I have a requirement to authenticate trunk ports to wireless access-points on our Cisco switch, By default all ports are access ports and we run MAB authentication. I have managed to change the port to a trunk using Cisco-av-pair attribute in ACS (cisco-av-pair = deivce-traffic-class=switch) My problem now is that I need to add a VLAN allowed list on the port once it has changed to a trunk port (switchport trunk allowed vlan x,y,z). ideally we would not want to statically assign the VLAN's on each port as an AP could be on any port and may wish to authenticate other trunk ports using different VLAN's in the future. Below is the configuration used on the ports. cisp enable ! interface FastEthernet0/2  description *** Client Device ***  switchport access vlan 2  switchport mode access  no logging event link-status  authentication event fail action next-method  authentication event server dead action reinitialize vlan 3  authentication event server alive action reinitialize  authentication order mab dot1x webauth  authentication priority mab dot1x webauth  authentication port-control auto  authentication fallback GUEST_FALLBACK  mab eap  dot1x pae authenticator  dot1x timeout tx-period 3  dot1x timeout supp-timeout 10  dot1x max-reauth-req 1  dot1x timeout auth-period 600  no cdp enable  spanning-tree portfast Any help will be greatly appreciated.  Thanks John ... View more

I am trying to configure two ASA 5525 in Active/Standby mode using multiple contexts and is in transparent mode. We are using trunk ports which are ether-channeled. The problem we are having is the the ASA's alternate betwen active/standby with the following messages being seen         Switching to Active Dec 31 2013 10:23:48: %ASA-1-104001: (Secondary) Switching to ACTIVE - Other unit wants me Active. Primary unit switch reason: Interface check. . Dec 31 2013 10:23:58: %ASA-1-105003: (Secondary) Monitoring on interface management waiting Dec 31 2013 10:24:08: %ASA-1-105004: (Secondary) Monitoring on interface management normal         Switching to Standby Dec 31 2013 10:24:16: %ASA-1-104002: (Secondary) Switching to STANDBY - Interface check Dec 31 2013 10:24:38: %ASA-1-104004: (Secondary) Switching to OK. Here is the configuration from the ASA's. Active ASA interface Ethernet0/0 speed 100 duplex full channel-group 1 mode on ! interface Ethernet0/1 speed 100 duplex full channel-group 1 mode on ! interface Ethernet0/2 speed 100 duplex full channel-group 2 mode on ! interface Ethernet0/3 speed 100 duplex full channel-group 2 mode on ! interface Management0/0 ! interface Port-channel1 speed 100 duplex full ! interface Port-channel1.105 vlan 105 ! interface Port-channel1.106 vlan 106 ! interface Port-channel1.107 vlan 107 ! interface Port-channel1.108 vlan 108 ! interface Port-channel1.155 vlan 155 ! interface Port-channel1.156 vlan 156 ! interface Port-channel1.157 vlan 157 ! interface Port-channel1.158 vlan 158 ! interface Port-channel2 speed 100 duplex full ! interface Port-channel2.801 description LAN Failover Interface vlan 801 ! interface Port-channel2.802 description STATE Failover Interface vlan 802 ! failover failover lan unit primary failover lan interface LAN-Failover Port-channel2.801 failover link State-Failover Port-channel2.802 failover interface ip LAN-Failover 10.xx.xx.12 255.255.255.248 standby 10.xx.xx.13 failover interface ip State-Failover 10.xx.xx.20 255.255.255.248 standby 10.xx.xx.21 ! admin-context admin context admin   allocate-interface Management0/0   config-url disk0:/admin.cfg ! context Context-1   allocate-interface Port-channel1.105-Port-channel1.106   allocate-interface Port-channel1.155-Port-channel1.156   config-url disk0:/Context-1.cfg ! context Context-2   allocate-interface Port-channel1.107-Port-channel1.108   allocate-interface Port-channel1.157-Port-channel1.158   config-url disk0:/Context-2.cfg Standby ASA The same configuration except apart from the failover commands failover failover lan unit secondary failover lan interface LAN-Failover Port-channel2.801 failover link State-Failover Port-channel2.802 failover interface ip LAN-Failover 10.xx.xx.12 255.255.255.248 standby 10.xx.xx.13 failover interface ip State-Failover 10.xx.xx.20 255.255.255.248 standby 10.xx.xx.21 Can anyone see any issues with this configuration? Many thanks John ... View more

I am trying to setup a VPN connection between two sites. The remote site is a 3650 switch connecting to a Palo alto firewall. I can bring up the VPN with no problems but I am unable to send traffic over the VPN. Here is the config from the Cisco switch crypto isakmp policy 10 <removed> <removed> <removed> crypto isakmp key xxxxxxxx address 10.1.1.252 ! crypto ipsec transform-set myset <removed> ! crypto map GNFVPN 10 ipsec-isakmp set peer 10.1.1.252 set transform-set myset <removed> match address VPN-Traffic ! interface Vlan41 ip address 10.10.0.70 255.255.255.192 crypto map GNFVPN ! interface Vlan100 ip address 10.20.0.1 255.255.248.0 ! ip access-list extended VPN-Traffic permit ip 10.20.0.0 0.0.255.255 any log ! ip route 0.0.0.0 0.0.0.0 10.10.0.65 When I ping an address that should go over the VPN from 10.10.0.70 I see a log message that says traffic has hit the ACL and it goes over the VPN. When I try from a PC in Vlan 41 I see nothing and it goes out on the correct interface but not within the VPN. Any help would be great! ... View more

