Hi,    The vCM is recently upgraded from 5.3.3 to 5.5.3 to 6.2.3 version. Now, the web GUI is going down every 12 to 14 minutes, and all managed WAAS devices would go from Online to Pending to Online again. The VMware hosted vCM has 2 CPU's and 4GB of memory. In the final minutes before the service restart, the free memory is about 2.2-2.4GB.   vCM#show ver Cisco Wide Area Application Services Software (WAAS) Copyright (c) 1999-2018 by Cisco Systems, Inc. Cisco Wide Area Application Services (universal-k9) Software Release 6.2.3e (build b45 Ju l 8 2018) Version: oe-vwaas-6.2.3e.45 Compiled 04:20:37 Jul 8 2018 by cnbuild Device Id: 00:50:56:b1:33:a1 System was restarted on Thu May 16 16:00:19 2019. System restart reason: Power-on. The system has been up for 22 minutes, 48 seconds. vCM#show cms info Device registration information : Device Id = 12872 Device registered as = WAAS Central Manager Current WAAS Central Manager role = Primary CMS services information : Service cms_httpd is running Service cms_cdm is running vCM#show alarms history detail Op Sev Alarm ID Module/Submodule Instance -- --- -------------------- -------------------- -------------------- 1 C Mi servicedead nodemgr cms_cdm May 16 16:25:16.115 AEST, Processing Error Alarm, #000004, 2000:330004 nodemgr: The cms_cdm service died. 2 R Mi servicedead nodemgr cms_cdm May 16 16:25:05.833 AEST, Processing Error Alarm, #000004, 2000:330004 nodemgr: The cms_cdm service died. 3 C Mi servicedead nodemgr cms_cdm May 16 16:13:43.903 AEST, Processing Error Alarm, #000003, 2000:330004 nodemgr: The cms_cdm service died. 4 R Mi servicedead nodemgr cms_cdm May 16 16:13:33.632 AEST, Processing Error Alarm, #000003, 2000:330004 nodemgr: The cms_cdm service died. The syslog.txt file has this single line repeating for the last 30 minutes.   /local1/syslog.txt 2019 May 16 06:28:57 eahiwcmed01vwa getty[12418]: %WAAS-UNKNOWN-3-899999: ttyS0: tcgetattr: Input/output error       Thanks,  Rick.   ... View more

Hi,   Release notes for vWLC states 'Mobility / Guest Anchor' as unsupported on vWLC -  https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn85mr4.html#wlc-vwlc   Can the vWLC act as a foreign controller, to establish a tunnel to a physical WLC in the DMZ for guest traffic?   Regards,  Rick. ... View more

Hi,    I am trying to get the AnyConnet VPN client device's hostname in ISE. DHCP profiling probe is enabled on ISE and works for LAN devices.   AnyConnect is 4.6 version. The headend firewall is FTD 2110, 6.2.3. ISE is running 2.4 patch 5.   The VPN client gets an IP address via DHCP. The DHCP server (Windows) shows the active lease and displays the client's hostname correctly. ISE is also configured as a 3rd DHCP server on FTD for profiling purposes. However, the ISE DHCP profiling of AnyConnect clients is not working as ISE sees the DHCP request coming from the FTD's MAC address - confirmed on ISE through tcpdump capture. ISE create a new Endpoint record for the FTD's MAC address and shows the client's hostname under it. When a new client connects, ISE updates the FTD Endpoint MAC to that client's hostname. The actual client's MAC address also gets created as Endpoint in ISE but misses all the DHCP related profiling info, most importantly for me, the host-name attribute.   My question is if there is a command to tell the FTD to send the original client's MAC address in the DHCP discover message instead?      I need the above as a guestimate to tell apart Corporate from BYOD VPN devices. The customer doesn't have CA deployment so can't identify corporate devices through certificates. My intention is to use ISE AD Profiling Probe to assess that a device really is a corporate asset. AD Profiling Probe relies on hostname of the device to validate AD join status. I can't use DNS based probing as there is no DDNS setup on the central DHCP/DNS servers for VPN clients. ISE Posture could be an option (check for certain registry key for AD join) but even the latest FTD code 6.3 doesn't seem to support ISE Posture. Any other way we can identify VPN corporate from VPN BYOD devices?   Regards,  Rick. ... View more

