
Expand your Tool Belt with TAC Knowledge Through the Cisco CLI Analyzer - FAQ


This event took place on Thursday 17th, December 2020 at 9:30 hrs PDT

-This Support Talk event is a special session of the “TAC Tools Explained Series”- 


This event provides an introduction to Cisco CLI Analyzer, its features, capabilities, and usage. The Cisco CLI Analyzer is a smart terminal emulator designed with internal TAC knowledge built in. Much like any terminal emulator, the CLI Analyzer provides the ability to store credentials for multiple devices as well as support for SSH and telnet. The CLI Analyzer is built to recognize and provide specific tools based on the Cisco device that you are connecting to. In this session, the experts cover some of the most useful tools available in the CLI Analyzer, including:

  • Contextual Help and Highlighting (CHH) – access to thousands of overlay elements that provide TAC knowledge, troubleshooting tips, and additional details right in your terminal.
  • System Diagnostics - the ability to analyze a set of commands from a variety of devices to help in resolving the most common configuration issues, address problems that are found, and ensure device stability.
  • Packet Capture Tool – a built-in tool for capturing packets across a variety of devices.
  • TAC Data Collection Tool – easily and quickly capture data requested by the TAC from a device and upload it to your case.
Featured Speakers

Nick Oliver is a Technical Leader in the Cisco Customer Experience (CX) organization and specializes in Core Routing and Switching Software Architectures. He works primarily on Cisco IOS XE routers and switches and Cisco NX-OS switches. He has spent the past 20 years supporting a wide range of customers and loves solving complex problems. Nick holds a bachelor's degree in computer science from North Carolina State University and a CCIE certification in Enterprise Infrastructure (#21782).

Magnus Mortensen started his career at Cisco in 2006 as a TAC Engineer focusing on our Security product line. He is now a Principal Engineer in our CX organization, still with a focus on Security. His passions around innovation and automation have fueled his career and led him to create everything from new case handling systems to Cisco CX's core automated problem detection system. Magnus is rarely satisfied with the status quo and is always looking for the next thing to improve.

You can download the slides of the presentation in PDF format here or review the video here

Live Questions

Q: How many device credentials can the CLI Analyzer remember? I have 25 devices but this number will grow soon.

A: This is a very good question. There is no limit; device information (IP address/hostname, credentials) is all stored on your local machine.

Q: Is it possible to create groups of devices? For instance, can I add all devices at a facility to a group? 

A: In CLI Analyzer instead of creating the feature of grouping and the difficulties that can cause, we allow tagging. Then on the left under tags you will see tags that you can use to filter the devices list.
Also, in the search you could type in a "tag" value to filter. So, for example, you could tag devices with security. Then you could also tag with building, etc. and then you have more flexibility to filter the device list. 

Q: Is the data uploaded from the device or does the system running the console capture it and it's uploaded from there? Is it also stored on the local or the system running the console?

A: The data that is uploaded is not saved on your local machine and is not analyzed by CLI Analyzer; now, if you want the data to be stored (shell data) you must enable session logging.
Also, the data is sent to Cisco TAC processing system live, it is processed in a Cisco DC and results sent back. Overall CLI Analyzer is just a conduit to help Cisco TAC automatically process your device data.

Q: If I close the tool results window, how do I get it back?

A: At the bottom left of a session window, sort of muted (Cisco style) you will see the word Results. If you click that, it will be reopened.

Q: Any chance of this tool being available to Linux users, or using a web browser?

A: At the moment, support is limited to Macs & PCs (MacOS and Windows machines). Nevertheless, that idea has been tossed around the development team. The issue you run into Linux is the multitude of available platforms, Debian, RedHat, Ubuntu, etc. and then multiple packaging systems. The amount of testing and resources required are fairly large.

Q: Can you use SNTC to populate the list of devices?

A: Today not directly, but if you could get a list of CSV devices, you can import that.

