Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About Eric R. Jones
07-24-2019
Eric R. Jones
Beginner
Currently living in the Yokohama area of Japan. I work as a Network and Server Admin.
Recent Badges
Stats
Member since
03-31-2011
176
Posts
5
Helpful
3
Solutions
Created by
Eric R. Jones
in Network Management
in Network Management
07-23-2019
02:21 PM
07-23-2019
02:21 PM
I have been trying to google around on the subject but haven't found anything to address it. I'll probably have to open a TAC case. ej
... View more
Created by
Eric R. Jones
in Network Management
in Network Management
07-22-2019
02:48 PM
07-22-2019
02:48 PM
I used the second command and eliminated the standby option after a quick context search. The command does work and we have lowered the number of logs going to the remote log server. So our test works, now we need to establish which logs are the ones we wish to eliminate. We only want to eliminate the logs coming from a specific IP address, those from the proxy server(s). There isn't an option with the command to identify a destination or source IP so that makes it more problematic. Thanks for the information. ej
... View more
Created by
Eric R. Jones
in Network Management
in Network Management
07-21-2019
04:06 PM
07-21-2019
04:06 PM
I have been going down this road trying to figure out how to suppress these log messages. I found 2 commands. 1. logging flow-export-syslogs syslogs disable command: If the security appliance is configured to export NetFlow data, to improve performance, we recommend that you disable redundant syslog messages (those also captured by NetFlow) by entering the logging flow-export-syslogs disable command. 2. no logging message message-number: where "message-number" would be 302013 or 305012. Still looking to see which method is the best. I haven't found what I believe to be the way to do this in the ASDM UI. It may not be there. I did find the URL for the syslog ID messages definitions. 302013,302,014,302015 and 302016 are related to communications tear down and build up for TCP and UDP connections. We have our FW's in HA so I'm not sure if I need to enter the "standby" command at the end of each configuration. config t no logging message 302013 or no logging message 302013 standby no logging message 302014 or no logging message 302014 standby etc... ej
... View more
Created by
Eric R. Jones
in Network Management
in Network Management
07-20-2019
04:30 PM
07-20-2019
04:30 PM
We are supposed to be getting Elastic but not sure when. The issue is we appear to be duplicate logging the traffic from the proxy and the firewall. The logging of the connection build-up and tear-downs are what's overloading the logs. Eliminating those log entries would help tremendously. ej
... View more
Created by
Eric R. Jones
in Network Management
in Network Management
07-18-2019
06:21 PM
07-18-2019
06:21 PM
Hello, we have our new log server up and we're using A10 Thunder to load balance. We have logs from our proxy being sent to the syslog server with no problems. However, we have traffic from our ASA 5585X being sent to the syslog server and some of the data is not wanted. Specifically teardown and buildup traffic for each connection. I have been googling around to see if this type of traffic can be stripped out before being sent to the syslog server, either on the FW itself or via an ACL at the first convenient switch between the FW and the syslog server. Is it possible to do this? I know we can simply create an ACL to block all UDP to 514 but we wish to collect some log traffic from the FW just not overwhelm our syslog server duplicate data. ej
... View more
Labels:
Created by
Eric R. Jones
in Network Management
in Network Management
07-02-2019
05:18 PM
07-02-2019
05:18 PM
ok, I got it to accept the cert. So the way I did it was to: 1. Use the /localdisk/defaultRepo directory to hold the file. 2. Change the name of the file from yvaprm1top t yvaprm1top.cer. (Note. I used the top portion of the file returned from the CA including the: -----BEGIN CERTIFICATE----- Approximately 25 lines of hash -----END CERTIFICATE----- 3. Follow the directions after the upload. 4. Clear cache on the browser(s) and reload the PC.
