Answer Questions

  • Internal user in ISE with domain password policy - ( 10-05-2024 )
  • Network Access Control
  • Hi; As you know, when creating an internal user in ISE, you can force the domain password policy for that user (shadow user). For this purpose, you choose your Active Directory join point or All_AD_Join_Points in the Password Type field, as you can see below: My question is, how does ISE resolve the ambiguity problem when I choose the "All_AD_Join_Points" option? In other words, if I have two users in my two distinct forests that ISE has joined, and in these forests the two users have exactly the same common name... Thanks

  • Cisco ISE Posture with WLC 9800 in FlexConnect Mode - SGT Issue with F - ( 10-05-2024 )
  • Network Access Control
  • Hi, We're currently implementing posture with Cisco ISE, and we've successfully configured policies and used dACLs (Downloadable ACLs) for wired and VPN connections. However, we're facing an issue with ISE Posture on WiFi as we can't use dACLs on the WLC 9800 in FlexConnect mode. To work around this limitation, we've created specific SGTs (Security Group Tags) to manage network access rules via FTD (Firepower Threat Defense) based on posture states (Unknown, Compliant, and Non Compliant). The problem is that the firewall doesn't seem to update the SGT tied to a particular user, even though the posture compliance status is correctly obtained. In the ISE live logs, we can clearly see that the user is assigned the "Posture-Compliant" SGT, but the firewall still sees the user with the SGT "Posture-Unknown," and as a result, their access to internal resources is blocked. Has anyone encountered this issue before? Why isn't the firewall recognizing the SGT change? What should we check or troubleshoot to resolve this?

  • Advise required with GPON. - ( 10-05-2024 )
  • Routing
  • Here is the basic design. The reason for using the ONT and OLT is the distance factor. I want to ping the host at 192.168.10.12 from the core switch's access port on VLAN 10 (192.168.10.11). The L2 switch is configured with three VLANs and has a trunk port to pass the VLANs to the ONT. Also, the core switch is configured with SVI. Now, I need help to make the ONT and OLT work in this scenario. Any help would be appreciated. I am new to networking and have these physical devices available, and management on the L2 switch to access its GUI to manage it remotely.

  • Cisco AnyConnect delayed access to shares (group policy processing?) - ( 10-05-2024 )
  • VPN
  • Hi All, Has anyone come across the following behaviour and how to resolve?
    TEST#1: no access to Windows shares for 30+ minutes over Cisco AnyConnect session. From home on my work laptop, I login using my cached domain login credentials (my ADDS account is in a Company OU with GPO links). I connect to the internet via WiFi, the Cisco AnyConnect client then successfully connects. I can successfully ping, TCP true for SMB shares:
      Ping domain controllers
      Test-NetConnection -ComputerName DC1 -Port 445
    But cannot:
      net view \\DC1
      Using Windows Explorer \\DC1
    After about 30 minutes I can access DC shares.
    TEST#2: immediate access to Windows shares over Cisco AnyConnect session. If I login onto the laptop using an AD account in the Users OU, connect to WiFi and then Cisco AnyConnect, I can immediately:
      Ping domain controllers
      Test-NetConnection -ComputerName DC1 -Port 445
      net view \\DC1
      Using Windows Explorer \\DC1
    I'm not sure if this is due to delayed group policy processing, but I note:
      Computer Configuration\Administrative Templates\System\Group Policy: Set Group Policy Refresh Interval for Computers: 90 minutes for "this setting allows you to customize how often group policy is applied"; 30 minutes for "This is a random time added to the refresh interval to prevent all clients from requesting Group Policy at the same time".
      Computer Configuration\Administrative Templates\System\Logon: Always wait for the network at computer startup and logon (not configured).
      Not configured - Slow Link Detection: Computer Configuration/Policies/Administrative Templates/System/Group Policy/Configure Group Policy Slow Link Detection.
      Not configured - the specific folder redirection policy processing which tells the folder redirection to apply even if the network is slow: Computer Configuration/Policies/Administrative Templates/System/Group Policy/Configure Folder Redirection Policy Processing.
    Thanks! Steve

  • prevent email spoofing - ( 10-04-2024 )
  • Email Security
  • Hi All, I need to enable Validity Check on the Sender's Domain (i.e. envelope sender DNS verification) and Verify the From Header Using DMARC (i.e. applying an Enforce or Quarantine DMARC profile to the Mail Flow Policy). Basically I need to know what will be the consequences of enabling the above features and what precautions I need to take so my legitimate mails won't be impacted. PFB the link and the relevant snapshot of what I need to enable. https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/214844-best-practices-guide-for-anti-spoofing.html