Q: Is it the same as output interpreter?

A: We've leveraged a lot of the existing information from the output interpreter and built it into features like CHH and Systems diagnostics.
The Output Interpreter has been EoL'd after CLI Analyzer became available.

Q: The contextual help doesn't go away when I click the X; the only way to clear the screen seems to be to scroll past it. Is this a known issue?

A: That does sound like an issue. Thanks for reporting, we will open a bug request with the development team.

Q: Can you ask the TACbot to send you a TAC "sho Tech" TaskID? or create one if you are trying to create a new case?

A: The TAC Connect Bot is primarily for interfacing with existing cases that have already been opened. Such as requesting case escalations or retrieving current status of the case or RMA. Creating a case from scratch via the Bot is currently not supported.

Q: Does the CLI Analyzer integrate with the TAC bot?

A: At the moment, CLI Analyzer is not connected directly with the TAC Connect Bot.

Q: The MAC option provides for 2 versions, 3.6.5 & 3.6.6. Unfortunately, there are no release notes. So what is the recommended version?

A: Hello, 3.6.6 is the recommended version. We are looking to release shortly after the new year.

Q: Are SSH keys supported?

A: If your question is regarding configuring (say on Linux) $HOME/.ssh/config and then from a terminal, I would type in ssh <ip> and then associated key and username are automatically filled in?

Q: I am having a problem with CCO login in CLI Analyzer, but it works with my colleague's ID. Not sure if there are restrictions on adding a CCO ID to CLI Analyzer. Any help?

A: Which version of CLI Analyzer are you using? Cisco changed their SSO platform and CLI Analyzer in 3.6.6 had to be updated to support all the new capabilities.

Q: Could this sharing be allowed over say a VPN remotely from someone local to the device? How many shares can you have?

A: If the user VPN'd into the same network as the user you want to share a session with, then yes, you can share. I need to check on # of simultaneous shares.

Q: Our support is thru third-party vendors and we do not have capability to open TAC cases, but we get TAC cases details opened by the third party vendors. With TAC case ID can we use this tool?

A: We need to take this question offline; we need to validate with the TAC Case system that you are able to attach files. We know that TAC supports an anonymous flow for these types of cases. Thus, we’re contacting you via email to review this case.

Q: Does FMC support work?

A: Similar to support for FTD, you can definitely communicate with FMC the same way as any other terminal program. FMC is scheduled for a future release. CLI Analyzer always works with SSH/Telnet devices, but the extra features require multiple teams.

Q: Can the CLI Analyzer be used with FTD?

A: Any device that supports SSH/Telnet or direct console is technically supported. The question is whether CHH is available for FTD, and also if there are specific tools available.

Q: In re FTD/FMC support, I understand I can connect with SSH. However, you are mentioning to be patient and the highlighting and tools may become available over time?

A: That is correct. CHH is provided by TAC engineers and can be updated independently from a CLI Analyzer upgrade. CHH is a component that is data driven and that updated data, as I mentioned, is always checked on every CLI Analyzer launch.

Q: I have had issues when connecting with TAC (CX) and using CLI Analyzer. Is there a move in Cisco to ensure all engineers are familiar with it?

A: We're happy to discuss the scenario/issues you ran into. We're contacting you via email to check if it was limited to a specific technology, or perhaps the individual was new to the company.

Q: Now I am using 3.6.4. I'll try to upgrade after this session and test it again. Do we have any contact for login issues in TAC tools? 

A: You can always submit questions via the Feedback button on the left of the CLI Analyzer page. Also there is a TAC team that supports CLI Analyzer.

Q: How do we get TAC to request files using the TAC Analyzer Tool? We had a case yesterday where we had to execute 10 commands manually.

A: I would suggest that in the future for a future case, to request the TAC engineer to send you a TAC Data Collection id. In addition, if you open the case through CLI Analyzer, you can choose to either collect data, or attach files you may have already captured.

