We've had a couple of instances where users accidentally dial something like "9118883540". The call isn't recognized as a 911 call by CUCM, so it just routes it to our SIP Provider (Centurylink). Centurylink treats it like a 911 call. CER doesn't get triggered so we get no alerts.   The user ends up panicking (I know, lack of user training/awareness), and hang up. The police show up, and everyone is confused due to the lack of alerts.   So I'm thinking we just need a translation pattern that translates calls like "9118883540" to "911".   Am I wrong?   Would the translation pattern just look like.... (with no quotes) "911!" and "9911!" translate to "911"   Thanks in advance ... View more

We had an interesting issue where a user accidentally called “9118884000”. It completely bypasses our CER setup. We didn’t get an alert for it. And the user didn’t realize they accidentally called. And the police showed up and there was a lot of confusion.   Do people typically put in safeguards to prevent this? (ie a pattern that matched 911* and rewrites it as 911 so it gets properly alerted and routed). ... View more

Currently running Anyconnect 4.5x and ASA 9.6.x.   I have Azure MFA working for authentication/2-factor. The user gets prompted for username and password, a radius requests goes to Azure MFA. It does username/password auth and 2-factor, and then sends a response to the ASA.   Is there a way to use the Azure MFA as secondary auth without requiring the user to type in the password twice? I have a need to do primary auth against LDAP direct (so we can choose what AD groups get which Group-policy).   So for example, this works: tunnel-group EXAMPLE-TG general-attributes authentication-server-group LDAP secondary-authentication-server-group AZURE_MFA_RADIUS use-primary-username   With this setup, it looks like this: -Username -Password -Secondary Password   So the user would have to enter the password twice. Is it possible to only have 1 password box and have the secondary-authentication use the same password?   ... View more

I'm trying to figure out how to update an anyconnect profile XML and make it seamless to my users. Tricky part is, the new xml profile enables certificate auth. So it's required to be there when a tunnel-group is selected.   Current: Tunnel-group-A Profile-xml-A -Auth timer: 12 -Certificate store: All -Certificate store override: false   Future: Tunnel-group-B Profile-xml-B                 -Profile-xml-B HAS to be on the machine to use Tunnel-group-B since it allows for the certificate auth -Auth timer: 62 -Certificate store: Machine -Certificate store override: true   Sounds like TAC recommends: Create a group-url for tunnel-group-B that is different than tunnel-group-A Profile-xml-B to reference only the group-url for tunnel-group-B Deploy profile-xml-B to users. At this point, original URL’s AND new group-url will be in the users dropdown. Users can test tunnel-group-B. Once testing is done, remove profile-xml-A. When profile-xml-A is gone, the URL’s from profile-xml-B will be the only ones left.   What I was GOING to do: Create a new Profile-xml-B (with cert and auth timer changes). Associate profile-xml-B to both tunnel-groups. Make sure Profile-xml-B is alphabetically first so the machine uses profile B if both B and A exist. This ensures if we push out profile-xml-B to users, it will NOT get overwritten when they log into tunnel-group-A Push out profile-xml-B to all users and delete profile-xml-A Make tunnel-group-B the default once everyone has the new profile. ... View more

When logging into the VPN, if a user doesn't respond to an MFA prompt within Authentication Timer (set in the Anyconnect XML profile), the user gets stuck with "connection attempt has failed". The user can't re-enter creds until 4 x the auth timer.   In the Anyconnect Message history, I see "connect attempt has failed" 4 times.   Is there a way to reduce the number of times Anyconnect reattempts to connect in this situation? Ideally no reconnect attempts.   Thanks! ... View more

  Hi all, I currently use Anyconnect SSL VPN (4.5) connecting to an ASA running 9.X code. I am transitioning to Azure MFA, and use ISE as well for authentication. So the thought is, when logging into the VPN, the ASA would send a radius request to ISE (username and password). ISE would then send a radius request the Azure MFA server which does the authentication of the username/password and 2-factor. I have this working assuming the user responds to the 2-factor. I stumbled upon this scenario. If the user does NOT respond to the 2-factor and just let's it hang, the auth times out. And I can cancel out of the login prompt. However, the ASA continues to send access-requests. Even after ISE sends a access-reject. This results in continuous 2-factor requests. Any ideas? ASA to ISE is set to 65 second timeout. ISE to Azure MFA is set to 60 second timeout. aaa-server TEST protocol radius interim-accounting-update periodic 3 max-failed-attempts 1 merge-dacl before-avpair dynamic-authorization aaa-server TEST (inside) host 10.X.X.1 timeout 65 key ***** aaa-server TEST (inside) host 10.x.x.2 timeout 65 key ***** Any ideas would help! ... View more

This is a pretty silly limitation. The bright white screen that's default looks terrible.   Anyone find any work arounds? ... View more