  • Could not ssh to ASA after upgrading OS from 9.14.3.18 to version 9.1 - ( 10-04-2024 )
  • Network Security
  • Hi, We upgraded a pair of ASAs from version 9.14.3.18 to version 9.18(4)40. After that, we could not SSH into the ASA. At the moment, we can access the firewall via the console. I turned on debugging on the ASA while I attempted to SSH. The log file indicated that the Reg-mgr limit was reached. I checked with the command 'show ssh sessions', and there were no SSH connections. Could you help troubleshoot this issue? Below is our log file:
    colo-fw1/pri/act#
    SSH_EXT: flow lookup on vPifNum 3
    SSH_EXT: flow lookup for 216.x.x.x:22<--->10.0.99.11:1995
    SSH_EXT: flow lookup on vPifNum 2
    SSH_EXT: flow lookup for 10.0.99.250:22<--->10.0.99.11:1995
    SSH_EXT: found the flow
    SSH_EXT: connection on vPif inside
    SSH_EXT: Registering external ssh/sshd
    SSH_EXT: vcid 0, Process type 2
    Reg-mgr limit reached, dropping ssh on vcid: 0
    SSH_EXT: Response send len 16
    SSH_EXT: Connection close on fd: 991300522
    SSH_EXT: io callback performing cleanup for fd: 991300522
    SSH_EXT: cleanup event for non-session proc
    show ssh sessions
    colo-fw1/pri/act# sh asp table socket
    Protocol  Socket    State   Local Address     Foreign Address
    SSL       04d61538  LISTEN  10.0.99.250:443   0.0.0.0:*
    SSL       005637e8  LISTEN  216.x.x.x:443     0.0.0.0:*
    DTLS      0015d658  LISTEN  216.x.x.x:443     0.0.0.0:*
    SSL       022a92f8  ESTAB   216.x.x.x:443     193.37.69.199:43308
    SSL       02eca868  ESTAB   216.x.x.x:443     185.190.24.177:60097
    SSL       00a96a88  ESTAB   216.x.x.x:443     94.232.45.152:53152
    SSL       05246b08  ESTAB   216.x.x.x:443     79.110.62.203:57920
    SSL       052470c8  ESTAB   216.x.x.x:443

  • MTP vs MPO cable availability from Cisco - ( 10-04-2024 )
  • Optics and Optical Networking
  • I can't seem to find any information / matrices / compatibility guides that include MTP cables from Cisco.  Do they even exist?  Have a customer looking to buy some MTP12 cables, but all we can find are MPO12.  I understand MTP can work in place of MPO every time, but not the other way around.  Does Cisco make MTP12, or is this not something worth worrying about in terms of Cisco branding / certification?

  • Update 2.11.0.2 - Admin GUI - Error Loading the page, please refresh - ( 10-04-2024 )
  • Smart Net Total Care Portal and Collector Discussions
  • This is an unexpected error that I will share with the community. It was recommended on a previous post that a manual process to update to 2.11.0.2 needed to be followed. I ran the manual process to update a Collector server from 2.11.0.1 to 2.11.0.2. After running the process for the JeOS and SP files, the version updates show that the two updated successfully to the new version. However, on connecting to the GUI, the following occurs over and over again, indicating that there is an error loading the page, please refresh. The server was restarted several times with no change in behavior. I reverted back to the previous snapshot (GUI worked fine) and ran the process once again with the same end result. The issue was discovered to be that the Firefox browser appears to be caching some type of invalid content on the version change that is not refreshing. Deleting the browser cache or trying from another browser fixes the issue.

  • Problem setting up Cisco 68xx series IP Phone using LLDP. - ( 10-04-2024 )
  • IP Telephony and Phones
  • Hi, I have just recently bought (thanks to a recommendation from @vishalbhandari) a Cisco 6841 for my project. It is a test unit. I want to configure it so that it receives Network Policy (VLAN, PCP, DSCP) via LLDP-MED. The switch to which it is connected is a third-party Linux switch, which I have configured to bridge between several different ports. Each of the port members accepts VLAN 100 and VLAN 200. The bridge also has PVID 1 set for untagged frames, and all the member ports understand pvid=1. For LLDP, I am using lldpd, which I have configured to send LLDP-MED Network Policy TLVs (VLAN 100, PCP: 5, DSCP: 36). I have captured traffic to make sure the TLV gets attached to LLDP broadcasts, and it does. My problem is that the phone doesn't seem to 'accept' that configuration. Is there anything specific I need to do or ensure before the phone accepts the received config? How do I tell the phone to use another VLAN (e.g. VLAN 200) for data traffic (i.e. the traffic coming from the PC port)? In order to achieve the voice-only policy that I am broadcasting, I have tried:
    - Fresh out of the box phone,
    - Set IPv4 address manually,
    - Set it to IPv4 only,
    - Disabled CDP,
    - VLAN Tagging off.
    I was expecting that the phone would receive the config and set itself up accordingly, i.e. start using VLAN tagging, with VLAN 100 for voice. But this doesn't seem to work, i.e. the phone seems to still be using untagged frames. Is directly turning off VLAN tagging (with LLDP enabled) still 'stronger' than the config received via LLDP? Any help would be greatly appreciated. BTW, how do I make direct IP calls from the 6841 (i.e. without a PBX, etc.)?