... View more
Created by
Eric R. Jones
in Network Management
in Network Management
07-02-2019
03:52 PM
07-02-2019
03:52 PM
I did figure out I'm using the wrong directory. I moved the files to /localdisk/defaultRepo and now I'm getting a ERROR:Failed to import key certificate and then ERROR: ncs key importsignedcert command failed. rval:256. It may be an issue with the type of file used to import the cert or the naming of the file. I attached the (dot)cer extension to the file by cp filename filename.cer. ej
... View more
Created by
Eric R. Jones
in Network Management
in Network Management
07-02-2019
03:23 PM
07-02-2019
03:23 PM
While trying to import a signed certificate received from our CA, I received the following error. ERROR: In downloading signed certificate file yvaprm1totalcert from repository certificates. Does anyone know of a document that has a good explanation on how to get CA certs created and uploaded to Prime Infrastructure? Also a good explanation as to which portion of the cert gets uploaded, the top portion, the bottom portion or the entire thing minus the comments? I am using the Admin Guide which, in opinion, explains it straight away; however, I'm getting an error. I don't believe the cert is the issue but something in Prime, the reason I think this is another oddity where it won't automatically mount an NFS share when running backups but will allow me to cd into the NFS share and use scripts to copy files in and out. ej
... View more
Labels:
Created by
Eric R. Jones
in Network Management
in Network Management
06-30-2019
06:20 PM
06-30-2019
06:20 PM
Well no joy on this method. I even waited until we migrated the new PI 3.6 server from its temporary IP to the permanent IP replacing the old 3.1 server. It fails to mount the staging url, fails to mount the repo nfs url but if run locally with the script it will run the backup, copy it to the nfs mount and remove the old file. I checked the permissions and ownership of files and directories but nothing appears to be wrong. ej
... View more
Created by
Eric R. Jones
in Network Management
in Network Management
06-23-2019
04:43 PM
06-23-2019
04:43 PM
So far the only difference between you have laid out here and what I have is I didn't have the backup-staging-url configured any longer. I had removed it, then put it back but no matter what the failure output states it can't mount the staging location. If I cd into the mount point /mnt/repos/ I can access the NFS location, manipulate the files and exit. I can create a backup locally on Prime server and then manually cp or mv the file to the NFS share. The rpcinfo -p <IPAddress> returns the expected result. NFS client appears to be working properly based on the output of commands and my ability to access the locations. For some reason it won't mount it. I thought it might have been a permissions issues but it doesn't appear to be. ej
... View more
Created by
Eric R. Jones
in Network Management
in Network Management
06-20-2019
02:55 PM
06-20-2019
02:55 PM
We have had our Prime server on a an NFS share for a few years. We are deploying a new server, Virtual Machine PI 3.6. It's configured and servicing some test switches so it's operational. When I went to configure the repositories from the CLI all went well until I tried to use them. The backup runs but returns the error %Error mounting NFS location. However, I can cd into the directory, /mnt/repos, view what is in the directory and create a new file, view current files and remove files. I'm doing this as the root admin gaining access through the shell first and then running sudo su. I tried changing the permissions on /mnt from 755 to 775 and 777 but no change. I can create an alternative by running the backup command to create a local file and then use the crontab to fire off a job to copy the file from the local repo /localdisk/defaultRepo to the NFS mount /mnt/repo and then delete the local file. I had to do this earlier when the same issue arose. That was solved by having the system guys fix the Windows side and allow the server through. That wasn't changed so I'm not sure what's going on now. Anyone have this issue before? I didn't find anything on a search in the community nor in google. ej
... View more
Labels:
Created by
Eric R. Jones
in Network Management
in Network Management
05-22-2019
02:21 PM
05-22-2019
02:21 PM
