Answer Questions

We have cisco ASR 9902 running on IOX 24.1.2 version, ASR 9902 - lC comes with 48 physical ports starting from 0/0/0 to 0/0/48 with various speed configuration, but surprisingly interface 8 and 9 not showing by any command , show interfacace status or try anything but unable to locate or check interface 8 and 9 

Can anyone have a document or guide describe making a dial up vpn between forrigate as a hub and cisco ftd managed by fmc as spoke ?

i want practice ios-xr on ASR 9000 series any advice any advice any lab should i use

Hi communitySomeone knows how Can I repair or report devnet support because the sandbox nx-os always 2 days ago appear like "active with error", do you know the email?Regards 

Hi,I’m working with CML Free version 2.9.1 using the IOL-L2 switch and I’m trying to validate L2 security mechanisms (DHCP Snooping, Port Security).After extensive testing and debugging, I’m starting to believe that these features are configurable but not actually enforced in the dataplane.What I’m testingDHCP starvation (dhcpig)Rogue DHCP (ettercap)Simple lab: switch + attacker + victimNo uplink to router (physically disconnected)Expected behavior (on real hardware):→ Rogue DHCP should be blocked when DHCP Snooping is enabled.Actual behavior in CML:→ Victim still gets an IP from the rogue DHCP.What I already checkedNon-VLAN1 (tested VLAN 100)Correct trusted / untrusted portsClean lab (full wipe of switch, attacker, victim)Port Security on access port (max 1 MAC, violation shutdown)DHCP Snooping shows as operationalStill:DHCP Snooping statistics show 0 dropsBinding table stays emptyPort Security never triggers, even during starvationRogue DHCP works even when it’s the only DHCP server in the labI also tried multiple debugs (ip dhcp snooping, port-security, udp) and saw weird messages like:UDP: Failed to clear inject subblock preroute state%AMDP2_FE-6-EXCESSCOLLMy questionIs this just a known limitation of IOL-L2 in CML?Because as you can see in picture, official documentation states that it is supported.I’m not really looking for a workaround — just want to know:does anyone here successfully demo DHCP Snooping / Port Security against rogue DHCP in CML?or is this one of those “works in config, not in practice” things?I am also sending the lab if you want to try.Thanks!  

Hi AllAny one did tried to register/installCisco CP-8865-3PCC (MPP)on mitel 3300/MivbAppreciate any adviceThanks

BackgroundWe're deploying Cisco Secure Client (5.1.0.130) to our MacBooks via Kandji/Iru MDM on macOS 13+ (we only use the Umbrella module). We've deployed the app, system extension approval profiles, content filter, and login items according to Cisco's documentation. The app installs fine, but shows "Service Unavailable" because the system extension never registers.The ProblemWhen the Socket Filter app launches, it immediately exits with this error in the logs: Cisco Secure Client - Socket Filter: Unexpected user context for extension activationexiting with status 6...The Socket Filter rejects activation before even attempting to register with macOS. Running systemextensionsctl list shows no Cisco extension registered, and checking the SystemExtensions logs confirms no registration attempt was ever made. No approval dialog appears for users.What Works vs. What Doesn'tMacs that work: Devices that previously had the old Cisco Umbrella Roaming Client installed. When we temporarily removed the WebContentFilter profile from our MDM, the approval popup appeared on these Macs. After approval, the extension registered successfully. We've since uninstalled Umbrella and even re-added the WebContentFilter profile - these Macs still work fine.Macs that don't work: Brand new Macs or any Mac that never had Umbrella installed. The Socket Filter gives the "Unexpected user context" error every time, regardless of:Fresh installation vs. reinstallationWhether FortiClient or other VPN clients are presentWhether the WebContentFilter profile is deployed or notManual launching vs. automatic launchingFor comparison, FortiClient VPN installs and presents the approval dialog successfully on the same Macs with the same MDM configuration, so this seems specific to Cisco Secure Client.MDM ConfigurationWe're using the standard profiles from Cisco's documentation:System extension policy approving com.cisco.anyconnect.macos.acsockext with AllowUserOverrides: trueWebContentFilter policy with proper bundle identifiersService management for login itemsAll profiles are confirmed installed correctly.QuestionsWhy does migrating from Umbrella Roaming Client work, but clean installations fail?What "user context" is the Socket Filter expecting that's missing on clean installs?Is there a supported way to deploy Cisco Secure Client to new Macs via MDM without first installing Umbrella?The only workaround is installing legacy Umbrella first, then Cisco Secure Client, triggering the approval, then removing Umbrella. This isn't scalable for new device deployments.Has anyone successfully deployed Cisco Secure Client to brand new Macs via MDM without this issue? Any suggestions would be appreciated!

