Answer Questions

Hi,I try to implement SRv6 Service Chaining.I have a VRF on a PE routeur with two host on this PE in this VRF.On an other PE (call PE-FW) i have the same VRF with a FW connected on it.I want traffic from host A to go to the PE-FW and go to the FW and going back to host B.Do you know how i can do that in ios-xr with SRv6 ?Thanks in advance.

Hi GuysI am looking to replace some ASA 5545-X firewalls, what is the best model to move to ?I am looking at - FPR-1150 or FPR-2120What is recommended?Cheers

Hi all, I'm trying to understand which router becomes the Active router in an ICCP MC-LAG setup.I've read this post and am struggling to get the basics. If I have this configured:   PE1 ===== redundancy iccp group 1 mlacp node 1 mlacp system mac 0000.1111.2222 mlacp system priority 1 member neighbor 2.2.2.2 PE2 ====== redundancy iccp group 1 mlacp node 2 mlacp system mac 0000.1111.2222 mlacp system priority 1 member neighbor 1.1.1.1   (full ICCP details not shown) Who is the active POA for the MC-LAG group? Sometimes is it PE1, sometimes it is PE2.   RP/0/RP0/CPU0:PE1#sh bundle be1 Thu Nov 7 12:53:19.852 UTC Bundle-Ether1 Status: Up <snip> Port Device State Port ID B/W, kbps -------------------- --------------- ----------- -------------- ---------- FH0/0/0/1 Local Active 0x8000, 0x9001 400000000 Link is Active FH0/0/0/1 2.2.2.2 Standby 0x8000, 0xa001 400000000 Link is marked as Standby by mLACP peer RP/0/RP0/CPU0:PE1#   Now the MAC and priority should match (it'll technically work their priorities are difference, since one is arbitrarily selected by that is beside the point here). So the only differentiating factor is node number. PE1 is node 1. PE2 is node 2. But I've had instances where both are Active regardless of this. I'm even tweaked the port priorities - thinking that the numerically lower port priorities would want to become active and thus prompt their connected PE to take over as the active. But nothing. This becomes crucially important when understanding the various switchover modes (brute-force vs dynamic etc). I've searched the link I posted above, and other documentation, and cant seem to find any correlation. Can anyone assist?

Hello, After activating the boost license on the cisco device, our costumer was having problems receiving mails from gmail, Does it have any security module which causes the issue mentioned?        

Why Cisco Secure add-in isn't available in Microsoft integrated apps ?The only option is to download the add-in manifest file and upload.I believe, because of this reason the end-user submitted suspicious email using Cisco secure add-in isn't visible in Defender portal (security.microsoft.com >> Action Center >> Submissions >> User Reported).This is a major drawback of this add-in and it's important to have this capability. Can you assist. Thanks.

Hi All, This simple thing is still haunting me and no one seems to know the answer.  What is the difference between Local and Running Configuration. Working with Cisco device for more than 2 decades, I know what a running-configuration is. This is the configuration that the router is currently running. But the confusion is on the Local Configuration. People thing the "Local configuration" is the configuration built by vManage using the Templates or Configuration Group. But my tests show differently. If I make a change in CLI (say system-ip), then I see the system-ip updated on both running and local configs. Running-config is fine, but how come vManage updates the local config when CLI changes are made? As per my understanding, Local config is the config generated by vManage the last time the template/CG was deployed. But my tests show the other way. Also, different parameters behave differently. site-id changes go out of sync, but system-ip change syncs with both the configs. I am unable to come to a conclusion. Also, while applying Policy or Configuration Groups, vManage shows two configurations, Local Configuration and New Configuration. Sometimes it is "Old Configuration and New Configuration". See attached screenshots. Why Cisco engineers are not able to make things more consistent and make it easier for the customers to understand! I would appreciate if any one can clarify what the "Local Configuration" really mean. Thanks, Mohan      

I have 3 okta apps setup.Okta app for backendOkta spa appOkta web appThe Okta spa app is able to use the access token it got and pass to Okta app for backend and the token is validated. However, the Okta web app access token when passed to Okta app for backend, could not be validated, thus token is not valid.Anyone know the proper setup for the Okta web app so where its access token can be validated against the Okta app for backend?

