
Answer Questions

  • Decom CUACA Recommendations - ( 06-30-2025 )
  • IP Telephony and Phones
  • We have CUCM 12.5 SR7 and Cisco Attendant Console Advanced version 12.0.5. As we have now moved on to a new console solution (keeping the rest of the CUCM stack), I am looking for guides / recommendations / best practices for decommissioning the CUACA servers gracefully.

  • NSO and a10 compatibility - ( 06-30-2025 )
  • NSO Developer Hub Discussions
  • Hi, I have just started picking up on NSO and currently we are in the process of importing devices to NSO. When I import a10 devices and try to validate simple CLI configurations, I see that it is actually overwriting and deleting other configs at that level instead of just merging it.
    For example, via CLI, I would be doing this:
        a10_device: active-partition TEST
        a10_device[2/1][TEST]#config
        a10_device[2/1][TEST](config:1)#class-list TEST ipv4
        a10_device[2/1][TEST](config:1-class list)# 10.10.10.0/24 lsn-lid 2
    When I add the above configuration via CLI, it merges and updates the class-list TEST to now have the 10.10.10.0/24 subnet with lsn-lid 2.
    When I try to do the same via NSO:
        user@nso(config): devices device a10_device config active-partition TEST class-list TEST
        user@nso(config-class-list-TEST)# 10.10.10.0/24 lsn-lid 2
    If I do a commit dry-run, it shows me that it's removing all existing configurations:
        user@nso(config-class-list-TEST)# commit dry-run
        cli {
            local-node {
                data  devices {
                          device a10_device {
                              config {
                                  active-partition TEST {
                                      class-list TEST {
                     -                    cl-type ipv4;
                     +                    v4 10.10.10.0/24 {
                     +                        lsn-lid 2;
                     +                    }
                     -                    v4 10.10.1.0/24 {
                     -                        lsn-lid 4;
                     -                    }
                     -                    v4 10.10.2.0/24 {
                     -                        lsn-lid 5;
                     -                    }
                     -                    v4 10.10.3.0/24 {
                     -                        lsn-lid 6;
                     -                    }
    We're currently running a10 NEDs with the below versions:
        packages package a10-acos-cli-3.22
        package-version 3.22.5
    I just wanted to understand if anyone has any experience with a10 and NSO, and if I'm missing something simple or it's how NEDs are communicating with devices and that has some issues?

  • Monitoring session destination not showing output traffic - ( 06-30-2025 )
  • Other Network Architecture Subjects
  • I have two Cisco Catalyst 9300 switches with a trunk between the two. The monitoring session destination interface gig 1/0/24 is not displaying any output traffic. Below are the configurations I have in place:
        Type : Local Session
        Source VLANs :
        Both : 20
        Destination Ports : Gi1/0/24
        Encapsulation : Native
        Ingress : Enabled, default VLAN = 1
        Ingress encap : DOT1Q
        PCN247#show interface gig 1/0/24
        GigabitEthernet1/0/24 is up, line protocol is down (monitoring)
        Hardware is Gigabit Ethernet, address is 482e.724d.6898 (bia 482e.724d.6898)
        Description: monitor session back to Nozomi port #1
        MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
        reliability 255/255, txload 1/255, rxload 1/255
        Encapsulation ARPA, loopback not set
        Keepalive set (10 sec)
        Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
        input flow-control is on, output flow-control is unsupported
        ARP type: ARPA, ARP Timeout 04:00:00
        Last input never, output never, output hang never
        Last clearing of "show interface" counters never
        Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
        Queueing strategy: fifo
        Output queue: 0/40 (size/max)
        5 minute input rate 0 bits/sec, 0 packets/sec
        5 minute output rate 0 bits/sec, 0 packets/sec
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts (0 multicasts)
        0 runts, 0 giants, 0 throttles
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
        0 watchdog, 0 multicast, 0 pause input
        0 input packets with dribble condition detected
        0 packets output, 0 bytes, 0 underruns
        Output 0 broadcasts (0 multicasts)
        0 output errors, 0 collisions, 2 interface resets
        0 unknown protocol drops
        0 babbles, 0 late collision, 0 deferred
        0 lost carrier, 0 no carrier, 0 pause output
        0 output buffer failures, 0 output buffers swapped out

  • After installing Cisco TAPI, can't seem to connect to CTI Manager - ( 06-30-2025 )
  • Call Control
  • After running the CiscoTSPx64.exe downloaded from our V11 lab switch, I cannot seem to get a connection.  I've done the configuration to enter the CUCM address and a user login with full CTI permissions on the CUCM.  The windows dialer says it was unable to find a telephone device.  When initializing the TAPI api from a C++ application, I get no error but also 0 configured devices. 

