Hi,
I have a redundant Cisco ISE deployment (primary and secondary). To test redundancy I disable the network for ise-1. Then I shut/no shut interfaces on the switch where dot1x and MAB are configured.
I see on console/debugs that the switch marks ise-1 as DEAD, and ...
Hi,
I have AnyConnect on Cisco FTD. It is integrated with Microsoft AD via LDAP and I do LDAP attribute mapping based on AD group and FTD policy so different users have different privileges. I need to set up 2FA with Duo for these users, so I installed Duo...
Hi,
I have a DMVPN network with 2 hubs and spokes. Spokes have 2 separate mGRE tunnels, one to each hub (primary and secondary). For routing I am using EIGRP. On the primary hub I see a route to the network which is the network between the secondary hub and spokes ...
Hello,
I have DMVPN with a hub and spoke topology. I route all traffic from the spoke to the hub. So I have the physical WAN interface in vrf internet, point the tunnel interface source to vrf Internet, and have a default route in that vrf internet. When I test speed it is...
Hello, I have a scenario like on the picture below: So like you see we only have 2 different ISPs on the Hub/central location but only 1 ISP on the spoke location. Is it possible to bring 2 autoVPN tunnels from the Spoke Wan1 interface and play with SD-WAN policies for v...
Hi @Htonieto I read that the supplicant can start the process with EAPOL start, but also that the switch can start authentication with EAPOL request identity. The switch initiates authentication when the link changes state from down to up, or periodically. I am not sure j...
Hi @Htonieto This makes sense, because I have it set up to mark the server as DEAD after 4 tries, and really, capturing packets after shut/no shut on the interface, I see 2 acc requests and 2 auth requests. After those 4 messages and the timeout, ise-1 really is marked DEAD. ...
Hi @Stefan Mihajlov
Sorry for the late reply and sorry for the longer answers, but this is what I observed from debugs and Wireshark.
Regarding the first part of your answer (ICMP unreach and skips retransmission), I didn't understand who is sending ICMP to whom? This s...
Hi @Stefan Mihajlov
Thank you for the information in the first part of your answer; I didn't know that and now it makes sense. Is there any special reason why ise-2 is dropping packets and needs more time?
Regarding the timers, radius-server retransmit 3 and ra...
Hi,
On the primary tunnel going to hub1 I don't modify the delay. I modify the delay and make it higher on the secondary tunnel. So the spoke always uses the route to the DC network advertised by hub1 because it has a lower cost. When hub1 failed, or the WAN connection on hub1 failed, eigr...