Is there a proven working config for a CBS350 switch for using Microsoft NLB similar to the one available for other Cisco switches like the Catalyst.https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/107995-configure-nlb-00.htmlThe CBS switches have some different options than the Catalyst-6500 and definitely can't do the static arp entries for the multicast mac or add the multicast mac address to the mac address table .   It would be nice if Cisco posted a working config with the NLB like the catalyst document for IGMP MulticastI mistakenly posted this question on the switches forum instead of this one.

Hello Everyone,I need assistance with the Vmanager API, I need to reattach a device that in CLI mode to an existing template. I have used multiple API calls such as https://vmanage-ip-address/dataservice/template/device/config/attachfeature and /attachcli. These calls are being processed by the vmanager but is not moving the device to said template. Can anyone assist with the proper process or calls needed to reattach a device to an existing template? Thank you!

Hello, can the ISA 3000 be configured so that : - when an input contact becomes active, it can enable or disable some specific access lists (firewall rules). - when some specific access lists (firewall rules) are enabled or disabled, reflect that state on output contact to drive a towerlight in the machine (shop floor environment).Typical need is for our operators to use a switch or push button on the electrical cabinet of the machine to allow/deny access to the machine network to remote connections (VPN typically) in case of supplier remote support.Could this be achieved with the ISA 3000 family devices ?Best regards,Benoît.

In Catalyst IOS devices (2960X, 3560CX and older 3560X/3750X) I created a class-map to match against a device type using a simple regular expression based on the local device classifier.  I used this in an IBNS 2.0 policy to cater for the scenario of when the radius servers are down.  The service policy is based on the templates that DNAC uses, plus others I have found online and what has come out of my testing. This is the class-map   class-map type control subscriber match-any AI_PHONE_DEVICE match device-type ".*IP-Phone*"   This would match against any device that had "IP-Phone" in the profile name. With any of the IOS-XE devices, this no longer works as the regular expression isn't valid when viewed with a show command (it was added exactly as above with the .*   match-any AI_PHONE_DEVICE match device-type "./IP-Phone/"   Doing the same show command on the previous IOS switches shows the correct regex (".*IP-Phone*") I found a document that stated use the keyword 'regex' before the ".*IP-Phone*", however this command isn't accepted. I can expand the class-map out to include all potential device types and I've tested this and it works, but there are lots and I'd rather use the wildcard ".*IP-Phone*" Any idea how to do this with IOS-XE switches?  Or is it a 'feature'

Hi Team, On my Windows 2016 Server, I am no longer to backup CSM4.25.0 The daily error message is: ERROR(567): No database files are available for the installed applications; nothing to back up. I have manually run the command with the output C:\>PROGRA~2\CSCOpx\bin\perl C:\PROGRA~2\CSCOpx\bin\backup.pl C:\BACKUP ***********Executing log clean process******************* PURGE_DBBACKUP_LOG days-----------20 The file or directory you are searching does exist : true Purge Db Backup log Success CSM user preferences is successfully backed up. [Wed Nov  6 10:31:43 2024] INFO: CiscoWorks processes are not running. ************************************************************ Backup to 'C:/BACKUP' started at: [Wed Nov  6 10:31:43 2024] [Wed Nov  6 10:31:44 2024]  ERROR(567): No database files are available for the installed applications; nothing to back up. [Wed Nov  6 10:31:44 2024]  Backup failed: 2024/11/06 10:31:54 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

We are trying to implement Guest portal  through spaces but one of the prerequisites is to have sort of "Controlled" Guest network which can be access only by people that have the access code. The access code generation through GUI is fine however, it's not ideal for us that a person needs to be dedicated to generating these codes and providing them to our clients. We already have a preexisting Access portal where access codes would be requested, the code would be generated and the user would be updated in our AD so guest portal would verify against the AD, but given the fact that we can't manage it through AD any longer, we hoped that it would be possible to just redirect the access portal to create access codes in Spaces through API.Seems to me the only thing that is needed to achieve this is to have an API for captive portal but I can't find it anywhere, but maybe I just don't know where to look so I'm looking for an advice from someone who's smarter than me on this topic.Any way to achieve this through some API or perhaps PartnerApps ?

