Answer Questions

  • ISE 802.1x authentication SCEP certificate verify Common Name not chain - ( 05-08-2025 )
  • Network Access Control
  • Hi Experts, Recently we renewed our Root CA certificates and Intermediate CA certificates; we didn't upload them to our ISE server. Meanwhile, all devices with new certificates or old ones are working. Just curious: it seems ISE didn't verify the certificate chain of trust, and it mainly verified the Common Name (username) in AD. 1. On ISE, the certificates are: old Root CA certificates, old Intermediate (issuing) certificates x 2. The settings are 2. On users' devices, the below certificates can pass authentication: on iPhones, SCEP certificates pointing to the old Root CA certificate; on iPhones, SCEP certificates pointing to the new Root CA certificate; on Windows 10, user/computer certificates all pointing to the new Root CA. 3. Below are the authentication logs. It looks like ISE will only use the uploaded Intermediate CA certificates for CRL verification, and then select the Common Name from the SCEP certificate to verify it in AD. It looks like ISE didn't verify the chain of trust, as new SCEP certificates pointing to the new Root CA still get allowed. It only does CRL verification via the old intermediate CA certificate. (I think the CRL didn't change during our Root CA renewal.) If that is right, then when should we upload the new Root CA and new Intermediate (issuing) CA certificates onto ISE? Only when the old ones expire? Or can we just upload the new ones to let them coexist in parallel? Thanks very much

  • Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability - ( 05-08-2025 )
  • Network Security
  • Thank you for your help. I am checking whether we are affected by the following vulnerability: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC WLC#show running-config | include ap upgrade WLC# As shown above, the command returned nothing, so I judged that we are not affected. However, when I ran #show ap config general, it showed AP Upgrade Out-Of-Band Capability : Enabled. The GUI also shows "Out-of-band AP upgrade is possible: Yes", so I could not tell whether the feature is enabled or disabled. Is my understanding correct that if show running-config | include ap upgrade displays nothing, we are not affected? Thank you in advance.

  • SNTC to CX Cloud. You do not have sufficient access - ( 05-08-2025 )
  • CX Cloud
  • Hello, Today I checked SNTC at services.cisco.com and saw the announcement "Important Update: Smart Net Total Care Portal Migrates to Cisco CX Cloud". I tried to "Activate CX Cloud" and got this error: Account Creation Not Allowed. You do not have sufficient access to create a CX Cloud account. If you are using a public email domain, try using your company email to log in. Otherwise, contact your Cisco Account Manager. What is it? How do I migrate to CX Cloud? My account is already a corporate account and I have access to SNTC. Please, I need your help. Thanks,

  • ACI Telemetry export - clarification - ( 05-08-2025 )
  • Application Centric Infrastructure
  • Hi, I'm trying to export telemetry data from ACI to Cribl (could be other products as well). Under Fabric/Fabric Policies/Policies/Monitoring I can configure a stats export policy using http/s, sftp, etc. The aim is to do direct streaming like gRPC or a simple TCP/UDP, but I don't see that option. Question: Is there any way to do real-time streaming of telemetry data to a 3rd party system like Cribl? Or is it actually real-time when I select the Export Frequency to stream? Thanks a lot, Stefan

  • VPN with Alias on FTD - ( 05-08-2025 )
  • Network Security
  • Currently we have an ASA and use Secure Client 5.1.8.105 and two profiles using Alias that authenticate via 2FA. To get the correct profile, split tunnel or full tunnel, a user tacks the alias onto the URL and then connects, authenticates with full 2FA, gets the appropriate profile and goes to work. Trying to replicate this on an FTD using the same versions of client, and 7.4.2 gold star, it fails when trying to add the alias, with a "No valid certificates available for authentication" being logged before disconnect. To block hackers and spammers, DefaultGroup is set up for DefaultWEbVPN and is sent to AAA in the sky, IOW a dead server. To avoid being hacked on our active profiles, the drop down is disabled on login. It's the exact same setup as the ASA, which works fine. I attempted to access this page since I managed via CDO. Its description states: Aliases —Provide an alternate name or URL for the connection profile. Remote Access VPN administrators can enable or disable the Alias names and Alias URLs. VPN users can choose an Alias name when they connect to the FTD device remote access VPN using the AnyConnect VPN client. Step 4: Click Save. But the URL is https://edge.us.cdo.cisco.com/content/docs/t_configure_multiple_connection_profiles.html#!c-migrating-palo-alto-networks-firewall-to-multicloud-defense-with-the-firewall-migration-tool-in-cisco-defense-orchestrator.html and it directs to a Migration document for Palo Alto. Cisco web techs must be drunk. It looked like what I need is the doc prior to redirection, but it doesn't stay up long enough to understand what it says. Where can I find the documentation to configure the Secure Connect to work as it does on my ASA by adding the alias to the URL https://vpn.domain.com/mfa

