Hi,    New REST API based pxGrid 2.0 is supported in ISE 2.4, and is backward compatible with clients that only support XMPP based pxGrid 1.0 according to this https://developer.cisco.com/docs/pxgrid/#!parity-chart-between-pgrid-1-0-and-pxgrid-2-0/support-legacy-pxgrid-clients   Couldn't find a reference in the docu for FMC 6.4 if it supports pxGrid 2.0 (as a client) or still the old pxGrid 1.0 version. Do we know if FMC 6.4 supports REST based pxGrid 2.0?   Thanks,  Rick.   ... View more

Hi,    The vCM is recently upgraded from 5.3.3 to 5.5.3 to 6.2.3 version. Now, the web GUI is going down every 12 to 14 minutes, and all managed WAAS devices would go from Online to Pending to Online again. The VMware hosted vCM has 2 CPU's and 4GB of memory. In the final minutes before the service restart, the free memory is about 2.2-2.4GB.   vCM#show ver Cisco Wide Area Application Services Software (WAAS) Copyright (c) 1999-2018 by Cisco Systems, Inc. Cisco Wide Area Application Services (universal-k9) Software Release 6.2.3e (build b45 Ju l 8 2018) Version: oe-vwaas-6.2.3e.45 Compiled 04:20:37 Jul 8 2018 by cnbuild Device Id: 00:50:56:b1:33:a1 System was restarted on Thu May 16 16:00:19 2019. System restart reason: Power-on. The system has been up for 22 minutes, 48 seconds. vCM#show cms info Device registration information : Device Id = 12872 Device registered as = WAAS Central Manager Current WAAS Central Manager role = Primary CMS services information : Service cms_httpd is running Service cms_cdm is running vCM#show alarms history detail Op Sev Alarm ID Module/Submodule Instance -- --- -------------------- -------------------- -------------------- 1 C Mi servicedead nodemgr cms_cdm May 16 16:25:16.115 AEST, Processing Error Alarm, #000004, 2000:330004 nodemgr: The cms_cdm service died. 2 R Mi servicedead nodemgr cms_cdm May 16 16:25:05.833 AEST, Processing Error Alarm, #000004, 2000:330004 nodemgr: The cms_cdm service died. 3 C Mi servicedead nodemgr cms_cdm May 16 16:13:43.903 AEST, Processing Error Alarm, #000003, 2000:330004 nodemgr: The cms_cdm service died. 4 R Mi servicedead nodemgr cms_cdm May 16 16:13:33.632 AEST, Processing Error Alarm, #000003, 2000:330004 nodemgr: The cms_cdm service died. The syslog.txt file has this single line repeating for the last 30 minutes.   /local1/syslog.txt 2019 May 16 06:28:57 eahiwcmed01vwa getty[12418]: %WAAS-UNKNOWN-3-899999: ttyS0: tcgetattr: Input/output error       Thanks,  Rick.   ... View more

Hi,   Release notes for vWLC states 'Mobility / Guest Anchor' as unsupported on vWLC -  https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn85mr4.html#wlc-vwlc   Can the vWLC act as a foreign controller, to establish a tunnel to a physical WLC in the DMZ for guest traffic?   Regards,  Rick. ... View more

Hi,    I noticed the default hello/hold timers on FTD (Cisco FTD 4110 6.3) are 60/180 seconds, although the link speed is more than T1 speed - link is 20 Gbps. The other end of my FTD is a Catalyst 9500 with default timers of 5/15 seconds. I can change the FTD timers through FlexConfig. Need to understand why the defaults on FTD are higher and Is it a Cisco recommendation to keep timers higher on the FTD (and potentially match at the other end as well)?   > show running-config all interface Port-channel 1.950 interface Port-channel1.950 mac-address e210.1732.4206 standby e210.1732.4207 vlan 950 nameif Inside cts manual propagate sgt preserve-untag policy static sgt disabled trusted security-level 0 ip address 10.173.242.6 255.255.255.248 delay 100 no authentication key eigrp 18 no authentication mode eigrp 18 hello-interval eigrp 18 60 hold-time eigrp 18 180 split-horizon eigrp 18 > show interface Port-channel 1.950 Interface Port-channel1.950 "Inside", is up, line protocol is up Hardware is EtherSVI, BW 20000 Mbps, DLY 1000 usec VLAN identifier 950 MAC address e210.1732.4206, MTU 1500 IP address 10.173.242.6, subnet mask 255.255.255.248 Traffic Statistics for "Inside": 1195852 packets input, 75673947 bytes 318932 packets output, 24815909 bytes 4278 packets dropped   Thanks,  Rick. ... View more

