPN tunnel from an FTD (6.2) managed by FMC to Azure. The tunnel is up and icmp is working fine but our server engineer is reporting issues with RDP and domain controller replication. We're wondering if MTU or MSS could be causing these issues. The FTD interface MTU are currently default (1500) but I don't see a way to set ip tcp-adjust mss on the FTD. I'm not sure if there's a way to do this in FMC or via the FTD command line. Thanks.

  • H.323 protocol disappears - ( 08-21-2019 )
  • TelePresence and Video Infrastructure
  • We've got several SX20's, all standalone, not registering to CUCM or any Gatekeeper. We've got H.323 enabled and set as the default protocol. We're on a few different versions of software, ranging from 9.1.4 to 9.7.x. We see it every once in awhile where calls stop working. We look at the codec and there's a message that H.323 is the default protocol but is not configured. In this case, we find the H.323 section has completely disappeared from the device. I don't have a screenshot of it, but it's gone from the list on the left. We do an upgrade or downgrade and with the reboot, H.323 comes back. I have not been able to find anything out there that seems to have this same issue. We've seen it on at least 3 different SX20s. Anyone seen this issue before?

  • Cisco UCCX 12.0.1 Caller ID - ( 08-21-2019 )
  • Contact Center
  • Hi Guys, I have 2 questions regarding UCCX 12.0.1:
    1. Is there a way to display the Original Calling Number (ANI) on the IP Phone/Jabber, without using the annoying utils uccx icd clid enable in version UCCX 12.0.1?
    2. Is there a way to display the Caller ID (Name) of the caller if they call from the CUCM cluster (Internally) on the IP Phone/Jabber?
    Thanks, Shachar

  • Virtual FMC sensor max - ( 08-21-2019 )
  • FirePOWER
  • I understand the max number of sensors\devices a virtual FMC (FMCv) can license\manage today is 25. However I hear there is currently beta testing going on that would allow up to 300 devices in the FMCv. Does anyone know if this is true, and if true is there an ETA? We have over 50 ASA's looking to replace with FTD 1000 series devices in the next year.

  • ACI Multipod multiple L3out with Firewall - ( 08-21-2019 )
  • Application Centric Infrastructure
  • Hi, we have a plan to migrate a legacy Server Farm to ACI Multipod. The legacy design has a transparent firewall between the Server Farm Switch and Core Switch. All firewalls are configured as transparent and standalone (all active without cluster), with routes manipulated by OSPF cost. Each DC and DR has 2 standalone firewalls between Server Farm and Core. Below is the design that we will propose (without changing the firewall configuration). My questions are:
    1. Is it possible to have multiple L3out like this?
    2. Can we use L3out OSPF cost, local preference, etc. to manipulate routes to prevent asymmetric traffic?
    3. Or any other options with this case?
    Thank you,

  • BUG API - ( 08-21-2019 )
  • Services Discussions
  • Hi! I'm trying to access the BUG API with client credentials. I got the token with client id and secret from the Cisco API console. With those, I'm able to get an access token. Btw, I'm using Postman. Added token as part of the header:
      Authorization:Bearer XXXXXX
      Accept:application/json
    For the "hello" service I'm getting {"helloResponse":{"response":"Hello World!"}}. For https://api.cisco.com/bug/v2.0/bugs/bug_ids/CSCdr72939 or for any API call I'm seeing the response <h1>Not Authorized</h1>. I'm internal to Cisco and subscribed my application to all APIs. Since I'm internal to Cisco, is there any special on-boarding process and have the appropriate role for accessing the APIs other than registering an application with associated APIs?