  • Changing timezone from EST to UTC in ISE 3.3 patch-4 - ( 05-08-2025 )
  • Network Access Control
  • Hi guys, I have a five-node cluster, ISE 3.3 patch-4: Node 1: PAN & Primary MNT; Node 2: SAN & Secondary MNT; Node 3, 4, 5: PSN. These servers were built before I worked here, and the engineer before me used EST time zone instead of UTC as recommended by Cisco. We are on the Eastern time zone and currently the clock shows that we are one hour behind the current local time. For example, the "show clock" shows 12:37pm but it is actually 1:37pm. The clock will show correctly when we have to move back the clock one hour in November. I want to change the time zone from EST to UTC but I've been really scared of doing so because this is stated in Cisco documentation: https://community.cisco.com/t5/network-access-control/cisco-ise-timezone-change-in-ver-3-0/td-p/4520720 Changing the Time Zone on Cisco ISE Nodes: Changing the time zone on a Cisco ISE appliance after installation causes the Cisco ISE application on that node to be unusable. However, the preferred time zone (default UTC) can be configured during the installation when the initial setup wizard prompts you for the time zones. Has anyone successfully changed the time zone in a PRODUCTION environment in an ISE cluster? TIA...

  • CBS350 with no internet access - ( 05-08-2025 )
  • Network Management
  • Hi, My switch can't connect to the internet - feels isolated and all alone. I got here after a factory reset. Can someone help me fix this? For details, please see the attachment: no_internet.txt

  • vmanage certificate warning - ( 05-08-2025 )
  • SD-WAN and Cloud Networking
  • Hi all, does anyone know where in vmanage to change the cert expiry warning timeline? To 90 days? We got this alert but days to expiry is 221. *** This is an automatically generated email, please do not reply *** An event with following details happened in your network: Severity: Major; Event: Security Certificate Expiring; Devices: [x.x.x.x.]; Hostnames: [xxxx-vSmartsX]; CertificateType: ENTERPRISE_CERTIFICATE; CertificateSerialNumber: xxxxxxxxxxxxxxxxxxxxxxxxx; IssuerName: xxxxxxx; DaysToExpire: 221; Message: Security certificate about to expire; Occurred on: Wed Apr 30 14:01:00 EDT 2025

  • Send called party information to CUCM from external system - ( 05-08-2025 )
  • IP Telephony and Phones
  • Hi, I have a situation that I'm trying (and failing) to recreate. When a call is placed to a Hunt Pilot, the receiving user's Jabber shows the calling party ID and the called number (the hunt pilot number), like in the following picture. The caller is 647445536, and they dialed 3585009, which is a hunt pilot that directed the call to the user. Now the issue: I have an external system (Asterisk) that receives calls from our SIP provider, applies some logic and then directs the call to the user via CUCM. I would like Jabber to display the original called number, so the users can know if the call was made directly to them or if it went through Asterisk. Which SIP headers do I have to send CUCM when placing the call from Asterisk, so this information gets sent to the end user? Thanks

  • IW9167E Access Point for Hazardous Location - ( 05-08-2025 )
  • Accessories
  • Hi, The heavy duty access point to be installed in a zone 2 hazardous area has an ATEX equipment protection as shown on the ATEX certificate to II 3 G Ex ic ec IIC T4 Gc. In order to be installed correctly a Detailed System Designs (DSDs) calculation needs to be produced, if the intrinsically safe section of the protection which is ic. The certificate does not show any information needed to produce the calculation, so I am unsure if the protective concept of the device is the ec, which is increased safety to zone 2. If the increased safety is the protective concept of the ic then the ic should be shown in brackets (ic). We require power over ethernet for the unit so we are unsure if we require an intrinsically safe switch port. To select the correct type we need to do a DSD calculation, but nowhere in the manual or ATEX certificate gives us the information we require for the calculation, which we can do ourselves with our Ex14 engineers. Any help would be appreciated

  • Enhanced Zone merge in MDS9396T - ( 05-08-2025 )
  • Storage Networking
  • I am migrating from 9396S to 9396T through ISL based migration. 9396S (OLD SWITCH) has Enhanced zone set with valid zones. Question is: I shall set Enhanced zone on 9396T, but the warning below is confusing; if I continue, doesn't the empty zoneset get pushed to the old switch (9396S)? zone mode enhanced vsan 103 WARNING: This command would distribute the zoning database of this switch throughout the fabric. Do you want to continue? (y/n) [n] ^C

  • Room Kit EQX - MIC PRO Macro - ( 05-08-2025 )
  • TelePresence and Video Infrastructure
  • Hello Guys, recently we installed in our Main Collaboration Room a new Cisco Room Kit EQX, with 3 new Mic Ceiling PRO. We will also install a WiFi Mic Infrastructure by Shure, with DSP, AP and dedicated Wireless MIC (we will try via AES67, we bought the AV License). We want to have a simple button (with macro) on the tablet to enable/disable the Mic Ceiling PRO when we use the Shure's MIC, and vice versa; we tried some configuration, we used the example "Microphone Controls Macro" on the Codec but it doesn't work. I think the problem is related to the MIC ID: const ceilingMics = [5, 6, 7]; const panelMics = [2, 3, 4]; Which values are used for Ethernet MIC? Can you help me to understand which value we must use for Ethernet Mic?