Q: Can we import sessions from Putty, SecureCRT, MobaXterm? I use SecureCRT and have well over 1000 devices configured and would like to keep the two sync'd.

A: CLI Analyzer does support import from SecureCRT. In the "Devices" panel, you see an arrow pointing up with a line above, you can click that to choose to import from Putty, csv and secure CRT.

Q: Are there any plans to support UCS platforms?

A: UCS B&C Series are supported.

Q: Is having IOS-XE the only condition to support packet capture? For instance, does an ISR4000 support it?

A: The Packet Capture Tool is supported for the following underlying CLI based tools:

  • Embedded Packet Capture (both IOS and IOS-XE Routers and Switches)
  • ASA Packet Capture
  • CPU Queue Debugging (4500 Switches)
  • Ethanalyzer (NX-OS Switches)
  • ELAM (Nexus 7000)

So the short answer is yes, the ISR4000 also supports it. Additional details on using it are available here:

Q: Which port needs to be opened on our Perimeter firewall to allow the CLI tool to work? 

A: The reaching back to Cisco for "System Diagnostics" and other tools leverages HTTPS (TCP/443), and it is an outbound connection (like a web browser would). The only "inbound" connection would be for CLI Session Sharing and that would likely require some port forwarding, etc. You can see the default port in Settings -> Connections... it is TCP/8090, so if you wanted to have someone external to your firewall connect to a session share hosted internally, you would likely need to open port TCP/8090 and do some additional NAT to forward that port to some host within your network. If two CLI Analyzers are on the same LAN and Layer-3 reachable, then Session Sharing should work fine. During the demo, Nick's laptop and mine were able to reach one another through Cisco's network so we didn't need to open any firewall rules/ports on the devices between us.

Q: What version of the tool is this? I have 3.6.6 and it does not show the briefcase icon.

A: The briefcase icon is shown based on your association to a contract covering the device. If the target device you have in your CLI Analyzer, if it doesn't have a contract, then briefcase will not be shown. But also, if the device is covered, but you are unfortunately not associated to the contract, the briefcase will not be shown. In addition to Scott's answer, if you know the device is covered, you can confirm and/or request the contract get associated with your CCO Profile with Cisco's Profile Manager Tool.

Q: Do you have any plans to help visualize IBNS2 for DOT1X setups?

A: Currently there are no plans for that.

Q: Can we use this tool completely offline to analyze our Cisco MDS switches from show tech support?

A: The CLI Analyzer itself will work offline where you can get into the device; you can use it as a terminal.
Any of the tools, however, are going to require a connection back to Cisco to be able to utilize those.
So, if you don’t have access from wherever you’re doing your troubleshooting to get to Cisco, that is when you’re going to want to download the file and use the file analysis to be able to upload that.

Q: What are the ports to be opened for the session sharing to work?

A: The port to be opened is defined in the settings of CLI Analyzer. The default is 8090. If you navigate to Settings -> Connection, under Session Sharing you can enable this functionality. Sharing must be disabled to change the port value.

Q: What happens if some of the commands are incorrect?

A: I would suggest that you submit those issues via Feedback in the CLI Analyzer. Also, those commands are not programmed into the CLI Analyzer, they are driven by back end systems that are completely independent of the CLI Analyzer. So these types of issues can be identified and fixed without requiring CLI Analyzer upgrades.

Q: Just tried accessing the device using CLI Analyzer tool. This looks great. One thing - I was able to login to the device while on VPN but got DNS error when I was on Zscaler Private Access. Any comments? 

A: It's possible some of the sites may be getting blocked by your proxy server or firewall. You'll want to make sure the following URLs are allowed:

Q: I have two questions related to the demo: How did Nick initially give permission to Magnus to access 3 devices? And, having added 3 devices, would he be able to access a 4th device as well?

A: Find more details at the Ask Me Anything forum of this session here