  • NAM installation after Native supplicant - ( 08-21-2019 )
  • Policy and Access
  • Hello, Friends! We used the Native Win supplicant earlier with the PEAP method. Recently we decided to install AC NAM (with EAP-FAST) on top of it. I see weird behavior after the host reloaded. The PC is first trying to auth using PEAP; it looks like the Native supplicant is still alive and functional. The second auth attempt (~200 msec later) goes through EAP-FAST (the AC NAM wakes up =) ) and completes correctly. The first attempt through PEAP looks in ISE like a session abandoned by the supplicant. Is it normal? I thought the AC NAM completely replaces the native supplicant, or do we need to somehow disable it (GPO etc.)? Thanks, Artyom

  • How to set up and configure RV340-K8 with SG250-10P-K9? - ( 08-21-2019 )
  • Small Business Routers
  • Hi, I am very much a beginner. This is my first experience with deployment of a small office network based on Cisco equipment. We purchased an RV340 router, SG250-10P switch and WAP150 Access Point. The assignment is to arrange VLANs for 3 groups of hosts - one for the web-based intrusion system panel and IP cameras, a second group for the office PCs, a third for the printers. Additionally, we are going to configure separate SSIDs for guests and corporate purposes. So, where to start? Should we use LAN ports of the switch only, or of both the switch and router? Is it possible to configure everything from the router web-panel, or use web-panels of both router and switch? How should we wire switch and router for maximum efficiency? We found many topics on how to configure a separate router or switch, but are looking for the answer on how to configure both connected devices. Thx in advance.

  • IM&P v11.5 Cluster Stuck In Failover State - ( 08-21-2019 )
  • Unified Communications Infrastructure
  • I noticed new users are not being assigned to IM&P servers. When trying to assign them to a presence server in CUCM I received an error stating "Update failed. Cannot assign a user to a server that is not in a valid state". On the IM&P servers there is an error stating "An automatic failover has been initiated due to the peer node being down" on the same day there was a network hardware failure in the core. In CUCM > System > Presence Redundancy Groups for IM&P it shows node 1 as "Running in Backup Mode" and node 2 as "Taking Over". Both reasons state "Peer Down". They appear to be stuck in this state, and I can't find a document on how to best manually force them back. I assume it would be as simple as restarting some service(s) but I'm not sure which one(s).

  • Continue session beyond maximum connect time - ( 08-21-2019 )
  • VPN and AnyConnect
  • Hello! We are currently using ASA 5516 and AnyConnect for remote access VPN. The maximum connect time is set to 8 hours with a 30 minute time alert interval. Is there a way to prompt the user if they want to extend their VPN session beyond the maximum connect time without requiring authorization? Thanks for your help

  • Format for Ansible Inventory File - ( 08-21-2019 )
  • Network Management
  • Looking to see how others are formatting their ansible inventory files (hosts). I can't seem to get the INI file formatting to work so I am working with YAML format. How do you build groups or group devices within this format? I have read the ansible documentation but do not really understand. The output doesn't read as I would expect.
      MacBook-Pro:ansible stevenwiliams$ cat hosts
      all:
        hosts:
          cisco routers:
            hosts:
              R01:
              R02:
              R03:
              R04:
      MacBook-Pro:ansible stevenwiliams$ ansible --list-hosts all
        hosts (1):
          cisco routers
      MacBook-Pro:ansible stevenwiliams$

  • BE7000 // CIMC 4.0(2g) // disable Intersight Mgmt from Commandline - ( 08-21-2019 )
  • Unified Communications Infrastructure
  • Hello, Currently inquiring about this issue because we are experiencing some major network lag when trying to perform this action via the web-gui. Not only are we trying to configure a remote site on the other side of the globe.. but we are using a Solaris OS running an old version of FF. This is entirely outside of my control at the moment. I see no reason why "intersight mgmt" can't be disabled via the CLI.. I just have not found the option in any of the hierarchy commands. I'm hoping I just overlooked it. Thanks in advance.

  • Embedded Packet Capture on ASR920 - ( 08-21-2019 )
  • Routing
  • Hello, I'm running into issues running a packet capture on an ASR920 (using configurations that work on other router models). When setting up an ip cef capture point, the captures are coming up with no data. Tried testing on a physical interface and a BDI. I was able to capture process switched traffic (by switching the config below from "ip cef" to "process-switched"). So I know my script works. I'm just not able to capture data plane traffic on the ASR920. I've seen posts online about people having this same issue, but couldn't find documentation from Cisco covering this. Is anyone aware of this?
      !
      monitor capture buffer BUF size 1024 max-size 1518 linear
      !
      monitor capture point ip cef POINT BDI100 both
      !
      monitor capture point associate POINT BUF
      !
    Thank you, Steve