I am just the email regarding the LAN is ready to access but not getting cisco VPN credentials to login and accessing the ACI SANDBOX. Thanks & Regards,Shakti Chouhan+917470978478shakti.chouhan1982@gmail.com

  When customer drops from the voice call, finesse event data on dialog handler for “onCollectionDelete” is returning incorrect data for participant representing customer Tested Scenarios: Agent and customer on a call, and customer drops Agent1 and Agent2 on consult call , customer is on hold and customer drops In both the cases, I see the participant representing customer is returned as active and agent returned as dropped which is in-correct.

If you manage VPNs on Cisco Firepower (FTD) with FMC, you’ve probably seen this at least once:Phase 1 is up. Phase 2 is up. Users still can’t reach anything.That moment is why I always remind teams of one simple truth:An IPsec tunnel can be “UP” and still pass zero traffic.Here’s a short, practical way to troubleshoot (and explain) FTD/FMC IPsec issues without turning it into a 3-hour debate.1) Control-plane vs data-plane (the fastest mindset shift)IKE/IPsec status = control-plane (negotiation and security associations)Actual application traffic = data-plane (routing, NAT, policy, and MTU)When the tunnel shows up but traffic doesn’t, it’s usually a data-plane problem.2) The 5 most common “tunnel up, traffic dead” causes on FTD/FMC1) NAT exemption missing (the #1 culprit)If VPN traffic is getting PAT’d, the remote side often drops it or never returns it.On FMC, NAT rule order matters — the No-NAT for VPN must be placed correctly above general internet PAT.2) Interesting traffic / selectors mismatchOne side thinks the tunnel protects 10.10.0.0/16 ↔ 172.16.10.0/24, the other side expects something else.Result: SAs exist, but the wrong subnets are encrypted.3) Routing / return path issueYour packets enter the tunnel, but return traffic takes a different path (asymmetry). Stateful devices don’t forgive that for long.4) Access Control Policy not permitting the flowEven if VPN is configured correctly, traffic still has to be allowed by the ACP. If logging isn’t enabled, it can look like “nothing is happening,” which wastes time.5) MTU/MSS problems (apps fail, pings lie)IPsec adds overhead. You may see some basic connectivity work while web apps, RDP, or large transfers fail. When “small works, big doesn’t,” MTU/MSS is a strong suspect.3) My “incident update” line (saves time and arguments)When people ask for an update, I keep it crisp:“Tunnel established; validating NAT exemption, selectors, routing/return path, ACP permit/logging, and MTU for the protected networks.”It signals you’re not guessing — you’re narrowing the failure domain.4) A quick example you’ve probably lived throughSymptom: Tunnel shows UP, but users can’t reach internal apps.Everyone says: “Firewall is blocking.”Turns out:VPN traffic was matching a general PAT rule instead of a No-NAT exemption.Fix the NAT order → traffic immediately starts working.Same tunnel, same peer, same crypto — completely different outcome.Closing thoughtIf you’re supporting IPsec on FTD/FMC, don’t let “UP” fool you.Treat VPN troubleshooting like this:First prove the tunnel. Then prove the flow.If you have your own “first thing you check” on FTD (NAT order, ACP logging, routing, selectors, MTU), share it — those habits are what keep incidents short. 

Is there a way to use abbreviated dialing on a third party SIP endpoint?  The device doesn't have any special feature keys, just the regular number pad. Tried to research this, but keep getting AI answers that are just wrong....