  • Catalyst 9k Always On issue fixed - ( 06-30-2025 )
  • DevNet Sandbox
  • Hi All,  We had an issue with our Catalyst 9000 Always-On Sandbox over the weekend. Reservations were failing but the issue is now fixed.  Thanks,  Joe 

  • FMC HA & FTD CLUSTERING - ( 06-30-2025 )
  • Physical Security
  • Hello team, I have a topology as attached, needed guidelines to set up FMC in high availability, as well as what are the options of clustering FTDs in different sites?

  • Call taking 1 minute to setup from one side. - ( 06-30-2025 )
  • IP Telephony and Phones
  • Call is taking one minute to connect between CUCM and CME Router. The CUCM is 12.0 and it is configured as a CUCM Cluster with one publisher and one subscriber node. The call works fine from both sides (CME to CUCM and CUCM to CME) when publisher is active. But when publisher is down, the call works fine from one side (CUCM to CME) but takes one minute to set up from the other side (CME to CUCM). The CME is a Cisco 8300 Router, and I am using Cisco IP Phone 7965 on the CME side and Cisco Video Phone 9971 on CUCM. Kindly advise on a possible solution.

  • Issue with Site-to-Site VPN between Checkpoint and Cisco ASA - ( 06-30-2025 )
  • Network Security
  • LAN:192.168.88.254/24 ASA5505(branch) WAN:60.0.0.1------Internet------WAN:59.0.0.1 CP1555(HQ) LAN:192.168.169.254/24
    Cisco Adaptive Security Appliance Software Version 9.2(3)
    Checkpoint 1500 Appliance Version R81.10.10 (996002945)
    Here's partial running config
        object-group network local-network
        network-object 192.168.88.0 255.255.255.0
        object-group network remote-network
        network-object 192.168.169.0 255.255.255.0
        access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network
        access-list asa-router-vpn2 extended permit ip object-group remote-network object-group local-network
        access-list alloweverything standard permit any4
        nat (inside,outside) source dynamic obj-192.168.88.0 interface
        nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
        crypto ipsec ikev1 transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
        crypto ipsec security-association lifetime seconds 120
        crypto ipsec security-association pmtu-aging infinite
        crypto map outside_map 10 match address asa-router-vpn
        crypto map outside_map 10 set peer 59.0.0.1
        crypto map outside_map 10 set ikev1 transform-set ESP-AES-MD5
        crypto map outside_map interface outside
        crypto ca trustpool policy
        crypto isakmp identity hostname
        crypto ikev1 enable outside
        crypto ikev1 policy 10
        authentication pre-share
        encryption aes
        hash md5
        group 2
        lifetime 300
        tunnel-group 59.0.0.1 type ipsec-l2l
        tunnel-group 59.0.0.1 ipsec-attributes
        ikev1 pre-shared-key *****
        isakmp keepalive threshold 15 retry 10
    sh cry isa sa
        IKEv1 SAs:
        Active SA: 1
        Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
        Total IKE SA: 2
        1 IKE Peer: 59.0.0.1
        Type : L2L Role : responder
        Rekey : no State : MM_REKEY_DONE_H2
        2 IKE Peer: 59.0.0.1
        Type : L2L Role : responder
        Rekey : yes State : MM_ACTIVE_REKEY
        There are no IKEv2 SAs
    sh cry ipsec sa
        There are no ipsec sas
    Checkpoint side config:
        Connection type: Hostname or IP address
        60.0.0.1
        Pre-Shared Secret: *****
        Encryption domain:manually
        Site Name: HQ_subnet 192.168.88.0/24
        Encryption settings:Custom
        IKE (Phase 1)
        Encryption:AES-128
        Authentication:MD5
        DH Group: Group 2
        Renegotiate every: 5 minutes
        IPSec (Phase 2)
        Encryption:AES-128
        Authentication:MD5
        [Disabled] Perfect Forward Secrecy
        Renegotiate every: 120 seconds
        [Disabled] Remote gateway is a Check Point Security Gateway
        [Enabled] Enable permanent VPN tunnels
        [Enabled] Disable NAT for this site
        [Disabled] Allow traffic to the Internet from remote site through this Security Gateway
        Encryption Method:IKEv1
        [Disabled] Enable aggressive mode for IKEv1