Hi,   I am using BGP advertise-map and exist-map to conditionally advertise a prefix 10.10.10.10/24 from R2 to R1, only when R2 can receive default-route from R3. I am using "prefix-list" to match on desired prefixes.   R1 --- R2 ------- R3     !!!! R2 config snippet router bgp 2   neighbor 192.168.1.1 remote-as 2   neighbor 192.168.1.1 advertise-map bgp-adv exist-map bgp-exist route-map bgp-adv permit 10   match ip address prefix-list bgp-adv route-map bgp-exist permit 10   match ip address prefix-list bgp-exist ip prefix-list bgp-adv seq 10 permit 10.10.10.10/24 ip prefix-list bgp-exist seq 20 permit 0.0.0.0/0   R2 always sets the exist-map condition successful, the status is set to Advertise on R2 and R1 receives the 10 route. This is true regardless R2 has received 0.0.0.0/0 from R3 or not.   Now for the sake of testing, If I base the conditional check on a normal prefix say 20.20.20.20/24 on R2 (received from R3), the check passes only when the 20 route exists in R2's bgp table.    The BGP conditional check works with a normal prefix but not with a default-route. Is this expected?   I am Lab'ing this in GNS3 on 3745 router and IOS 12.4(15)T14.   Regards,  Rick. ... View more

Hi,   The issue almost resembles this post, although I am running the ISE URT tool first. https://supportforums.cisco.com/t5/aaa-identity-and-nac/profilerupgradeservice-2-1-0-166-error-ise-global-data-upgrade/m-p/3318564#M67457   The URT fails at this point: ... ... Running data upgrade on cloned database - Data upgrade step 1/100, AuthzUpgradeService(2.0.0.308)... ..Done in 169 seconds. - Data upgrade step 2/100, NSFUpgradeService(2.1.0.102)... Done in 1 seconds. - Data upgrade step 3/100, UPSUpgradeHandler(2.1.0.105)... ..Done in 131 seconds. - Data upgrade step 4/100, UPSUpgradeHandler(2.1.0.107)... Done in 2 seconds. - Data upgrade step 5/100, NSFUpgradeService(2.1.0.109)... Done in 0 seconds. - Data upgrade step 6/100, NSFUpgradeService(2.1.0.126)... Done in 0 seconds. - Data upgrade step 7/100, NetworkAccessUpgrade(2.1.0.127)... Done in 1 seconds. - Data upgrade step 8/100, ProfilerUpgradeService(2.1.0.134)... Done in 0 seconds. - Data upgrade step 9/100, ProfilerUpgradeService(2.1.0.139)... Done in 0 seconds. - Data upgrade step 10/100, ProfilerUpgradeService(2.1.0.166)... ................- Failed Final cleanup before exiting... Collecting log files ... - Encrypting logs bundle... Please enter encryption password: Please enter encryption password again to verify: Encrypted URT logs(urt_logs.tar.gpg) are available in localdisk. Please reach out to Cisco TAC to debug % Post-install step failed. Please check the logs for more details. In the generated log file, I can see an OutOfMemoryError exception: Instance details com.cisco.profiler.upgrade.ProfilerUpgradeService@27df971b ProfilerUpgradeService.upgrade for version 2.1.0.166 java.lang.OutOfMemoryError: GC overhead limit exceeded Dumping heap to /var/tmp/java_pid25697.hprof ... Heap dump file created [2017383231 bytes in 18.479 secs] Terminated with exception java.lang.OutOfMemoryError: GC overhead limit exceeded java.lang.OutOfMemoryError: GC overhead limit exceeded at java.util.Arrays.copyOfRange(Arrays.java:3664) at java.lang.String.<init>(String.java:207) at oracle.jdbc.driver.CharCommonAccessor.getString(CharCommonAccessor.java:463) at oracle.jdbc.driver.T4CVarcharAccessor.getString(T4CVarcharAccessor.java:464) at oracle.jdbc.driver.OracleResultSetImpl.getString(OracleResultSetImpl.java:1297) at org.apache.commons.dbcp.DelegatingResultSet.getString(DelegatingResultSet.java:213) at org.apache.commons.dbcp.DelegatingResultSet.getString(DelegatingResultSet.java:213) at com.cisco.epm.pap.api.services.persistance.dao.ResourceDAO.searchEntities(ResourceDAO.java:6922) at com.cisco.epm.pap.api.services.server.resource.ResourceImpl.searchEntities(ResourceImpl.java:2016) at com.cisco.cpm.nsf.impl.NSFGroup.load(NSFGroup.java:212) at com.cisco.cpm.nsf.impl.NSFGroup.load(NSFGroup.java:158) at com.cisco.cpm.nsf.impl.policy.NSFPolicyImpl.loadAssociatedSubjects(NSFPolicyImpl.java:2171) at com.cisco.cpm.nsf.impl.policy.NSFPolicyImpl.loadPolicy(NSFPolicyImpl.java:1841) at com.cisco.cpm.nsf.impl.policy.NSFPolicyImpl.<init>(NSFPolicyImpl.java:233) at com.cisco.cpm.nsf.impl.policy.NSFPolicyImpl.retrieveAll(NSFPolicyImpl.java:1600) at com.cisco.profiler.api.EndpointPolicyHandler.getAll(EndpointPolicyHandler.java:238) at com.cisco.profiler.api.LogicalProfileImporter.<init>(LogicalProfileImporter.java:48) at com.cisco.profiler.api.ProfilerRegistration.defaultLogicalProfiles(ProfilerRegistration.java:703) at com.cisco.profiler.upgrade.DefaultLogicalProfileUpgrade.execUpgrade(DefaultLogicalProfileUpgrade.java:17) at com.cisco.profiler.upgrade.ProfilerUpgradeService.upgrade(ProfilerUpgradeService.java:107) at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.UpgradeServices(UpgradeServiceRegistrar.java:132) at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.main(UpgradeServiceRegistrar.java:185) ERROR! isedataupgrade.sh FAILED. ISE GLOBAL DATA UPGRADE FAILED The ISE SAN node had 16G memory on first URT run. Thought that may not be enough. Increased it to 24G and still, URT fails at the exact same point. "show inventory" and "show memory" confirms that additional memory is all available.   Seems I am also hitting bug CSCvh13873. Open a Cisco TAC case ?   ISE 2.0 patch 5, 2 nodes deployment.   Regards, Rick. ... View more