After much unsuccessful searching, I wanted to share my findings on getting Cisco Flexible NetFlow (FNF) data to work with PRTG Network Monitor, specifically using a Cisco Catalyst 3850 running IOS XE Gibraltar 16.12.13 and PRTG version 25.4.114.1032. PRTG's standard NetFlow v9 sensor does not inherently support the fully customised fields often generated by FNF records right out of the box. PRTG requires specific, standard predefined fields to decode the flow packets reliably. While the template is generated by the switch, ensuring the record uses common, expected fields (like those below) is key to compatibility. The critical issue in my initial setup was selecting the right combination of fields. Ok more by trial and error and the flow monitor was actively applied to an interface receiving traffic (VLAN). PRTG Configuration In PRTG, you should use a NetFlow v9 sensor.Port: 9995 (matches the configuration below)IP Address: The IP of your PRTG Probe/Core Server.Active Flow Timeout: 60 seconds (Ensure this matches or is slightly longer than the active timeout on the switch, though the default is usually fine).Disabled Channels: I typically disable unnecessary channels like "IP Protocol" or "TOS" if I only care about top talkers and bandwidthCisco 3850 ConfigurationHere is the complete configuration required for the Cisco 3850. ! Define what information to capture in each flow flow record myRecord match ipv4 source address match ipv4 destination address match ipv4 protocol match transport source-port match transport destination-port collect counter bytes long collect counter packets long collect timestamp absolute first collect timestamp absolute last ! ! Define where to send the data flow exporter myExporter destination x.x.x.x <-- Replace with your PRTG Server/Probe IP transport udp 9995 source loopback0 <-- Ensure the source interface has an IP and is up ! ! Combine the record and the exporter flow monitor myMonitor exporter myExporter record myRecord ! ! Apply the monitor to an active interface interface Vlan10 description Main VLAN Interface ip flow monitor myMonitor input <-- THIS IS THE CRITICAL COMMAND ip address x.x.x.x 255.255.255.0 <-- The IP from the 'source' command above i.e the SVI gateway ! Validation Commands and ResultsAfter applying the configuration, use these commands to verify that data is being exported and cached. You should immediately see statistics increasing, indicating data is successfully sent to your PRTG server. switch3850#show flow exporter statisticsswitch3850#show flow exporter templatesswitch3850#show flow exporter name myExporter statisticsswitch3850#show flow monitor myMonitor cache If everything is configured correctly, your PRTG sensor should turn green and start populating bandwidth graphs within a minute!

Hello Everyone,I’m working on an MRA lab, and I’m facing an issue where login to jabber via MRA it's getting Error: Can’t Connect to the Server even though The user and Jabber setup work correctly internally I followed the lab setup and configuration from uccollabing, and everything appears to be configured according to the guide.I would also like to mention that I am using MRA without any licenses, as I previously verified that no licenses are required for MRA VMs UsedWINSRV – Internal DNS with CA ServerWINSRV – External DNSCUCM:12.5IM&P:12.5Windows 10 – Internal testingWindows 10 – External testingExpressway-E :X15.3.1Expressway-C :X15.3.1CSR – Used to connect Expressway-E external network with WINSRV-External and external Windows 10 on the same network

Hi All-I can find the AP Device Details and Device 360 pages in Catalyst Center for my AP.  What I don;t see is a link the the map that the AP is on.  Am I missing something? Thanks

Just received a new router from my ISP which seems to have changed my home IP. As I was trying to update my network in OpenDNS settings, I noticed the pop up "your IP address is taken by another user" in my OpenDNS updater. I also can't add this new IP in the OpenDNS settings and is showing as "inactive".From what I understand, this could mean that there is an OpenDNS account with this IP already, which could be stale. Would anyone have any insight into how can I reach out to OpenDNS support regarding this?Added a screenshot if that's helpful. Note: removed IP and account info.

We have a mcu 5320 , no web access . we try with chrome and firefox. Software version: 4.5(1.72)please help.

Catalyst8200を構築します。ライセンスはDNAライセンス（5年）を使用する予定です。機器へスマートライセンス設定をするにあたり手順をご教示ください。また、定期的なレポーティングは必要になるのでしょうか？

I am using Cerberus FTP and after they integrated DUO for 2FA via Web SDK I had successfully followed the instructions on their site to enable DUO.  When the universal prompt was available I enabled that and all was working fine.  Then somewhere between July and September 2025 the integration broke and the new universal prompt no longer worked.  I would get the DUO push on my phone, accept it and then would get a Login expired error message (see snippet below). I changed back to the traditional prompt and DUO again worked as expected.I used Copilot to help with troubleshooting this and it led me down a road to say that "Duo now enforces stricter OIDC semantics".  A summary of my Copilot troubleshooting is below.Observed Behavior:Duo health check passes (Duo healthcheck: OK).Push authentication succeeds (HAR shows /auth/factors/push/status returns success).Duo attempts finalization (/auth/finalize_auth) → 200 OK.Browser navigates to Duo’s external/exit endpoint:GET https://api-6d756393.duosecurity.com/frame/v4/oidc/external/exit?code=...&state=...Duo responds with:{"stat":"FAIL","message_enum":57,"is_preauth_outcome":false}Cerberus never logs MFA completion; user sees Login expired.HAR Evidence:redirect_uri in the initial Duo authorize request points to:https://api-6d756393.duosecurity.com/frame/v4/oidc/external/exitNo callback to Cerberus occurs after MFA success.I've reached out to Cerberus support and they were initially able to replicate the issue.  They however mentioned that by using a "paid" version of DUO the implementation works.  Is there any difference between a free and a paid DUO account that would cause what I'm seeing?  Did something truly change in DUO's implementation this past summer?  If so, did is it something Cerberus would need to adjust?Any input or feedback is appreciated.Thanks 