  • Custom Bounce Message II - ( 06-30-2025 )
  • Email Security
  • Hello @All, This question has been asked before. However, the proposed solution does not seem to work. https://community.cisco.com/t5/email-security/custom-bounce-message/td-p/5136251
    If the "bounce()" action is triggered via a message filter, this text appears in the bounce message by default:
        "554 5.0.0 < #5.0.0 smtp; 5.x.0 - Message bounced by administrator (delivery attempts: 0)>"
    How can I customize the text? For example:
        '554 5.0.0 < #5.0.0 smtp; 5.x.0 - Message bounced by policy violation, policy #123>'
    I tried the following:
    * Created a bounce notification text resource "CustomBounce"
    * Created a bounce profile "CustomBounce" and selected the text resource "CustomBounce" as the notification template.
    * Created a message filter with the actions "bounce-profile("CustomBounce");" and "bounce();"
    I still get the default notification, not the text from the "CustomBounce" template. How can I ensure that bounce actions in message filters do not output the default text in the bounce, but rather a customized, meaningful message?
    Thanks
    Stefan

  • Creating Custom Attribute for Dynamic Reauthorization Scheduler - ( 06-30-2025 )
  • Network Access Control
  • Hi everyone, As you may be aware, Cisco ISE 3.4 Patch 1 introduces the Dynamic Reauthorization Scheduler feature. To implement this, we need to: Define a string attribute in the format: YYYY-MM-DDThh:mm:ss+timezone (e.g., 2024-12-31T23:59:59+00:00). Reference this attribute in the corresponding Authorization Profile. My question: Could someone please guide me on how to create this custom attribute in ISE? Any insights or documentation references would be greatly appreciated! Thanks

  • Implementing IPSec over DMVPN Tunnel - ( 06-30-2025 )
  • VPN
  • Implementing IPsec over DMVPN Tunnels
    Introduction, Lab Topology, IPsec Configuration, Verification, Conclusion
    Introduction
    The drawbacks of DMVPN Phase 2 are overcome by DMVPN Phase 3 implementation. DMVPN tunnels don't offer any encryption, so the traffic passing through these tunnels is not secure. You can implement the IPsec protocol over DMVPN tunnels to encrypt traffic and make them secure. While IPsec is not mandatory for a DMVPN (Dynamic Multipoint VPN) setup, it's highly recommended, especially when using the internet as the underlay network. DMVPN, in itself, provides a scalable and dynamic way to create VPN tunnels between multiple sites, but it doesn't inherently encrypt the traffic. IPsec, on the other hand, provides encryption and authentication for the data being transmitted, enhancing the security of the VPN connection. So, in this article, we will discuss how to implement IPsec over DMVPN tunnels. To know more about DMVPN Phase 3 implementation, please go through the following link: https://community.cisco.com/t5/vpn/dmvpn-phase-3-implementation/m-p/5302916#M299236
    Lab Topology
    Assuming that all routers are configured with Underlay and Overlay (DMVPN Phase 3) configurations. Since traffic is not encrypted by default with DMVPN, we are going to implement IPsec to encrypt the traffic passing through the DMVPN tunnels and secure them.
    IPsec Configuration
    R1 Configuration
        R1(config)# crypto isakmp policy 5
        R1(config-isakmp)# encryption aes 256
        R1(config-isakmp)# hash sha256
        R1(config-isakmp)# authentication pre-share
        R1(config-isakmp)# group 14
        R1(config-isakmp)# exit
        R1(config)# crypto isakmp key cisco@123 address 0.0.0.0
        R1(config)# crypto ipsec transform-set TSET esp-aes 128 esp-sha384-hmac
        R1(cfg-crypto-trans)# mode transport
        R1(cfg-crypto-trans)# exit
        R1(config)# crypto ipsec profile PRO
        R1(ipsec-profile)# set transform-set TSET
        R1(ipsec-profile)# exit
        R1(config)# Interface Tunnel 0
        R1(config-if)# ip mtu 1400
        R1(config-if)# ip tcp adjust-mss 1272
        R1(config-if)# tunnel protection ipsec profile PRO
        R1(config-if)# end
    R2 Configuration
        R2(config)# crypto isakmp policy 5
        R2(config-isakmp)# encryption aes 256
        R2(config-isakmp)# hash sha256
        R2(config-isakmp)# authentication pre-share
        R2(config-isakmp)# group 14
        R2(config-isakmp)# exit
        R2(config)# crypto isakmp key cisco@123 address 0.0.0.0
        R2(config)# crypto ipsec transform-set TSET esp-aes 128 esp-sha384-hmac
        R2(cfg-crypto-trans)# mode transport
        R2(cfg-crypto-trans)# exit
        R2(config)# crypto ipsec profile PRO
        R2(ipsec-profile)# set transform-set TSET
        R2(ipsec-profile)# exit
        R2(config)# Interface Tunnel 0
        R2(config-if)# ip mtu 1400
        R2(config-if)# ip tcp adjust-mss 1272
        R2(config-if)# tunnel protection ipsec profile PRO
        R2(config-if)# end
    R3 Configuration
        R3(config)# crypto isakmp policy 5
        R3(config-isakmp)# encryption aes 256
        R3(config-isakmp)# hash sha256
        R3(config-isakmp)# authentication pre-share
        R3(config-isakmp)# group 14
        R3(config-isakmp)# exit
        R3(config)# crypto isakmp key cisco@123 address 0.0.0.0
        R3(config)# crypto ipsec transform-set TSET esp-aes 128 esp-sha384-hmac
        R3(cfg-crypto-trans)# mode transport
        R3(cfg-crypto-trans)# exit
        R3(config)# crypto ipsec profile PRO
        R3(ipsec-profile)# set transform-set TSET
        R3(ipsec-profile)# exit
        R3(config)# Interface Tunnel 0
        R3(config-if)# ip mtu 1400
        R3(config-if)# ip tcp adjust-mss 1272
        R3(config-if)# tunnel protection ipsec profile PRO
        R3(config-if)# end
    Once we configure IKE Phase 1 policy, we need to specify the address of our VPN peers. However, this is meant to be dynamic. Therefore, we have to specify the address 0.0.0.0 0.0.0.0, which will allow any IP address to connect as long as they know the password.
    DMVPNs would send traffic over mGRE tunnels, and the data is encrypted using IPsec. Now IPsec and mGRE each add their own headers, and this could lead to the packet size exceeding the MTU, or the maximum transmission unit. And this would cause fragmentation, and fragmentation is bad because it increases CPU usage on routers. So to work around this, we can use the client MSS setting in order to adjust the MTU size. Now Cisco recommends that when you set the GRE MTU on the tunnel interface, the MTU is set to 1400. Now from this, we can then calculate the MSS. Let's say, for example, we have a GRE packet, and the maximum MTU is 1400. Now, we have the GRE header itself, that's 24 bytes, then we also have the DMVPN key in the header. That's another 4 bytes. We have the IPsec header, which is 60 bytes. After the IPsec header, we have the TCP header, which is 20 bytes, and we have the IP header, which is another 20 bytes. This makes a total overhead of 128 bytes. So, if we subtract 128 from 1400, we get 1272.
    Verification
    Conclusion
    As we know, DMVPNs allow multi-point connectivity over the internet, but they can only do so with Cisco routers. What happens if you have a non-Cisco router and you want to connect to a Cisco router? Well, in this situation, you'd use FlexVPNs. We will discuss FlexVPNs in another article.
    References: OCG and Networklessions.com
    Thank you very much!