Hi , one of our customer have multiple 8k routers running sdwan. now they are looking to utilise "SDWAN-UMBADV  Cisco Umbrella for DNA Advantage" provided complimentary by cisco. please suggest how we can use these, what are the features available and what are the pre-requisites. BR.  

This post is to highlight this bug also affects 7.4.2I have had this confirmed by TAC and they are raising a change to update the bug

Hello, I just find out within the event viewer the following event: error:x509: certificate signed by unknown authorityThere is no more explanation neither information on the internet, how can I figure out which certificate my laptop is using, or how can I fix this problem. Several computers within my environment has the same event. Thank you in advance 

Can you please assist me walk me through to setup for Sonos:Log into the router's administration panel and navigate to L2 Switch > RSTP and check 'Protocol Enable' on all ports”What we found was that you need to configure the 'main switch' to use the older 802.1d spanning tree and change the bridge priority to be 4096 to ensure it becomes the root for the topology. We also needed to change the STP port costs of all Sonos connected ports to be 10.THanks

Hello, I'm trying to delete a Fabric from NDFC which was previously monitored with Nexus Insight, and I'm getting the error: "Fabric xxx is registered with ND cluster(s):xx" But now the Nexus Insight cluster no longer exists (It was a PoC and the vms are deleted). Is there a way to force the removal of the fabric? Thanks.        

Hey Community On newer video board and on Webex hub i see the option of "remote access" on board main screen but when trying to use it says "Remote Access is not allowed" Any idea?Already set "Remote Access" on Board to On Any ideas.

We have 1000's of CGR 2010s in service, but now seeing the IR1101 in some roles. We have policy-firewall on both platforms.To see sessions on CGR, I use:  show policy-firewall session | inc Session  <to filter out the uptime and bytes details.On the IR1101, the same 'show policy-firewall' command is there, but deviate quickly from that used on the CGR.txduartedgsub#show policy-firewall sessions platform ?all detailed informationdestination-port Destination Port Numberdetail detail on or officmp Protocol Type ICMPimprecise imprecise informationsession session informationsource-port Source Portsource-vrf Source Vrf IDstandby standby informationtcp Protocol Type TCPudp Protocol Type UDPv4-destination-address IPv4 Desination Addressv4-source-address IPv4 Source Addressv6-destination-address IPv6 Desination Addressv6-source-address IPv6 Source Address| Output modifiers<cr> Just looking for all sessions up between all zones....thanks in advance.

