I am a mother of two dragons :) When the dragons are in school, I transition to providing support for our network devices, consisting of ASAs, routers, switches, and ISE 2.4.
It's such a fast-paced environment that I work in, and I do my best to keep up.
Hello, I recently turned on the email logging feature, and I see a lot of ASA alerts for "Deny UDP reverse path from 169.254.x.x to 169.254.x.x to vlan (inside)". Keep in mind that my level of experience is novice/noob. There are several of these within an hour and within a day. So far I have been able to list 12 different 169.254.x.x IPs, and because we have 12 endpoints on our small network, I figured it was possibly a triggered DHCP request / self-assigned IP process happening, where the endpoint forgets it has a static IP for a moment. What is the best action to take from discovering this? Understanding where this is coming from, why it is happening, and whether it needs to be allowed or not; creating a rule or disabling something on the firewall? Should I ask the sys admin / endpoint admin to check and validate that DHCP is turned off on the endpoints, and check logs to verify and match up that the 169.254.x.x addresses are coming from the endpoints and should not be? Thanks!
Since the rollout of fully authenticating dot1x for wired endpoints and MAB for printers/VTC, I have been noticing two things when customers log into endpoints.

1. Customer has already been authenticated and is working on documents. After x amount of time, it seems as though the session drops, and as a result their profile disappears (background, shortcuts to shared drives, network connection all drop) but the customer is still logged in. They experience a black background with the mouse available. Some are more patient than others, so the session comes back. Others that tried to log off and then log back in still have the black background, and they try again until either they log off and walk away or they are persistent and get the profile restored.
2. Customer makes the attempt to log into the endpoint but receives a "Domain is unavailable" message.

Environment:
- Cisco 2960 (user/endpoint switch)
- ISE 2.4
- dot1x with Wired AutoConfig (supplicant)
- Windows 10 with wired connectivity and static IPs

What I've been able to piece together so far is that these endpoints try to do DHCP, with discovery of a 169.254.x.x APIPA address:
- I see on the firewall "Deny UDP reverse path 169.254.x.x ... to 255.255.255.x from vlan xx".
- We have static IPs configured, so why would this start? (Although the answer to that could be that our supplicant is the Wired AutoConfig service in Windows 10 and it wants to advertise this first before choosing to use the static IP defined.)
- Log from endpoint, TCPIP 4199: "duplicate IP 0.0.0.0 to C4.4-.--.--.--". I cannot find that MAC address on any switches, ISE appliances, etc. that we own. But to match up the duplicate IP error message, I stumbled onto this link: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116529-problemsolution-product-00.pdf

From what I can gather about all this, since Windows 10 added this Wired AutoConfig service, it wants to do this first before using the static IP? But why would this happen if endpoints have static IPs? Should that DHCP step be disabled and move to static IP? Oh, and another thing: to temporarily clear the issue, staff have been rebooting the workstation and are then able to authenticate. I need help understanding this and was wondering if you folks could help me get on the right path to resolving and understanding dot1x and the supplicant when it has a static IP. As for the second issue, I'm not sure yet what that problem is, or whether it's also part of dot1x at all.
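Both of the posts above describe the same firewall symptom: ASA reverse-path-check denies (syslog message ID 106021) with 169.254.x.x sources on the inside interface. A quick way to answer the questions the posts raise (how many distinct hosts, how often, and whether anything other than APIPA sources is tripping the check) is to tally the denies straight from the syslog export. The following is an added example written for this page, not code from the original posts or from Cisco. The log lines are constructed to follow the documented "%ASA-1-106021: Deny protocol reverse path check from source to destination on interface name" format; the hostname, addresses and interface names are assumptions, and the e-mail alert wording quoted in the posts may differ slightly, so adjust the regex to what your export actually contains.

```python
"""Tally ASA reverse-path-check denies and flag APIPA (169.254.0.0/16) sources.

Added example for this page, not code from the original posts. The sample log
below is constructed; hostname, addresses and interface names are assumptions.
"""
import ipaddress
import re
from collections import Counter

# Documented format: %ASA-1-106021: Deny <proto> reverse path check from <src> to <dst> on interface <ifname>
RPF_DENY = re.compile(
    r"%ASA-\d-106021: Deny (?P<proto>\S+) reverse path check from "
    r"(?P<src>[\d.]+) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)

APIPA = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample: three APIPA sources (one repeated), one non-APIPA RPF deny,
# and one unrelated connection-built message that must be ignored.
SAMPLE_LOG = """\
Jun 03 08:01:12 fw01 %ASA-1-106021: Deny UDP reverse path check from 169.254.12.7 to 169.254.255.255 on interface inside
Jun 03 08:01:13 fw01 %ASA-1-106021: Deny UDP reverse path check from 169.254.12.7 to 169.254.255.255 on interface inside
Jun 03 08:02:40 fw01 %ASA-1-106021: Deny UDP reverse path check from 169.254.33.19 to 169.254.255.255 on interface inside
Jun 03 08:05:02 fw01 %ASA-1-106021: Deny UDP reverse path check from 169.254.201.4 to 255.255.255.255 on interface inside
Jun 03 08:05:30 fw01 %ASA-1-106021: Deny TCP reverse path check from 10.9.9.9 to 192.168.1.10 on interface outside
Jun 03 08:06:00 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:10.1.1.1/4343 (10.1.1.1/4343) to inside:192.168.1.10/443 (192.168.1.10/443)
"""


def parse_rpf_denies(text):
    """Return one dict (proto, src, dst, iface) per 106021 line; other messages are skipped."""
    events = []
    for line in text.splitlines():
        m = RPF_DENY.search(line)
        if m:
            events.append(m.groupdict())
    return events


def apipa_sources(events):
    """Counter of APIPA source addresses seen in reverse-path denies."""
    counts = Counter()
    for ev in events:
        src = ipaddress.ip_address(ev["src"])
        if src in APIPA:
            counts[str(src)] += 1
    return counts


def summarize(text):
    """Roll the denies up into the numbers the posts were trying to get by hand."""
    events = parse_rpf_denies(text)
    apipa = apipa_sources(events)
    others = sorted({e["src"] for e in events
                     if ipaddress.ip_address(e["src"]) not in APIPA})
    return {
        "rpf_denies": len(events),
        "apipa_denies": sum(apipa.values()),
        "distinct_apipa_hosts": len(apipa),
        "apipa_by_source": dict(apipa),
        "other_sources": others,  # RPF denies that APIPA does not explain
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['rpf_denies']} reverse-path denies, "
          f"{report['apipa_denies']} from {report['distinct_apipa_hosts']} APIPA hosts")
    for src, n in sorted(report["apipa_by_source"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:<16} {n}")
    if report["other_sources"]:
        print("Non-APIPA sources also tripping RPF:", ", ".join(report["other_sources"]))
```

Run it against a real syslog export instead of SAMPLE_LOG and compare distinct_apipa_hosts with the endpoint count: if they line up and the destinations are link-local or limited broadcast, the traffic is the endpoints' own self-assigned addresses, and the ASA denies it simply because it has no route back to 169.254.0.0/16 on that interface, which is exactly what the reverse-path check is for. The other_sources list is the part worth reading carefully, since an RPF deny from a non-APIPA source on a given interface is a spoofing or misrouting signal rather than a DHCP side effect.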
We are trying to use Security Center v18.104.22.168 to scan our network devices and get a successful credentialed scan, but I am stuck as to how to troubleshoot.
In SC it has a username and password defined, which is also created in AD. It is also placed in a security group to access the network devices.
The account is set up to SSH and do Cisco enable.
When we attempt to run the scan, it can get to the network device's IP and do some scans, but it needs to authenticate into the device to complete the scan. When we view the details in the credentialed scan plugin, it does not load any results.
It works if you create a local account on the device, but we are trying to do it via SSH with the AD account for the sake of compliance and to not have too many local accounts on the devices.