  • SWIM on C9300 with dual reboot - ( 06-29-2025 )
  • Cisco Catalyst Center
  • Hi Community, I've been upgrading a few Catalyst C9300L and C9300LM, from 17.08.x and 17.09.x to most recent 17.12.04 using Catalyst Center SWIM and noticed that while monitoring a switch with a continuous ping, there are two times that a switch stops replying (dual reboot) during the process as the Catalyst Center still shows progress after the second reboot, assuming final tasks are being executed. I've also performed a manual upgrade on those platforms, from same versions to 17.12.04 and noticed only one reboot. All these switches are being upgraded for the first time after being shipped, so it's their original version from factory. Both attempts, manual and SWIM, have been following Cisco Upgrade Guide recommendations. So, I'm just wondering if the dual reboot could be due to a firmware upgrade of both bootloader and OS images. Cisco says that bootloader can be upgraded before or after OS upgrade at any time but is Catalyst Center performing the bootloader first as a best practice, before upgrading OS? If so, and in case of a small maintenance window allowing only a single reboot, can we disable the option of bootloader firmware upgrade through Catalyst Center? Much appreciated for all of your inputs.

  • Umbrella SIG-E Deployment Help - ( 06-29-2025 )
  • Cisco Software Discussions
  • We're looking for a consultant or contractor that can help with an Umbrella SIG-E deployment. The organization already has a lower tier version of Umbrella in place, so this would be an upgrade, but we're looking for a resource that we can hire to perform the upgrade. Please DM me if you're an Umbrella expert and are interested. Thanks!