Hi,    I am facing an issue where Firefox/Chrome prompts for authentication on domain joined Windows 7 machines but IE does not. The setup uses Explicit Proxy and is configured like this:     WSA01: M1 intf for management, P1 for data, AsyncOS 10.5.1 System Hostname: wsa01.example.com P1 Name: wsa01-data.example.com (10.10.10.21) WSA02: M1 intf for management, P1 for data, AsyncOS 10.5.1 System Hostname: wsa02.example.com P1 Name: wsa02-data.example.com (10.10.10.22) Failover Groups (on both wsa01 and wsa02): FG1: wsa-vip1.example.com (10.10.10.11) - Active on wsa01 FG2: wsa-vip2.example.com (10.10.10.12) - Active on wsa02 DNS Server: Round-Robin DNS based proxy server load-balancing proxy.example.com A-record: 10.10.10.11 A-record: 10.10.10.12 MGMT interfaces are not given above, but they exist and configured on a different subnet. End user machines are configured with "proxy.example.com: 3128" via group policy. WSA policy authenticates all corporate machine users via AD - Identification Profile specifies (Kerberos OR NTLM OR Basic) auth schemes; explicit mode surrogates not used [unchecked].   With this setup IE works without any issues. However, Chrome and Firefox (latest versions) both brings a pop up asking for user credentials the first time. After that it seem to work fine until browser is closed and re-opened. Whitelisting proxy url in firefox trusted lists does not seem to help. Modifying advanced ntlm, proxy params in firefox "about:config" does not seem to help either.      The User Guide here https://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa_10-0/WSA_10-5-1_UserGuide.pdf states this, "In explicit mode, the WSA host name (CLI command sethostname) and the proxy name configured in the browser must be the same." I cannot sysname both wsa proxies to "proxy.example.com" as these nodes are AD joined and we can't have two AD joins with the same machine name.   Interestingly, when these browsers are configured with "wsa01-data.example.com" or "wsa02-data.example.com", the pop up does not appear. It seems there is a trust issue where the browser is not trusting our "explicit" proxy when the configured proxy url does not contain the wsa's system name in it. Is this not limited to transparent deployments only as stated here https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117934-technote-csc-00.html ?   If sysname match in proxy url is still a requirement, how can we design the solution with failover groups?   Regards,  Rick. ... View more