Hi, Just as a side question, but what ip device tracking global command did you use? I have a network with Mitel 5320 phones and they are not responding to device tracking arps. I suspect they dont like source 0.0.0.0 but wanted to know if you have seen similar for this phone? ... View more

Our FMC keeps throwing in the same VPN status event "VPN tunnell between FWA/peerip/subnetX and FWB/peerip/subnetY is inactive due to to Deleted backup session" Firstly any idea what a backup session refers to? If its a VPN SA, well I've checked the Firewalls and the VPN SA for these subnets is ok on each side. Traffic is being encrypted/decrypted, SPIs match. I have no inactive SAs on the FTDs. So why does FMC keep reporting this? Secondly, since it'sthe same message every 2-3 mins including the subnets in question,  shouldn't the Health Events Value column count increment instead rather than generating a new message? ... View more

How do you identify a Windows Server Connector from the Connector ID in Cloud Web Security? On the WSA its easy. It shows you the Connector ID for the WSA on the WSA System Status web UI or type 'version' at the cli. ... View more

Ok I occassionally get the ACS - System Errors message which is usually reporting about 'Missing log messages'. This seems to repeat ad infinitum unless you acknowledge the alarm. If I run the ACS System Diagnostics report linked to the alert, it shows me a value of the missing log message. MissingLogMessages=<some value>. What is <some value>? A reference or actual number of missing log messages? What can be done about it? It's a distributed environment where the source of the log messages being reported is the Primary AAA server and the actual Log Collector for running Reports/Monitoring.is the Secondary AAA server.. ... View more

ASA 9.1 code.....I've imported two CA certs as TrustpointB and TrustpointC. TrustpointB is an Intermediate CA, TrustpointC is the Root CA for this. I'm now trying to import a wildcard identity certificate (so no CSR) as TrustpointA. This is issued by the intermediate CA. The Identity is a .pfx file , which I believe is a pkcs12 file. The identity cert installs successfully according to ASDM, but from cli if I type "show crypto ca trustpoint", the Identity Trustpoint says it's not authenticated. If I try 'authenticating' this trustpoint, using "crypto ca authenticate TrustpointA" I get a message saying "ERROR: You must specify an enrollment URL for this CA before you can authenticate it.". So how do you authenticate an imported Identity certificate in pkcs12 format?  ... View more

Hi This advisory published on 2015 April 8: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa suggests 9.1(6.1) as fixed code. This advisory published on 2014 October 8 but last updated on 2015 July 9: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa suggest 9.1(5.12) as fixed code. So which code to go for? Would 9.1(6.1) have any of the fixes in 9.1(5.12) or vice-versa? Or are they on parallel release trains? I would like all the security fixes covered by both these advisories, so which code should I be looking to use? cheers ... View more

Hi I'm after some clarification here. With the seperate HostScan package enabled on the ASA (which then enables CSD as well) and combination with  endpoint assessment, does that mean hostscan can do AV/AS checks on webvpn connected clients as well as AnyConnect clients?  If so, any caveats other than client system requirements and licensing? ... View more