Hi,    I am trying to get the AnyConnet VPN client device's hostname in ISE. DHCP profiling probe is enabled on ISE and works for LAN devices.   AnyConnect is 4.6 version. The headend firewall is FTD 2110, 6.2.3. ISE is running 2.4 patch 5.   The VPN client gets an IP address via DHCP. The DHCP server (Windows) shows the active lease and displays the client's hostname correctly. ISE is also configured as a 3rd DHCP server on FTD for profiling purposes. However, the ISE DHCP profiling of AnyConnect clients is not working as ISE sees the DHCP request coming from the FTD's MAC address - confirmed on ISE through tcpdump capture. ISE create a new Endpoint record for the FTD's MAC address and shows the client's hostname under it. When a new client connects, ISE updates the FTD Endpoint MAC to that client's hostname. The actual client's MAC address also gets created as Endpoint in ISE but misses all the DHCP related profiling info, most importantly for me, the host-name attribute.   My question is if there is a command to tell the FTD to send the original client's MAC address in the DHCP discover message instead?      I need the above as a guestimate to tell apart Corporate from BYOD VPN devices. The customer doesn't have CA deployment so can't identify corporate devices through certificates. My intention is to use ISE AD Profiling Probe to assess that a device really is a corporate asset. AD Profiling Probe relies on hostname of the device to validate AD join status. I can't use DNS based probing as there is no DDNS setup on the central DHCP/DNS servers for VPN clients. ISE Posture could be an option (check for certain registry key for AD join) but even the latest FTD code 6.3 doesn't seem to support ISE Posture. Any other way we can identify VPN corporate from VPN BYOD devices?   Regards,  Rick. ... View more

Hi,   I am using BGP advertise-map and exist-map to conditionally advertise a prefix 10.10.10.10/24 from R2 to R1, only when R2 can receive default-route from R3. I am using "prefix-list" to match on desired prefixes.   R1 --- R2 ------- R3     !!!! R2 config snippet router bgp 2   neighbor 192.168.1.1 remote-as 2   neighbor 192.168.1.1 advertise-map bgp-adv exist-map bgp-exist route-map bgp-adv permit 10   match ip address prefix-list bgp-adv route-map bgp-exist permit 10   match ip address prefix-list bgp-exist ip prefix-list bgp-adv seq 10 permit 10.10.10.10/24 ip prefix-list bgp-exist seq 20 permit 0.0.0.0/0   R2 always sets the exist-map condition successful, the status is set to Advertise on R2 and R1 receives the 10 route. This is true regardless R2 has received 0.0.0.0/0 from R3 or not.   Now for the sake of testing, If I base the conditional check on a normal prefix say 20.20.20.20/24 on R2 (received from R3), the check passes only when the 20 route exists in R2's bgp table.    The BGP conditional check works with a normal prefix but not with a default-route. Is this expected?   I am Lab'ing this in GNS3 on 3745 router and IOS 12.4(15)T14.   Regards,  Rick. ... View more

