I have a couple questions about route tagging.  I don't currently use it but it may help with some issues.  As I understand it: BGP tags routes "automagically" with the AS number EIGRP does not tag routes unless explicitly told to OSPF does not tag routes unless explicitly told to (Actually I do use tagging in a few places but as of now, only to tag static routes, so that I do or do not redistribute them). Questions: Does a tag of "0" indicate an "untagged" route? I.e., using "match tag 0" in a route-map would find ONLY routes not previously tagged? (When I do "sh ip route tag 0" on my EIGRP-only router, this seems to be the case.) If one redistributes a route, say between EIGRP and BGP or vice versa, and you don't *explicitly" tag or retag the route, does the tag it has ever change? Thanks. Paul ... View more

I have been investigating using CDA to get IP->User mapping, to allow us to write User/Group rules on the ASA firewalls.  My server engineers do not want to apply the patches and especially the registry changes on our domains controllers. We were also looking into using ISE (for various things). I looked at some forum posts which seemed to indicate that I might need both ISE and CDA anyway.  Can anyone confirm this? Has anyone had any issues with the Domain Controller changes needed for CDA? Our D/Cs are Windows 2008R2, CDA is 1.0.0.011 with Patch 4. Thanks.   Paul ... View more

I am on CSM 4.4 and just did discovery on our VPN ASA.  CSM nicely told me that the EIGRP and route-map configs needed to be done as Flex Configs (which I have done before).  But it did NOT say that prefix-lists used in the route-maps were in "CLI not discovered" status.  So I assumed that the prefix-lists would be *somewhere* in the CSM policies - I cannot find them.   I saw here that prefix-lists aren't supported, but 4.4 didn't say so.  Does anyone know if they just *vanish*?  Or, where I can find them? Paul ... View more

We have a pair of ASA 5585-SP20 deployed as a 'failover pair' but in Multi-Context mode, with two contexts active on the 'A' device and two on 'B.'  I Discovered 'A' from the network, and then did Discover Policies on it, and now have the 5 contexts (counting 'admin') in CSM.  I then Discovered 'B.'  But when I Discover Policies on 'B' it find nothing more than the device (I *have* checked the NAT Policies|Policies and Objects etc. checkboxes).I am a little surprised that CSM doesn't at least list the 'admin' context for 'B'.    I understand that the Contexts are really the devices, and that CSM deploys to the Active context (and yes I have added IPs etc. for the contexts so it *can* talk to them.)   I also recall reading that the 'active' device for each must be included to deploy to contexts on that device, so do I simply need to remember to include 'B' if I am deploying to one of the contexts active on the 'B' box? Thanks - Paul ... View more