Actually what Cisco TAC Engineers came up with was different and inventive. #INTERACTIVE crypto pki authenticate $TRUSTPOINTNAME<IQ>Enter<R><MLTCMD>#include("certificate.txt")<IQ>yes/no<R> yes</MLTCMD> #ENDS_INTERACTIVE That section that has #include("certificate.txt") is a file that resides on the Prime server in this folder. /opt/CSCOlumos/conf/ifm/template/resources/templatesystem/ That folder has the crypto key starting with the ----Begin Certificate----- and ending with the -----End Certificate----- and no extra spaces same as you would enter it on the switch. works verfy well and no cumbersome cutting and pasting. I probably should have posted that here but just went right back into the mix. Of course to do this you will have to have shell access, not sudo, to Prime. ej
... View more
05-16-2019
09:39 PM
We looked it up and we shall deploy this change in our next window. Ran out of time this go round. ej
... View more
05-15-2019
02:00 PM
My co-worker isn't here to recreate the issue and I don't have the documentation he created. Basically the primary has management 0/0 with IP/mask. My thought is to create the management 0/1 with the other IP/Mask on the primary unit so it replicates to the standby. This could result in an error of IP overlap, I haven't tried it yet. Since these ports aren't passing data/traffic only management I don't see any confusion on connecting. When I view the standby units management 0/0 port from the CLI I see the same IP anyway. No doubt this is due to primary updating the secondary since you shouldn't/can't introduce changes on the secondary's configuration directly without getting a warning that you will put them out of sync. This may be the error he got when he tried adding the IP to the standby units mgt 0/0 interface. ej
... View more
05-14-2019
07:08 PM
Hello, we have 2 ASA 5585X runnin asa 9.10(1)7and ASDM 7.10(1). We currently have the Gig0/1 interfaces on both devices with separate IP's in the same subnet for mgt purposes. We have created an IP on the mgt0/0 port on the primary ASA for OOB management and would like to do the same on the secondary ASA's mgt 0/0 port using an IP in the same subnet as mgt0/0 on Primary ASA. Right now when we attempt to use the ASDM to configure mgt 0/0 with the IP we get errors. It won't allow us to do this. Must we use a gig port configured to be a routable port or can this be achieved using the dedicated mgt ports? I did some googling but haven't found anything definitive. The ASA Admin guide didn't address this.
... View more
- Tags:
- OOB mgt
07-23-2019
I have been trying to google around on the subject but haven't found
anything to address it. I'll pr...
07-22-2019
I used the second command and eliminated the standby option after a
quick context search.The command...
07-21-2019
I have been going down this road trying to figure out how to suppress
these log messages. I found 2 ...
07-20-2019
We are supposed to be getting Elastic but not sure when. The issue is we
appear to be duplicate logg...
07-18-2019
Hello, we have our new log server up and we're using A10 Thunder to load
balance.We have logs from o...
07-02-2019
ok, I got it to accept the cert.So the way I did it was to:1. Use the
/localdisk/defaultRepo directo...
07-02-2019
I did figure out I'm using the wrong directory.I moved the files to
/localdisk/defaultRepo and now I...
07-02-2019
While trying to import a signed certificate received from our CA, I
received the following error.ERR...
06-30-2019
Well no joy on this method. I even waited until we migrated the new PI
3.6 server from its temporary...
06-23-2019
So far the only difference between you have laid out here and what I
have is I didn't have the backu...
06-20-2019
We have had our Prime server on a an NFS share for a few years.We are
deploying a new server, Virtua...
Created by
Eric R. Jones
in Identity Services Engine (ISE)
06-03-2019
06-03-2019
Hello, this is for folks who are familiar with ACAS but any feedback
would be appreciated.We current...
Created by
Eric R. Jones
in Network Management
05-22-2019
05-22-2019
Actually what Cisco TAC Engineers came up with was different and
inventive.#INTERACTIVEcrypto pki au...
05-16-2019
We looked it up and we shall deploy this change in our next window.Ran
out of time this go round.ej
Public Statistics
| Date Registered | 03-31-2011 05:54 PM |
| Date Last Visited | 07-24-2019 02:49 AM |
| Total Messages Posted | 176 |
| Total Helpful Votes Received | 5 |
.jpg "VIP Advisor"){kind=icon}
.jpg "Hall of Fame Community Legend"){kind=icon}