Hi,   The issue almost resembles this post, although I am running the ISE URT tool first. https://supportforums.cisco.com/t5/aaa-identity-and-nac/profilerupgradeservice-2-1-0-166-error-ise-global-data-upgrade/m-p/3318564#M67457   The URT fails at this point: ... ... Running data upgrade on cloned database - Data upgrade step 1/100, AuthzUpgradeService(2.0.0.308)... ..Done in 169 seconds. - Data upgrade step 2/100, NSFUpgradeService(2.1.0.102)... Done in 1 seconds. - Data upgrade step 3/100, UPSUpgradeHandler(2.1.0.105)... ..Done in 131 seconds. - Data upgrade step 4/100, UPSUpgradeHandler(2.1.0.107)... Done in 2 seconds. - Data upgrade step 5/100, NSFUpgradeService(2.1.0.109)... Done in 0 seconds. - Data upgrade step 6/100, NSFUpgradeService(2.1.0.126)... Done in 0 seconds. - Data upgrade step 7/100, NetworkAccessUpgrade(2.1.0.127)... Done in 1 seconds. - Data upgrade step 8/100, ProfilerUpgradeService(2.1.0.134)... Done in 0 seconds. - Data upgrade step 9/100, ProfilerUpgradeService(2.1.0.139)... Done in 0 seconds. - Data upgrade step 10/100, ProfilerUpgradeService(2.1.0.166)... ................- Failed Final cleanup before exiting... Collecting log files ... - Encrypting logs bundle... Please enter encryption password: Please enter encryption password again to verify: Encrypted URT logs(urt_logs.tar.gpg) are available in localdisk. Please reach out to Cisco TAC to debug % Post-install step failed. Please check the logs for more details. In the generated log file, I can see an OutOfMemoryError exception: Instance details com.cisco.profiler.upgrade.ProfilerUpgradeService@27df971b ProfilerUpgradeService.upgrade for version 2.1.0.166 java.lang.OutOfMemoryError: GC overhead limit exceeded Dumping heap to /var/tmp/java_pid25697.hprof ... Heap dump file created [2017383231 bytes in 18.479 secs] Terminated with exception java.lang.OutOfMemoryError: GC overhead limit exceeded java.lang.OutOfMemoryError: GC overhead limit exceeded at java.util.Arrays.copyOfRange(Arrays.java:3664) at java.lang.String.<init>(String.java:207) at oracle.jdbc.driver.CharCommonAccessor.getString(CharCommonAccessor.java:463) at oracle.jdbc.driver.T4CVarcharAccessor.getString(T4CVarcharAccessor.java:464) at oracle.jdbc.driver.OracleResultSetImpl.getString(OracleResultSetImpl.java:1297) at org.apache.commons.dbcp.DelegatingResultSet.getString(DelegatingResultSet.java:213) at org.apache.commons.dbcp.DelegatingResultSet.getString(DelegatingResultSet.java:213) at com.cisco.epm.pap.api.services.persistance.dao.ResourceDAO.searchEntities(ResourceDAO.java:6922) at com.cisco.epm.pap.api.services.server.resource.ResourceImpl.searchEntities(ResourceImpl.java:2016) at com.cisco.cpm.nsf.impl.NSFGroup.load(NSFGroup.java:212) at com.cisco.cpm.nsf.impl.NSFGroup.load(NSFGroup.java:158) at com.cisco.cpm.nsf.impl.policy.NSFPolicyImpl.loadAssociatedSubjects(NSFPolicyImpl.java:2171) at com.cisco.cpm.nsf.impl.policy.NSFPolicyImpl.loadPolicy(NSFPolicyImpl.java:1841) at com.cisco.cpm.nsf.impl.policy.NSFPolicyImpl.<init>(NSFPolicyImpl.java:233) at com.cisco.cpm.nsf.impl.policy.NSFPolicyImpl.retrieveAll(NSFPolicyImpl.java:1600) at com.cisco.profiler.api.EndpointPolicyHandler.getAll(EndpointPolicyHandler.java:238) at com.cisco.profiler.api.LogicalProfileImporter.<init>(LogicalProfileImporter.java:48) at com.cisco.profiler.api.ProfilerRegistration.defaultLogicalProfiles(ProfilerRegistration.java:703) at com.cisco.profiler.upgrade.DefaultLogicalProfileUpgrade.execUpgrade(DefaultLogicalProfileUpgrade.java:17) at com.cisco.profiler.upgrade.ProfilerUpgradeService.upgrade(ProfilerUpgradeService.java:107) at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.UpgradeServices(UpgradeServiceRegistrar.java:132) at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.main(UpgradeServiceRegistrar.java:185) ERROR! isedataupgrade.sh FAILED. ISE GLOBAL DATA UPGRADE FAILED The ISE SAN node had 16G memory on first URT run. Thought that may not be enough. Increased it to 24G and still, URT fails at the exact same point. "show inventory" and "show memory" confirms that additional memory is all available.   Seems I am also hitting bug CSCvh13873. Open a Cisco TAC case ?   ISE 2.0 patch 5, 2 nodes deployment.   Regards, Rick. ... View more