Hello,I'm currently trying to install asr9k-x64-7.11.2.CSCwk15658.tar on two different systems:- 9904 with A9K-RSP880-LT-SE- 9912 with A99-RP2-SEI've tried different ways, but it always ends with an inconsistent software state and a complete rebuild of the OS.Here is one example from the 9904:- every older SMU, that is not superceded, is installed- there are no superceded packages- only the packages that are needed for installation are inactive- install prepare was successful- just to be sure, I did clear configuration inconsistencyLog:2024-11-05 14:02:04 Install operation xx started by xxx:install prepare id xx2024-11-05 14:02:04 Package list:2024-11-05 14:02:04 asr9k-iosxr-os-64-1.0.0.1-r7112.CSCwk15658.x86_642024-11-05 14:02:04 asr9k-iosxr-infra-64-1.0.0.4-r7112.CSCwk15658.x86_642024-11-05 14:02:04 asr9k-common-pd-fib-64-1.0.0.2-r7112.CSCwk15658.x86_642024-11-05 14:02:10 Action 1: install prepare action started2024-11-05 14:02:10 Install operation will continue in the background2024-11-05 14:02:31 The prepared software is set to be activated with system reboot2024-11-05 14:02:53 Start preparing software for local installation2024-11-05 14:03:03 Action 1: install prepare action completed successfully2024-11-05 14:03:06 Install operation xx finished successfully2024-11-05 14:03:06 Ending operation xx2024-11-05 14:04:23 Install operation xx started by xxx:install activate2024-11-05 14:04:24 Action 1: install activate action started2024-11-05 14:04:24 The software will be activated with system reboot2024-11-05 14:04:24 This install operation will reboot the sdr, continue?[yes/no]:[yes] I yes2024-11-05 14:04:27 Install operation will continue in the background2024-11-05 14:04:37 Packages will be activated in the following sequence:2024-11-05 14:04:37 1: asr9k-common-pd-fib-64-1.0.0.2-r7112.CSCwk15658.x86_642024-11-05 14:04:37 2: asr9k-iosxr-os-64-1.0.0.1-r7112.CSCwk15658.x86_642024-11-05 14:04:37 3: asr9k-iosxr-infra-64-1.0.0.4-r7112.CSCwk15658.x86_642024-11-05 14:04:38 Activating package asr9k-common-pd-fib-64-1.0.0.2-r7112.CSCwk15658.x86_642024-11-05 14:08:49 Activating package asr9k-iosxr-os-64-1.0.0.1-r7112.CSCwk15658.x86_642024-11-05 14:10:22 Activating package asr9k-iosxr-infra-64-1.0.0.4-r7112.CSCwk15658.x86_642024-11-05 14:11:55 activate operation completed for all package(s)2024-11-05 14:11:57 Action 1: install activate action completed successfully2024-11-05 14:12:08 Installed software verification failed on 0/RSP1/CPU02024-11-05 14:12:08 Use 'reload location 0/RSP1/CPU0 force' to recover2024-11-05 14:12:08 Installed software verification failed on 0/RSP1/CPU02024-11-05 14:12:08 Use 'reload location 0/RSP1/CPU0 force' to recover2024-11-05 14:12:10 Installed software verification failed on 0/RSP0/CPU02024-11-05 14:12:10 Use 'reload location 0/RSP0/CPU0 force' to recover2024-11-05 14:12:10 Installed software verification failed on 0/RSP0/CPU02024-11-05 14:12:10 Use 'reload location 0/RSP0/CPU0 force' to recover2024-11-05 14:12:11 Installed software verification failed on 0/1/CPU02024-11-05 14:12:11 Use 'reload location 0/1/CPU0 force' to recover2024-11-05 14:12:11 Installed software verification failed on 0/1/CPU02024-11-05 14:12:11 Use 'reload location 0/1/CPU0 force' to recover2024-11-05 14:12:12 Installed software verification failed on 0/0/CPU02024-11-05 14:12:12 Use 'reload location 0/0/CPU0 force' to recover2024-11-05 14:12:12 Installed software verification failed on 0/0/CPU02024-11-05 14:12:12 Use 'reload location 0/0/CPU0 force' to recover2024-11-05 14:12:12 Install operation failed after point-of-no-return, system might be in an inconsistent state. Please reload the system which will rollback to committed software before you proceed with next Install operation.2024-11-05 14:12:13 Install operation xx aborted2024-11-05 14:12:13 Ending operation xxAny hints or ideas?Thanks, Torsten

Want to know if Cisco API console @https://apiconsole.cisco.com/ has support for PSS CSPC? We would like to perform API calls from a MuleSoft application to our Cisco PSS Collector, and want to know if we can do this via Cisco API console.

Hi all...So I have a third party softphone (MicroSIP) that I have configured with a CUCM 15, so that I can easily see what SIP messages are being sent via pcap taken from my machine.  Calls from this softphone are fine, and there are no issues with calls to other DNs on the CUCM.I also have a SIP trunk configured, that is pointing to a media application server (dialogic XMS), which is operating fine, as I am able to fire calls down that trunk to the gateway and then answer those calls.I am trying to get early media operating over that sip trunk.  I have captured a pcap from where the softphone is running, and a pcap of where the media application is running.  I can see the INVITE being sent to the CUCM with a SIP/SDP, and I can see the corresponding SIP INVITE being sent from the CUCM down the trunk to the media application, however there is no SDP with that message... only SIP.  Due to there being no SDP, it means I cannot get early media working properly.Here are some config settings from the sip profile being used for the trunk...What am I doing wrong here with my config?  Shouldn't the SDP be sent with the INVITE down to the media application at the end of the trunk with the above settings, specifically the REL1xx options and MTP?

I'm currently setting up Google Workspace as an IdP for SAML authentication for AnyConnect VPN access on a Firepower 1120. Could anyone provide guidance on the attribute mapping, specifically which attributes the Firepower device expects?many thanks

Hi, I would like to know if it is possible to enable TLS 1.2 on sf200-48 port switch  Thanks