  • Problems to Update VMware ESXI Custom Cisco - ( 05-08-2025 )
  • Unified Computing System Discussions
  • Hi there, I'm looking for a custom Cisco ISO of ESXi 6.7u3 or possibly version 7.0, as those versions are no longer available on Broadcom's site currently. I'm running VMware ESXi 6.7.0, build 10302608, and I want to upgrade to ESXi 8.0u3 custom Cisco. However, I'm not sure if a direct upgrade is possible or if I first need to upgrade to version 6.7u3 or 7.0 before moving to 8.0u3. I attempted to upgrade directly to 8.0u3, but it threw several errors. For example: Unable to download VIB: This may be due to network problems or the specified VIB does Not exist or does Not have a proper 'read' privilege set. Make sure that the specified VIB exists and can be accessed from vCenter Server. These VIBs on the host do not have the required SHA-256 checksum for their payloads: NetApp_bootbank_NetAppNasPlugin_1.1.2-3 This will prevent VIB security verification and secure boot from functioning properly. Please remove these VIBs and contact your vendor for replacements. Thanks!

  • Cisco Bug Search tool, filter by product/version not showing up - ( 05-08-2025 )
  • Cisco Bug Discussions
  • Hello, I am trying to get a list of bugs for some devices I have, yet the only option I am offered is to search by bug ID. This is how BST looks for me. If I reload the page, for a split second I get the "correct" UI with all the fields (product and version). I have tried accessing the page with different networks and browsers, incognito windows too.

  • Is it possible to use "PostureOS" attribute in ISE Profiling Policy - ( 05-07-2025 )
  • Network Access Control
  • Hello, We are implementing ISE at a customer and we have enabled posturing for Windows clients. When we check the endpoint attributes in Context Visibility we are able to see an attribute "PostureOS". Is it possible to use this in profiling policy to correctly identify the OS of the endpoint? The endpoint is Windows 10. Thanks, Shabeeb

  • CBS110-16T Switch Info Help - ( 05-07-2025 )
  • Switching
  • Hello, I have several questions regarding the CBS110-16T-NA (North America) network switch. Any help is much appreciated. Does the item utilize: A) Electronic AC switch consisting of optically coupled input and output circuits (insulated thyristor AC switches), B) Electronic switch, including temperature protected, consisting of transistor and a logic chip (chip on chip technology), or C) Electromechanical snap-action switches for a current not exceeding 11 amps? If no to all of the above, is the switch one of the following? Rotary type (if so, what is the amps (A) rating?); push button type (if so, what is the amps (A) rating? If a push button switch, is it a momentary contact switch, gang switch, or other type?); snap action other than limit; knife type; slide type; limit type. Is this a panel/board assembly containing other types of electrical circuit apparatus such as fuses, relays, etc., as well as a switch(es)?

  • Multicast ASM & SSM - ( 05-07-2025 )
  • Routing
  • Hi! I have a multicast setup in my network using PIM-ASM. For some reason a router in my network stopped responding to IGMP requests, although the show commands for IGMP showed everything works. Has anyone experienced the same thing? I'm planning to upgrade and restart the router and see if this resolves the problem. Another question: one of my customers is complaining that the multicast traffic stops every 30 seconds and starts again. I have checked the multicast table (sh ip mroute) and I can see the streams have been there for several weeks. I can see the packet count is increasing (mfib). I have checked the unicast routing table, and the routes have been there for a long time (no route flapping). I have checked errors and physical interfaces and none are there. Does anyone have any advice? What kind of troubleshooting could I do to verify that there is no problem on the network side? I want to ask about converting to SSM: would it be more beneficial if the customer has only a few sites? So is there more benefit of using SSM over ASM other than the ease of configuration?

  • Remote Access VPN: Tunnel from Fortigate to Secure Access - ( 05-07-2025 )
  • Secure Access Discussions
  • We followed the instructions for creating a tunnel from FortiGate to Secure Access. However, the status of the tunnel is still disconnected. Just also wanted to ask: does this setup apply if the use case is for remote access VPN (users connecting remotely), and not for traffic from on-prem users going through IPSec? If so, the source IP we entered in the FortiGate policy is the VPN subnets that are also added to the VPN IP Pool in Cisco Secure Access. But based on the documentation, even before setting policy, it should be established for a few minutes, which didn't happen. Does anyone experience this kind of scenario? For the policy, based on the documentation, the destination is all. Can we set the destination only for server apps (private resources) or a specific IP address only, with the source IP being the VPN subnet?

  • Cisco ISE No Livelogs after MnT Database Reset - ( 05-07-2025 )
  • Network Access Control
  • Hello, I have opened a Cisco TAC regarding failing scheduled config backups in our deployment. We are running Cisco ISE 3.1 Patch 10. Cisco TAC found out that our /OPT directory is above the threshold of 70 %. TAC deleted some files but it did not go down below the threshold, so he recommended a MnT Database Reset. I did that on the nodes, but after the MnT Database Reset it does not show any logs in the ISE GUI. In the Remote Logging target we set up we still see the logs. TAC took a Support Bundle after that but could not replicate the issue. In the lab the Reset went through without any problems, so he recommended to do the Reset again. But this did not help either. Anyone with a similar issue and a solution? Any suggestions?