I am currently looking into ways to streamline our workflow when moving from initial detection to full remediation. We have been using Cisco SecureX to try and unify our view across different tools, but I am finding that the pivot into actual threat hunting still feels a bit disconnected.I am curious if others here are relying more on open source integrations or if you have found that sticking purely to the native Cisco threat response ecosystem provides better results for long term investigations. Any insight on how you are balancing third party integrations without cluttering your relations graph would be incredibly helpful as we refine our current setup.

Hello all,A couple of days ago I installed a ProxMox server on a Thinkserver to experiment and deploy some containers and VMs. The server has two network ports, so it seemed a good idea to aggregate the two network ports into an aggregated link. I was able to setup an etherchannel and all seems fine except that I cannot reach the server anymore. I tried to ping the server from different clients and they all fail. If I ping the server from the switch, then the ping succeeds.This is the first time that I try to make use of an etherchannel, so I am probably making some beginner error, that is why I could use some help. I have searched extensively and tried other setups (like an access etherchannel instead of a trunk) but nothing resolves the problem = I cannot access the server.The setup I have made is as follows: I started out connecting this Proxmox server with my Catalyst 1000 switch as a trunk (VLAN 10 & 99). On the Proxmox server I created a Linux Bond (Mode LACP & Hash policy Layer2+3).On the Catalyst switch I created a port-channel=interface Port-channel1 description Ethernet trunk verbinding met SpectaModulus ProxMox server switchport access vlan 10 switchport trunk allowed vlan 10,99 switchport trunk native vlan 10 switchport mode trunk ip arp inspection trustI linked at first only 1 network port (both switch & server) to the etherchannel = gigabitethernet 1/0/16 =interface GigabitEthernet1/0/16 description AQ_GD-14-0758 Lan 2 verbinding switchport access vlan 10 switchport trunk allowed vlan 10,99 switchport trunk native vlan 10 switchport mode trunk ip arp inspection trust channel-protocol lacp channel-group 1 mode activeThis seems to function properly as the etherchannel is up and running =AQ-880#show etherchannel summaryFlags: D - down P - bundled in port-channelI - stand-alone s - suspendedH - Hot-standby (LACP only)R - Layer3 S - Layer2U - in use N - not in use, no aggregationf - failed to allocate aggregatorM - not in use, minimum links not metm - not in use, port not aggregated due to minimum links not metu - unsuitable for bundlingw - waiting to be aggregatedd - default portA - formed by Auto LAGNumber of channel-groups in use: 1Number of aggregators: 1Group Port-channel Protocol Ports------+-------------+-----------+-----------------------------------------------1 Po1(SU) LACP Gi1/0/16(P)I include the detail status below.Extra info:AQ-880#show lacp 1 neighborFlags: S - Device is requesting Slow LACPDUsF - Device is requesting Fast LACPDUsA - Device is in Active mode P - Device is in Passive modeChannel group 1 neighborsPartner's information:LACP port Admin Oper Port PortPort Flags Priority Dev ID Age key Key Number StateGi1/0/16 SA 255 f80f.41fa.4f9b 18s 0x0 0x9 0x1 0x3DAQ-880#show lacp 1 countersLACPDUs Marker Marker Response LACPDUsPort Sent Recv Sent Recv Sent Recv Pkts Err---------------------------------------------------------------------Channel group: 1Gi1/0/16 2477 2292 0 0 0 0 0AQ-880#show interfaces gigabitEthernet 1/0/16 accountingGigabitEthernet1/0/16 AQ_GD-14-0758 Lan 2 verbindingProtocol Pkts In Chars In Pkts Out Chars OutOther 0 0 330532 19833678Spanning Tree 0 0 1271288 76395172CDP 0 0 58016 27213736LACP 18370 2277880 23300 2889200Some of the things I tried and results which seemed odd:When I set the native VLAN to 333 (the void) then also the ping from the switch to the server stops working = I also tried the extended ping explicitely stating the switch ip address (SVI) on VLAN 99 and still the ping fails - I don't understand why this fails as this packet should be tagged by VLAN 99 and not be sent over the native VLAN (which can indeed not connect to the server)I also investigated if something basic at the level of ARP or MAC address table was going wrong but looking at the packets sent from my PC with Wireshark the translation from the IP address to the MAC address works fine. When I looked at the MAC address table in the switch this MAC address was mapped to the portchannel 1 port = seems perfect to meStill I cannot connect to my Proxmox server although Etherchannel has every indication that it is working fine.Any ideas on how I can solve this? What have I overlooked?Kind regards, Steven------------------------------------------------------------------------Detail statusAQ-880#show etherchannel detailChannel-group listing:----------------------Group: 1----------Group state = L2Ports: 1 Maxports = 16Port-channels: 1 Max Port-channels = 16Protocol: LACPMinimum Links: 0Ports in the group:-------------------Port: Gi1/0/16------------Port state = Up Mstr Assoc In-BndlChannel group = 1 Mode = Active Gcchange = -Port-channel = Po1 GC = - Pseudo port-channel = Po1Port index = 0 Load = 0x00 Protocol = LACPFlags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.A - Device is in active mode. P - Device is in passive mode.Local information:LACP port Admin Oper Port PortPort Flags State Priority Key Key Number StateGi1/0/16 SA bndl 32768 0x1 0x1 0x111 0x3DPartner's information:LACP port Admin Oper Port PortPort Flags Priority Dev ID Age key Key Number StateGi1/0/16 SA 255 f80f.41fa.4f9b 24s 0x0 0x9 0x1 0x3DAge of the port in the current state: 0d:00h:01m:51sPort-channels in the group:---------------------------Port-channel: Po1 (Primary Aggregator)------------Age of the Port-channel = 7d:17h:00m:40sLogical slot/port = 9/1 Number of ports = 1HotStandBy port = nullPort state = Port-channel Ag-InuseProtocol = LACPPort security = DisabledLoad share deferral = DisabledPorts in the Port-channel:Index Load Port EC state No of bits------+------+------+------------------+-----------0 00 Gi1/0/16 Active 0Time since last port bundled: 0d:00h:01m:51s Gi1/0/16Time since last port Un-bundled: 0d:00h:01m:58s Gi1/0/16