  • Cisco ACI MultiPod with IPN devices connected using Multiple devices - ( 10-04-2024 )
  • Application Centric Infrastructure
  • Hi All, I am working on a HLD where I need to extend my ACI Multi-Pod (Site A) to another site (Site C) which is located 350 miles away from the existing ACI main POD. The customer is working with Megaport to provide the connection between these sites. But we don't have a direct connection between these sites. I have a connection from Site A to Site B (a transit site; no ACI POD is there, this is just a transit site), and from Site B I have another WAN connection to Site C. The overall latency is within 50ms, so we don't see any issues there. I have the following questions:
    1. Between my IPN devices in Site A and Site C, there are multiple devices. What protocol and feature should be supported on those devices? (Multicast PIM, routing protocols, any other?)
    2. Can anybody share a sample configuration for the devices between the IPN and the transit devices?
    3. We are going to host only one application environment in the new POD, and there will be only 2 Spine and 2 Leaf switches. How to design OOB for these 4 devices? Should I go for another WAN link for OOB management? Can this be simplified for cost optimization?
    4. The customer also wants to enable MACsec encryption over the WAN links; is it supported? Can anyone share some sample config template?
    Thanks and regards, B Senthil Kumar

  • Assigning an EtherChannel Subinterface to an Instance via FMC API - ( 10-04-2024 )
  • Network Security
  • I need to automate configuration for a Cisco Secure Firewall 3140 Threat Defense running Multi-Instance. The requirements are: using an EtherChannel interface as the parent interface (which is shared with other instances) and creating subinterfaces via API. I could create the subinterface using the API below, but couldn't find a way to assign it to one of the instances.
    /api/fmc_config/v1/domain/{domainUUID}/chassis/fmcmanagedchassis/{containerUUID}/subinterfaces
    Is it possible to accomplish this via API?

  • Cisco Room USB (mini) : camera stops working in MS Teams call - ( 10-04-2024 )
  • TelePresence and Video Infrastructure
  • Hi, We have several small meeting rooms with Cisco Room USB systems. The user connects the HDMI and USB cables to the laptop and starts the meeting. Recently, on many laptops the camera stops working in an MS Teams call when using the camera of the Room Kit. What can this be? When using Webex with the same Room USB system, the camera keeps working. In Teams the message is: the camera is not responding or stops working, or something like that, and the user has to select the laptop camera. Before the meeting the camera is still working (when going into the Teams devices screen), but as soon as the meeting is started, the camera stops working sooner or later...

  • DHCP Relay with anycast gateway on VRFs - ( 10-04-2024 )
  • Routing
  • Guys, I have a question about DHCP Relay with anycast gateway. I have been following the instructions from this guide (see the link below, in the DHCPv4 Relay on IRB section) on how to configure this, and I was able to get it to work: L2VPN and Ethernet Services Configuration Guide for Cisco NCS 540 Series Routers, IOS XR Release 7.4.x - Configure EVPN IRB, Distributed Anycast Gateway and E-tree [Cisco IOS XR Software (End-of-Sale)] - Cisco. I configured the first subnet with a DHCP relay profile; I had to assign two unique IPs on loopback interfaces, one for PE1 and another one for PE2. This works fine. When I added a second subnet I configured another DHCP profile, adding another two unique IPs (one for PE1 and another one for PE2, reachable to the DHCP server). This works fine. When I added a third subnet I configured another DHCP profile, adding another two unique IPs (one for PE1 and another one for PE2, reachable to the DHCP server). This works fine. Meaning, for every network that needs DHCP I had to add two unique IPs (one for PE1 and another one for PE2, reachable to the DHCP server) to make this work. If I only use the two unique IP addresses (on the loopback interfaces) from the first subnet to relay the DHCP requests, I found that the second and third subnet or network keeps getting an IP address from the first subnet's IP range or pool. It looks like the DHCP server or NCS540 Cisco router is not smart enough to see which VLAN the request is coming from. I find that using that many IPs just to allow DHCP relay to work on a fabric network is too much config. There has to be a better way of doing this. Any ideas?