  • How to Implement Cisco Umbrella Multi-Org Console Within a Single Org - ( 06-29-2025 )
  • Umbrella Discussions
  • Hi everyone, We are working within a single company that uses multiple Cisco Umbrella tenants (for example, different departments, business units, or managed customer environments). We would like to implement the Cisco Umbrella Multi-Org Console to gain centralized visibility and management across all tenants. Could someone please clarify the following: Is it possible to implement the Multi-Org Console within a single organization managing multiple Umbrella tenants? What are the steps to activate and implement the Multi-Org Console? Are there any specific licensing or Cisco partner requirements? Does the Multi-Org Console support centralized policy management, reporting, and alerting across all tenants? If anyone has experience with this type of deployment or knows which Cisco team to contact for enabling this feature, I would greatly appreciate your input.  

  • Forcepoint DLP and DUO protecting Google Workspace - ( 06-27-2025 )
  • Protecting Applications
  • Hello, I have a client we provide Duo to for Google Workspace SSO. They want to implement Forcepoint DLP and while we have not been involved in that project, they are asking us why the redirects break when both are used at the same time. Looking at the setup docs, my brain is telling me they should be redirecting login to Forcepoint and then let Duo protect it rather than sitting in-between, but has anyone set this combo up before? Right now they go to Google to log in and it redirects to Duo SSO. Sign-in passes and it kicks it back to Google Workspace. Google tries to bring up Forcepoint and errors out.

  • Contract not assigned to company - ( 06-26-2025 )
  • Cisco Software Discussions
  • Hi, I have signed up for some Cisco licencing for the collaboration flex plan. With that order there are entitlements to access the associated software. After making the purchase I have actually found that the company selling the contracts are not proper Cisco partners (already paid for the service now). The contract has been created, however it hasn't been associated to my company properly, meaning I can't access anything. I have engaged with that company and am basically getting the response of "oh it should appear" "it may take some more time". I have spoken to Cisco about why I'm unable to access my entitlements and the reason I was given is that the support contract is not assigned to the company and it needs to be assigned in order to make it work. So now I have a subscription licence that is burning through the subscription that I'm unable to use because 1. the vendor doesn't seem willing to help. 2. Dicker Data won't cooperate with me to fix it even when their branding is all over this. So not a good look professionally on their part, especially given they are the ones who have likely made the mistake. I have asked them how to get around that and they said there is nothing I can do. So are my only options here for real to just create a new contract again?

  • New Workflows Documentation - ( 06-26-2025 )
  • Cisco Workflows
  • The new Cisco Workflows documentation is now live.  You can find it here: https://documentation.meraki.com/Workflows This will continue to be updated, but if you have any comments on missing or confusing content, please let us know.

  • Shared Line Call Records with MAC - ( 06-26-2025 )
  • Unified Communications Infrastructure
  • We are using Imagicle for call records. When a call rings a shared line directly, Imagicle shows the Device Name (MAC) in the report. When callers reach the shared line thru UCCX menu, the MAC does not show in the Device Name column. We are trying to determine how many calls each user is taking daily on the shared line. They are not UCCX agents. CDR/CMR reports in CM for these calls include the MAC. Call records

  • WEBUI Troubleshooting tab PCAP files - ( 06-26-2025 )
  • Switching
  • I have several tabs open to several switches and routers in the WebUI. I'm using the troubleshooting tab to create a few PCAP files. The issue occurs in both Chrome and Firefox, so I don't think it's a browser issue specifically, but some of the time I'm unable to "export to desktop". The packet capture feature (EPC) in the web interface is very intuitive and easy to use. It's simply using the monitor capture commands, but using it in the web UI allows you to download using HTTPS and in this environment that is the only option available, so it's invaluable. When it works you click the Export button and a window pops up allowing you to choose several options, default being "my desktop" which just allows you to download it directly to your PC. When it doesn't work and you select "my desktop" the browser errors out stating it can't find the selected file. However you can immediately select export once again and select flash: and it will create the pcap as bootflash:WebUITmp.pcap which you can then browse to in file manager and download it that way (which I found in another thread here), however it's a multi-step process that's for some reason unnecessary at times. The one thing is if *it is* a browser problem, which again, multiple tabs open and on some they download fine and others I get this problem, developer tools is disabled by security so I don't have that luxury...

  • Only 6 participant videos showing at one time despite max in settings - ( 06-26-2025 )
  • Cisco Software Discussions
  • Hi all, I have been losing my mind for a couple of weeks trying to fix this issue, but using the desktop Webex tool, every meeting I have joined for the last few weeks is only showing a maximum of 6 participants in the meeting at one time. I have tried every option for the layout, including grid, and I have gone into the meeting settings through the app to change the maximum participants in the grid view to every possible number, including the maximum, but nothing changes. I've restarted my computer and the app without luck. The one thing I haven't done is delete and reinstall the app as I do not have the ability to do so on my work computer. Aside from reinstalling, any ideas on how to fix this that don't involve changing meetings layout settings? (which I have already tried a million times)