Hi,    I have a question, I have 2 WLC , one on site A and another WLC in site B,  both have the same settings, everything is already configured and they have the primary and secondary controllers,  all is working fine and the design works perfectly between sites, in fact we have done a failover in the past and it works, but there is just one flex connect group as of now.   There is however, as I mentioned,  just one flex connect group on both controllers, so rest assure that all is working as expected and the scenario is ideal and worked using flex connect group local switching and both flex connect groups have the same SSIDs,    My question is the following, considering it for a testing purposes please,    If I configure a new flex connect group called A  and B on both controllers, when controller for site A goes down, will the access points from site B will be registered on site B flexconnect group B on site A?   obviously, the access points have to be added on each site, say, 50 APs in Flexconnect group A but on the other site B, I have the same flex connect group A (with no APS assosiated yet), would that work when one WLC goes down?   Im just trying to figure it out if that works so I can more visibility for growth purposes, because Image that on each site there is a new small office, say 5 more APs,   I would have to set up a new flex connect group, but in order for me to allow smooth failover, and control over which APs will be joined to which flex group, I wanted to know if that works like Im asking.     I hope I have made myself clear with my explanation, but if you have questions, please ask me, I will be more than glad to answer,    so the idea is that each site has its own flex connect group and when one WLC goes down, all APs will be joined to the same group either A or B depending which site goes down.   Regards,   ... View more

HI,    I have made the backup via ftp for the acs server it downloaded a file acs_backup_31May-190601-0141.tar.gpg How can I see the config inside, like if I want to see if all the network devices and aaa clients are there?   or am I doing the wrong backup? is it normal that extension?   Regards,  ... View more

Hi,    I have been trying to understand and figure it out my self before posting here, but im unable to find a proper answer,    I have been reading some good docs but got more confused with Static Policy NAT and all I want is to allow a server from the outside to communicate with our internal server as the image below:     the external public server subnets (2 subnets) should communicate with the internal server over port 80   I have this config:   object-group network Public_Subnets network-object 66.249.65.0 255.255.255.0 network-object 66.249.64.0 255.255.255.0 object network obj_priv_ip host 192.168.10.10 object network obj_public_ip host X.X.X.X <-------> this is my reserved public IP different from the outside interface but its available   access-list inside-in line 1 extended permit tcp host 192.168.10.10 object-group Public_Subnets eq 80 access-list outside-in line 1 extended permit tcp object-group Public_Subnets host 192.168.10.10 eq 80   nat (inside,outside) source static obj_priv_ip obj_public_ip destination object-group Public_Subnets object-group Public_Subnets no-proxy-arp route-lookup   but I get an error saying that the object does not match or does not exist when I enter the NAT statement   Im running ASA5585-SSP-20,  Version 9.6(4)5    questions:   1- if its Static NAT: do I need the access list to be in place to allow it? on outside ? is itnt enough just the inside ACL?   I have seen some videos where they put simple NAT and the communication is already allowed from outside to inside, possibly Im wrong, but with static nat, do I need a firewall policy rule access list?   2- can you help me with the proper NAT command please?    is there any other way to make it much easier than the way Im trying to do it?   note: in the diagram, I put a single public fake IP from Internet, but in reality, the requirement is 2 public subnets          ... View more

Hi, I have been trying to understand if I missed something or if if there is a limit for the crypto maps when creating a vpn,    there was already up and running a vpn tunnel  crypto map OUTSIDE_map1 9 match address OUTSIDE_cryptomap_9 crypto map OUTSIDE_map1 10 set peer X.X.X.X crypto map OUTSIDE_map1 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES So I tried the create new vpn under the sequence of 10    crypto map OUTSIDE_map1 11 match address OUTSIDE_cryptomap_10 crypto map OUTSIDE_map1 11 set peer X.X.X.X crypto map OUTSIDE_map1 11 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES    and I got the error:   ERROR: Exceeded maximum of 9 ipsec-proposals for crypto map.   and overwrote the crytpos that I have and merged them   ... View more