Hi Folks,

For the past while we have been getting daily topology changes on our Cisco 2960-X Switches. They are all configured with standard PVST settings, but still do topology change frequently. This is causing our access points to drop sessions whilst the reconvergence is occurring.

"last change occurred 00:25:19 ago"

Our debug logs do not appear to be showing anything and our settings are relatively simple:

spanning-tree mode pvst
spanning-tree logging
spanning-tree extend system-id
no spanning-tree vlan 1
spanning-tree vlan 2-45,69,75 priority 20480

show spanning-tree detail

VLAN0009 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 20480, sysid 9, address 00b6.70aa.0680
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 12297, address 00b6.7054.ed80
  Root port is 46 (GigabitEthernet1/0/46), cost of root path is 4
  Topology change flag not set, detected flag not set
  Number of topology changes 100 last change occurred 00:25:19 ago
          from GigabitEthernet1/0/46
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

Any suggestions?
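When chasing repeated PVST topology changes like the ones in the post above, the first question is which port each VLAN's last TCN arrived on and whether that port is the root port (the change originated upstream) or a local non-root port (a flapping access port or downlink on this switch). The script below is an added example, not code from the original post or from Cisco: it parses `show spanning-tree detail` output over a constructed sample modelled on the VLAN0009 block above (the VLAN0002 block and its values are invented) and reports, per VLAN, the change count, how recent the last change was, and where it came from.

```python
import re
from collections import Counter

# Constructed sample, modelled on the "show spanning-tree detail" block in the
# post above. VLAN0002 and its values are invented for this example.
SAMPLE_OUTPUT = """\
VLAN0002 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 20480, sysid 2, address 00b6.70aa.0680
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 12290, address 00b6.7054.ed80
  Root port is 46 (GigabitEthernet1/0/46), cost of root path is 4
  Topology change flag not set, detected flag not set
  Number of topology changes 57 last change occurred 02:10:03 ago
          from GigabitEthernet1/0/12
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

VLAN0009 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 20480, sysid 9, address 00b6.70aa.0680
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 12297, address 00b6.7054.ed80
  Root port is 46 (GigabitEthernet1/0/46), cost of root path is 4
  Topology change flag not set, detected flag not set
  Number of topology changes 100 last change occurred 00:25:19 ago
          from GigabitEthernet1/0/46
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300
"""

VLAN_RE = re.compile(r"^(VLAN\d+) is executing", re.M)
ROOT_PORT_RE = re.compile(r"Root port is \d+ \(([\w/.-]+)\)")
# The "from <port>" part is printed on the following line by IOS; \s+ spans it.
CHANGES_RE = re.compile(
    r"Number of topology changes (\d+) last change occurred (\S+) ago\s+from ([\w/.-]+)")


def age_to_seconds(age):
    """Convert an HH:MM:SS age to seconds. Returns None for other forms
    (IOS switches to formats like 1d02h after a day; not handled here)."""
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", age)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def parse_stp_detail(text):
    """Split the output into per-VLAN blocks and extract the fields that matter
    for TCN troubleshooting: change count, age of last change, source port."""
    records = []
    matches = list(VLAN_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        block = text[m.start():end]
        root = ROOT_PORT_RE.search(block)
        ch = CHANGES_RE.search(block)
        if not ch:
            continue  # block without a change line (e.g. truncated output)
        records.append({
            "vlan": m.group(1),
            "root_port": root.group(1) if root else None,
            "changes": int(ch.group(1)),
            "last_change_age": age_to_seconds(ch.group(2)),
            "last_change_port": ch.group(3),
        })
    return records


def classify_sources(records):
    """Per VLAN: did the last TCN come in over the root port (it originated on an
    upstream switch) or on a non-root port (a local edge port or downlink)?"""
    out = {}
    for r in records:
        if r["last_change_port"] == r["root_port"]:
            out[r["vlan"]] = "upstream via " + r["last_change_port"]
        else:
            out[r["vlan"]] = "local port " + r["last_change_port"]
    return out


def recent_changes(records, max_age_seconds=3600):
    """VLANs whose last topology change is younger than the threshold."""
    return [r["vlan"] for r in records
            if r["last_change_age"] is not None
            and r["last_change_age"] < max_age_seconds]


def tcn_port_counts(records):
    """How many VLANs name each port as the source of their last change."""
    return Counter(r["last_change_port"] for r in records)


if __name__ == "__main__":
    recs = parse_stp_detail(SAMPLE_OUTPUT)
    for vlan, where in classify_sources(recs).items():
        print(vlan, "->", where)
    print("changed in the last hour:", recent_changes(recs))
    print("source ports:", tcn_port_counts(recs))
```

Run it against the real output (`show spanning-tree detail` pasted into a file) from each switch along the path toward the root: a VLAN whose TCNs keep arriving on the root port means the source is on a neighbouring switch, while a non-root port that keeps showing up is where to look for an end device without PortFast, a flapping link, or an unexpected bridge.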
After sending Cisco all the debug logs, DART logs, and metadata XML files (from SSO), they came back to me with the following solution.
I’ve done research regarding SAML configuration on ASA and found that changes on SAML configuration do not take effect immediately, it is described in this bug:
CSCvi23605 (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi23605/?reffering_site=dumpcr) - Re-enable SAML to make config changes take effect.
SAML on ASA is using lasso library. If we need to make changes take effect and refresh the memory, we can only either re-enable or reboot to destroy the old SAML IdP in memory and create a new one. This is the limitation of the lasso library. So yes, it is kind of cached and this is limitations of used library.
Regarding the tunnel-group. I found only a bug where you can use only one certificate for the same SAML IDP config on the ASA:
CSCvi29084 Creating multiple SAML trustpoints in IDP config ( https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi29084/?reffering_site=dumpcr )
In this situation I suspect that some configuration (like signature algorithm or the certificate) was not applied properly due to this defect. In this situation I propose the following:
Re-enable SAML Auth in tunnel group:
ciscoasa(config-tunnel-webvpn)# no saml identity-provider https://...
ciscoasa(config-tunnel-webvpn)# saml identity-provider https://...
Hope this helps anyone else looking for the solution to this.
I am having a problem with my configuration of AnyConnect authentication using Azure Single Sign-On. This configuration was done following the "Configure a SAML 2.0 Identity Provider (IdP)" & "Example SAML 2.0 and Onelogin" sections of the following Cisco CLI Book 3 document:
When connecting I am getting the message "Authentication failed due to problem retrieving the single sign-on cookie." and within the ASDM logs I am getting "Failed to consume SAML assertion. reason: The profile cannot verify a signature on the message."
So far I have double checked my certificates and URLs and edited the request signature with no change.
Any suggestions would be greatly appreciated.
Hi Folks,

I have two Cisco ASA 5525s in an Active / Standby configuration. ASDM stopped working with the Active firewall first while making a small change; while researching the issue I failed over and made the Secondary device Active. The secondary device had the same problem with ASDM when making the change. SSH has always worked and never faulted.

Now both devices in the pair have the following error:

"ASDM is unable to read the configuration from the ASA since it is currently synching. Please try again by clicking the Refresh icon."

Research showed me that configs greater than 512KB can cause issues with ASDM. Ours is currently 525KB, and I am wondering if this is the root cause and how to solve this issue?

Based on research around this I have done the following (among other things):
- Cleared 'ASDM Cache' and 'Internal Log Buffer'
- Edited the amount of RAM ASDM is using: -Xms1g -Xms2g

Reloading the firewalls fixes the issue, but this is not a solution.

Kind Regards,
Michael