Dear Cisco Secure Email Threat Defense Team,We are facing an issue where a SharePoint folder sharing email is being blocked and marked as a scam due to a retrospective verdict.Details:Message ID: <Share-3d3ce3a1-a014-6000-40fe-b8bee2adf36e,3d3ce3a1-a014-6000-40fe-b8bee2adf36e-3837fc27-8fb8-46cb-8d9e-c206c2e61464-SendEmail-PreprocessPayload-ioe_0-tid_002644ab-d7ea-49f0-97eb-54d815d02b85-rh_jw_notifyp-aid_409cce40-8c64-4426-9db0-b2161a8540a1@odspnotify>Verdict: Retrospective ScamService: Microsoft SharePoint OnlineAction Taken: Email reverted / blockedURL Type: SharePoint folder sharing linkThis email was generated when a user attempted to share a SharePoint folder. The link is legitimate and belongs to our organization’s Microsoft 365 tenant.Request:Please review this as a false positiveAdvise on whitelisting SharePoint sharing URLs or excluding them from retrospective scam detectionSuggest policy changes to prevent similar blocks in the futureWe have attached the notification email for reference.Thank you for your support.

Greetings,I'm new to PowerShell, but I have been able to automate generating the BAT files used for CUCM and popping up new Outlook email items to send new hire information for end users, including their assigned phone number. Thanks to other community members, I am able to perform an LDAP Sync in CMS using PowerShell. I now want to use PowerShell to connect to Cisco Meeting Server to GET the 'callId' for the new end users.I've been going through the documentation and other sites, not really finding what I need. I also don't currently have Postman installed to verify my requests, but I will be getting it installed soon.In any case, I have been using different AI's, such as ChatGPT, Gemini, and Copilot and they have been able to generate some PowerShell scripts for me. However, no scripts have been able to retrieve any information, specifically the 'callId' that I need.Has anyone done this, or would have knowledge on how to do this and be able to kindly share their PowerShell script? Since I know the 'name' starts with the user's username and the 'uri' starts with their email, I want to GET the 'callId' returned. I also don't know how to deal with querying multiple pages, as we have a few thousand spaces. I know limit and offset can be used. I've also opened a case with Cisco to see if they have any insight.Thank you.Below are a couple of sample scripts that were generated: $Username = "admin" $securePassword = Read-Host -Prompt "Enter password for ADMIN" -AsSecureString $Password = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)) $OwnerID = "XXXXXXX" $baseUrl = "https://cms.my.domain:8443/api/v1/coSpaces" $auth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($Username):$($Password)")) $headers = @{ Authorization = "Basic $($auth)" } $offset = 0 $limit = 10 # Reasonable batch size; adjust if needed $foundSpaceId = $null do { $url = "$($baseUrl)?filter=$($OwnerID)&limit=$($limit)&offset=$($offset)" try { $response = Invoke-RestMethod -Uri $url -Method Get -Headers $headers -ContentType "application/xml" } catch { Write-Error "API request failed: $($_.Exception.Message)" } # Parse coSpaces (response is XML) foreach ($coSpace in $response.coSpaces.coSpace) { $currentOwnerID = $coSpace.OwnerID if ($currentOwnerID -eq $OwnerID) { $foundSpaceId = $coSpace.id Write-Output "Found Space