  • EQ - HDMI Ingest Failure - ( 10-04-2024 )
  • TelePresence and Video Infrastructure
  • We have a campus deployment, all with Cisco EQ Room Kits. We are using Extron SW2 HD 4kPlus in most of the rooms, and in some we are using direct C2G switchers that have no configuration possible. We are connecting to the EQ input connector 3 via a fiber HDMI. Can't nail down how long it takes, but eventually the connection for Input 3 will show no signal. We have turned off any HDCP settings in the EQ and on the SW2. When we are in this state I have introduced a new HDMI cable in input 3 and brought it straight to my PC or the user's Lenovo all-in-one desktop PC, and the connection status only goes from "no connection" > "no signal". The only solution has been going into the Navigator settings and restarting the device. We have an SR and have been pulling logs and updating the ticket, but not getting much direction. At this point a macro to at least reboot the device from the home screen, so users don't have to go to settings and dodge factory reset, would be helpful. Ideally a macro that reboots just the HDMI input connectors would be best. Has anyone experienced this issue, and has any solution been found?

  • Certificates - ( 10-04-2024 )
  • Other Data Center Subjects
  • I need to remove the existing certificate on a considerable number of devices and then install/upgrade a new one. Basically on:
    1- Certification Authority Proxy Function (CAPF) Information: Certificate Operation -> Delete; Certificate Operation -> Install/Upgrade -> by Existing Certificate (precedence to MIC).
    After this action put on:
    2- Device Security Profile -> remove Non-Secure Profile for the required template for the client.
    Is it possible to carry out this process on a massive scale?

  • Anyconnect cisco VPN authentication issue - ( 10-04-2024 )
  • VPN
  • Hi Team, I am facing issues connecting to the Cisco Secure Client VPN, despite using the correct username and password. This typically occurs when I try to log in for the first time in the day, and sometimes in the evening as well. After 15 to 20 minutes, using the same username and password works fine. Our IT team suggests that the issue may be caused by my username and password being saved somewhere in the browser or on my mobile device, which is trying to authenticate. However, I have cleared all saved passwords from both the browser and mobile, cleared the cache, and reset the password, but the issue persists. The IT team has confirmed that the account gets locked, and they unlock it after seeing it in the logs. Despite these efforts, we haven't been able to resolve the issue over the past week. Any input or suggestions would be appreciated. Thank you!

  • Posture Assessment by Condition Report Filter Issue - ( 10-03-2024 )
  • Network Access Control
  • We have ISE 3.3 Patch 3. We have two domain-joined posture conditions as follows: Azure_AD_Join - this condition checks if the machine is Azure AD joined; Onprem_Domain - this condition checks if the machine is AD joined. Both conditions work as expected. In normal conditions, a machine can be part of either domain. Now, we are trying to extract a report listing the machines where both domain-joined conditions failed (trying to find any machines which are not domain joined). We know that ISE Reporting has two reports available to the administrator: Posture Assessment by Condition and Posture Assessment by Endpoint. If we apply a single condition, "Azure_AD_Join", we get a report where the Condition Status is failed, but when checking, we found the machine is part of On-Prem AD, and vice versa. If we combine both conditions, we get 0 entries, which indicates we don't have any machine where both conditions fail. However, we have a machine where both conditions are failing. We want to know why this report filter is not working as expected.

  • UCS CIMC - Boot/Crash recordings - ( 10-03-2024 )
  • Unified Computing System Discussions
  • Hello, I've a couple of questions in this regard. Once these recordings are enabled, what's the max size of these recordings that will be saved? Do these recordings get overwritten after reaching the maximum size? Is it possible to enable these recordings using the API? Thanks

  • Administration access to my own Account? - ( 10-03-2024 )
  • Unified Communications Infrastructure
  • So I ordered a Cisco Unity Connection licenses. I went to update my software and it was telling me I need to be approved for my entitlement. Come to find out some woman from the company I ordered my licenses through had admin access over me on SAMT? She had to approve my access to software entitlement? What is this about? This cannot be normal.

  • Packet Tracer: How to save user-entered text in "Instructions" panel? - ( 10-03-2024 )
  • Cisco Software Discussions
  • I am making Packet Tracer activity (.pka) files. In the "Instructions" panel, I want to ask students questions and give them text areas in which they can type (and save) their responses. The HTML <textarea> tag makes boxes for text entry. However, any text the user enters disappears when the user clicks the "Check Results" button (at the bottom of the "Instructions" panel), then returns to the activity; and when the user saves the activity, quits Packet Tracer, and reopens the activity. How can I let students enter and save responses in the "Instructions" panel? I am running Cisco Packet Tracer version 8.2.2.0400 on macOS 15.0. Thank you.

  • CSCwb31151 - Randomizing CGR poll intervals - ( 10-03-2024 )
  • Cisco Bug Discussions
  • Cisco Product Mgr April 24, 2024 This (CSCwb31151) is being tracked alongside CSCwf17700 (CPU spiking during processing of RPL tree) by our team. Reproduction of the issue was done in 4.12, and a fix is targeted for our next release (5.0) in September.