We have installed two two ASA service modules into our 6509 switches. They are both working fine but we are now looking into the option of using the Cisco Context Directory Agent for identity firewalling. So far we have a VM running the Cisco ISO downloaded from the site and that connects to all our AD servers. The ASA have been registered to the CDA server and can connect to the AD servers themselves to pull down usernames and groups. I have tested that it all works with different usernames and groups and all works well. The problem we have is that we run a number of terminal services servers that users can connect to. I have rules on the ASA that user A can connect to server X from the terminal service server but user B cannot connect to server X. When user A logs into the TS server he can connect to server X but if user B also logs to the TS server they can also get to server X even though there is a rule to say they cannot. Now I understand the reason why this happens as it is because of the IP address that the user is mapped to. We have Palo Alto firewalls that uses a pluggin installed on the TS server which allows multiple users connected at the same time which would allow the rules above to work as they should. The question is...Is there a pluggin available for the ASA's that perform a similar function. Any help is appreciated ... View more

We are in the process of migrating to the ASA service modules on both our 6509E switches from our current FWSM. We have used the Cisco conversion tool and applied that to the service module. When viewing the context in ASDM we are unable to view the object names in the right hand pane. On the FWSM I would see the following under Network Objects: Network Objects - JQ-Test - JQ-Test2 - JQ-Test3 Network Object Group + JQ Group       - JQ-Test       - JQ-Test2       - JQ-Test3 Now I have run the conversion tool and applied that to the ASA's I now get the following results. Network Objects - 10.1.1.1 - 10.2.2.2 - 10.3.3.3 Network Object Group + JQ Group      - 10.1.1.1      - 10.2.2.2      - 10.3.3.3 I am aware that the naming convention on the ASA's are different to the FWSM as you can no longer use the "name 1.1.1.1 JQ-Test1" format but I was hoping that the conversion tool would do this for me. Is there any way I can get the names of the object back without having to script something that takes the old FWSM format and convert it into an ASA format? Thanks John ... View more

We are trying to upgrade the IOS on one of our 6509 switches. We have two 720 10GE supervisors running in SSO. Our procedure is reload the standby supervisor with the new IOS. We understand that you can only use one console connection when in RPR mode so we rely on the active supervisor giving us information that the standby unit is up and running. The problem we have is that when we do a "show Module" on the switch the online diagnostics for the standby supervisor comes back us unknown. SWITCH#sh module Mod Ports Card Type                              Model              Serial No. --- ----- -------------------------------------- ------------------ -----------   3   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL1231Z2E6   4   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL1231Z2EF   5    5  Supervisor Engine 720 10GE (Cold)      VS-S720-10G        SAL1222S8XT   6    5  Supervisor Engine 720 10GE (Active)    VS-S720-10G        SAL1430P5L5   7   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL12340ZU0   Mod MAC addresses                       Hw    Fw           Sw           Status --- ---------------------------------- ------ ------------ ------------ -------   3  0022.902b.5c98 to 0022.902b.5caf   3.2   12.2(18r)S1  12.2(33)SXI1 Ok   4  0022.902b.5a10 to 0022.902b.5a27   3.2   12.2(18r)S1  12.2(33)SXI1 Ok   5  001d.45e2.1038 to 001d.45e2.103f   2.0   8.5(2)       12.2(33)SXJ3 Ok   6  0026.cb61.6d70 to 0026.cb61.6d77   3.4   8.5(4)       12.2(33)SXI1 Ok   7  0022.55ec.a218 to 0022.55ec.a247   3.0   12.2(18r)S1  12.2(33)SXI1 Ok   Mod  Online Diag Status ---- -------------------   3  Pass   4  Pass   5  Unknown   6  Pass   7  Pass   We believe the active supervisor can see the standby supervisor because when we save the configuration we get a message saying that the config is sync'd with the standby router. We have a TAC case raised to investigate but wondered if anyone else has had the same experience We are upgrading from 12.2(33) SXI1 to 12.2(33) SXJ3 Any help would be great. Thanks John ... View more

We are planning to upgrade the IOS on our two 6509E supervisors in the next few weeks. We currently run IOS 12.2(33) SXI1 and are upgrading to 12.2(33) SXJ3. At the moment the two supervisors are in SSO mode and after reading many articles it says that when the images are different on the two supervisors they are in RPR mode. When you then reload the active supervisor it will reboot all the line cards. So my questions... 1. Is above correct? Will my line card reload? 2. We also have a FWSM installed, When/If the line cards are rebooted does the FWSM also reboot? Any help is appreciated Thanks John ... View more

I am looking to replace the active supervisor (S720-10G) on our 6509E running in SSO mode. The new module already has the same IOs version as the standby supervisor. Once I have swapped the module how do I know that the config has sync'd correctly other than checking the logs? Is it a case of looking at the "Redundancy Mode (Operational)" state and ensuring is says SSO? Also, is there a command than will force a config-sync if it is running in a mode other than SSO? Thanks John ... View more