ID for $($OwnerID): $($foundSpaceId)" } } # Check if more pages (total attribute on coSpaces element) $total = [int]$response.coSpaces.total $offset += $limit } while ($offset -lt $total) if (-not $foundSpaceId) { Write-Output "No coSpace found with OwnerID = $($OwnerID)" }   # Define CMS connection details $cmsBaseUrl = "https://my.cms.domain:8443/api/v1/coSpaces" $cmsUser = "admin" $securePassword = Read-Host -Prompt "Enter password for ADMIN" -AsSecureString $Password = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)) # Define header $headers = @{ Authorization = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($cmsUser):$($Password)")) Accept = "application/json" } #Get coSpaces $response = Invoke-RestMethod -Uri $cmsBaseUrl -Headers $headers -Method Get $coSpaces = $response.items $results = @() foreach ($coSpace in $coSpaces) { $detailUrl = "$($cmsBaseUrl)/$($coSpace.id)" $detail = Invoke-RestMethod -Uri $detailUrl -Headers $headers -Method Get $name = $detail.name $uri = $detail.uri $callId = $detail.callId if ($name -match "^TESTUSER123" -or $uri -match "^testuser123") { $results += [PSCustomObject]@{ Name = $name URI = $uri CallId = $callId } } } if ($results.Count -gt 0) { $results | Format-Table -AutoSize } else { Write-Host "No matching coSpaces found for username prefix 'TESTUSER123'." }

Hi, I'm looking to change the wallpaper image of our room navigators to a custom image. Currently, this is not possible, only one of the default wallpapers are getting applied to the navigator (,they work fine on the screens attached to the codes/room bars).I'm pretty sure that this did work previously and that one of the last updated disabled this.Am I missing something? Is there a workaround?  Thanks, David 

Hello, we are thinking we may be running up to this bug here on our core C1300 switches https://bst.cisco.com/quickview/bug/CSCwp39029The topology is that we have 2 Catalyst 1300's with an LACP between them, with multiple other Catalyst 9300 and 2960X switches connected to both of the 1300s. The border firewall is connected to a port on one of the 1300s. The 1300 connected to the firewall has a Rapid PVST priority of 4096, the adjacent 1300 has priority 8192, and the rest of the network is at 12288. What we are seeing is that if a link goes down somewhere and the network topology changes, the 2nd of the core 1300s will sometimes start advertising itself with priority 4096 instead of its configured 8192. Because of the MAC address it wins the election and starts being the root, clearly not what want.The Cisco bug page says to change to using MSTP. What I am wondering is whether we can do that just on the core switches, and leave the rest in Rapid PVST, or should we change all of them? We are not using different priorities on each of the VLAN, so per-VLAN STP isn't really needed here, it was just what was already configured on the Cat 2960s before we put the cores in. Hope the description and question make sense. Thanks.

I have a case where two ASR1002HX routers form an HSRP, and in between I have an N7K-C7010 switch and then a firewall that sees both Cisco routers. At some point, the standby configuration changed, but we can't detect the reason. The track was ruled out because the BGP connection has been up for 58 days. ¿Do you know if the bug affects the virtual IP address generated by the HSRP?